mslunecka
asked on
Domain migration - computer account issue after using ADMT
I am an OU administrator for my organization. We recently used ADMT (Active Directory Migration Tool) to move all of our computers from an old (and busted) Windows 2000 AD to a new Windows 2003 AD. I have full control of my OU and group policy privileges. All my stuff is in my own OU or subcontainers.
When we ran the ADMT tool against the list of computers in the old domain, many of those computers no longer existed. This caused lots of problems running ADMT as it would time out on computers it could not contact. It also created computer accounts in the new domain for these computers even though it was never able to successfully contact them.
So now I have all my computers in the new domain, but I've also got these extra computer names. I do not know whether our domain admin has any kind of policy in place to expire computer accounts that have never "phoned home", and I can't wait for that to kick in anyway.
Does anyone know how I can go through my OU and find computer accounts that have never contacted the DC so I can delete them and make my list accurate?
ASKER
Thanks for your help! I never actually had a chance to test your solution, though I've no doubt it would have worked (we keep good DHCP records and comparing a list of our computers against leases for the last 3 months wouldn't have been very difficult).
On our domains the computer account password changes monthly. The accounts don't really expire, but we were able to check for accounts with expired passwords and eliminate them that way. I'm not sure how our domain admin generated the list, but it showed up in my inbox this morning and I got what I needed.
ASKER
I had considered running a LANguard scan of my network, but the problem is that I would get so many computer names back (I only administer one piece of our network) it would take too much effort to sift through them, and I need a more immediate answer than that would provide. Some of the computers in my list just don't get turned on very often.
If anyone else knows of a way to check the AD for computers that have contacted the DC recently I'd be interested in that as well.
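Added example, not part of the original thread: one way to list the computer accounts in a single OU that have never logged on to a DC or whose machine password is overdue for rotation, the signal the asker describes, using `Get-ADComputer` from the ActiveDirectory PowerShell module. The OU path, the 90-day threshold and the output file name are placeholders; `lastLogonTimestamp` (shown as `LastLogonDate`) is only maintained at Windows Server 2003 domain functional level or higher and can lag by up to about two weeks.

```powershell
# Read-only report of stale computer accounts in one OU (added example).
# Requires the ActiveDirectory module (RSAT). Nothing is modified or deleted.
Import-Module ActiveDirectory

# Placeholders: adjust to your own OU and rotation policy.
$SearchBase = 'OU=MyDept,DC=example,DC=com'   # hypothetical OU path
$MaxPwdAge  = 90                              # days; about three missed monthly rotations
$OutFile    = '.\stale-computers.csv'         # hypothetical output file
$Now        = Get-Date

$report = Get-ADComputer -SearchBase $SearchBase -SearchScope Subtree -Filter * `
        -Properties PasswordLastSet, LastLogonDate, whenCreated |
    ForEach-Object {
        # Age of the machine account password; $null if it was never set.
        $pwdAge = if ($_.PasswordLastSet) {
            [int]($Now - $_.PasswordLastSet).TotalDays
        } else { $null }

        # Classification is a heuristic:
        #  NeverLoggedOn  - no logon timestamp recorded, e.g. an account that was
        #                   created for a machine that was never contacted
        #  StalePassword  - the machine has missed several password rotations
        $status = if (-not $_.LastLogonDate) { 'NeverLoggedOn' }
                  elseif ($null -eq $pwdAge -or $pwdAge -gt $MaxPwdAge) { 'StalePassword' }
                  else { 'Active' }

        [pscustomobject]@{
            Name            = $_.Name
            Status          = $status
            Created         = $_.whenCreated
            PasswordLastSet = $_.PasswordLastSet
            PasswordAgeDays = $pwdAge
            LastLogonDate   = $_.LastLogonDate
            DN              = $_.DistinguishedName
        }
    }

# Show the candidates and keep a copy to check against DHCP leases
# or inventory before anything is removed.
$candidates = $report | Where-Object { $_.Status -ne 'Active' } | Sort-Object Status, Name
$candidates | Format-Table Name, Status, PasswordAgeDays, LastLogonDate -AutoSize
$candidates | Export-Csv -Path $OutFile -NoTypeInformation
```

Machines that are rarely powered on, as mentioned above, can legitimately appear as `StalePassword`, so the threshold should be longer than the longest expected time off the network.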