Removing computers from AD

Posted on 2006-07-18
Last Modified: 2010-11-07
Hi Guys,

I've just noticed that I had tons and tons of old computer accounts in AD where I haven't removed them from the domain properly (my fault, I thought they would scavenge stale records automatically). I am going through them and clearing them up, but wondered if there was an easy way of knowing which computers are still active and which aren't. Also, what would happen if I deleted the record of an active computer by mistake?

Thanks, Gavin
Question by:Gavin5511
LVL 23

Accepted Solution

by:
TheCleaner earned 250 total points
ID: 17130379
As I said before, use OldCmp from Joeware:  http://www.joeware.net/win/free/tools/oldcmp.htm to clean up old computer accounts.

If you accidentally delete an active computer it just won't be able to get onto the domain.  You'll basically need to go to the computer, remove it from the domain, reboot, then re-add it to the domain, and reboot again.
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 250 total points
ID: 17130508

Scavenging relates to DNS only, and isn't AD so it gets a little confusing above. Hopefully this covers both possibilities.

In AD it's possible to tell if computer accounts are inactive by a number of means - our best bet is going to be DSQuery (which comes with the Windows 2003 Support Tools), it's nice and easy to use. Type this in the command prompt:

dsquery computer -inactive 8 -limit 0

That will return the distinguished names of all computers that haven't logged into the domain for 8 weeks - you can obviously replace 8 with whatever you prefer. If you're happy with the list then you can just remove them straight away like this (don't do this before reading everything below):

dsquery computer -inactive 8 -limit 0 | dsrm

Which will permanently remove those accounts. Be careful though, you may end up removing systems you like with that. Instead perhaps do:

dsquery computer -inactive 8 -limit 0 > computers.txt

Then hop through computers.txt removing anything you really don't want to kill then this time do:

type computers.txt | dsrm

If you delete a Computer Account from AD for an Active Machine it will no longer be able to log onto the domain and you will receive a big warning message whenever someone tries to log in.

For DNS, in case that was what needed cleaning up, you have a few things to do to make Scavenging really work.

First open up the properties for your Forward Lookup Zone (mydomain.local), then click the Aging button under the General Tab. This has two values under it, the No-Refresh and the Refresh Intervals. For a Record to be Scavenged both of these must have expired (that is No-Refresh + Refresh) and generally it works well to have those two values equal your DHCP Lease Time. If your DHCP Lease Time is 10 days then you could set each to 5 (for example), although 7 and 3 respectively would be better.

Once you've set the Aging bit open the Properties for the DNS Server itself, click Advanced and select Enable Scavenging, set the Scavenging Period to 1 day at the most; it really doesn't need to run too often to keep things nice and neat. That will clear out any expired records from DNS. You can do the same with any Reverse Lookup Zones to make sure that's tidy too.

HTH

Chris
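The same review-then-remove workflow as the dsquery/dsrm steps in the answer above, written as an added PowerShell example (not part of the original thread). It assumes the ActiveDirectory module from RSAT on a domain-joined admin workstation; it uses the replicated lastLogonTimestamp attribute, skips domain controllers, and disables rather than deletes so a wrongly listed active machine can be re-enabled instead of rejoined.

```powershell
# Added example, not from the original answer. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StaleComputerAccount {
    param([int]$InactiveWeeks = 8)   # same meaning as "dsquery computer -inactive 8"

    $cutoff = (Get-Date).AddDays(-7 * $InactiveWeeks)

    # lastLogonTimestamp is replicated to every DC (lastLogon is not), but it is
    # only refreshed every 9-14 days, so treat the result as approximate.
    $candidates = Get-ADComputer -Filter 'Enabled -eq $true' `
        -Properties lastLogonTimestamp, operatingSystem, whenCreated |
      Where-Object {
        $last = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) }
                else { $_.whenCreated }   # never logged on: age it from creation
        $last -lt $cutoff
      }

    # Never touch domain controllers, whatever their timestamp says.
    $dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN
    $candidates | Where-Object { $dcDns -notcontains $_.DistinguishedName }
}

function Export-ReviewList {
    param([string]$Path = '.\computers.csv', [int]$InactiveWeeks = 8)

    # Equivalent of "dsquery ... > computers.txt": write a list to edit by hand.
    Get-StaleComputerAccount -InactiveWeeks $InactiveWeeks |
      Select-Object Name, DistinguishedName, operatingSystem,
        @{ n = 'LastLogon'; e = {
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) }
            else { 'never' } } } |
      Export-Csv -NoTypeInformation -Path $Path
    Write-Host "Candidate accounts written to $Path; remove any rows you want to keep."
}

function Disable-ReviewedComputers {
    param([string]$Path = '.\computers.csv', [switch]$Commit)

    # Equivalent of "type computers.txt | dsrm", but disable instead of delete:
    # a disabled account can be re-enabled if a live machine slipped through.
    # Without -Commit this only reports what it would do (-WhatIf).
    Import-Csv -Path $Path | ForEach-Object {
        Disable-ADAccount -Identity $_.DistinguishedName -WhatIf:(-not $Commit)
    }
}

# Usage: Export-ReviewList; edit computers.csv; Disable-ReviewedComputers -Commit
```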
 
LVL 70

Expert Comment

by:Chris Dent
ID: 17130523

Hmm sorry, took me ages to type that. You may be better with the tool above from TheCleaner :)

Chris
LVL 1

Author Comment

by:Gavin5511
ID: 17136871
Cheers guys,

I ended up using oldcmp as suggested by TheCleaner. Worked really well, and output some nice reports to print out and keep a record of. I then went through and just did a few minor tweaks and deletes using DSquery, which also worked really well, although I found it a touch harder to use than oldcmp.

Anyway, my question wasn't actually asking about DNS scavenging, just thought you might be able to set up a similar thing on Active Directory BUT........ I checked my settings, and they weren't right anyway, so you have helped out there big time too!

Thanks guys
 
LVL 70

Expert Comment

by:Chris Dent
ID: 17136875

Happy to help :)

Chris
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17137988
Glad to see you got it going.