Solved

Removing computers from AD

Posted on 2006-07-18
Last Modified: 2010-11-07
Hi Guys,

I've just noticed that I had tons and tons of old computer accounts in AD where I haven't removed them from the domain properly (my fault, I thought they would scavenge stale records automatically). I am going through them and clearing them up, but wondered if there was an easy way of knowing which computers are still active and which aren't. Also, what would happen if I deleted the record of an active computer by mistake?

Thanks, Gavin
Question by:Gavin5511
6 Comments
 
LVL 23

Accepted Solution

by:
TheCleaner earned 250 total points
ID: 17130379
As I said before, use OldCmp from Joeware:  http://www.joeware.net/win/free/tools/oldcmp.htm to clean up old computer accounts.

If you accidentally delete an active computer it just won't be able to get onto the domain.  You'll basically need to go to the computer, remove it from the domain, reboot, then re-add it to the domain, and reboot again.
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 250 total points
ID: 17130508

Scavenging relates to DNS only, and isn't AD so it gets a little confusing above. Hopefully this covers both possibilities.

In AD it's possible to tell if computer accounts are inactive by a number of means - our best bet is going to be DSQuery (which comes with the Windows 2003 Support Tools), it's nice and easy to use. Type this in the command prompt:

dsquery computer -inactive 8 -limit 0

That will return the distinguished names of all computers that haven't logged into the domain for 8 weeks - you can obviously replace 8 with whatever you prefer. If you're happy with the list then you can just remove them straight away like this (don't do this before reading everything below):

dsquery computer -inactive 8 -limit 0 | dsrm

Which will permanently remove those accounts. Be careful though, you may end up removing systems you like with that. Instead perhaps do:

dsquery computer -inactive 8 -limit 0 > computers.txt

Then hop through computers.txt removing anything you really don't want to kill then this time do:

type computers.txt | dsrm

If you delete a Computer Account from AD for an Active Machine it will no longer be able to log onto the domain and you will receive a big warning message whenever someone tries to log in.

For DNS, in case that was what needed cleaning up, you have a few things to do to make Scavenging really work.

First open up the properties for your Forward Lookup Zone (mydomain.local), then click the Aging button under the General Tab. This has two values under it, the No-Refresh and the Refresh Intervals. For a Record to be Scavenged both of these must have expired (that is No-Refresh + Refresh) and generally it works well to have those two values equal your DHCP Lease Time. If your DHCP Lease Time is 10 days then you could set each to 5 (for example), although 7 and 3 respectively would be better.

Once you've set the Aging bit, open the Properties for the DNS Server itself, click Advanced and select Enable Scavenging, set the Scavenging Period to 1 day at the most; it really doesn't need to run too often to keep things nice and neat. That will clear out any expired records from DNS. You can do the same with any Reverse Lookup Zones to make sure that's tidy too.

HTH

Chris
0
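Added example, not part of the original thread or written by any of its posters: a disable-first variant of the review-then-remove workflow above, so that a machine flagged by mistake can be re-enabled instead of rejoined to the domain. It assumes the ActiveDirectory PowerShell module (RSAT) is available; the report path and the protected-OU list are constructed placeholders.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$InactiveWeeks = 8                          # same threshold as the dsquery example
$ReportPath    = '.\stale-computers.csv'    # hypothetical report path
$ProtectedOUs  = @('OU=Domain Controllers', 'OU=Servers')   # constructed exclusions
$DryRun        = $true                      # set to $false only after reviewing the report

$cutoff = (Get-Date).AddDays(-7 * $InactiveWeeks)

# Enabled computer accounts with no logon recorded since the cutoff.
# AD replicates the last-logon timestamp lazily, so it can lag real
# activity by up to about two weeks; keep the threshold well above that.
$stale = Search-ADAccount -ComputersOnly -AccountInactive -DateTime $cutoff |
    Where-Object { $_.Enabled } |
    Where-Object {
        $dn = $_.DistinguishedName
        # Drop anything that lives under a protected OU.
        -not ($ProtectedOUs | Where-Object { $dn -like "*,$_,*" })
    }

# 1. Keep a record of what was found before changing anything.
$stale | Select-Object Name, DistinguishedName, LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation

# 2. Disable and tag instead of deleting. Note: this overwrites any
#    existing Description on the account.
$stamp = "Disabled as stale on $(Get-Date -Format 'yyyy-MM-dd')"
foreach ($computer in $stale) {
    Disable-ADAccount -Identity $computer.DistinguishedName -WhatIf:$DryRun
    Set-ADComputer -Identity $computer.DistinguishedName -Description $stamp -WhatIf:$DryRun
}

"{0} stale computer account(s) written to {1}" -f @($stale).Count, $ReportPath
```

With `$DryRun` left at `$true` the script only writes the report and prints what it would change. An account disabled in error can be restored with `Enable-ADAccount`; accounts that stay disabled through a grace period are the candidates for deletion.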
 
LVL 71

Expert Comment

by:Chris Dent
ID: 17130523

Hmm sorry, took me ages to type that. You may be better with the tool above from TheCleaner :)

Chris
0
LVL 1

Author Comment

by:Gavin5511
ID: 17136871
Cheers guys,

I ended up using oldcmp as suggested by the cleaner. Worked really well, and outputted some nice reports to print out and keep a record of. I then went through and just did a few minor tweaks and deletes using the DSquery, which also worked really well, although I found it a touch harder to use than oldcmp.

Anyway, my question wasn't actually asking about DNS scavenging, just thought you might be able to set up a similar thing on Active Directory BUT........ I checked my settings, and they weren't right anyway, so you have helped out there big time too!

Thanks guys
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 17136875

Happy to help :)

Chris
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17137988
Glad to see you got it going.
0
