Solved

Removing computers from AD

Posted on 2006-07-18
Last Modified: 2010-11-07
Hi Guys,

I've just noticed that I had tons and tons of old computer accounts in AD where I haven't removed them from the domain properly (my fault, I thought they would scavenge stale records automatically). I am going through them and clearing them up, but wondered if there was an easy way of knowing which computers are still active and which aren't. Also, what would happen if I deleted the record of an active computer by mistake?

Thanks, Gavin
0
Question by:Gavin5511
 
LVL 23

Accepted Solution

by:
TheCleaner earned 250 total points
ID: 17130379
As I said before, use OldCmp from Joeware:  http://www.joeware.net/win/free/tools/oldcmp.htm to clean up old computer accounts.

If you accidentally delete an active computer it just won't be able to get onto the domain.  You'll basically need to go to the computer, remove it from the domain, reboot, then re-add it to the domain, and reboot again.
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 250 total points
ID: 17130508

Scavenging relates to DNS only, and isn't AD so it gets a little confusing above. Hopefully this covers both possibilities.

In AD it's possible to tell if computer accounts are inactive by a number of means - our best bet is going to be DSQuery (which comes with the Windows 2003 Support Tools), it's nice and easy to use. Type this in the command prompt:

dsquery computer -inactive 8 -limit 0

That will return the distinguished names of all computers that haven't logged into the domain for 8 weeks - you can obviously replace 8 with whatever you prefer. If you're happy with the list then you can just remove them straight away like this (don't do this before reading everything below):

dsquery computer -inactive 8 -limit 0 | dsrm

Which will permanently remove those accounts. Be careful though, you may end up removing systems you like with that. Instead perhaps do:

dsquery computer -inactive 8 -limit 0 > computers.txt

Then hop through computers.txt removing anything you really don't want to kill, then this time do:

type computers.txt | dsrm

If you delete a Computer Account from AD for an Active Machine it will no longer be able to log onto the domain and you will receive a big warning message whenever someone tries to log in.

For DNS, in case that was what needed cleaning up, you have a few things to do to make Scavenging really work.

First open up the properties for your Forward Lookup Zone (mydomain.local), then click the Aging button under the General Tab. This has two values under it, the No-Refresh and the Refresh Intervals. For a Record to be Scavenged both of these must have expired (that is No-Refresh + Refresh) and generally it works well to have those two values equal your DHCP Lease Time. If your DHCP Lease Time is 10 days then you could set each to 5 (for example), although 7 and 3 respectively would be better.

Once you've set the Aging bit open the Properties for the DNS Server itself, click Advanced and select Enable Scavenging, set the Scavenging Period to 1 day at the most; it really doesn't need to run too often to keep things nice and neat. That will clear out any expired records from DNS. You can do the same with any Reverse Lookup Zones to make sure that's tidy too.

HTH

Chris
0
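The review step described in the answer above (trimming computers.txt before it is fed to dsrm), as an added example that is not part of the original answer: a Python script that splits the inactive list into "delete" and "keep" using a keep-list of computer names and protected containers. The sample DNs, the keep-list values and the function names are constructed for illustration; it assumes dsquery's usual output of one double-quoted distinguished name per line.

```python
# Constructed sample of `dsquery computer -inactive 8 -limit 0` output:
# one double-quoted distinguished name per line (assumed format).
SAMPLE_DSQUERY_OUTPUT = '''\
"CN=WS-0412,CN=Computers,DC=mydomain,DC=local"
"CN=FILESRV01,OU=Servers,DC=mydomain,DC=local"
"CN=LAB\\, ROOM 2,OU=Lab,DC=mydomain,DC=local"
"CN=KIOSK-07,OU=Kiosks,OU=Workstations,DC=mydomain,DC=local"
"CN=OLD-LAPTOP-3,CN=Computers,DC=mydomain,DC=local"
'''


def split_dn(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def triage(dsquery_text, keep_names=(), keep_containers=()):
    """Return (delete, keep): DN lines left in dsquery's quoted format.

    A computer is kept if its CN is in keep_names or if any parent
    RDN (e.g. "OU=Servers") is in keep_containers. Case-insensitive.
    """
    names = {n.lower() for n in keep_names}
    containers = {c.lower() for c in keep_containers}
    delete, keep = [], []
    for line in dsquery_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rdns = split_dn(line.strip('"'))
        cn = rdns[0].partition("=")[2].lower()
        parents = {r.lower() for r in rdns[1:]}
        protected = cn in names or bool(parents & containers)
        (keep if protected else delete).append(line)
    return delete, keep
```

Writing the `delete` list back to computers.txt, one line per DN, gives a file in the same format as the original dsquery output, and the `keep` list doubles as a record of what was deliberately spared.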
 
LVL 70

Expert Comment

by:Chris Dent
ID: 17130523

Hmm sorry, took me ages to type that. You may be better with the tool above from TheCleaner :)

Chris
0

 
LVL 1

Author Comment

by:Gavin5511
ID: 17136871
Cheers guys,

I ended up using OldCmp as suggested by TheCleaner. It worked really well, and output some nice reports to print out and keep a record of. I then went through and just did a few minor tweaks and deletes using DSQuery, which also worked really well, although I found it a touch harder to use than OldCmp.

Anyway, my question wasn't actually asking about DNS scavenging, just thought you might be able to set up a similar thing on Active Directory BUT........ I checked my settings, and they weren't right anyway, so you have helped out there big time too!

Thanks guys
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 17136875

Happy to help :)

Chris
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17137988
Glad to see you got it going.
0
