Solved

Removing computers from AD

Posted on 2006-07-18
Last Modified: 2010-11-07
Hi Guys,

I've just noticed that I had tons and tons of old computer accounts in AD where I haven't removed them from the domain properly (my fault, I thought they would scavenge stale records automatically). I am going through them and clearing them up, but wondered if there was an easy way of knowing which computers are still active and which aren't. Also, what would happen if I deleted the record of an active computer by mistake?

Thanks, Gavin
Question by:Gavin5511
6 Comments
 
LVL 23

Accepted Solution

by:
TheCleaner earned 1000 total points
ID: 17130379
As I said before, use OldCmp from Joeware: http://www.joeware.net/win/free/tools/oldcmp.htm to clean up old computer accounts.

If you accidentally delete an active computer it just won't be able to get onto the domain. You'll basically need to go to the computer, remove it from the domain, reboot, then re-add it to the domain, and reboot again.
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1000 total points
ID: 17130508

Scavenging relates to DNS only, and isn't AD so it gets a little confusing above. Hopefully this covers both possibilities.

In AD it's possible to tell if computer accounts are inactive by a number of means - our best bet is going to be DSQuery (which comes with the Windows 2003 Support Tools), it's nice and easy to use. Type this in the command prompt:

dsquery computer -inactive 8 -limit 0

That will return the distinguished names of all computers that haven't logged into the domain for 8 weeks - you can obviously replace 8 with whatever you prefer. If you're happy with the list then you can just remove them straight away like this (don't do this before reading everything below):

dsquery computer -inactive 8 -limit 0 | dsrm

Which will permanently remove those accounts. Be careful though, you may end up removing systems you like with that. Instead perhaps do:

dsquery computer -inactive 8 -limit 0 > computers.txt

Then hop through computers.txt removing anything you really don't want to kill then this time do:

type computers.txt | dsrm

If you delete a Computer Account from AD for an Active Machine it will no longer be able to log onto the domain and you will receive a big warning message whenever someone tries to log in.

For DNS, in case that was what needed cleaning up, you have a few things to do to make Scavenging really work.

First open up the properties for your Forward Lookup Zone (mydomain.local), then click the Aging button under the General Tab. This has two values under it, the No-Refresh and the Refresh Intervals. For a Record to be Scavenged both of these must have expired (that is No-Refresh + Refresh) and generally it works well to have those two values equal your DHCP Lease Time. If your DHCP Lease Time is 10 days then you could set each to 5 (for example), although 7 and 3 respectively would be better.

Once you've set the Aging bit open the Properties for the DNS Server itself, click Advanced and select Enable Scavenging, set the Scavenging Period to 1 day at the most; it really doesn't need to run too often to keep things nice and neat. That will clear out any expired records from DNS. You can do the same with any Reverse Lookup Zones to make sure that's tidy too.

HTH

Chris
0
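A staged alternative to piping the list straight into dsrm, as an added example that is not part of the original answers: it disables stale accounts and moves them to a quarantine OU, and it goes beyond the dsquery check by also requiring an old machine password. It assumes the ActiveDirectory PowerShell module; the OU name, report file name and `$DryRun` switch are placeholders.

```powershell
# Added example: quarantine stale computer accounts instead of deleting them.
# Assumptions: ActiveDirectory module (RSAT); the OU, file name and $DryRun are placeholders.
Import-Module ActiveDirectory

$InactiveWeeks = 8          # same window as "dsquery computer -inactive 8"
$QuarantineOU  = 'OU=Stale Computers,DC=mydomain,DC=local'   # hypothetical, must already exist
$Report        = 'stale-computers.csv'
$DryRun        = $true      # set to $false only after reviewing the report
$Cutoff        = (Get-Date).AddDays(-7 * $InactiveWeeks)

# A machine counts as stale only if BOTH its last logon and its last machine
# password change are older than the cutoff (or missing), and the account
# itself is older than the cutoff, so freshly pre-staged accounts are skipped.
$stale = Get-ADComputer -Filter 'Enabled -eq $true' `
        -Properties LastLogonDate, PasswordLastSet, whenCreated |
    Where-Object {
        $_.DistinguishedName -notlike '*,OU=Domain Controllers,*' -and
        $_.whenCreated -lt $Cutoff -and
        (-not $_.LastLogonDate   -or $_.LastLogonDate   -lt $Cutoff) -and
        (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff)
    }

# Keep a record of what was selected, including where each account lived.
$stale | Select-Object Name, DistinguishedName, LastLogonDate, PasswordLastSet |
    Export-Csv -Path $Report -NoTypeInformation

$stamp = Get-Date -Format 'yyyy-MM-dd'
foreach ($c in $stale) {
    # Record the original location so the account can be moved back.
    Set-ADComputer -Identity $c.ObjectGUID -WhatIf:$DryRun `
        -Description "Stale, disabled $stamp, was: $($c.DistinguishedName)"
    Disable-ADAccount -Identity $c.ObjectGUID -WhatIf:$DryRun
    Move-ADObject -Identity $c.ObjectGUID -TargetPath $QuarantineOU -WhatIf:$DryRun
}
```

A quarantined account that turns out to belong to a live machine can be re-enabled and moved back without rejoining the machine to the domain.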
 
LVL 71

Expert Comment

by:Chris Dent
ID: 17130523

Hmm sorry, took me ages to type that. You may be better with the tool above from TheCleaner :)

Chris
0
LVL 1

Author Comment

by:Gavin5511
ID: 17136871
Cheers guys,

I ended up using oldcmp as suggested by the cleaner. Worked really well, and outputted some nice reports to print out and keep record of. I then went through and just did a few minor tweaks and deletes using the DSquery which also worked really well, although I found it a touch harder to use than oldcmp.

Anyway, my question wasn't actually asking about DNS scavenging, just thought you might be able to set up a similar thing on Active Directory BUT........ I checked my settings, and they weren't right anyway, so you have helped out there big time too!

Thanks guys
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 17136875

Happy to help :)

Chris
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17137988
Glad to see you got it going.
0
