Solved

Removing computers from AD

Posted on 2006-07-18
6
246 Views
Last Modified: 2010-11-07
Hi Guys,

I've just noticed that i had tons and tons of old computer accounts IN AD where i haven't removed them from the domain properly (my fault, i thought the would scavege stale records automatically). I am going through them and clearing them up, but wondered if there was an easy way of knowing which computers are still active and which aren't. Also, what would happen if i deleted the record of an active computer by mistake?

Thanks, Gavin
0
Comment
Question by:Gavin5511
  • 3
  • 2
6 Comments
 
LVL 23

Accepted Solution

by:
TheCleaner earned 250 total points
ID: 17130379
As I said before, use OldCmp from Joeware:  http://www.joeware.net/win/free/tools/oldcmp.htm to clean up old computer accounts.

If you accidentally delete an active computer it just won't be able to get onto the domain.  You'll basically need to go to the computer, remove it from the domain, reboot, then readd it to the domain, and reboot again.
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 250 total points
ID: 17130508

Scavenging relates to DNS only, and isn't AD so it gets a little confusing above. Hopefully this covers both possibilities.

In AD it's possible to tell if computer accounts are inactive by a number of means - our best bet is going to be DSQuery (which comes with the Windows 2003 Support Tools), it's nice and easy to use. Type this in the command prompt:

dsquery computer -inactive 8 -limit 0

That will return the distinguished names of all computers that haven't logged into the domain for 8 weeks - you can obviously replace 8 with whatever you prefer. If you're happy with the list then you can just remove the straight away like this (don't do this before reading everything below):

dsquery computer -inactive 8 -limit 0 | dsrm

Which will permanently remove those accounts. Be careful though, you may end up removing systems you like with that. Instead perhaps do:

dsquery computer -inactive 8 -limit 0 | computers.txt

Then hop through computers.txt removing anything you really don't want to kill then this time do:

type computers.txt | dsrm

If you delete a Computer Account from AD for an Active Machine it will no longer be able to log onto the domain and you will recieve a big warning message whenever someone tries to log in.

For DNS, in case that was what needed cleaning up, you have a few things to do to make Scavenging really work.

First open up the properties for your Forward Lookup Zone (mydomain.local), then click the Aging button under the General Tab. This has two values under it, the No-Refresh and the Refresh Intervals. For a Record to be Scavenged both of these must have expired (that is No-Refresh + Refresh) and generally it works well to have those two values equal your DHCP Lease Time. If your DHCP Lease Time is 10 days then you could set each to 5 (for example), although 7 and 3 respectively would be better.

Once you've set the Aging bit open the Properties for the DNS Server itself, click Advanced and select Enable Scavenging, set the Scavenging Period to 1 day at the most; it really doesn't need to run too often to keep things nice and neat. That will clear out any expired records from DNS. You can do the same with any Reverse Lookup Zones to make sure that's tidy too.

HTH

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 17130523

Hmm sorry, took me ages to type that. You may be better with the tool above from TheCleaner :)

Chris
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Author Comment

by:Gavin5511
ID: 17136871
Cheers guys,

I ended up using oldcmp as suggested by the cleaner. worked really well, and outputted some nice reports to rpint out and keep record off. I then went through and just done a few minor tweaks and deletes using the DSquery which also worked really well, although i found it a touch harder to use than oldcmp.

anyway, my question wasn't actually asking about DNS scaveging, just thought you might be able to set up a similar thing on active directory BUT........ i checked my settings, and they wasn't right anyway, so you have helped out there big time too!

Thanks guys
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 17136875

Happy to help :)

Chris
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17137988
Glad to see you got it going.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Best practice DHCP migration 7 67
home folder path for users 4 74
Dentrix G4 1 65
SBS 2003 RWW Login 3 37
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question