Thomas N
asked on
Active Directory machines
I have an issue where machines in Active Directory have been sitting there for years without dropping off even if they are not on the network anymore. Is there a policy or configuration where I can check this? I thought after 45 days or so the machines automatically drop off if they do not report to AD? Thanks
ASKER
http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm
This would have nothing to do with what I am talking about? Tombstoning.
The default timeline for tombstoning a server is 90 days. Once again, an AD object for a server will not delete itself. Instead it goes through a tombstone lifetime.
This is the true story of a tombstoned object and how it works.
(Phantoms, Tombstone and the Infrastructure master)
http://support.microsoft.com/kb/248047
Going through the tombstoned process still leaves metadata for FRS, DNS and AD. This has to be removed. Now, Petri's site offers the best article for metadata cleanup.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Are you talking about being in AD or the DNS of AD?
Jmoody10 is correct in saying that objects (like users or computers) don't delete themselves from AD if no longer in use.
ASKER
I think mainly my problem is that I inherited an OU with thousands of old machines in there and I need to clean them out. The person who was taking care of it never deleted any machines from there for years. What would be the best way to identify machines that have not had their password reset in, say, more than 90 days and then delete them? I have never done this before, so if possible, being provided with the actual commands would be great. I think mkline71 is on the right track, but when I go to the website for the joeware it only has the actual oldcmp.exe file, not directions on how to use it. Thanks
dsquery computer -uco -stalepwd 90 -limit 0 | dsrm -uci -noprompt
You can:
1. Run a query (Saved Queries) for machines that have not logged in for X days
2. Invest in a piece of software (such as SPECOPS Active Directory Janitor) to automatically keep computer/user accounts cleaned up.
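The following is an added PowerShell example, not code posted in this thread, showing the stale-password cleanup the asker describes (pwdLastSet older than 90 days) done in two reversible stages instead of piping dsquery straight into dsrm. It assumes the RSAT ActiveDirectory module; the OU paths, the quarantine OU (which must already exist) and the report path are hypothetical placeholders.

```powershell
# Added example (not from the original thread). Requires the RSAT ActiveDirectory module.
# OU paths below are hypothetical placeholders; the quarantine OU must exist before running.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase   = 'OU=Workstations,DC=corp,DC=example',    # hypothetical
    [string]$QuarantineOU = 'OU=Stale Computers,DC=corp,DC=example', # hypothetical, must exist
    [int]   $StaleDays    = 90,
    [string]$ReportPath   = "$env:TEMP\stale-computers.csv"
)

$cutoff = (Get-Date).AddDays(-$StaleDays)

# Machine accounts rotate their own password every 30 days by default, so a pwdLastSet
# (exposed as PasswordLastSet) older than the cutoff is a strong staleness signal.
# lastLogonTimestamp (LastLogonDate) replicates only every 9-14 days, so it is used as
# a second opinion rather than on its own.
$stale = Get-ADComputer -SearchBase $SearchBase -Filter { PasswordLastSet -lt $cutoff } `
            -Properties PasswordLastSet, LastLogonDate, whenCreated, OperatingSystem, Enabled, servicePrincipalName |
    Where-Object {
        # Skip objects created after the cutoff (pre-staged accounts that were never joined
        # still look "stale" by password age) and cluster name objects, whose password
        # handling differs from an ordinary workstation.
        $_.whenCreated -lt $cutoff -and
        ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) -and
        -not ($_.servicePrincipalName -match '^MSClusterVirtualServer/')
    }

# Stage 0: always produce a report you can hand to the server/desktop teams before touching anything.
$stale |
    Select-Object Name, Enabled, OperatingSystem, PasswordLastSet, LastLogonDate, whenCreated, DistinguishedName |
    Sort-Object PasswordLastSet |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} stale computer objects written to {1}" -f @($stale).Count, $ReportPath)

# Stage 1: disable and move to the quarantine OU instead of deleting. A machine that was
# only switched off for a while can be re-enabled and moved back; a deleted object cannot
# be restored without the tombstone/recycle bin dance the thread discusses.
foreach ($c in $stale) {
    if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Disable and move to $QuarantineOU")) {
        Set-ADComputer -Identity $c -Enabled $false `
            -Description ("Stale since {0:yyyy-MM-dd}; quarantined {1:yyyy-MM-dd}" -f $c.PasswordLastSet, (Get-Date))
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $QuarantineOU
    }
}

# Stage 2: delete only what has sat disabled in quarantine for another $StaleDays without
# anyone reclaiming it. The quarantine date is read back from the Description written above.
# Remove-ADObject -Recursive is used because computer objects may carry child objects
# (for example BitLocker recovery information), which makes Remove-ADComputer fail.
$deleteBefore = (Get-Date).AddDays(-$StaleDays)
Get-ADComputer -SearchBase $QuarantineOU -Filter { Enabled -eq $false } -Properties Description |
    Where-Object {
        $_.Description -match 'quarantined (\d{4}-\d{2}-\d{2})' -and [datetime]$Matches[1] -lt $deleteBefore
    } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.DistinguishedName, 'Delete (quarantine period expired)')) {
            Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false
        }
    }
```

Run it first as `.\Cleanup-StaleComputers.ps1 -WhatIf` (any file name; the script name is not from the thread) and read the CSV before running it for real. The caveat a practitioner wants here: password age is strong evidence, not proof. Machine password changes can be turned off by policy (DisablePasswordChange), and virtual machines parked in cold storage or images kept for imaging labs will look stale while still being wanted, which is why the example quarantines rather than deletes. The dsquery/dsrm one-liner above does the same query with no safety net and no record of what it removed.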