Active Directory machines

Posted on 2011-05-05
Medium Priority
Last Modified: 2012-05-11
I have an issue where machines in Active Directory have been sitting there for years without dropping off even if they are not on the network anymore. Is there a policy or configuration where I can check this? I thought after 45 days or so the machines automatically drop off if they do not report to AD? Thanks
Question by:Thomas N
LVL 22

Expert Comment

by:Joseph Moody
ID: 35702035
You are referring to password de-syncing. Computer accounts will never delete themselves from AD.

You can:

1. Run a query (Saved Queries) for machines that have not logged in X days
2. Invest in a piece of software (such as SPECOPS Active Directory Janitor) to automatically keep computer/user accounts cleaned up.
LVL 57

Accepted Solution

Mike Kline earned 2000 total points
ID: 35702557
Another really great tool for this is old computer from Joe Richards: http://www.joeware.net/freetools/tools/oldcmp/index.htm

It works on users as well.

A common method here (using any method) would be to first disable accounts (maybe after 90 days) and then delete accounts older than 120 or 180 days.



Author Comment

by:Thomas N
ID: 35702631

This would have nothing to do with what I am talking about? Tombstoning.

LVL 39

Expert Comment

ID: 35703098
The default timeline for tombstoning a server is 90 days. Once again, an AD object of a server will not delete itself. Instead it goes through a tombstoned lifetime.

This is the true story of a tombstoned object and how it works.
(Phantoms, Tombstone and the Infrastructure master)

Going through the tombstoned process still leaves metadata for FRS, DNS and AD. This has to be removed. Now, Petri's site offers the best article for metadata cleanup.

Expert Comment

ID: 35705334
Are you talking about being in AD or the DNS of AD?

Jmoody10 is correct in saying that objects (like users or computers) don't delete themselves from AD if no longer in use.

Author Comment

by:Thomas N
ID: 35706666
I think mainly my problem is that I inherited an OU with thousands of old machines in there and I need to clean them out. The person who was taking care of it never deleted any machines from there for years. What would be the best way to identify machines that have not had their password reset in, say, more than 90 days and then delete them? I have never done this before, so if I can be provided the actual commands that would be great. I think mkline71 is on the right track, but when I go to the joeware website it only has the actual oldcmp.exe file and no directions on how to use it. Thanks
LVL 22

Expert Comment

by:Joseph Moody
ID: 35706796
dsquery computer -uco -stalepwd 90 -limit 0 | dsrm -uci -noprompt
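The one-liner above finds and deletes in a single pass. Mike Kline's accepted answer describes the safer staged approach (disable after roughly 90 days, delete after 120 to 180). The following PowerShell script is an added example, not code from this thread or from any of the tools named in it, that implements that staging with the RSAT ActiveDirectory module. It uses the same stale-password signal as dsquery -stalepwd but also requires lastLogonTimestamp to be old, skips domain controllers, writes a CSV report before touching anything, and honours -WhatIf. The OU path, the 90/180-day thresholds and the STALE-DISABLED description marker are assumptions to adjust for your environment.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not from the original thread): staged cleanup of stale computer
  accounts. Dry-run with -WhatIf first; nothing changes until you run without it.
  SearchBase is a placeholder: point it at the inherited OU.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase       = 'OU=Workstations,DC=example,DC=com',   # placeholder
    [int]   $DisableAfterDays = 90,
    [int]   $DeleteAfterDays  = 180,
    [string]$ReportPath       = (Join-Path $env:TEMP 'stale-computers.csv')
)

Import-Module ActiveDirectory

$now           = Get-Date
$disableCutoff = $now.AddDays(-$DisableAfterDays)
$deleteCutoff  = $now.AddDays(-$DeleteAfterDays)
$marker        = 'STALE-DISABLED'   # assumed tag written into Description on disable

# PasswordLastSet is the DateTime view of pwdLastSet, the attribute dsquery -stalepwd
# evaluates. LastLogonDate (lastLogonTimestamp) is an independent second signal;
# requiring both to be old avoids sweeping up a live machine that rotated late.
$all = Get-ADComputer -SearchBase $SearchBase -Filter * `
       -Properties PasswordLastSet, LastLogonDate, Description, whenCreated, primaryGroupID

function Test-Stale {
    param($Computer, [datetime]$Cutoff)
    # Never touch domain controllers (primary group 516 / 521) or machines joined
    # so recently that they could not have reported yet.
    if ($Computer.primaryGroupID -in @(516, 521)) { return $false }
    if ($Computer.whenCreated -gt $Cutoff)        { return $false }
    $pwdOld   = (-not $Computer.PasswordLastSet) -or ($Computer.PasswordLastSet -lt $Cutoff)
    $logonOld = (-not $Computer.LastLogonDate)   -or ($Computer.LastLogonDate   -lt $Cutoff)
    return ($pwdOld -and $logonOld)
}

# 1. Report every candidate before changing anything.
$stale = @($all | Where-Object { Test-Stale $_ $disableCutoff })
$stale | Select-Object Name, Enabled, PasswordLastSet, LastLogonDate, whenCreated, DistinguishedName |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} stale computer(s) written to {1}" -f $stale.Count, $ReportPath)

# 2. Disable enabled stale accounts and stamp Description with the date, so a later
#    run can tell how long each one has been disabled.
foreach ($c in $stale | Where-Object { $_.Enabled }) {
    if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Disable stale computer')) {
        $stamp = '{0} {1:yyyy-MM-dd} | {2}' -f $marker, $now, $c.Description
        Set-ADComputer -Identity $c -Enabled $false -Description $stamp
    }
}

# 3. Delete accounts that this process disabled at least DeleteAfterDays ago and
#    that are still stale by that longer threshold.
foreach ($c in $stale | Where-Object { -not $_.Enabled }) {
    if ($c.Description -notmatch "^$marker (\d{4}-\d{2}-\d{2})") { continue }
    $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
    if ($disabledOn -gt $deleteCutoff)          { continue }
    if (-not (Test-Stale $c $deleteCutoff))     { continue }
    if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Delete stale computer')) {
        # Remove-ADObject -Recursive also removes child objects (for example BitLocker
        # recovery information), which would make Remove-ADComputer fail on a non-leaf.
        Remove-ADObject -Identity $c.DistinguishedName -Recursive -Confirm:$false
    }
}
```

Run it as `.\Clean-StaleComputers.ps1 -SearchBase 'OU=...' -WhatIf` and read the CSV before a real run. The 90-day default is three missed rotations of the machine account password (which changes every 30 days by default), so anything older has genuinely not been talking to the domain; the separate delete threshold gives owners of laptops or powered-off VMs a window to notice a disabled account and have it re-enabled instead of re-joined.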
