Thomas N

Active Directory machines

I have an issue where machines in Active Directory have been sitting there for years without dropping off even if they are not on the network anymore. Is there a policy or configuration where I can check this? I thought after 45 days or so the machines automatically drop off if they do not report to AD? Thanks
Joseph Moody

You are referring to password de-syncing. Computer accounts will never delete themselves from AD.

You can:

1. Run a query (Saved Queries) for machines that have not logged in X days
2. Invest in a piece of software (such as SPECOPS Active Directory Janitor) to automatically keep computer/user accounts cleaned up.
ASKER CERTIFIED SOLUTION
Mike Kline

Thomas N

ASKER

http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm

This would have nothing to do with what I am talking about? Tombstoning.
The default timeline for tombstoning a server is 90 days. Once again, an AD object of a server will not delete itself. Instead it goes through a tombstoned lifetime.

This is the true story of a tombstoned object and how it works.
(Phantoms, Tombstone and the Infrastructure master)
http://support.microsoft.com/kb/248047

Going through the tombstoned process still leaves metadata for FRS, DNS and AD. This has to be removed. Now, Petri's site offers the best article for metadata cleanup.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Are you talking about being in AD or the DNS of AD?

Jmoody10 is correct in saying that objects (like users or computers) don't delete themselves from AD if no longer in use.
I think mainly my problem is that I inherited an OU with thousands of old machines in there and I need to clean them out. The person who was taking care of it never deleted any machines from there for years. What would be the best way to identify machines that have not had their password reset in, say, more than 90 days and then delete them? I have never done this before, so if possible it would be great if I could be provided the actual commands. I think mkline71 is on the right track, but when I go to the website for the joeware it only has the actual oldcmp.exe file but no directions on how to use it. Thanks
dsquery computer -uco -stalepwd 90 -limit 0 | dsrm -uci -noprompt
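A PowerShell version of the same stale-password cleanup, added here as an example and not part of any answer in this thread. It assumes the ActiveDirectory module from RSAT and uses a placeholder OU distinguished name; unlike the dsquery | dsrm one-liner it writes a CSV record first and disables accounts before a later deletion pass, with -WhatIf left on so nothing changes until you remove it.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and a placeholder OU DN; replace $TargetOU with the inherited OU.
Import-Module ActiveDirectory

$StaleDays = 90                                    # same threshold as dsquery -stalepwd 90
$TargetOU  = 'OU=Workstations,DC=example,DC=com'   # placeholder DN
$Cutoff    = (Get-Date).AddDays(-$StaleDays)
$Report    = "stale-computers-$(Get-Date -Format yyyyMMdd).csv"

# Computers whose machine-account password has not changed since the cutoff.
# pwdLastSet is the attribute dsquery -stalepwd checks; PasswordLastSet is its
# converted DateTime form exposed by the AD module.
$Stale = Get-ADComputer -SearchBase $TargetOU -Filter { PasswordLastSet -lt $Cutoff } `
    -Properties PasswordLastSet, LastLogonDate, OperatingSystem, Enabled |
    Sort-Object PasswordLastSet

# Keep a record before touching anything, so a mistaken disable can be reversed.
$Stale | Select-Object Name, DistinguishedName, PasswordLastSet, LastLogonDate, OperatingSystem, Enabled |
    Export-Csv -Path $Report -NoTypeInformation

Write-Host "$($Stale.Count) computer accounts under $TargetOU have a password older than $StaleDays days (written to $Report)"

# Stage 1: disable rather than delete, and record why in the description so the
# change is attributable. -WhatIf shows what would happen without changing AD.
$Stale | Where-Object Enabled | ForEach-Object {
    Set-ADComputer -Identity $_ -Enabled $false `
        -Description "Disabled $(Get-Date -Format yyyy-MM-dd): pwdLastSet older than $StaleDays days" -WhatIf
}

# Stage 2 (run later, once nothing has complained): remove accounts that stage 1
# already disabled and that are still stale. Drop -WhatIf to actually delete.
Get-ADComputer -SearchBase $TargetOU -Filter { (Enabled -eq $false) -and (PasswordLastSet -lt $Cutoff) } |
    Remove-ADComputer -Confirm:$false -WhatIf
```

Machines that have been offline for a long stretch (spares, lab hardware) will show up as stale even though they are still wanted, which is why the disable step sits between the report and the delete.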