Active Directory machines

Posted on 2011-05-05
Last Modified: 2012-05-11
I have an issue where machines in Active Directory have been sitting there for years without dropping off even if they are not on the network anymore. Is there a policy or configuration where I can check this? I thought after 45 days or so the machines automatically drop off if they do not report to AD? Thanks
Question by:Thomas N
    LVL 21

    Expert Comment

    by:Joseph Moody
    You are referring to password de-syncing. Computer accounts will never delete themselves from AD.

    You can:

    1. Run a query (Saved Queries) for machines that have not logged in X days
    2. Invest in a piece of software (such as SPECOPS Active Directory Janitor) to automatically keep computer/user accounts cleaned up.
    LVL 57

    Accepted Solution

    Another really great tool for this is oldcmp from Joe Richards.

    It works on users as well.

    A common method here (using any method) would be to first disable accounts (maybe after 90 days) and then delete accounts older than 120 or 180 days.



    Author Comment

    by:Thomas N

    This would have nothing to do with what I am talking about? Tombstoning.
    LVL 38

    Expert Comment

    The default timeline for tombstoning a server is 90 days. Once again, an AD object of a server will not delete itself. Instead it goes through a tombstone lifetime.

    This is the true story of a tombstoned object and how it works.
    (Phantoms, Tombstone and the Infrastructure master)

    Going through the tombstoned process still leaves metadata for FRS, DNS and AD. This has to be removed. Now, Petri's site offers the best article for metadata cleanup.
    LVL 7

    Expert Comment

    Are you talking about being in AD or the DNS of AD?

    Jmoody10 is correct in saying that objects (like users or computers) don't delete themselves from AD if no longer in use.

    Author Comment

    by:Thomas N
    I think mainly my problem is that I inherited an OU with thousands of old machines in there and I need to clean them out. The person who was taking care of it never deleted any machines from there for years. What would be the best way to identify machines that have not had their password reset in, say, more than 90 days and then delete them? I have never done this before, so if I can be provided the actual commands that would be great. I think mkline71 is on the right track, but when I go to the joeware website it only has the actual oldcmp.exe file and no directions on how to use it. Thanks
    LVL 21

    Expert Comment

    by:Joseph Moody
    dsquery computer -uco -stalepwd 90 -limit 0 | dsrm -uci -noprompt
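    Added example (not posted by anyone in this thread) of the two-stage approach the accepted solution describes, disabling machine accounts with a password older than 90 days and deleting only already-disabled ones past 180 days, using the ActiveDirectory PowerShell module instead of dsquery/dsrm. The OU distinguished name and the CSV file names are placeholders, and every change is run with -WhatIf so the lists can be reviewed first.

```powershell
# Two-stage stale computer account cleanup: disable first, delete later.
# Assumes the ActiveDirectory module (RSAT) and rights to modify the target OU.
Import-Module ActiveDirectory

$TargetOU     = 'OU=OldMachines,DC=example,DC=com'   # placeholder, replace with the inherited OU
$DisableAfter = 90    # days since the machine account password was last set
$DeleteAfter  = 180   # days; only accounts that are already disabled get deleted
$Now          = Get-Date

# pwdLastSet is a FILETIME in the directory; the module exposes it as PasswordLastSet (DateTime).
# Accounts with no PasswordLastSet (pre-staged, never joined) are skipped rather than treated as stale.
$computers = Get-ADComputer -SearchBase $TargetOU -Filter * `
    -Properties PasswordLastSet, LastLogonDate, Enabled, Description

$toDisable = $computers | Where-Object {
    $_.Enabled -and $_.PasswordLastSet -and ($Now - $_.PasswordLastSet).Days -gt $DisableAfter
}
$toDelete = $computers | Where-Object {
    (-not $_.Enabled) -and $_.PasswordLastSet -and ($Now - $_.PasswordLastSet).Days -gt $DeleteAfter
}

# Stage 1: disable, and stamp the description so the delete stage has a visible reason and date.
foreach ($c in $toDisable) {
    Set-ADComputer -Identity $c -Description ("Disabled as stale on {0:yyyy-MM-dd}" -f $Now) -WhatIf
    Disable-ADAccount -Identity $c -WhatIf
}

# Stage 2: delete disabled accounts that stayed stale past the longer threshold.
# Remove-ADComputer refuses objects with child objects (e.g. BitLocker recovery info);
# those need Remove-ADObject -Recursive after a deliberate review.
foreach ($c in $toDelete) {
    Remove-ADComputer -Identity $c -Confirm:$false -WhatIf
}

# Export both candidate lists for review before the -WhatIf switches are removed.
$toDisable | Select-Object Name, PasswordLastSet, LastLogonDate |
    Export-Csv -Path .\stale-disable.csv -NoTypeInformation
$toDelete  | Select-Object Name, PasswordLastSet, LastLogonDate |
    Export-Csv -Path .\stale-delete.csv -NoTypeInformation
```

Deleted objects still go through the tombstone lifetime mentioned earlier in the thread, so they are recoverable for that window but not visible in the OU.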
