• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 354

Risks associated with not removing objects from AD

I've just been having a look through our Active Directory listings of computers/laptops.  There are about 3,500 objects (computers, not users), some of which are disabled.  Whilst going through the list I noticed some computers that were active but I know they have long been disposed of.  No doubt there will potentially be a large number of computers in AD marked as active when they no longer exist.  It could probably do with a bit of a clear-up, but I doubt management will entertain it.

So I can put a small report about it to management to get them to change their minds, what are the main risks of not removing old computers from AD?  Is it just bad housekeeping, or is there a potential threat that someone could use the AD object to do something a little bit naughty?

Also is it best to disable the account or just delete it?
0
Asked: jdc1944
1 Solution
 
Mike Kline commented:
First I'll list a few tools I really like for this sort of thing.

http://www.joeware.net/freetools/tools/oldcmp/ - OldCmp, a free tool from Joe Richards; you can pull a quick report with:
oldcmp -report

ADTidy - http://www.cjwdev.co.uk/Software/ADTidy/Info.html - free GUI tool

It is good housekeeping to remove them if you have old machines.  They could also potentially be plugged back in and used but the person would also have to have an account.

I've always disabled first and then deleted just in case there were false positives.  For example disable after 120 days and delete after 180 days.

Thanks

Mike
0
 
p_nuts commented:
If the machines are off the network for xx days (depending on your setting; the default is 90 days, I think), the machines won't be able to be used anyway.

But principally there is a risk, as there's an account that can be used and abused.

As Mike mentioned above, there are too many good and easy tools to not do it.

And it shouldn't cost that much either.
0
 
jdc1944 (Author) commented:
Thanks for the suggested tools, I'll look into them.  If the computers have been physically destroyed, does the risk still exist?  Is it as easy as renaming a machine to one that has been destroyed?
0
 
Mike Kline commented:
If the computers are destroyed there is no risk, just good housekeeping.

...If you have clusters, read this: http://blogs.technet.com/b/askds/archive/2011/08/23/cluster-and-stale-computer-accounts.aspx

The cluster network name account is discussed there.  I was burned by that once years ago, but luckily we disabled first and I just re-enabled the cluster network name object.

Thanks

Mike
0
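The staged disable-then-delete pass Mike describes (disable at 120 days, delete at 180), with the cluster network name object caveat from his later comment, as an added PowerShell example that is not code from the thread nor from OldCmp or ADTidy. It assumes the ActiveDirectory RSAT module, rights to modify computer objects, and runs in -WhatIf mode until $WhatIf is set to $false; the "Stale:" description tag and the thresholds are this example's own conventions.

```powershell
# Added example: staged cleanup of stale AD computer objects (disable, then delete).
# Assumes the ActiveDirectory module and rights to modify computer objects.
# "Last seen" = newer of lastLogonTimestamp and pwdLastSet; lastLogonTimestamp
# replicates lazily (up to ~14 days behind), so treat the dates as approximate.
Import-Module ActiveDirectory

$DisableAfterDays = 120    # thresholds from Mike's suggestion above
$DeleteAfterDays  = 180
$WhatIf           = $true  # set to $false only after reviewing the report output

$disableCutoff = (Get-Date).AddDays(-$DisableAfterDays)
$deleteCutoff  = (Get-Date).AddDays(-$DeleteAfterDays)
$tag           = 'Stale: disabled '

$computers = Get-ADComputer -Filter * -Properties lastLogonTimestamp, pwdLastSet,
                servicePrincipalName, description, whenCreated

foreach ($c in $computers) {
    # Skip cluster network name objects (CNO/VCO): they log on rarely and look stale.
    if ($c.servicePrincipalName -match '^MSClusterVirtualServer/') { continue }

    # Never-logged-on objects (pre-staged machines) are aged from creation instead.
    $lastLogon = if ($c.lastLogonTimestamp) { [DateTime]::FromFileTime($c.lastLogonTimestamp) } else { $c.whenCreated }
    $pwdSet    = if ($c.pwdLastSet)         { [DateTime]::FromFileTime($c.pwdLastSet) }         else { $c.whenCreated }
    $lastSeen  = if ($lastLogon -gt $pwdSet) { $lastLogon } else { $pwdSet }

    if (-not $c.Enabled -and $c.description -like "$tag*" -and $lastSeen -lt $deleteCutoff) {
        # Stage 2: only objects this script disabled, still unseen past 180 days, get deleted.
        Write-Output "DELETE  $($c.Name) (last seen $lastSeen)"
        # Remove-ADComputer fails on objects with children (e.g. BitLocker info);
        # use Remove-ADObject -Recursive for those after checking them by hand.
        Remove-ADComputer -Identity $c -Confirm:$false -WhatIf:$WhatIf
    }
    elseif ($c.Enabled -and $lastSeen -lt $disableCutoff) {
        # Stage 1: disable and record when/why in the description, so a false
        # positive can be reverted by simply re-enabling the object.
        Write-Output "DISABLE $($c.Name) (last seen $lastSeen)"
        $note = "$tag$(Get-Date -Format yyyy-MM-dd); was: $($c.description)"
        Set-ADComputer -Identity $c -Enabled $false -Description $note -WhatIf:$WhatIf
    }
}
```

Run it once with $WhatIf left at $true and keep the output as the report for management; only objects tagged by stage 1 are ever eligible for stage 2, so a machine disabled by hand for another reason is left alone.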
 
McKnife commented:
Hi all.
@p_nuts: Allow the correction:
"If the machines are off the network for xx days (depending on your setting; the default is 90 days, I think), the machines won't be able to be used anyway."
That's not correct. See the 2nd question/answer here: http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx
0
 
p_nuts commented:
Hmm, can you overrule that?  'Cause I'm pretty sure it was working like that for us.

Anyway, every account can be abused, so from that perspective cleaning up is better.
0
