jdc1944 (United Kingdom) asked:
Risks associated with not removing objects from AD

I've just been having a look through our Active Directory listings of computers/laptops.  There are about 3500 objects (computers, not users), some are disabled.  Whilst going through the list I noticed some computers that were active but I know they have long been disposed of.  No doubt there will potentially be a large amount of computers in AD as active when they no longer exist.  It could probably do with a bit of a clear up but I doubt management will entertain it.

So I can put a small report about it to management to get them to change their minds, what are the main risks of not removing old computers from AD?  Is it just bad housekeeping or is there a potential threat that someone could use the AD object to do something a little bit naughty?

Also is it best to disable the account or just delete it?
Mike Kline (accepted solution; answer not available on this page)

p_nuts:

if the machines are off the network for xx days (depending on your setting, default is 90 days I think) the machines won't be able to be used anyway..

but principally there is a risk as there's an account that can be used and abused.

as Mike mentioned above .. there are too many good and easy tools to not do it..

and it shouldn't cost that much either ..
jdc1944 (asker):

Thanks for the suggested tools, I'll look into them.  If the computers have been physically destroyed, does the risk still exist?  Is it as easy as renaming a machine to one that has been destroyed?
If the computers are destroyed there is no risk but good housekeeping.  

...if you have clusters read this   http://blogs.technet.com/b/askds/archive/2011/08/23/cluster-and-stale-computer-accounts.aspx

cluster network name account discussed there.  I was burned by that once years ago but luckily we disabled first and I just enabled the cluster network name object

Thanks

Mike
Hi all.
@p_nuts: Allow the correction:
if the machines are off the network for xx days (depending on your setting, default is 90 days I think) the machines won't be able to be used anyway..
That's not correct. See the 2nd question/answer here: http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx
Hmm, can you overrule that? Cause I'm pretty sure it was working like that for us.

Anyway every account can be abused so from that perspective cleaning up is better ..
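As an added example that is not part of the thread, here is the kind of clean-up the replies above recommend, written as a PowerShell script: it reports enabled computer objects that look stale and, only with -Disable, disables and parks them rather than deleting (the disable-first approach Mike describes for the cluster name object case). The OU distinguished name, the 90-day threshold, the report path and the exclusion list are placeholders, not values from the thread.

```powershell
# Added example, not from the thread: report enabled computer objects that look
# stale and, with -Disable, disable them and park them in a holding OU instead of
# deleting. Requires the ActiveDirectory module (RSAT). The OU DN, threshold and
# report path are placeholders to adapt to your own domain.
param(
    [int]$StaleDays = 90,
    [string]$HoldingOU = 'OU=Stale Computers,DC=example,DC=com',  # placeholder DN
    [string]$Report = '.\stale-computers.csv',
    [string[]]$Exclude = @(),   # names to never touch, e.g. cluster name objects
    [switch]$Disable
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$StaleDays)

# lastLogonTimestamp replicates lazily (it can trail the real last logon by up
# to about 14 days), so require BOTH an old logon stamp and an old machine
# password: a live domain member keeps rotating its password regardless.
$stale = Get-ADComputer -Filter 'Enabled -eq $true' `
           -Properties LastLogonDate, PasswordLastSet, OperatingSystem, whenCreated |
  Where-Object {
      $Exclude -notcontains $_.Name -and
      $_.whenCreated -lt $cutoff -and                     # skip freshly pre-staged objects
      (-not $_.LastLogonDate   -or $_.LastLogonDate   -lt $cutoff) -and
      (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff)
  }

# Always produce the report first: this is what goes to management.
$stale |
  Select-Object Name, OperatingSystem, LastLogonDate, PasswordLastSet, whenCreated, DistinguishedName |
  Sort-Object LastLogonDate |
  Export-Csv -Path $Report -NoTypeInformation
Write-Host ("{0} candidate stale computer objects written to {1}" -f @($stale).Count, $Report)

if ($Disable) {
    foreach ($c in $stale) {
        # Disable first, delete later: a disabled object can simply be re-enabled
        # if it turns out to still be in use (the cluster case from the thread).
        $note = "Disabled as stale {0:yyyy-MM-dd}; was {1}" -f (Get-Date), $c.DistinguishedName
        Set-ADComputer -Identity $c -Description $note
        Disable-ADAccount -Identity $c
        Move-ADObject -Identity $c -TargetPath $HoldingOU
    }
}
```

Run it without -Disable first and review the CSV (cluster name objects and anything pre-staged should be added to -Exclude) before running it again with -Disable; deletion of the parked objects can follow after a holding period.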