Solved

GPO - Disable computer object that has not checked into network for 90 days.

Posted on 2014-09-10
330 Views
Last Modified: 2014-09-19
Hi Experts,
The client we support requested we create a GPO that disables computer objects that haven't checked into the domain for more than 90 days. Something that we missed during the initial consideration for this was our workstation build engineers, who build several machines and hold them in stock ready to be distributed when required. Unfortunately, when they send out machines, some of these have now surpassed the 90 days, and the result is the computer object is disabled. Is there any way we can work around this? We cannot change the policy, but just ideas on a better process for the engineers building these machines. Thoughts?
Question by:craigleenz
6 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40315791
Simply group all your newly built workstations in their own OU and exclude that OU from the GPO.
0
 

Author Comment

by:craigleenz
ID: 40315818
Thanks becraig, that's definitely an idea. Then once the machine is ready to be deployed, the engineer just moves the machine to the correct OU?
0
 
LVL 29

Accepted Solution

by:
becraig earned 250 total points
ID: 40315829
Yup. So that way your current GPO to disable any computer objects not logged in will not apply.

However, do remember the tombstone lifetime for AD objects; you can verify this before you proceed. To absolutely know, follow this procedure on your Windows 2008 domain controller:

1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. In ADSI Edit, right-click ADSI Edit, and then click Connect to.
3. For Connection Point, click Select a well known Naming Context, and then click Configuration.
4. If you want to connect to a different domain controller, for Computer, click Select or type a domain or server: (Server | Domain [:port]). Provide the server name or the domain name and Lightweight Directory Access Protocol (LDAP) port (389), and then click OK.
5. Double-click Configuration, CN=Configuration,DC=ForestRootDomainName, CN=Services, and CN=Windows NT.
6. Right-click CN=Directory Service, and then click Properties.
7. In the Attribute column, click tombstoneLifetime.
0

 
LVL 94

Assisted Solution

by:John Hurst
John Hurst earned 250 total points
ID: 40316106
"there any way we can work around this, we cannot change the policy,"

Alternatively, consider this to be a business question and save yourself some work. Require engineers building machines to have a "bring forward" to start them every 75 days. I do not think this should be onerous or hard if the reason why is explained.

Otherwise they have to identify to you when to change groups. The second is more work for you and no easier than the first.
0
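The checks discussed in the answers above, as an added example that is not part of the original thread: it reads tombstoneLifetime from the same object the ADSI Edit steps reach, then reports which machines in a holding OU are nearing the 90-day limit, using the 75-day interval suggested above as the warning point. The OU distinguished name is a hypothetical placeholder, and treating lastLogonTimestamp as the "checked in" signal is an assumption about how the client's policy measures inactivity.

```powershell
# Added example; needs the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# Hypothetical placeholder: OU holding built-but-not-yet-deployed machines.
$StagingOU   = 'OU=Staging,DC=example,DC=com'
$DisableDays = 90   # inactivity limit from the question
$WarnDays    = 75   # "bring forward" interval suggested in the thread

# Same object as the ADSI Edit path:
# CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root>
$configNC = (Get-ADRootDSE).configurationNamingContext
$dirSvc   = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties tombstoneLifetime
# An unset attribute means the built-in default of 60 days applies.
$tsl = if ($null -ne $dirSvc.tombstoneLifetime) { $dirSvc.tombstoneLifetime } else { 60 }
"tombstoneLifetime: $tsl days"

$now = Get-Date
Get-ADComputer -Filter * -SearchBase $StagingOU -SearchScope Subtree `
               -Properties LastLogonDate, whenCreated |
    ForEach-Object {
        # LastLogonDate is the converted lastLogonTimestamp, which replicates
        # lazily (up to about 14 days behind), so leave margin before the limit.
        # A machine that has never logged on is aged from its creation date.
        $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        $idle = [int][math]::Floor(($now - $last).TotalDays)
        [pscustomobject]@{
            Name     = $_.Name
            Enabled  = $_.Enabled
            LastSeen = $last
            IdleDays = $idle
            Status   = if (-not $_.Enabled)          { 'Disabled' }
                       elseif ($idle -ge $DisableDays) { 'OverLimit' }
                       elseif ($idle -ge $WarnDays)    { 'PowerOnSoon' }
                       else                            { 'OK' }
        }
    } |
    Sort-Object IdleDays -Descending |
    Format-Table -AutoSize
```

The script only reads from the directory; scheduling it weekly gives the build engineers a list of stock machines to power on or move before they are deployed.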
 

Author Closing Comment

by:craigleenz
ID: 40331929
thanks,
0
 
LVL 94

Expert Comment

by:John Hurst
ID: 40332284
@craigleenz  - You are very welcome and I was happy to help.
0
