?
Solved

GPO - Disable computer object that has not checked into network for 90 days.

Posted on 2014-09-10
6
Medium Priority
?
355 Views
Last Modified: 2014-09-19
Hi Experts,
The client we support  requested we create a GPO that disables computer objects that hasn't checked into domain for more than 90 days, something that we missed during the initial consideration for this was our workstation build engineers who build several machines and holds them in stock ready to be distributed when required, unfortunately when they send out machines to some of these has now surpassed the 90 days, and the results is the computer object is disabled, is there any way we can work around this, we cannot change the policy, but just ideas on a better process for the engineers building these machines, thoughts?
0
Comment
Question by:craigleenz
  • 2
  • 2
  • 2
6 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40315791
Simply group all your newly built workstations in their own OU and exclude that OU from the GPO.
0
 

Author Comment

by:craigleenz
ID: 40315818
thanks becraig, that's definitely an idea, then once the machine is ready to be deployed, the engineer just move the machine to the correct OU?
0
 
LVL 29

Accepted Solution

by:
becraig earned 1000 total points
ID: 40315829
Yup So that way your current GPO to disable any computer objects not logged in will not apply.

However do remember the tombstone lifetime for AD objects:
you can verify this before you proceed:
To absolutely know, follow this procedure on your Windows 2008 domain controller:

1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. In ADSI Edit, right-click ADSI Edit, and then click Connect to.
3. For Connection Point, click Select a well known Naming Context, and then click Configuration.
4. If you want to connect to a different domain controller, for Computer, click Select or type a domain or server: (Server | Domain [:port]). Provide the server name or the domain name and Lightweight Directory Access Protocol (LDAP) port (389), and then click OK.
5. Double-click Configuration, CN=Configuration,DC=ForestRootDomainName, CN=Services, and CN=Windows NT.
6. Right-click CN=Directory Service, and then click Properties.
7. In the Attribute column, click tombstoneLifetime.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 100

Assisted Solution

by:John Hurst
John Hurst earned 1000 total points
ID: 40316106
there any way we can work around this, we cannot change the policy,

Alternatively, consider this to be a business question and save yourself some work. Require engineers building machines to have a "bring forward" to start them every 75 days. I do not think this should be onerous or hard if the reason why is explained.

Otherwise they have to identify to you when to change groups. The second is more work for you and no easier than the first.
0
 

Author Closing Comment

by:craigleenz
ID: 40331929
thanks,
0
 
LVL 100

Expert Comment

by:John Hurst
ID: 40332284
@craigleenz  - You are very welcome and I was happy to help.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Eseutil Hard Recovery is part of exchange tool and ensures Exchange mailbox data recovery when mailbox gets corrupt due to some problem on Exchange server.
Mailbox Corruption is a nightmare every Exchange DBA wishes he never has. Recovering from it can be super-hectic if not entirely futile. And though techniques like the New-MailboxRepairRequest cmdlet have been designed to help with fixing minor corr…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question