Active Directory Clean-Up tips

D

Dextop

Hi all,
I am new to this group, so please bear with me, if I'm breaking any
rules of this group.

Now to get to the point. I am a Jr. Sys-Admin in a medium size company
with multiple sites. We have a single domain, which contains several
OU's region wise. i.e we have a OU for Asia Pacific one for Europe one
for Americas e.t.c each of these are divided into sites (one for each
different building).
The AD is managed by many people, and control is delegated to
different admins at site level. The problem is that we have a large
number of computers registered with our AD. What we need is
1) Find inactive computer accounts and disable them.
2) Move computers to there appropriate containers.

Each site has about a hundred systems, thoough we do have some large
sites which have approx around 300 - 400 computers. I know this is
going to be a very slow and tedious process. but someone has gotta do
it. And, I have found myself in this soup.

I request you all to suggest any tools or methodology which can/should
be used to approach this problem. Since I have a very limited
experience in this field any help would be appreciated.

TIA

Akshat
 
D

Dextop

Thanks for your response

Can you please elaborate on how can i shortlist computers that are not
in use, i believe you are thinking along the lines of last logon or
something like that?? At present i am short on details.

I'll check out joeware.net too

Akshat
 
P

Paul Bergson

Run oldcmp and it should give you a list. That simple.

From Joeware:
The tool will work with a Windows 2000 AD as well as a Windows 2003 AD. It
can key off the pwdLastSet attribute or in a Windows 2003 Domain Functional
Domain on lastLogonTimestamp. This means you are going after IDs that have
not had their password reset in x days or you can go after accounts that
haven't logged on x days where by default x, is 90 days. I chose 90 days
because computers should change their password at least every 30 days unless
they have had their registries modified to prevent that password change.
There are exceptions like when a mobile user goes away and doesn't log into
the network for a long time or for some poorly written SAN/NAS solutions
that don't change the password on the machine accounts on a regular basis.
Generally, however, if the password on a computer account is between 90-120
days, you can safely remove it.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
D

Dextop

I think you misuderstood my question I meant how to look for it using
the query tool in ADU&C snap-in. It doesn't show lastlogin time for
computers..............
TIA

-Akshat
 
P

Paul Bergson

Only available on 2003 native mode. Are you there?

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
D

Dextop

No not yet, we're running mixed mode. We even have some Windows NT
boxes, used for intranet and other such stuff. We are in the process
of phasing them out slowly. I think I'll stick to tools like AD JAnitro
and OldCmp for now. Thanks for your patience with me, and any other
suggestion will be mosst welcome.

Akshat
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Active Directory design 3
Large Global single domain Group Policy design 1
GPO and Add Computer to Domain 1
Groups and OU's 3
Active Directory structure - OU's 2
OU creation question 1
OU/Container Question Rephrased 2
HELP - specifying ability to add a workstation to a domain. 1

Top