Active Directory computers


CAMC1

Does anyone know what is the easiest way to cleanup Active Directory
Computer names?
There are a lot of computer names that are no longer used or computers have
been removed, but names from active directory still exist.
(If there was a way to tell, a computer was never turned on to access Active
Directory would help me to delete those computers)
MC
 

Richard Mueller

CAMC1 said:
Does anyone know what is the easiest way to cleanup Active Directory
Computer names?
There are a lot of computer names that are no longer used or computers have
been removed, but names from active directory still exist.
(If there was a way to tell, a computer was never turned on to access Active
Directory would help me to delete those computers)
MC

Hi,

Check out Joe Richards' oldcmp utility:

http://www.joeware.net/win/free/tools/oldcmp.htm
 

CAMC1

I downloaded and ran it to get just the report. It seems to work with no crashes
yet, and did not scratch my SUV yet (nice warranty statement).
One more question though: does the column "PWDLastSet" reflect the computer that
was joined to the domain, or actually any person who reset their password using
this PC?
I have computer names with pwdLastSet dating back to 2000, but a user may have
never used this PC to set a password.

Thanks
 

Richard Mueller

Hi,

Both user and computer objects have a pwdLastSet attribute. Joe's utility
looks at the value of the pwdLastSet attribute of the computer object, which
will be the last time the computer object had its password set. Nothing to
do with users.

Computers authenticate to the domain when they start up. By default, they
request a password change when they authenticate if pwdLastSet is more than
14 days in the past. This is transparent to users.
 

Joe Richards [MVP]

I actually have no reported cases of scratched paint yet, but you never
know. ;)

Just as an FYI, oldcmp is used in some of the largest companies in the
world as well as the military and governments of several first world
countries, I have no outstanding, "oh my god this is a horrendous bug"
reports at the moment. Actually that tool hasn't had one yet. It is
pretty well tested out. You just have to make sure you check what you
are disabling/deleting before doing so.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 

CAMC1

Here are my findings with this tool.
According to the report I get, it tells me computer
ABC pwdLastSet=2002/08/22.... and Whencreated==2002/08/22....

I looked at "Symantec System Center", and saw that this computer ABC was
last scanned and definitions updated 8/28/2006

Then I realized that the computer actually exists and it is in my network.
So those dates that this tool produces are not enough for me to delete the
computer names from Active Directory.

Am I missing something else here?

MC
 

Richard Mueller

CAMC1 said:
Here are my findings with this tool.
According to the report I get, it tells me computer
ABC pwdLastSet=2002/08/22.... and Whencreated==2002/08/22....

I looked at "Symantec System Center", and saw that this computer ABC was
last scanned and definitions updated 8/28/2006

Then I realized that the computer actually exists and it is in my network.
So those dates that this tool produces are not enough for me to delete the
computer names from Active Directory.

Am I missing something else here?

MC

It sounds like the computer is not joined to the domain, or has an OS before
NT. I have a Win9x client in my network, for example. Win9x clients do not
authenticate to the domain, but I created an object for it so I could test
for group membership during logon to attach printers. I find that
whenCreated and pwdLastSet are the same long ago date for this object. The
machine is there, it can be pinged, maybe virus signature files can be
deployed to it, but it never authenticates.
 

CAMC1

The computer was joined to the domain, but was a W98 computer; they seldom log into
network drives (most of the time they just cancel at logon).
I have a few Win98 machines that are required for simple production functions...

Thanks
MC
 

Richard Mueller

Hi,

Just like my situation. These clients never authenticate to the domain, so
lastLogon and pwdLastSet (of the computer object) are never updated. Whether
the user connects to a drive or not, or whether the user even authenticates
to the domain does not matter. If there is a computer object, someone must
have manually created it. The actual client never uses it. The oldcmp
utility has no way to tell if the corresponding machine is used. On the
other hand, there is no need for the computer object - unless you use it
like I do, to place in groups for connecting printers during logon.
 

Joe Richards [MVP]

Windows 98 machines aren't members of the domain. They only have the
concept of a workgroup, you just specify the domain for the workgroup.

Members of a domain NEED the actual computer accounts to establish the
trust connection.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
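
The distinction discussed in this thread (a computer object whose pwdLastSet equals whenCreated never had its password rotated, while one whose password was rotated and then stopped is a formerly active machine) can be sketched as a report-only triage. This is an added example, not part of the thread and not oldcmp's code; the function name, the 90-day threshold, and the sample records other than the ABC dates are assumptions constructed for illustration.

```powershell
# Added example. Report only: it never disables or deletes anything.
function Get-StaleComputerReport {
    param(
        [Parameter(Mandatory)] [object[]] $Computer,
        [int] $StaleDays = 90,                 # assumed threshold, tune per site
        [datetime] $Now = [datetime]::UtcNow
    )
    foreach ($c in $Computer) {
        $created = ([datetime]$c.whenCreated).ToUniversalTime()
        # pwdLastSet is a FILETIME: 100-ns intervals since 1601-01-01 UTC; 0 means never set
        $raw = [int64]$c.pwdLastSet
        $pwdSet = if ($raw -gt 0) { [datetime]::FromFileTimeUtc($raw) } else { $created }
        $ageDays = [math]::Floor(($Now - $pwdSet).TotalDays)
        # True when the password has not changed since the object was created (within an hour)
        $neverRotated = [math]::Abs(($pwdSet - $created).TotalMinutes) -lt 60

        if ($ageDays -le $StaleDays) { $status = 'Active' }
        elseif ($neverRotated)       { $status = 'NeverRotated' }  # pre-created object or non-authenticating client
        else                         { $status = 'Stale' }         # rotated in the past, then stopped

        [pscustomobject]@{
            Name       = $c.Name
            Created    = $created
            PwdLastSet = $pwdSet
            AgeDays    = $ageDays
            Status     = $status
        }
    }
}

# Constructed sample records (ABC uses the dates quoted in the thread).
function U($y, $m, $d) { [datetime]::new($y, $m, $d, 0, 0, 0, [DateTimeKind]::Utc) }
$sample = @(
    [pscustomobject]@{ Name = 'ABC';    whenCreated = (U 2002 8 22); pwdLastSet = (U 2002 8 22).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'OLD-PC'; whenCreated = (U 2003 1 10); pwdLastSet = (U 2005 3 1).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'NEW-PC'; whenCreated = (U 2005 6 1);  pwdLastSet = (U 2006 8 20).ToFileTimeUtc() }
)
Get-StaleComputerReport -Computer $sample -Now (U 2006 9 1) | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
#   Get-StaleComputerReport -Computer (Get-ADComputer -Filter * -Properties pwdLastSet, whenCreated)
```

A `NeverRotated` result means only that the object was never used to authenticate; as the ABC case shows, the machine itself may still be on the network, so confirm with another source before removing the object.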