Computer removal in AD

DrewDizzle
I want to do some housecleaning in AD, and I want to remove any old computer names from the computers list in AD. I can't find anything that does this automatically, so I was thinking I could do this when no one is working...

Turn all computers on the domain off, then delete them from AD. If my assumptions are right, AD would then repopulate itself as I turned the computers back on. Right?

I don't really care about permissions I had assigned the computers already, as I understand this would be like a new computer to AD.

Please let me know if anyone has any ideas!

Thanks
  • +
    0 Votes
    The Scummy One

    If you audit properly, you can determine which computer names have not been logged into in like 4-6 months or something. These would be the safer bets to remove.
    You should also take into consideration that people take leave or extended absence, and some of these systems may still be needed to work upon return.

    And to mention, if they use remote access, the names may not show up on the audits unless they are audited as well. What you should avoid is to remove names of active computers, especially if they are on travel, home workers, absence, etc. Well, unless you are trying to create helpdesk calls.

    +
    0 Votes
    cmiller5400

    If you delete the computer accounts, they will need to be rejoined to the domain. Better follow Scummy's advice and audit instead.

    +
    0 Votes
    CG IT

    If you delete the computer account, you will lose the computer's membership in specific OUs, which in turn will lose the Group Policy settings for that OU that the computer was a member of, and other settings too numerous to mention.

    No the computer account is NOT recreated if you turn the computer off, delete the computer account, then turn the PC back on.

    Since you ask, then you haven't done it before, so try it on a test computer first. Place a computer in an OU, apply a GPO to that OU, then turn off the computer and delete the computer account. Turn the computer back on and see what happens. Look in the OU to see if the computer is there, look to see if GPOs were applied. Try logging on with that computer, see if you get a message that says there's no computer account listed in AD for the computer you're trying to log on with, etc.

    +
    0 Votes
    The Scummy One

    a FUN support day :0 :^0

    Re-Adding all of the computers to the domain afterwards. Nobody logging in, etc..

    You are just RUINING the FUN that they will have :^0

    Here it is more strict, we don't actually have the ability (not being in IT) to re-add computers from the domain, and we have to add our own to it (through a utility website). So, we need to go to the website, create a name and wait for verification that it added, rename the computer, reboot, log in as an admin (don't forget to find out the admin PW first :0 ), and add the computer with our login info, and reboot again.
    Then we can log in to the computer with our account, and run a utility to auto-change the admin PW again.
    What a hassle, especially on a slow system on a slow as he** network.

    +
    0 Votes
    cmiller5400

    That would drive me nuts.

    +
    0 Votes
    The Scummy One

    If the computer isn't logged into the domain on-site at least every 60 days, the name gets auto-removed from the AD. This raises havoc for home users who have to show up on site a few times a year, anyone going on leave for 2+ months, etc.
    When they get back, they have a mess to deal with before they get to the mess that they already have from being absent.

    +
    0 Votes
    LarryD4

    Here is a basic VB script that will do the job. You will have to tailor it to your needs though.
    ----------------------------
    ' Deletes the computer accounts named in c:\Files\ws.txt (one name per line)
    ' from the WorkStations OU. Errors are handled per computer, so one bad
    ' name does not stop the run.
    On Error Resume Next

    Const ForReading = 1

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = objFSO.OpenTextFile("c:\Files\ws.txt", ForReading)

    Do Until objTextFile.AtEndOfStream
        strComputer = Trim(objTextFile.ReadLine)
        If strComputer <> "" Then
            ' Bind to the computer object by its distinguished name
            Set objComputer = GetObject("LDAP://CN=" & strComputer & _
                ",OU=WorkStations,DC=myCompany,DC=com")
            If Err.Number = 0 Then objComputer.DeleteObject(0)
            If Err.Number = 0 Then
                WScript.Echo "Deleted computer " & strComputer & " from AD"
            Else
                WScript.Echo "Unable to delete computer " & strComputer & _
                    " (error " & Hex(Err.Number) & ": " & Err.Description & ")"
                Err.Clear
            End If
        End If
    Loop

    objTextFile.Close
    Set objTextFile = Nothing
    Set objFSO = Nothing
    Set objComputer = Nothing

    WScript.Echo "Done"

    --------------------------

    There is a lot you can do, including saving each computer account name to a text file to read later if you remove the wrong PC. But this is the basic code for removing computer accounts.
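    An added example that is not part of the thread: rather than deleting straight from a hand-typed list as the VB script above does, this PowerShell builds the "not seen for N months" report the audit advice in this thread calls for, saves the names for recovery, and disables the accounts instead of deleting them, so a machine that turns out to be alive can be re-enabled rather than re-joined. It assumes the RSAT ActiveDirectory module is installed; the OU path is the placeholder from the script above and the threshold and file path are assumed values.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and rights to modify computer objects under $SearchBase.
Import-Module ActiveDirectory

$StaleDays  = 180                                    # 4-6 month rule of thumb from the thread
$SearchBase = "OU=WorkStations,DC=myCompany,DC=com"  # placeholder OU from the script above
$BackupCsv  = "C:\Files\stale-computers-$(Get-Date -Format yyyyMMdd).csv"
$DoDisable  = $false                                 # review the CSV first, then flip to $true

# lastLogonTimestamp is replicated to every DC but is only refreshed when the
# stored value is roughly 9-14 days old, so it proves "not seen for at least
# N days", not an exact last logon. The plain lastLogon attribute does not
# replicate and differs on every DC, so do not rely on it alone.
$cutoff = (Get-Date).AddDays(-$StaleDays)

$stale = @(
  Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
      -Properties lastLogonTimestamp, operatingSystem, whenCreated |
    ForEach-Object {
      $last = $null
      if ($_.lastLogonTimestamp) { $last = [DateTime]::FromFileTime($_.lastLogonTimestamp) }
      [pscustomobject]@{
        Name              = $_.Name
        DistinguishedName = $_.DistinguishedName
        OperatingSystem   = $_.operatingSystem
        WhenCreated       = $_.whenCreated
        LastLogon         = $last
      }
    } |
    Where-Object {
      # An account that has never logged on but was created recently is
      # probably a join in progress; only treat it as stale once it is old.
      if ($null -eq $_.LastLogon) { $_.WhenCreated -lt $cutoff } else { $_.LastLogon -lt $cutoff }
    }
)

# Keep a copy of what was found before touching anything, so a wrong pick can be undone.
$stale | Sort-Object LastLogon | Export-Csv -Path $BackupCsv -NoTypeInformation
"{0} enabled computer accounts not seen since {1:yyyy-MM-dd}; list written to {2}" -f `
    $stale.Count, $cutoff, $BackupCsv

if ($DoDisable) {
  foreach ($c in $stale) {
    # Disabling keeps the object, its OU placement and group memberships, so a
    # machine that is still in use is re-enabled rather than re-joined.
    # Delete the account later, once nobody has asked for it back.
    Disable-ADAccount -Identity $c.DistinguishedName -Confirm:$false
    Set-ADComputer -Identity $c.DistinguishedName -Description `
        ("Disabled as stale {0:yyyy-MM-dd}; last logon {1:yyyy-MM-dd}" -f (Get-Date), $c.LastLogon)
  }
}
```

    Run it once with $DoDisable left at $false and read the CSV against the list of known-active machines before letting it touch anything.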

    +
    0 Votes
    MAEX

    Have seen lots of comments, but how about spending a bit of time and searching for a couple of scripts to check your AD environment.

    First script to check last machine account logon to your domain.

    Second script to check last user logon from particular machine account to your domain.

    After having these two details you should be able to assess what to delete and what not. The first script should be enough.

    +
    0 Votes
    CG IT

    He should know what computers are supposed to be there and what computers are not. Simply a matter of looking at the damn list. Not on the list, shouldn't be there, delete, voila! Badda boom, done.

    +
    0 Votes
    The Scummy One

    Auditing should help determine what should be safe to remove.

    +
    0 Votes

    OK

    DrewDizzle

    Well thanks there guy, in a perfect world you are right. BUT in the real world it's not like that. There was no documentation when I took this over recently, so now I have to deal with it and make current lists.

    Why don't you try to be helpful instead of making crappy comments that don't help anyone.

    +
    0 Votes
    DrewDizzle

    Thank you to all who have replied.

    I know it seems like a crazy amount of extra work to do it like I suggested. But as it stands right now, none of the computers are in specific OUs, except for the default Computers OU. The GP on that OU is mostly undefined, so even if I lost it, it wouldn't be that big a deal.

    The whole point of me wanting to clean it up, is to put them in specific OUs, and then apply different GPs to the new OUs. (How it should be)

    There are about 50 computers here, but like 200 computer names in AD. There are no remote users, and I wouldn't remove any of the critical systems since I know the computer names and they are still active.

    I am not saying I think they will rejoin the OUs they are in now, and re-apply GP permissions once I turn the computers back on.

    I am just trying for a clean slate as far as OUs and computer names in AD.

    +
    0 Votes
    The Scummy One

    But removing the computers and just turning them back on will not re-join them to the domain, so you will need to be careful about which are deleted.
    Probably the best way is using the script above, or other, that can tell you when each computer name was last logged into the AD. If it has been over 4-6 months, remove it.
    The rest (50 or so), organize as needed without removing them from the AD.

    +
    0 Votes
    DrewDizzle

    Thank you, I see what you are saying now. I would have to rejoin all the computers to the domain after removing them from AD. I did have the audit feature on the GP, so I can look at the event log to see the last time it logged into AD.

    By the way, there is no helpdesk here, it's me, that's it.

    +
    0 Votes
    The Scummy One

    prevent a nightmare for you

    Please mark the helpful answer(s) as helpful. This way if someone has a similar issue, they may not have to post a new question, but just review which items worked.

    You can mark multiple answers as helpful if there were multiple answers that helped.

    Thank You

    +
    0 Votes
    MAEX

    Find User and Computer Accounts based on Last Logon Date Time
    http://www.tools4ever.com/products/utilities/reallastlogon/

    Last Login Script
    http://boards.cramsession.com/boards/vbms.asp?d=744261&pvm=False

    There are pleeennntttyyyyyy of good working examples out there. Just adapt.

    +
    0 Votes
    ITsteve13

    Check out a tool called Netwrix Inactive User Tracker, it has an option to track stale computer accounts. Another tool is True Last Logon. Plus several bigger general purpose AD reporting products have reports for this.

    +
    0 Votes
    Lepide

    What you are talking about is the user management.
    Try the script:

    ' Same approach as the script posted above: delete the computer accounts
    ' listed one per line in c:\Files\ws.txt from the WorkStations OU.
    On Error Resume Next

    Const ForReading = 1

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = objFSO.OpenTextFile("c:\Files\ws.txt", ForReading)

    Do Until objTextFile.AtEndOfStream
        strComputer = Trim(objTextFile.ReadLine)
        If strComputer <> "" Then
            Set objComputer = GetObject("LDAP://CN=" & strComputer & _
                ",OU=WorkStations,DC=myCompany,DC=com")
            If Err.Number = 0 Then objComputer.DeleteObject(0)
            If Err.Number = 0 Then
                WScript.Echo "Deleted computer " & strComputer & " from AD"
            Else
                WScript.Echo "Unable to delete computer " & strComputer & _
                    " (error " & Hex(Err.Number) & ": " & Err.Description & ")"
                Err.Clear
            End If
        End If
    Loop

    objTextFile.Close
    Set objTextFile = Nothing
    Set objFSO = Nothing
    Set objComputer = Nothing

    WScript.Echo "Done"

    Or you can go for some AD tools like: http://www.manageactivedirectory.com/
