
Computer removal in AD


DrewDizzle
I want to do some housecleaning in AD, and I want to remove any old computer names from the computers list in AD. I can't find anything that does this automatically, so I was thinking I could do this when no one is working...

Turn all computers on the domain off, then delete them from AD. If my assumptions are right, AD would then repopulate itself as I turned the computers back on... Right?

I don't really care about permissions I had assigned the computers already, as I understand this would be like a new computer to AD.

Please let me know if anyone has any ideas!

Thanks
The Scummy One

If you audit properly, you can determine which computer names have not been logged into in, like, 4-6 months or something. These would be the safer bets to remove.
You should also take into consideration that people take leave or extended absence, and some of these systems may still be needed to work upon return.

And to mention, if they use remote access, the names may not show up on the audits unless they are audited as well. What you should avoid is to remove names of active computers, especially if they are on travel, home workers, absence, etc. Well, unless you are trying to create helpdesk calls.

cmiller5400

If you delete the computer accounts, they will need to be rejoined to the domain. Better follow Scummy's advice and audit instead.

CG IT

If you delete the computer account, you will lose the computer's membership in specific OUs, which in turn will lose the Group Policy settings for that OU that the computer was a member of, and other settings too numerous to mention.

No the computer account is NOT recreated if you turn the computer off, delete the computer account, then turn the PC back on.

Since you ask, then you haven't done it before, so try it on a test computer first. Place a computer in an OU, apply a GPO to that OU, then turn off the computer and delete the computer account. Turn the computer back on and see what happens. Look in the OU to see if the computer is there, look to see if GPOs were applied. Try logging on with that computer, see if you get a message that says there's no computer account listed in AD for the computer you're trying to log on with.... etc.

The Scummy One

a FUN support day :0 :^0

Re-Adding all of the computers to the domain afterwards. Nobody logging in, etc..

You are just RUINING the FUN that they will have :^0

Here it is more strict, we don't actually have the ability (not being in IT) to re-add computers from the domain, and we have to add our own to it (through a utility website). So, we need to go to the website, create a name and wait for verification that it added, rename the computer, reboot, log in as an admin (don't forget to find out the admin PW first :0 ), and add the computer with our login info, and reboot again.
Then we can log in to the computer with our account, and run a utility to auto-change the admin PW again.
What a hassle, especially on a slow system on a slow as he** network

cmiller5400

That would drive me nuts.

The Scummy One

If the computer isn't logged into the domain on-site at least every 60 days, the name gets auto-removed from the AD. This raises havoc for home users who have to show up on site a few times a year, anyone going on leave for 2+ months, etc.
When they get back, they have a mess to deal with before they get to the mess that they already have from being absent.

LarryD4

Here is a basic VB script that will do the job. You will have to tailor it to your needs though.
----------------------------
' Deletes the computer accounts named in ws.txt (one name per line)
' from the WorkStations OU. Errors are reported per name instead of
' stopping the script.
On Error Resume Next

Const ForReading = 1

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("c:\Files\ws.txt", ForReading)

Do Until objTextFile.AtEndOfStream
    strComputer = Trim(objTextFile.ReadLine)
    If strComputer <> "" Then
        ' Bind to the computer object by its distinguished name
        Set objComputer = GetObject("LDAP://CN=" & strComputer & _
            ",OU=WorkStations,DC=myCompany,DC=com")
        If Err.Number <> 0 Then
            Err.Clear
            WScript.Echo "Computer " & strComputer & " not found in AD"
        Else
            ' IADsDeleteOps.DeleteObject removes the object and any children
            objComputer.DeleteObject 0
            If Err.Number = 0 Then
                WScript.Echo "Deleted computer " & strComputer & " from AD"
            Else
                Err.Clear
                WScript.Echo "Unable to delete computer " & strComputer
            End If
        End If
    End If
Loop

objTextFile.Close
Set objTextFile = Nothing
Set objFSO = Nothing
Set objComputer = Nothing

WScript.Echo "Done"

--------------------------

There is a lot you can do, including saving each computer account name to a text file to read later if you remove the wrong PC. But this is the basic code for removing computer accounts.

MAEX

Have seen lots of comments, but how about spending a bit of time and searching for a couple of scripts to check your AD environment.

First script to check last machine account logon to your domain.

Second script to check last user logon from particular machine account to your domain.

After having these two details you should be able to assess what to delete and what not. The first script should be enough.
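An added example, written for this page and not posted by anyone in the thread, of the first audit script MAEX describes (and the audit Scummy One recommends): it lists enabled computer accounts whose lastLogonTimestamp is older than a cutoff, exports them to CSV as the rollback record LarryD4 mentions, and disables rather than deletes them so OU and GPO membership survive. It assumes the RSAT ActiveDirectory module; the OU and file paths are placeholders borrowed from LarryD4's script.

```powershell
# Added example (not from this thread): report stale computer accounts,
# save them for rollback, and disable (not delete) them.
# Assumes the RSAT ActiveDirectory module; OU and file paths are placeholders.
param(
    [int]$StaleDays = 180,   # roughly the 4-6 months suggested in the thread
    [string]$SearchBase = "OU=WorkStations,DC=myCompany,DC=com",
    [string]$ReportPath = "C:\Files\stale-computers.csv",
    [switch]$Disable
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$StaleDays)

# lastLogonTimestamp is replicated to every DC but only refreshed about every
# 14 days, so it is fine for "months" of staleness, not day-level accuracy.
$stale = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
             -Properties lastLogonTimestamp, operatingSystem, whenCreated |
    ForEach-Object {
        # Accounts that never logged on have no timestamp; fall back to creation date.
        $last = if ($_.lastLogonTimestamp) {
            [DateTime]::FromFileTime($_.lastLogonTimestamp)
        } else { $_.whenCreated }
        [pscustomobject]@{
            Name              = $_.Name
            DistinguishedName = $_.DistinguishedName
            OperatingSystem   = $_.operatingSystem
            LastLogon         = $last
        }
    } |
    Where-Object { $_.LastLogon -lt $cutoff }

# Keep name + DN (which records the OU) so a wrongly flagged machine can be found again.
$stale | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} account(s) idle for more than {1} days written to {2}" -f @($stale).Count, $StaleDays, $ReportPath)

if ($Disable) {
    # Disabling keeps OU membership, group membership and GPO scope intact, so the
    # account can be re-enabled without rejoining the machine to the domain.
    foreach ($c in $stale) {
        Disable-ADAccount -Identity $c.DistinguishedName -WhatIf   # drop -WhatIf after reviewing the CSV
    }
}
```

Machines that only connect over remote access may still show a stale timestamp, as Scummy One notes, so review the CSV against the known home-worker and leave list before removing -WhatIf.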

CG IT

He should know what computers are supposed to be there and what computers are not. Simply a matter of looking at the damn list. Not on the list, shouldn't be there, delete, voila! badda boom, done.

The Scummy One

Auditing should help determine what should be safe to remove.