Computer removal in AD

By DrewDizzle
I want to do some housecleaning in AD, and I want to remove any old computer names from the computers list in AD. I can't find anything that does this automatically, so I was thinking I could do this when no one is working...

Turn all computers on the domain off, then delete them from AD. If my assumptions are right, AD would then repopulate itself as I turned the computers back on.. Right?

I don't really care about permissions I had assigned the computers already, as I understand this would be like a new computer to AD..

Please let me know if anyone has any ideas!



All Answers


by The Scummy One In reply to Computer removal in AD

If you audit properly, you can determine which computer names have not been logged into in like 4-6 months or something. These would be the safer bets to remove.
You should also take into consideration that people take leave or extended absence, and some of these systems may still be needed to work upon return.

And to mention, if they use remote access, the names may not show up on the audits unless they are audited as well. What you should avoid is removing names of active computers, especially if they are on travel, home workers, absence, etc.. Well, unless you are trying to create helpdesk calls.


by cmiller5400 In reply to Computer removal in AD

If you delete the computer accounts, they will need to be rejoined to the domain. Better follow Scummy's advice and audit instead.

As Cmiller points out, you will lose SIDs

by CG IT In reply to Maybe...

if you delete the computer account. You will lose the computer's membership in specific OUs, which in turn will lose Group Policy settings for that OU that the computer was a member of, and other settings too numerous to mention.

No, the computer account is NOT recreated if you turn the computer off, delete the computer account, then turn the PC back on.

Since you ask, then you haven't done it before, so try it on a test computer first. Place a computer in an OU, apply a GPO to that OU. Then turn off the computer, delete the computer account. Turn the computer back on and see what happens. Look in the OU to see if the computer is there, look to see if GPOs were applied. Try logging on with that computer, see if you get a message that says there's no computer account listed in AD for the computer you're trying to log on with.... etc.

But that would make for

by The Scummy One In reply to As Cmiller points out, yo ...

a FUN support day :0 :^0

Re-Adding all of the computers to the domain afterwards. Nobody logging in, etc..

You are just RUINING the FUN that they will have :^0

Here it is more strict, we don't actually have the ability (not being in IT) to re-add computers from the domain, and we have to add our own to it (through a utility website). So, we need to go to the website, create a name and wait for verification that it added, rename the computer, reboot, log in as an admin (don't forget to find out the admin PW first :0 ), and add the computer with our login info, and reboot again.
Then we can log in to the computer with our account, and run a utility to auto-change the admin PW again.
What a hassle, especially on a slow system on a slow as he** network.

What a convoluted process

by cmiller5400 In reply to But that would make for

That would drive me nuts.

Oh, it gets worse

by The Scummy One In reply to What a convoluted process

If the computer isn't logged into the domain on-site at least every 60 days, the name gets auto-removed from the AD. This raises havoc for home users who have to show up on site a few times a year, anyone going on leave for 2+ months, etc..
When they get back, they have a mess to deal with before they get to the mess that they already have from being absent.

VB Script

by LarryD4 In reply to Computer removal in AD

Here is a basic VB script that will do the job. You will have to tailor it to your needs though.
On Error Resume Next

Const ForReading = 1

' ws.txt holds one computer name per line; the OU and domain below are the
' script's own example values and must be changed to match your directory.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("c:\Files\ws.txt", ForReading)

Do Until objTextFile.AtEndOfStream
    Err.Clear   ' reset the error state left over from the previous name
    strComputer = Trim(objTextFile.ReadLine)
    If strComputer <> "" Then
        Set objComputer = GetObject("LDAP://CN=" & strComputer & _
            ",OU=WorkStations,DC=myCompany,DC=com")
        ' Only attempt the delete if the bind succeeded
        If Err.Number = 0 Then objComputer.DeleteObject 0
        If Err.Number = 0 Then
            WScript.Echo "Deleted computer " & strComputer & " from AD"
        Else
            WScript.Echo "Unable to delete computer " & strComputer & " (" & Err.Description & ")"
        End If
    End If
Loop   ' closes the Do Until; without it the script does not run

objTextFile.Close
Set objTextFile = Nothing
Set objFSO = Nothing
Set objComputer = Nothing

WScript.Echo "Done"


There is a lot you can do, including saving each computer account name to a text file to read later if you remove the wrong PC. But this is the basic code for removing computer accounts.

Just a minute or two...

by MAEX In reply to Computer removal in AD

Have seen lots of comments, but how about spending a bit of time and searching for a couple of scripts to check your AD environment.

First script to check last machine account logon to your domain.

Second script to check last user logon from particular machine account to your domain.

After having these two details you should be able to assess what to delete and what not. The first script should be enough.
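The audit that The Scummy One and MAEX describe, written out as an added example that is not from anyone in this thread. It assumes the RSAT ActiveDirectory PowerShell module; the 180-day window, the report path and the quarantine OU name are assumptions to adapt. It disables and moves stale accounts rather than deleting them, because (as CG IT notes above) a deleted account forces a domain rejoin while a disabled one can be re-enabled when someone returns from travel or leave.

```powershell
# Added example (not from the thread): find stale computer accounts, keep the evidence,
# and quarantine rather than delete. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

$StaleDays    = 180                                        # assumed window (~6 months)
$Cutoff       = (Get-Date).AddDays(-$StaleDays)
$QuarantineOU = 'OU=StaleComputers,DC=myCompany,DC=com'    # assumed OU; create it first
$Report       = "C:\Files\stale-computers-$(Get-Date -Format 'yyyyMMdd').csv"
$DryRun       = $true                                      # set $false only after reviewing the CSV

# lastLogonTimestamp is replicated between DCs but can lag the real last logon by up to 14 days.
# pwdLastSet moves whenever the machine rotates its account password (30 days by default), which
# a VPN-connected laptop still does. An account is stale only when BOTH are older than the cutoff.
$Computers = Get-ADComputer -Filter { Enabled -eq $true } -Properties lastLogonTimestamp, pwdLastSet, OperatingSystem |
  Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' } |
  ForEach-Object {
    $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
    $pwdSet    = if ($_.pwdLastSet)         { [DateTime]::FromFileTime($_.pwdLastSet) }         else { $null }
    [PSCustomObject]@{
      Name               = $_.Name
      DistinguishedName  = $_.DistinguishedName
      OperatingSystem    = $_.OperatingSystem
      LastLogonTimestamp = $lastLogon
      PwdLastSet         = $pwdSet
      Stale              = (($null -eq $lastLogon -or $lastLogon -lt $Cutoff) -and
                            ($null -eq $pwdSet    -or $pwdSet    -lt $Cutoff))
    }
  }

# Write the full record before touching anything: it is the rollback list if the wrong PC is hit.
$Computers | Export-Csv -Path $Report -NoTypeInformation
$Stale = @($Computers | Where-Object { $_.Stale })
'{0} of {1} enabled computer accounts show no activity since {2:d}' -f $Stale.Count, $Computers.Count, $Cutoff

# Stage 1: disable, tag and move. Nothing here is irreversible.
foreach ($c in $Stale) {
  Disable-ADAccount -Identity $c.DistinguishedName -WhatIf:$DryRun
  Set-ADComputer    -Identity $c.DistinguishedName -Description "Disabled $(Get-Date -Format 'yyyy-MM-dd'): stale per audit" -WhatIf:$DryRun
  Move-ADObject     -Identity $c.DistinguishedName -TargetPath $QuarantineOU -WhatIf:$DryRun
}
# Stage 2, weeks later and only for accounts nobody has reclaimed:
# Get-ADComputer -SearchBase $QuarantineOU -Filter * | Remove-ADObject -Recursive -WhatIf:$DryRun
```

Domain controllers are excluded by OU because they hold computer accounts too; the same exclusion belongs on cluster name objects and any other service machines the audit would otherwise flag.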

If he had proper documentation that was kept up to date

by CG IT In reply to Just a minute or two...

he should know what computers are supposed to be there and what computers are not. Simply a matter of looking at the damn list. Not on the list, shouldn't be there, delete, voila! badda boom, done.

But without proper documentation

by The Scummy One In reply to If he had proper document ...

auditing should help determine what should be safe to remove.
