Computer removed from domain


kotolski

Is there an automatic AD setting that after a certain time frame, if a
computer has not authenticated to the domain, AD will remove the
computer?
 
Is there an automatic AD setting that after a certain time frame, if a
computer has not authenticated to the domain, AD will remove the
computer?

No,

There is no setting to do this automatically out of the box.
"Authenticated to the domain", do you mean the last time the computer
logged in?
The attribute you are looking for is called lastLogon, which gives you
the time the computer/user last authenticated to Active Directory.
This value is not replicated to all domain controllers, and it is set
as a 64-bit number, so you need to gather this value from all DCs and
convert it to something we can read.
From there you can disable or delete the accounts with this info.
There are scripts and a couple of free tools you can download, or other
third-party tools such as Active Directory Janitor, which allows you to
disable, delete, and move accounts from one console.

http://www.joeware.net/freetools/

http://www.specopssoft.com/products/adjanitor/

Good luck

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
 
Is there an automatic AD setting that after a certain time frame, if a
computer has not authenticated to the domain, AD will remove the
computer?

No, and it is difficult to imagine this would ever be a good idea.

Admins should make a conscious decision to remove a computer
from the domain. Otherwise network, DNS, or just long absences
could do this automatically when it was not the best plan.

There are very few domains where this would be a large enough number
being CORRECTLY removed to even be useful, and in such domains
a script can be written, preferably to display a list of computers for
admin review before removing them.
 
There are two attributes you can key off of to solve this problem.

As mentioned before, there is the lastLogon attribute. Since this is not
replicated, it becomes less efficient to use, because you must construct
your query such that it asks each DC for the last logon for each computer
and then compares the values. There are many tools out there that do the
querying and comparison automatically, but because you're querying multiple
DCs, it can take a while, especially if you have several DCs spread out over
a LAN.

A more efficient approach is to work from the pwdLastSet attribute.
Computer accounts that are actively on the domain will reset their password
with a domain controller every 30 days. (Note: that default 30 day value
can be configured to another value). The pwdLastSet attribute is
replicated, which makes it a simple query.

You may want to query for all computer accounts whose pwdLastSet value is
longer than say, 45 days, and review them for deletion. You may also want
to consider laptops or remote users that take their computers from their
domain for extended periods of time. We have some DSRAZOR for Windows
customers that automatically scan AD (scheduled job) on a nightly basis for
computer accounts with old passwords and automatically remove or disable
them. Some of our customers also place rules in the query to exclude
laptops, etc.

If you would like to see how you can do this with DSRAZOR then you can go to
our website here:
www.visualclick.com/?source=cleanupcomputers050407
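An added PowerShell example (not from any poster in this thread, nor from DSRAZOR or the joeware tools) that combines the two approaches above: it queries the replicated pwdLastSet attribute once, then confirms each candidate by collecting the non-replicated lastLogon value from every DC and keeping the newest, and prints the list for admin review rather than deleting anything. It assumes the RSAT ActiveDirectory module is installed; the 45-day cutoff and the "OU=Laptops" exclusion are illustrative assumptions.

```powershell
# Added example: list computer accounts with stale machine passwords for review.
# Assumes the ActiveDirectory module (RSAT). Cutoff and laptop OU are assumptions.
Import-Module ActiveDirectory

$StaleDays  = 45
# pwdLastSet and lastLogon are 64-bit FILETIME values (100-ns ticks since
# 1601-01-01 UTC), so express the cutoff in that form for the LDAP filter.
$CutoffFile = (Get-Date).ToUniversalTime().AddDays(-$StaleDays).ToFileTimeUtc()

# pwdLastSet is replicated, so one query against any DC is enough.
# The bitwise matching rule excludes accounts that are already disabled (UAC bit 2).
$stale = Get-ADComputer `
    -LDAPFilter "(&(pwdLastSet<=$CutoffFile)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" `
    -Properties pwdLastSet, operatingSystem, description |
    Where-Object { $_.DistinguishedName -notlike '*OU=Laptops,*' }  # assumed OU for roaming machines

# lastLogon is NOT replicated: ask every DC and keep the newest value.
$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($c in $stale) {
    $newest = 0
    foreach ($dc in $dcs) {
        try {
            $v = (Get-ADComputer -Identity $c.DistinguishedName -Server $dc -Properties lastLogon).lastLogon
            if ($v -gt $newest) { $newest = $v }
        } catch {
            Write-Warning "Could not query $dc for $($c.Name): $_"
        }
    }
    [pscustomobject]@{
        Name            = $c.Name
        OS              = $c.operatingSystem
        # pwdLastSet of 0 means never set; flag it instead of converting it.
        PasswordLastSet = if ($c.pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($c.pwdLastSet) } else { 'never' }
        LastLogonAnyDC  = if ($newest -gt 0) { [DateTime]::FromFileTimeUtc($newest) } else { 'never' }
        DN              = $c.DistinguishedName
    }
}

$report | Sort-Object Name | Format-Table -AutoSize
$report | Export-Csv -Path .\stale-computers.csv -NoTypeInformation

# After reviewing the CSV, disable (rather than delete) the confirmed accounts;
# keep -WhatIf until the list has been checked:
# $report | ForEach-Object { Disable-ADAccount -Identity $_.DN -WhatIf }
```

Disabling first and deleting later preserves the account's SID and group memberships in case a machine that was merely offline for a long stretch comes back.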
 