Managing Computer Objects


Jeremy Clark

My organization uses Active Directory with over 10000
users and over 8000 computers. We give LAN administrators
for each OU permission to add and remove user and computer
objects. The problem that we are running into is that some
LAN admins will add computer objects and over time get a
new computer and give it a new name and not delete the old
computer from their respective OU in Active Directory. At
some point we had over 5000 computer objects that we could
not contact and in order to better manage and get a good
number of how many computers we actually had on our
network we manually deleted the computer objects. I am
looking for a solution other than removing the permissions
from our LAN admins for each OU. My organization needs a
good count of actually how many computers we have on our
domain keeping that count accurate with the computer
objects in Active Directory. Any help is greatly
appreciated. Thanks for your time.


Without totally changing the way that we manage
 
Hi Jeremy,

A lot of people use a script to remove inactive computer accounts to solve
this problem.

Here is a script that can find and disable/delete inactive computers for
Windows 2000:
http://www.rallenhome.com/books/managingenterprisead/source/Ch11-Listing23_Finding_Inactive_Computers.perl.txt

This script is a little more straightforward but requires Win Server 2003
AD:
http://www.rallenhome.com/books/adcookbook/src/08.08-find_inactive_computers.pls.txt

Let me know if you have any questions.

Regards,
Robbie Allen
 
My organization needs a
good count of actually how many computers we have on our
domain keeping that count accurate with the computer
objects in Active Directory. Any help is greatly
appreciated. Thanks for your time.

I really cannot imagine how your workflow (computer ordering,
inventory, setup, accounting, etc.) is.
Let me describe our procedures:
Departments are ordering their equipment at a central department. If a
computer (or monitor or printer or any other IT equipment) is
delivered to the company it will receive a unique number which is its
ID for its lifetime. We have different number ranges for leasing and
for purchased items. The computer name consists of this ID together
with a common prefix. This ID is the link between our ERP (SAP) and
the service desk/helpdesk (ARS). An inventory tool (Empirum) is
gathering the computer assets and those data are available inside the
helpdesk application.
If a computer is going back to the leasing partner (or a purchased
computer has a hardware defect) someone has to update the record in
ERP (the same person is responsible to delete all data, wiping disks).
It's quite easy to run queries for "valid" computers ... if necessary.

You are looking for a technical solution and you have a big
organizational problem indeed.

Okay, back to tech talk:
You may run a query in AD to detect computers that lost their account
because they haven't been connected for some time. This may be checked
against traveling users (notebooks) which are absent for long.
Then run a script to delete those computers which you have identified
as "gone with the wind".

Ciao, Walter
 
Sorry I didn't mention it in my first post. I am dealing
with a Windows 2000 domain.
 
Thanks for your information Walter. My organization has
equipment that does come through one initial location. With
all of the computers that are already in place though is
where the problem with giving them all a unique id would
be. That and the fact of starting a database with over
10000 computers. Beyond that though, would you be able to
point me in the right direction of where I would find out
how to run this query you speak of? Would it check
something like the last time a user logged onto a certain
computer or something like that? Would this be a VB or
similar script? I have some small scripting background,
although none with AD. Thanks for your time.

Jeremy
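
An added example, not from any poster in this thread and not the code of the linked scripts: one way to do the inactivity check discussed above, offline, over an export of computer objects. It assumes the export carries each object's `cn` and `pwdLastSet` (a replicated attribute that domain members refresh when they rotate their machine password), a 90-day cutoff, and a hand-maintained exemption list for long-absent notebooks; all names and sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(value):
    """Convert an exported large-integer timestamp; 0 means 'never set'."""
    value = int(value)
    return None if value <= 0 else FILETIME_EPOCH + timedelta(microseconds=value // 10)

def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the sample data."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def find_stale(records, now, max_age_days=90, exempt=()):
    """Return (name, age_days, action) for accounts past the cutoff.

    records: dicts with 'cn' and 'pwdLastSet' as exported strings.
    exempt:  names to route to manual review, e.g. travelling notebooks.
    """
    exempt = {name.lower() for name in exempt}
    report = []
    for rec in records:
        changed = filetime_to_dt(rec.get("pwdLastSet", 0))
        age = None if changed is None else (now - changed).days
        if age is not None and age <= max_age_days:
            continue  # password rotated recently: the machine is still around
        # Never-set (pre-staged) and exempt accounts go to a human, not a script.
        action = "review" if age is None or rec["cn"].lower() in exempt else "disable"
        report.append((rec["cn"], age, action))
    # Oldest first; accounts with no timestamp last.
    return sorted(report, key=lambda r: (r[1] is None, -(r[1] or 0)))

# Constructed sample export (not real hosts).
NOW = datetime(2004, 6, 1, tzinfo=timezone.utc)
def _days_ago(n):
    return str(dt_to_filetime(NOW - timedelta(days=n)))

SAMPLE = [
    {"cn": "PC-ACCT-01", "pwdLastSet": _days_ago(12)},
    {"cn": "PC-OLD-17", "pwdLastSet": _days_ago(400)},
    {"cn": "NB-SALES-03", "pwdLastSet": _days_ago(120)},
    {"cn": "PC-PRESTAGED", "pwdLastSet": "0"},
]

if __name__ == "__main__":
    for name, age, action in find_stale(SAMPLE, NOW, exempt=["NB-SALES-03"]):
        print(f"{name:14} age_days={age} -> {action}")
```

Disabling first and deleting only after a grace period keeps the cleanup reversible if a flagged machine turns out to be in use.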
 