We use the following technique to remove unused or obsolete computers from our environment:
  1. Run daily script on all computers that have NOT refreshed their pwdLastSet value >= xx days (xx implies age is configurable)
  2. Report findings in HTML format to a centralized location
  3. Use Friday's report as an input file to perform computer deletes on Saturdays when the Active Directory environment is underutilized
  4. Report deletes in HTML format to a centralized location
On average we remove a couple hundred machines per week, which is good and bad.  Good because we are keeping our AD environment clean, which is a key learning from Windows NT 4 EOL.  Bad because we are not following best practices of retiring computers due to leaves, terminations, etc.
 
Note:  I will be presenting best known practices and techniques on this topic at DEC Spring 2004 in Washington DC ; )  See http://www.netpro.com/events/decadspring04/abstracts_c.cfm for details.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Monday, December 22, 2003 8:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] inactive computers question

pwdLastSet is a replicated attribute. Within the limits of replication latency, he should be getting the same value regardless of the DC he happens to query.
 
The lastLogon attribute (available in 2000) is not replicated, so if the scripts use that to determine inactive computers then they'll need to loop through all of the DCs to get the most recent value.
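The distinction in this reply, as an added example that is not part of the thread: a replicated attribute can be read from one export, while lastLogon has to be merged across every DC by keeping the newest value per computer. The sketch assumes one csvde-style CSV export per DC with a `DN` column and the attribute column; the DC exports, computer names and the 90-day threshold are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(value):
    """AD large integer (100-ns ticks since 1601-01-01 UTC) -> datetime; 0/blank = never."""
    ticks = int(value or 0)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10) if ticks > 0 else None

def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def newest_value(exports, attr):
    """Merge csvde-style exports (one CSV text per DC): highest tick count per DN wins."""
    newest = {}
    for text in exports:
        for row in csv.DictReader(io.StringIO(text)):
            ticks = int(row.get(attr) or 0)
            newest[row["DN"]] = max(newest.get(row["DN"], 0), ticks)
    return newest

def stale_computers(exports, attr, now, max_age_days):
    """Return {DN: last datetime or None} for accounts whose age is >= max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    result = {}
    for dn, ticks in newest_value(exports, attr).items():
        when = filetime_to_dt(ticks)
        if when is None or when <= cutoff:
            result[dn] = when
    return result

# Constructed sample: two DCs whose lastLogon values differ because it is not replicated.
NOW = datetime(2003, 12, 22, tzinfo=timezone.utc)
BASE = "OU=Workstations,DC=example,DC=com"

def sample_export(ages_in_days):
    lines = ["DN,lastLogon"]
    for name, age in ages_in_days.items():
        ticks = 0 if age is None else dt_to_filetime(NOW - timedelta(days=age))
        lines.append(f'"CN={name},{BASE}",{ticks}')
    return "\n".join(lines)

DC1 = sample_export({"PC-ACTIVE": 200, "PC-OLD": 150, "PC-NEVER": None})
DC2 = sample_export({"PC-ACTIVE": 3, "PC-OLD": None, "PC-NEVER": None})

if __name__ == "__main__":
    for dn, when in sorted(stale_computers([DC1, DC2], "lastLogon", NOW, 90).items()):
        print(dn, when.date() if when else "never")
```

Querying only the first DC would flag PC-ACTIVE as 200 days idle; the merged view shows it logged on 3 days ago, which is the gap a delete job based on a single DC's lastLogon would fall into.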


From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Monday, December 22, 2003 9:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] inactive computers question

Though I haven't used dsquery this way before, I think I can hazard a simple theory as to why you are getting inconsistent reports. Since pwdLastSet is not replicated among DCs, the values will be DIFFERENT across all your DCs. There is no magical way to determine which DC has the most current value for a specific non-replicated attribute.
 
Richard Mueller (http://www.rlmueller.net/) has a very handy script that loops thru ALL your DCs and gets the most current pwdLastSet value. I think this would be a better option.
 
 
Sincerely,

Deji Akomolafe, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon


From: Rich Milburn
Sent: Mon 12/22/2003 7:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] inactive computers question

I know that dsquery and dsrm are good for AD2003 environments to find and remove inactive computer accounts in AD, as is Robbie's script.  Someone on the SMS list has AD 2000 though, dsquery doesn't work, and Robbie's script is returning nothing.  Even if the info is not easily convertible to a date, seems like you should be able to sort by a column in a csvde export and see the same information - i.e. sort by pwdLastSet?  Any ideas?  It looked like lastLogonTimestamp might be a good one... but alas that's new with 2003 so that's no good for him.  The main source of my confusion is that dsquery and a sort by pwdLastSet do not show the same computers as being inactive the longest.

 

Thanks

Rich
