I remove computer accounts that are stale for 6 months or longer.
Period.  That is usually sufficient to cover most maternity leaves,
etc.  I can't be sure that they are getting virus pattern file
updates or hotfixes if they're off for such a long period, so I agree that
longer than that is ridiculous.  If there is a valid reason, a deskside
tech can always put them back in the domain when they return.  These
occurrences are rare enough that it's more worth it to remove them.

Just my two cents!

-DaveC
Reuters CIO Infrastructure

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, March 17, 2005 9:22 AM
To: [email protected]
Subject: RE: [ActiveDir] Can you expire a computer account in AD

I suppose the limitations should be pointed out, so here goes.

The reason you wouldn't want just lastLogonTimestamp is something that
was discussed here a little while back.  Basically, it's that as a
datapoint, it's not enough information to accurately figure out which
objects are not being used.  To make it worse, LLTStamp is a replicated
and latent attribute.  Put another way, its accuracy is only within 7
days, which is the replication schedule for that attribute.  Comp accounts
are 30 day intervals, but you run the risk of disabling/removing something
that is a valid account if you rely on this solely.  Using this in
conjunction with password last set should reduce the error rate
exponentially as it's yet another indicator of activity.  Keep in mind
that a valid computer account neither has to log on nor change its
password on that schedule to be valid.  Consider laptops as an example,
especially laptops that stay off the network for long periods of time
(year at a time?).

I can honestly say that I think it's ridiculous to have a corporate
resource that stays off the network for extended periods, but they do
exist and have to be accounted for in some fashion.  I believe that's
why the requirement to disable vs. remove entirely came into the
picture. 

Just something to be aware of when using this information.  

Al

  

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Thursday, March 17, 2005 9:01 AM
To: [email protected]
Subject: Re: [ActiveDir] Can you expire a computer account in AD

It is in oldcmp:

oldcmp -llts

[EMAIL PROTECTED] wrote:
> I read this somewhere and had to confirm.  Looks like if you're 2003 
> domain functional - lastLogonTimestamp works for computers as well.
> Unfortunately, it's not exposed in tools like DSGET.  Maybe joe will 
> add this as a switch to oldcmp - as well as user accounts.
> 
> -m
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of P West
> Sent: Tuesday, March 15, 2005 3:24 PM
> To: [email protected]
> Subject: Re: [ActiveDir] Can you expire a computer account in AD
> 
> That's exactly what I intend to do. Disable those suckers.
> 
> 
> thanks all
> ----- Original Message -----
> From: "Mulnick, Al" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Tuesday, March 15, 2005 2:44 PM
> Subject: RE: [ActiveDir] Can you expire a computer account in AD
> 
> 
> 
>>Because it derives from the User class, I can't think of a reason why you
>>couldn't set that value.  I'm not sure (and have no way to test at the
>>moment) if that value would be valid for what you're doing however.
>>
>>You could just disable the computer accounts vs. expire them.  That's 
>>available from the GUI if you want to access it that way else it's 
>>scriptable.
>>
>>al
>>
>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of P West
>>Sent: Tuesday, March 15, 2005 2:28 PM
>>To: [email protected]
>>Subject: Re: [ActiveDir] Can you expire a computer account in AD
>>
>>thanks AL
>>thanks Tom
>>
>>
>>
>>Ok, I used oldcmp, among others, and the pwdlastset (oldcmp works great) came
>>back Feb 2000 even though the password expiration says March 20 2005.
>>
>>I don't think there's an issue with locating old accounts with pwdlastset; the
>>thing is what's up with a password expiration date of March 20 2005 if the
>>pwdlastset is Feb 2000.  This password for the PC account should get reset every
>>30 days.
>>
>>The ping was a great idea, we were planning on doing it.  But our DNS
>>records are not so clean, so you can ping a PC and get a response but it's a
>>different PC name when you ping -a ip address.  DNS scavenging is getting
>>turned on, but I think the issue may still exist.
>>
>>One last point.  Can you or can't you expire a computer account in AD? I don't
>>think you can, I tried to google it, next I'm calling MS to ask, but wanted
>>to know what you folks' opinion on it was.
>>----- Original Message -----
>>From: "Mulnick, Al" <[EMAIL PROTECTED]>
>>To: <[email protected]>
>>Sent: Tuesday, March 15, 2005 2:10 PM
>>Subject: RE: [ActiveDir] Can you expire a computer account in AD
>>
>>
>>
>>>He beat me to it ;0)
>>>
>>>You may also want to couple that with a simple ping method to validate if
>>>the machine actually exists or not.  Might cross reference it with DHCP/DNS
>>>if ping is too much overhead.
>>>
>>>Just some thoughts.
>>>
>>>Al
>>>
>>>-----Original Message-----
>>>From: [EMAIL PROTECTED]
>>>[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
>>>Sent: Tuesday, March 15, 2005 1:55 PM
>>>To: [email protected]
>>>Subject: Re: [ActiveDir] Can you expire a computer account in AD
>>>
>>>P West wrote:
>>>
>>>>We are trying to clean up old AD PC accounts.  Have used every tool
>>>>under the sun to come up with the pwdlastset to show old accounts.
>>>>
>>>>example
>>>>One PC says the pwdlastset is Feb 2000; when our AD guy looks at
>>>>password expiration the dates are, say, March 20 2005, but the
>>>>pwdlastset date is Feb 2000.
>>>>
>>>>For some reason the pwdlastset is not updating, or at least that's what
>>>>I'm thinking.
>>>
>>>try to use Joe's oldcmp tool:
>>>http://www.joeware.net/win/free/tools/oldcmp.htm
>>>
>>>
>>>--
>>>Tomasz Onyszko [MVP]
>>>[EMAIL PROTECTED]
>>>http://www.w2k.pl
>>>List info   : http://www.activedir.org/List.aspx
>>>List FAQ    : http://www.activedir.org/ListFAQ.aspx
>>>List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


-----------------------------------------------------------------
        Visit our Internet site at http://www.reuters.com

To find out more about Reuters Products and Services visit 
http://www.reuters.com/productinfo 

Any views expressed in this message are those of  the  individual
sender,  except  where  the sender specifically states them to be
the views of Reuters Ltd.

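The approach the thread converges on, as an added example that is not part of the original messages nor of joeware's oldcmp: query computer objects, require both lastLogonTimestamp and pwdLastSet to be older than the threshold, and disable rather than delete the hits. It assumes the ActiveDirectory PowerShell module (RSAT) and a 2003 or later domain functional level so that lastLogonTimestamp is populated for computers; the OU path, the 180-day threshold and the description tag are assumptions chosen for the example. The threshold is padded by 14 days because lastLogonTimestamp is only refreshed when the stored value is older than msDS-LogonTimeSyncInterval (default 14 days), so a machine can be active and still carry a stamp up to two weeks old.

```powershell
<#
Added example (not from the thread): report, and optionally disable, computer
accounts that look stale on BOTH lastLogonTimestamp and pwdLastSet.
Assumes the ActiveDirectory module; OU, threshold and tag text are assumptions.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$StaleDays = 180,                                      # 6 months, as in the thread
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=com'   # assumption: adjust to your forest
)

Import-Module ActiveDirectory

# lastLogonTimestamp is replicated but only rewritten when the existing value is
# older than msDS-LogonTimeSyncInterval (14 days by default), so pad the window.
$slack    = 14
$cutoff   = (Get-Date).AddDays(-($StaleDays + $slack))
$cutoffFT = $cutoff.ToFileTimeUtc()   # LLT and pwdLastSet are stored as FILETIME Int64

$stale = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
             -Properties lastLogonTimestamp, pwdLastSet, whenCreated, OperatingSystem |
    Where-Object {
        # A freshly joined machine has no logon stamp yet; don't treat "never" as "stale"
        # unless the object itself is older than the window.
        $_.whenCreated -lt $cutoff -and
        # Both signals must agree: no logon stamp and no machine password change in the window.
        (-not $_.lastLogonTimestamp -or $_.lastLogonTimestamp -lt $cutoffFT) -and
        (-not $_.pwdLastSet        -or $_.pwdLastSet        -lt $cutoffFT)
    } |
    Select-Object Name, OperatingSystem, DistinguishedName, whenCreated,
        @{ n = 'LastLogon';  e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } },
        @{ n = 'PwdLastSet'; e = { if ($_.pwdLastSet)        { [DateTime]::FromFileTimeUtc($_.pwdLastSet) } } }

# Always show the candidate list so it can be checked against DNS/DHCP before acting.
$stale | Sort-Object LastLogon | Format-Table Name, OperatingSystem, LastLogon, PwdLastSet -AutoSize

foreach ($c in $stale) {
    # Disable, never delete: a laptop that was off the network for a year can be re-enabled
    # by deskside with the reason and date still on the object.
    if ($PSCmdlet.ShouldProcess($c.Name, "Disable stale computer account")) {
        $tag = 'Disabled as stale on {0:yyyy-MM-dd}; last logon stamp {1:yyyy-MM-dd}' -f (Get-Date), $c.LastLogon
        Set-ADComputer   -Identity $c.DistinguishedName -Description $tag
        Disable-ADAccount -Identity $c.DistinguishedName
    }
}
```

Run it with -WhatIf first to get the candidate list without touching anything, then cross-reference that list with DHCP leases or DNS (as Al suggests) before running it for real; because the script declares SupportsShouldProcess, -WhatIf and -Confirm flow through to Disable-ADAccount and Set-ADComputer.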