Re: Scavenging Machine Acounts in AD

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 10/16/04

• Next message: Mark G: "Re: User location within active directory."
• Previous message: rvdmast: "redirection: My Documents or "Mijn documenten""
• In reply to: Joe Richards [MVP]: "Re: Scavenging Machine Acounts in AD"
• Next in thread: Joe Richards [MVP]: "Re: Scavenging Machine Acounts in AD"
• Reply: Joe Richards [MVP]: "Re: Scavenging Machine Acounts in AD"
• Messages sorted by: [ date ] [ thread ]

---

Date: Sat, 16 Oct 2004 06:40:07 -0400

Yes, Thank you, Joe!

Yet another example of the fingers going too fast!

And you have O - N - L - Y three of the five? Hard to believe. I thought
it would have been all of them!

Cary

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:%23IQxLpysEHA.1216@TK2MSFTNGP10.phx.gbl...
> Let me correct that URL... www.joeware.net
>
> if you want you can read about it in the current Windows IT Pro magazine.
It is
> one of 5 Best Tools for AD (I have 2 other tools in that list as well).
>
> joe
>
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
>
> Cary Shultz [A.D. MVP] wrote:
> > Mutsa,
> >
> > A large part of the problem apparently is that the domain user account
> > object is a member of the computer's local Administrators group. I
suggest
> > this as the only way that this action ( to rename a computer or to join
it
> > to a domain/workgroup ) is available is if the domain user account
object is
> > a member of the local Administrators group ( or that the domain user
account
> > object being used to do this is a member of the Domain Admins or other
'top
> > level' special groups ).
> >
> > A 'regular' domain user account object *should* not be a member of any
of
> > these groups. This problem very quickly goes away if this basic
security
> > policy is maintained and enforced ( as the ability to do this is not
> > available ).
> >
> > There is also the behavioral problem ( which, again, would not be
possible
> > where basic security policies in place - but I do understand that this
is
> > not always possible politically. Which is always a horrible horrible
> > horrible reason). Management and HR might need to be involved and your
user
> > base needs to be made aware that they are not to be messing with the
> > computer account objects in any way, shape or form. However, this
requires
> > HR and Management to be in agreement with the IT Department's stance on
> > this. This is not always the case ( as mentioned above ) so......
> >
> > Now, while this is not an 'automagic' approach you can go to Joe
Richard's
> > website at http://www.joesware.net and look at his free utilities
section.
> > There is something called oldcmp that will do what you need. However,
you
> > do need to manually run this ( or set up something so that it runs on a
> > schedule ). Be advised that you must first disable any computer account
> > objects before you can delete them. This is just one of the several
> > safeguards that Joe wisely built in to this awesome utility.
> >
> > HTH,
> >
> > Cary
> >
> > "mutsa" <mutsa@roke.co.uk> wrote in message
> > news:%232w2u$3rEHA.2168@TK2MSFTNGP10.phx.gbl...
> >
> >>Does any one know if there is an automatic way to scavenge and delete
the
> >>accounts of machines that have been taken permanently off-line but have
> >
> > not
> >
> >>been cleanly removed from the domain.
> >>
> >>For example a machine is built using RIS which will automatically add
that
> >>client to AD. After that the user removes the machine from the network
to
> >>make it stand-alone, but does not inform me. I would like that machines
> >>account to be either deleted automatically from AD after a set period of
> >>time of say 60 days or disabled somehow.
> >>
> >>Is this possible and can anyone help.
> >>
> >>MMMSD
> >>
> >>
> >
> >
> >

---

• Next message: Mark G: "Re: User location within active directory."
• Previous message: rvdmast: "redirection: My Documents or "Mijn documenten""
• In reply to: Joe Richards [MVP]: "Re: Scavenging Machine Acounts in AD"
• Next in thread: Joe Richards [MVP]: "Re: Scavenging Machine Acounts in AD"
• Reply: Joe Richards [MVP]: "Re: Scavenging Machine Acounts in AD"
• Messages sorted by: [ date ] [ thread ]

---

Relevant Pages Re: Unlock acct permissions ... Joe is one of the best in the world. ... How do I get DSACLS to run on a specific account? ... The permissions in the security do not seem>>> to ... The correct permissions are on the security group, ... (microsoft.public.win2000.active_directory) Re: Unlock acct permissions ... It may actually be the best of the bunch but it is very old now so it is mostly about those GOOD FUNDAMENTALS that one needs and which Joe referenced. ... >>>Overall you appear to be a very "green" admin and you should buy one or more>>>books and learn this stuff before you do too much more. ... >>>Joe Richards Microsoft MVP Windows Server Directory Services ... How do I get DSACLS to run on a specific account? ... (microsoft.public.win2000.active_directory) Re: Service running as Local system account Unable to map drive on ... Hi Joe and Phillip ... account has full permissions on both the share and the file system itself. ... Security Eventlog: ... (microsoft.public.security) Re: Password Expired Query ... issue their own LDAP query to do this. ... If you just want to get this done, Joe R's tool is very easy. ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... The problem is there isn't a flag saying the account is expired, ... (microsoft.public.windows.server.active_directory) Re: Question about login script ... "Joe" wrote: ... > Is something wrong with my SQL statement? ... >>> I have a login page. ... he needs to activate his account. ... (microsoft.public.dotnet.framework.aspnet)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)