dsrm tool
- From: "uSlackr" <Gmartin@xxxxxxxxxxxx>
- Date: Wed, 6 May 2009 19:03:56 -0400
We just finished writing a Windows cmd script to locate and delete aging computer accounts from AD. The script uses a combination of the ds* tools to find old accounts, check to see whether they have a flag to exclude their deletion and if not delete them from AD. We ran into a problem where some accounts had child objects (virtual server hosts for one) that require us to use the -subtree option with dsrm. It works like a charm.
The script can be found here:
http://linux2.gmartin.org:82/tiki/tiki-view_blog_post.php?blogId=2&postId=138
But it got me thinking, what if a bug in the script caused cn=computer,ou=servers,dc=corp,dc=com to drop the CN and leave the OU in place? The subtree switch would allow dsrm to delete the OU and everything in it. So I have two thoughts.
- We're going to set the "prevent accidental deletion" flag on all OUs. This is a good practice anyway. We found this script reference for that:
http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/09/25/protect-objects-from-accidential-deletion-in-windows-server-2008.aspx
- Second, would it make sense to ask MS to add a switch to dsrm that would prevent it from deleting OUs? That way, if you wrap it in a script you could specify the -nooudelete switch and regardless of what you asked, it would refuse to act.
Any thoughts on this?
\\uSlackr
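One way to get the "refuse to delete an OU" behaviour the post asks for without waiting on a new dsrm switch, written here as an added PowerShell example (not the poster's cmd script): it rejects any DN whose leaf RDN is not CN=, confirms through dsquery that the directory reports a computer object, and only then calls dsrm -subtree; it also carries a helper for the second mitigation, setting the accidental-deletion flag on every OU. The function names, the -Delete switch and the availability of the ds* tools and the ActiveDirectory (RSAT) module are assumptions.

```powershell
# Added example, not the poster's cmd script: a guard around dsrm that refuses
# to act unless the target is a leaf CN= object that the directory reports as a
# computer. Assumes the ds* tools are on PATH; -Delete is a constructed switch.
param(
    [Parameter(Mandatory = $true)][string]$DistinguishedName,
    [switch]$Delete   # without it, only report what dsrm would be asked to do
)

function Test-ComputerLeafDn {
    param([string]$Dn)
    # The failure mode from the post: the CN drops off and the OU becomes the
    # target. Require a CN= leaf followed by at least one parent RDN.
    # (?:[^,\\]|\\.)+ allows LDAP-escaped commas inside the RDN value.
    return $Dn -match '^CN=(?:[^,\\]|\\.)+,(?:OU|CN|DC)='
}

function Test-IsComputerObject {
    param([string]$Dn)
    # Base-scope query with an objectClass filter prints the DN only when the
    # object exists and is a computer; a missing object makes dsquery fail.
    $found = & dsquery * $Dn -scope base -filter '(objectClass=computer)' 2>$null
    return ($LASTEXITCODE -eq 0) -and (($found -join '').Trim().Length -gt 0)
}

function Protect-AllOus {
    # Second mitigation from the post: set the "prevent accidental deletion"
    # flag on every OU. Assumes the ActiveDirectory (RSAT) module is available.
    Import-Module ActiveDirectory
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
}

if (-not (Test-ComputerLeafDn $DistinguishedName)) {
    Write-Error "Refusing: '$DistinguishedName' is not a CN= leaf under a container."
    exit 1
}
if (-not (Test-IsComputerObject $DistinguishedName)) {
    Write-Error "Refusing: directory does not report '$DistinguishedName' as a computer."
    exit 1
}
if ($Delete) {
    & dsrm $DistinguishedName -subtree -noprompt
} else {
    Write-Output "Would run: dsrm `"$DistinguishedName`" -subtree -noprompt"
}
```

Run it once per candidate DN from the cleanup script; a DN that has lost its CN (e.g. OU=servers,DC=corp,DC=com) is rejected before dsrm is ever invoked.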