Wednesday, August 13, 2014

Delete Stale or Inactive Computer Accounts from SCCM

Sometimes we see odd client-record entries in the SCCM console. When we dig in, we find that a collection shows a higher count than the actual number of machines. This happens because of ADSD (Active Directory System Discovery).

When ADSD is enabled, Config Mgr administrators generally discover the entire domain or a major OU structure. Admins are amazed to see the sheer number of PCs discovered by ADSD; however, upon further inspection they notice that these “extra” PCs are in fact old PCs that are no longer active on the network.

They might have a process to physically dispose of a PC, but they forget to remove the PC from AD and sometimes from Config Mgr too. Removing it is an important part of the decommissioning process. Leaving decommissioned PCs in AD puts AD in a “dirty” state, with lots of stale PCs that are no longer active.

So now we know that we have stale entries in SCCM and AD. We should find a simple solution to get rid of these records. As I am very lazy, I look for something simple that does the job in one click, for example a script, a batch file or PowerShell. Everyone thinks differently, so you may need something different.

Below are a few solutions that can help us. (The choice is yours.)


1. The First Method is a Script:

Credit for this script goes to the Windows Management Experts team for creating the beautiful script that does the work for us, so that we can nap for a few more minutes....

Below is the link to download the script:
http://www.windowsmanagementexperts.com/free-scripts/remove-old-objects-from-ad-and-sccm

2. The Second Method is PowerShell:

This PowerShell command/script will query Active Directory and return all computer accounts which have not logged in for the past X (configurable) number of days, or not at all. I've included, and commented out, commands that will either disable or remove these accounts if you choose to do so.

# This PowerShell command queries Active Directory and returns the computer accounts
# which have not logged on in the past 60 days. You can easily change the number of
# days from 60 to any number of your choosing.
# lastLogonDate is a human-readable conversion of lastLogonTimestamp.
$then = (Get-Date).AddDays(-60) # The 60 is the number of days back from today since the last logon.

# List the matching computer accounts with their last logon date.
Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Format-Table Name,lastLogonDate

# If you would like to disable these computer accounts, uncomment the following line:
# Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Set-ADComputer -Enabled $false

# If you would like to remove these computer accounts, uncomment the following line:
# Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Remove-ADComputer
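
A more cautious variant of the PowerShell method, as an added example that is not part of the original post: it handles accounts that have never logged on explicitly, writes a CSV record of what was found, and disables with -WhatIf instead of deleting. $DaysInactive, $ReportPath and the description text are assumed values.

```powershell
# Added example, not the original author's script.
# Requires the ActiveDirectory module (RSAT). Assumed values: $DaysInactive, $ReportPath.
Import-Module ActiveDirectory

$DaysInactive = 60
$ReportPath   = Join-Path $env:TEMP ("stale-computers-{0:yyyyMMdd}.csv" -f (Get-Date))
$cutoff       = (Get-Date).AddDays(-$DaysInactive)

# LastLogonDate is derived from lastLogonTimestamp, which is only replicated
# between domain controllers with a lag of up to about two weeks, so keep the
# threshold well above 14 days.

# Pull enabled computer accounts once and filter client-side, so that accounts
# with an empty LastLogonDate (never logged on) are handled explicitly.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, whenCreated, OperatingSystem

$stale = $computers | Where-Object {
    if ($_.LastLogonDate) {
        $_.LastLogonDate -lt $cutoff      # has logged on, but not recently
    }
    else {
        $_.whenCreated -lt $cutoff        # never logged on and not newly created
    }
}

# Step 1: keep a record of every account that is about to be touched.
$stale |
    Select-Object Name, DistinguishedName, OperatingSystem, LastLogonDate, whenCreated |
    Sort-Object LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("{0} stale computer accounts written to {1}" -f @($stale).Count, $ReportPath)

# Step 2: disable rather than delete, and stamp the reason on the object.
# -WhatIf only prints what would change; remove it after reviewing the CSV.
# Note: this overwrites any existing description on the account.
$stamp = "Disabled as stale on {0:yyyy-MM-dd}" -f (Get-Date)
foreach ($c in $stale) {
    Set-ADComputer -Identity $c -Enabled $false -Description $stamp -WhatIf
}
```

Disabled accounts can be re-enabled if a machine turns out to be in use; deletion can follow once the disabled accounts have sat untouched for an agreed period.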


3. The Third Method is an AD Tool:

Here is an easy way to identify and delete inactive or stale computers in an Active Directory environment. Using the dsquery command you can easily find all of the computers in the directory that have not been logged into in a given time interval or that are disabled.

The following command will return all computers that have been inactive or stale for 2 weeks:

dsquery computer -inactive 2

The following command will return all disabled computer account information:

dsquery computer -disabled

You can combine this output with the dsrm command to delete these objects from Active Directory:

dsquery computer -inactive 2 | dsrm -noprompt
dsquery computer -disabled | dsrm -noprompt

By following any of the above 3 methods we can keep our AD and SCCM clean.

Hope This Will Help!!
Amarpal Singh


