Sometimes we see weird entries in the SCCM console related to client records. When we dig in, we find that our collections show a higher count than the actual count. This happens because of Active Directory System Discovery (ADSD).
When ADSD is enabled, Config Mgr Administrators generally discover the entire domain or a major OU structure.
Admins are amazed to see the sheer number of PCs discovered by ADSD, however,
upon further inspection they notice that these “extra” PCs are in fact old PCs
that are no longer active on the network.
They might have a process to physically dispose of a PC, but they forget to remove the PC from AD and sometimes from Config Mgr too. Removing the PC from both is an important part of the decommissioning process. If decommissioned PCs are not removed from AD, AD is left in a “dirty” state with lots of stale PCs that are no longer active.
So now we know that we have stale entries in SCCM and AD. We should find a simple solution to get rid of these records. As I am very lazy, I will find something simple that can help me to perform it with one click, for example scripts, a batch file or PowerShell. Everyone thinks differently, so they may need something different.
Below are a few solutions that can help us. (The choice is yours.)
1. The First Method is a Script:
The credit for this script goes to the Windows Management Experts team for creating the beautiful script that works for us, so that we can take a nap for a few more minutes...
Below is the link to download the script:
http://www.windowsmanagementexperts.com/free-scripts/remove-old-objects-from-ad-and-sccm
2. The Second Method is PowerShell:
This PowerShell command/script will query Active Directory and return all computer accounts which have not logged in for the past X (configurable) number of days - or not at all. I've included - and commented out - commands that will either Disable or Remove these accounts if you choose to do so.
# This PowerShell command queries Active Directory and returns the computer accounts
# which have not logged on for the past 60 days. You can easily change the number of
# days from 60 to any number of your choosing.
# lastLogonDate is a human-readable conversion of the lastLogonTimestamp attribute.
$then = (Get-Date).AddDays(-60) # 60 is the number of days from today since the last logon.
Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Format-Table Name,lastLogonDate
# If you would like to disable these computer accounts, uncomment the following line:
# Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Set-ADComputer -Enabled $false
# If you would like to remove these computer accounts, uncomment the following line:
# Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Remove-ADComputer
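A more cautious variant of the second method, added here as an example and not part of the original script: it explicitly includes accounts that have no lastLogonDate at all, writes a CSV report first, and disables and moves the accounts to a quarantine OU instead of deleting them. The function name Get-StaleADComputer, the OU path, the report path, the 30-day grace period for new accounts and the extra PasswordLastSet check are assumptions of this example.

```powershell
# Added example: staged cleanup of stale computer accounts (report, disable, quarantine).
# Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-StaleADComputer {
    param(
        [int]$Days = 60,       # same 60-day window as the command above
        [int]$GraceDays = 30   # assumption: ignore accounts created within the last 30 days
    )
    $then   = (Get-Date).AddDays(-$Days)
    $minAge = (Get-Date).AddDays(-$GraceDays)

    # Filter client-side so that accounts with an empty LastLogonDate
    # (never logged on) are evaluated too.
    Get-ADComputer -Filter * -Properties LastLogonDate, PasswordLastSet, whenCreated, OperatingSystem |
        Where-Object {
            $_.Enabled -and
            $_.whenCreated -lt $minAge -and
            (-not $_.LastLogonDate   -or $_.LastLogonDate   -lt $then) -and
            # Second signal (assumption of this example): an active machine
            # also renews its computer account password periodically.
            (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $then)
        }
}

# Placeholders: replace with values from your own environment.
$QuarantineOU = 'OU=Stale Computers,DC=example,DC=com'
$ReportPath   = '.\stale-computers.csv'

$stale = @(Get-StaleADComputer -Days 60)

# Keep a record of the original location so an account can be restored later.
$stale |
    Select-Object Name, OperatingSystem, LastLogonDate, PasswordLastSet, whenCreated, DistinguishedName |
    Export-Csv -Path $ReportPath -NoTypeInformation

foreach ($computer in $stale) {
    # -WhatIf only prints what would happen; remove it after reviewing the CSV.
    Set-ADComputer -Identity $computer.DistinguishedName -Enabled $false -WhatIf
    Move-ADObject  -Identity $computer.DistinguishedName -TargetPath $QuarantineOU -WhatIf
}

"{0} stale computer account(s) written to {1}" -f $stale.Count, $ReportPath
```

Because lastLogonTimestamp is replicated between domain controllers with a delay of up to about 14 days by default, keep the window well above that value.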
3. The Third Method is an AD Tool:
Here is an easy way to identify and delete inactive or stale computers in an Active Directory environment. Using the dsquery command, you can easily find all of the computers in the directory that have not been logged into in a given time interval or that are disabled.
The following command will return all computers that have been inactive or stale for 2 weeks:
dsquery computer -inactive 2
The following command will return all disabled computer account information:
dsquery computer -disabled
You can combine this output with the dsrm command to delete these objects from Active Directory:
dsquery computer -inactive 2 | dsrm -noprompt
dsquery computer -disabled | dsrm -noprompt
By following any of the above 3 methods, we can keep our AD and SCCM clean.
Hope this will help!!
Amarpal Singh