Wednesday, August 11, 2010

Freeware feature: OldCMP

I recently ran across a freeware tool called OldCMP that's been around for quite some time. OldCMP is a command-line tool that helps you find old user or computer accounts in your Active Directory environment.

To those outside of technology, it doesn't make sense that you could "lose" user or computer objects. However, if you regularly use scripts and imaging software to create, replace, update or delete massive numbers of users and computers, then the concept of "lost" objects makes a great deal of sense. In addition, in Kentucky's environment, we leverage ePolicy Orchestrator to keep antivirus software updated and, as you might imagine, it's difficult to gather useful reports on antivirus coverage if your machine counts aren't accurate.

** A quick 'cover yourself' type of note: this is a freeware tool and it is what it is, you get what you pay for, etc. Also, it's a command-line tool that interfaces with Active Directory, so be aware that you can really do some damage to your directory if you don't use it properly. **

With that out of the way, let's cover a few details. You can download the tool at the link provided above. You can review many of the command-line switches available here. Switches that you'd use in our particular environment would likely be:

-b basedn (to specify the distinguished name of the container where the search begins - in our case, you'd use several "DC=" components to point at a district domain in our forest)

-age x (to specify the minimum age, in days, since the last password change - we might use 90 days or even longer to increase the likelihood that the results are machines/users that are really not being used)

-llts (This allows us to use LastLogonTimeStamp for some of the age stats. Some trust this more than the password change statistic in AD and, by comparing the two, you will likely be able to verify that machines/users are really as dated as they appear)

-format dhtml (For IE, this generates the report in dynamic HTML format, which lets you sort the results by clicking on column headings, etc. This is very useful.)

-report (simply to write a report of the objects found)

So, if I run OldCMP from a command prompt with this format:

oldcmp.exe -b DC=adams,DC=kentucky,DC=org -age 90 -llts -format dhtml -report

If I were in the adams.kentucky.org AD domain, this should generate a dynamic HTML file that lists the computers in my domain whose LastLogonTimeStamp is older than 90 days. Some machines may not have logged on in years, and you can find them by sorting on the proper column.
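To make clear what the -age and -llts switches actually compare, here is a small Python script (written for this post, not OldCMP's own code) that applies the same 90-day test to a constructed sample of computer objects. The machine names and timestamps are made up, and the sample deliberately includes the two cases where the password-change age and LastLogonTimeStamp age disagree, which is why it pays to check both before deleting anything:

```python
from datetime import datetime, timedelta, timezone

# AD stores lastLogonTimeStamp and pwdLastSet as Windows FILETIME values:
# the number of 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """Convert a FILETIME integer to an aware datetime; 0 means 'never set'."""
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here only to build sample data."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def find_old_objects(objects, age_days, now, use_llts=True):
    """Names of objects whose timestamp is older than age_days (like -age x).

    use_llts=True reads lastLogonTimeStamp (the -llts switch); False reads
    pwdLastSet, the password-change age. A never-set attribute (0) is
    reported as old, since there is no evidence the account is in use.
    """
    cutoff = now - timedelta(days=age_days)
    attr = "lastLogonTimeStamp" if use_llts else "pwdLastSet"
    old = []
    for obj in objects:
        stamp = filetime_to_datetime(obj[attr])
        if stamp is None or stamp < cutoff:
            old.append(obj["name"])
    return old

def cross_check(objects, age_days, now):
    """Only the objects that are stale under BOTH measures."""
    return sorted(set(find_old_objects(objects, age_days, now, True))
                  & set(find_old_objects(objects, age_days, now, False)))

# Constructed sample export: hypothetical machines, dated relative to this post.
NOW = datetime(2010, 8, 11, tzinfo=timezone.utc)
def _days_ago(n):
    return datetime_to_filetime(NOW - timedelta(days=n))

SAMPLE = [
    {"name": "LAB-PC01", "lastLogonTimeStamp": _days_ago(10), "pwdLastSet": _days_ago(20)},
    {"name": "LAB-PC02", "lastLogonTimeStamp": _days_ago(120), "pwdLastSet": _days_ago(100)},
    # Joined recently but never logged on: stale by -llts, fresh by pwdLastSet.
    {"name": "LAB-PC03", "lastLogonTimeStamp": 0, "pwdLastSet": _days_ago(5)},
    # Still logging on, but its password never rotated: fresh by -llts, stale by pwdLastSet.
    {"name": "LAB-PC04", "lastLogonTimeStamp": _days_ago(30), "pwdLastSet": _days_ago(200)},
]
```

Running `find_old_objects(SAMPLE, 90, NOW)` flags LAB-PC02 and LAB-PC03, the pwdLastSet variant flags LAB-PC02 and LAB-PC04, and `cross_check` leaves only LAB-PC02 as stale by both measures.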

Perhaps some of you have used this tool in the past or, for others, perhaps you can use this to some benefit. In our environment, this could be a very useful tool for districts to clean up their AD domain and more easily identify machines that need to be removed.