No Asset or RMM tool. Need help with strategy for reconciling old computers in AD
Posted by WorkFoundMyOldAcct@reddit | sysadmin | 15 comments
I’ve been pushing for ITAM tools since forever ago, but the reality is what it is. I don’t have any good software. I use PowerShell for almost everything at this place. We’re growing faster than anyone realizes, and the IT department sees the last of the growth, so that's the answer to "why don't you have an asset management solution, you idiot?"
Our old admins had an untenable computer naming convention (ex: “LapW11-JSMITH”; “PCW10-JWILSON”) that quickly spiraled out of control when C-suite allowed users to have multiple domain-joined computers, just for fun I guess.
I did away with that naming convention for all newly created devices, but we still have an elephant graveyard of old computer objects that I am sifting through. Shifting focus to computer reconciliation, I want to start broadly, and then move forward with a more nuanced approach.
I want to remove computers that haven’t had anyone log into them for X amount of time, and I want to gather this information by writing a PS script to query AD, and then remove computer objects, starting with the oldest first.
Before I go down this PS rabbit hole, is there a better approach to this, within the scope of the tools I have before me?
My tools are: PowerShell, alcohol...
30yearCurse@reddit
PowerShell, as suggested. I would suggest perhaps downloading something like ADMANAGER; it has good reporting for devices.
Also make sure your user accounts are up to date.
Do you have policies on returning used equipment, or do you just send out replacements? Azure? Intune?
RealAnigai@reddit
So I wrote a script a couple of weeks ago that spat out every computer object with a LastLogonTimestamp attribute of like 90 days or older. I explained that attribute and asked my boss if I can delete them after he reviews them, because I wanted that CYA, and he said yeah (obviously disable first, wait a while, move OU, wait another while, then delete). I did each of those with Import-Csv to some basic loops in PowerShell ISE. Even added a little line to the description with my name, date and why I disabled the computer object.
TL;DR This attribute was introduced I believe in Server 2003 to track the logins of objects to ANY domain controller, but it isn't regularly replicated to other DCs. Downside is that the default value is 14 days, so for example if it shows 10th of November then technically it could be any time between then and the 24th that it logged into ANY DC in the forest.
Incidentally, this attribute on a surface level almost acts the same as the last activity value in MS Entra which isn't always going to be especially accurate either but you just gotta know how to play the game :)
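The staged cleanup this comment describes (report, review, disable with a stamped description, move to a holding OU, delete later), as an added example and not the commenter's own script. It converts lastLogonTimestamp itself rather than using Search-ADAccount, so the 14-day replication slack can be kept in mind when reading the dates. The 90-day threshold, the quarantine OU path, the 30-day wait and the CSV path are assumptions.

```powershell
# Added example (not the commenter's script). Thresholds, OU path and CSV path are assumptions.
Import-Module ActiveDirectory

$StaleDays    = 90                                       # assumed threshold
$QuarantineOU = 'OU=StaleComputers,DC=example,DC=com'    # assumed holding OU
$ReportPath   = '.\stale-computers.csv'                  # assumed report location

# Step 1: report. lastLogonTimestamp is a FILETIME and is only replicated when it is
# roughly 14 days out of date, so the true last logon can be up to 14 days later.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale = Get-ADComputer -Filter { Enabled -eq $true } -Properties lastLogonTimestamp, whenCreated |
    ForEach-Object {
        $ts = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        [pscustomobject]@{
            Name              = $_.Name
            DistinguishedName = $_.DistinguishedName
            LastLogonTS       = $ts
            WhenCreated       = $_.whenCreated
        }
    } |
    # Objects that never logged on count as stale only if they were also created before the cutoff
    Where-Object { ($_.LastLogonTS -and $_.LastLogonTS -lt $cutoff) -or (-not $_.LastLogonTS -and $_.WhenCreated -lt $cutoff) } |
    Sort-Object LastLogonTS
$stale | Export-Csv -Path $ReportPath -NoTypeInformation

# Step 2 (after the reviewed CSV comes back): stamp the description, disable, move.
# Run with -WhatIf first and drop it once the output looks right.
function Disable-StaleComputer {
    param([string]$CsvPath = $ReportPath, [switch]$WhatIf)
    $stamp = "Disabled {0:yyyy-MM-dd} by $env:USERNAME - no logon in $StaleDays days" -f (Get-Date)
    Import-Csv $CsvPath | ForEach-Object {
        Set-ADComputer   -Identity $_.DistinguishedName -Description $stamp -WhatIf:$WhatIf
        Disable-ADAccount -Identity $_.DistinguishedName -WhatIf:$WhatIf
        Move-ADObject    -Identity $_.DistinguishedName -TargetPath $QuarantineOU -WhatIf:$WhatIf
    }
}

# Step 3 (after the waiting period): delete only objects that are still disabled in the
# holding OU and have not been modified since they were parked there.
function Remove-QuarantinedComputer {
    param([int]$WaitDays = 30, [switch]$WhatIf)
    $limit = (Get-Date).AddDays(-$WaitDays)
    Get-ADComputer -SearchBase $QuarantineOU -Filter { Enabled -eq $false } -Properties whenChanged |
        Where-Object { $_.whenChanged -lt $limit } |
        ForEach-Object { Remove-ADComputer -Identity $_.DistinguishedName -Confirm:$false -WhatIf:$WhatIf }
}
```

The description stamp is written before the object is disabled so the change that disabled it is the last one recorded; anyone who finds the object later sees who parked it, when and why, without digging through logs.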
Totallynotaswede@reddit
Check last logon date + last logon user etc. with PowerShell in AD. Disable the computer objects that haven't had a person logging in the past 35+ days, move them to a separate OU and wait for complaints.
If you use Microsoft 365 etc. you might have licenses for Intune; use that for management etc. for your computers / phones etc., or if not, get some other tool for it.
Naming conventions for the PCs: I always just go with some prefix and then use the serial number as suffix, if the NetBIOS limit allows it, which it usually does.
You can have a logon script sent out via GPO that dumps the serial number / hardware data to an SMB share, or Azure blob etc., if it doesn't exist in the computer object.
From the hw data / serial number, you should be able to organize some kind of lifecycle plan on what computers you need to change.
How many devices are we talking about, 20, 200 or 2000?
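The GPO-delivered inventory script this comment suggests, as an added example that is not the commenter's own: a startup script that writes the machine's serial number and model to a share, plus an admin-side function that copies the serial into the computer object where it is still missing. The share path is an assumption, as is the use of the schema's multi-valued serialNumber attribute on computer objects; running it as a computer startup script rather than a user logon script is a design choice, since it then runs as SYSTEM and needs no user rights.

```powershell
# Added example (not the commenter's script). Share path and attribute choice are assumptions.
$Share = '\\fileserver.example.com\HwInventory$'   # assumed share; grant Domain Computers create/write only

function Export-HardwareRecord {
    # Client side, run at startup via GPO. Uses CIM only, so no RSAT is needed on the client.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $record = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Serial       = $bios.SerialNumber.Trim()
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        Collected    = (Get-Date).ToString('s')
    }
    # One file per machine, overwritten each boot: the share holds current state and does not grow.
    $record | Export-Csv -Path (Join-Path $Share "$env:COMPUTERNAME.csv") -NoTypeInformation
    return $record
}

function Merge-HardwareRecord {
    # Admin side: fill in serialNumber on computer objects that do not have one yet.
    Import-Module ActiveDirectory
    Get-ChildItem -Path $Share -Filter *.csv | ForEach-Object {
        $r = Import-Csv $_.FullName
        # Some firmware reports a placeholder instead of a serial; do not write that into AD.
        if ([string]::IsNullOrWhiteSpace($r.Serial) -or $r.Serial -match 'O\.E\.M') { return }
        $name = $r.ComputerName
        $c = Get-ADComputer -Filter { Name -eq $name } -Properties serialNumber
        if ($c -and -not $c.serialNumber) {
            Set-ADComputer -Identity $c -Replace @{ serialNumber = $r.Serial }
        }
    }
}
```

Once the serial is on the computer object, a stale-object sweep can report it alongside the name, which makes it much easier to match an orphaned AD object to a physical device on a shelf.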
WorkFoundMyOldAcct@reddit (OP)
It's close to 1,000 at this point, but we only have 250 employees, so I'd like to whittle the number down to at least 500, ideally 350, since I know not everyone has two devices, and I know we only have about 10 imaged loaners at any given time.
From what tenured staff are telling me, the old techs would re-image a laptop for a user if they couldn't solve a particular problem, and then forget to remove the unused object in AD. After a while, this was actually causing DNS conflicts, but that was yet another misconfiguration rabbit hole.
Totallynotaswede@reddit
Yeah, get Intune, SCCM or some other tool for sure.
WorkFoundMyOldAcct@reddit (OP)
Definitely top of the list. We desperately need it.
GeneMoody-Action1@reddit
I have a script that runs in several ADs and sends stale computer and stale login (either ones that have not been used in X) reports to an admin group mailbox, along with the last login date. Short and sweet and, most importantly, persistent.
Most of those locations have management tools, but this is just a simple morning reminder seen by more than one person, which gets them asking one another "Are *you* keeping it for any reason?"
Monthly, one gets sent to HR with "Anyone on this list that does not work here anymore? Respond NO if not to ensure it was received and checked." That catches the occasional extended vacationers/FMLA etc.
Pass the albatross round where you can...
WorkFoundMyOldAcct@reddit (OP)
That sounds like a great script! What attributes are you referencing to capture those computers?
GeneMoody-Action1@reddit
Import-Module ActiveDirectory   # Search-ADAccount comes from the RSAT Active Directory module
$smtpServer = "SMTP"            # your mail relay host name
$msg = New-Object Net.Mail.MailMessage
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
$msg.From = 'SysAdminno-reply@example.com'
$msg.To.Add("SysAdmn@example.com")
$msg.To.Add("someone@example.com")
$msg.Subject = "Stale Computers"
$msg.IsBodyHtml = $True
# Enabled computers with no logon in the last 10 days, oldest first, rendered as an HTML table
$body = Search-ADAccount -AccountInactive -TimeSpan 10.00:00:00 | Where-Object {$_.ObjectClass -eq 'computer' -and $_.Enabled -eq $true} | Select-Object Name, LastLogonDate | Sort-Object LastLogonDate, Name | ConvertTo-Html -CssUri 'http://server.example.com/AdminReports/style.css'
$msg.Body = $body | Out-String   # ConvertTo-Html returns an array of lines; join them into one string
$smtp.Send($msg)
$msg.Dispose()
WorkFoundMyOldAcct@reddit (OP)
Thank you so much!
GeneMoody-Action1@reddit
BTW, I have always used the L8 error as synonymous with an ID10T but safer to represent shorts between the keyboard and chair. :-)
I figured one day someone would write down the latter and go wait a minute...
WorkFoundMyOldAcct@reddit (OP)
Bingo ;) it is a nice reminder for me to keep things light at work, despite the chaos all around me.
GeneMoody-Action1@reddit
NP, the user one is pretty much the same, just change 'computer' to 'user' for object class, then select Name, SamAccountName, and LastLogonDate.
You can easily see how to get disabled users/computers as well, etc.
And provided no one is editing disabled objects, you can even get when that happened from the last modification date on the AD object.
Have fun!
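The generalisation sketched in this reply (same report for users or computers, optionally including disabled objects, with the object's last-modified date as a proxy for when it was disabled), as an added example that is not the commenter's script. The inactivity window, sender, recipients and SMTP host are assumptions; it uses Send-MailMessage instead of the Net.Mail classes from the script above.

```powershell
# Added example (not the commenter's script). Window, addresses and SMTP host are assumptions.
Import-Module ActiveDirectory

function Get-StaleAccountReport {
    param(
        [ValidateSet('computer', 'user')] [string]$ObjectClass = 'computer',
        [int]$InactiveDays = 10,          # assumed window
        [switch]$IncludeDisabled
    )
    $span  = New-TimeSpan -Days $InactiveDays
    $found = Search-ADAccount -AccountInactive -TimeSpan $span |
        Where-Object { $_.ObjectClass -eq $ObjectClass -and ($IncludeDisabled -or $_.Enabled) }

    # Search-ADAccount does not return whenChanged, so fetch it per object. For a disabled
    # object it approximates the disable date, as long as nobody edits disabled objects.
    $found | ForEach-Object {
        $obj = Get-ADObject -Identity $_.DistinguishedName -Properties whenChanged
        [pscustomobject]@{
            Name           = $_.Name
            SamAccountName = $_.SamAccountName
            Enabled        = $_.Enabled
            LastLogonDate  = $_.LastLogonDate
            WhenChanged    = $obj.whenChanged
        }
    } | Sort-Object LastLogonDate, Name
}

function Send-StaleAccountReport {
    param(
        [ValidateSet('computer', 'user')] [string]$ObjectClass = 'computer',
        [string[]]$To = @('sysadmin@example.com'),   # assumed recipients
        [string]$SmtpServer = 'smtp.example.com'      # assumed relay
    )
    $rows = @(Get-StaleAccountReport -ObjectClass $ObjectClass -IncludeDisabled)
    $html = $rows | ConvertTo-Html -Title "Stale $ObjectClass objects" | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From 'no-reply@example.com' -To $To `
        -Subject "Stale $ObjectClass objects ($($rows.Count))" -Body $html -BodyAsHtml
}

# Morning run: one mail for computers, one for users.
Send-StaleAccountReport -ObjectClass computer
Send-StaleAccountReport -ObjectClass user
```

Including disabled objects with their WhenChanged column gives the reader the "parked since" date at a glance, so the monthly HR pass and the eventual delete can both work from the same mail.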
no_regerts_bob@reddit
Without access to any additional resources, I think PowerShell is your best tool here.
WorkFoundMyOldAcct@reddit (OP)
I think you’re right, Bob. I think you’re right.