Active Directory Spring Cleaning: Unnecessary Computer Objects

Yesterday, a PowerShell script I’d written sent an email to the members of the Active Directory security groups that are delegated control of computer objects within the OUs for the various sections of the University under the “Departments” OU. These messages contained a list of all the computer objects in each departmental OU which haven’t contacted the domain to change their password for 90 days (by default a domain member changes its machine account password every 30 days). That is an indication that the computer object may be unnecessary and could possibly be deleted.

It is only an indication, though. A laptop that has been off the network for a term, or a machine where the “Domain member: Disable machine account password changes” security option is set, will show a stale pwdLastSet while still being in use, and an object whose pwdLastSet was never set (an account that was pre-staged but never joined) shows up as well. Cross-check against lastLogonTimestamp where your forest functional level provides it, and disable a candidate object for a grace period before deleting it: a disabled account can be re-enabled, whereas a deleted one means re-joining the machine.

In order to generate these reports, I use Windows PowerShell and the Active Directory cmdlets from Quest Software. Once you have those installed, you’ll find a “Quest Software” folder in the Start menu, which contains the “ActiveRoles Management Shell for Active Directory” – you should run this as a member of the admin group that has permissions on the OU you want to report on. Then it’s just a case of a couple of lines of PowerShell.

[If none of this makes any sense, then I’m going to recommend that you go and read the Getting Started chapter from the TechNet Script Center’s PowerShell Owner’s Manual]

First we’ll put the OU’s distinguished name in a string variable, just to reduce the amount of wrapping we’re going to have on the next line…

$OU = "OU=ISS,OU=Departments,DC=campus,DC=ncl,DC=ac,DC=uk"

Then we find the computer objects with Quest’s Get-QADComputer cmdlet and filter on the pwdLastSet property for anything older than 90 days. Note that -IncludedProperties has to ask for pwdLastSet explicitly, as it is not returned by default, and -SizeLimit 0 lifts the cmdlet’s default cap on the number of objects returned, which matters for a large OU…

Get-QADComputer -SearchRoot $OU -SearchScope Subtree -IncludedProperties pwdLastSet -SizeLimit 0 |
    where {$_.pwdLastSet -le (Get-Date).AddDays(-90)}

That gives you a table of computer objects using the default formatting, but we can do better than that.

If we pipe the output of the filter to the Select-Object cmdlet, we can select interesting properties to look at. I’m going to select the computer object’s name, description and parentcontainerdn so we can see how we’ve labelled it and exactly where it is in our OU structure…

Get-QADComputer -SearchRoot $OU -SearchScope Subtree -IncludedProperties pwdLastSet -SizeLimit 0 |
    where {$_.pwdLastSet -le (Get-Date).AddDays(-90)} |
    select name,description,parentcontainerdn

These might not be the most helpful properties for the computers you manage, so you can check the full list of properties of the computer objects by piping one into the Get-Member cmdlet.

We might have some useful data at this point, but there’s probably going to be some truncation going on, and it might be more useful if we could sort it. You could use the Sort-Object and Format-Table cmdlets to help, but I’m going to suggest that we might be better getting it out into Excel so you can order it and play with it in any way you want. To that end, we’ll pipe the whole lot into the Export-Csv cmdlet…

Get-QADComputer -SearchRoot $OU -SearchScope Subtree -IncludedProperties pwdLastSet -SizeLimit 0 |
    where {$_.pwdLastSet -le (Get-Date).AddDays(-90)} |
    select name,description,parentcontainerdn |
    Export-Csv "C:\temp\computers.csv" -NoTypeInformation
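As an added example (not code from the original post), here is the same report written against Microsoft’s ActiveDirectory module rather than the Quest cmdlets, and extended with the checks a practitioner would want before acting on it: it skips objects that are already disabled, treats a never-set timestamp as stale, also requires lastLogonTimestamp to be old, and writes one CSV per departmental OU, matching the way the emailed reports were organised. The Departments OU is the one from the post; the report directory, the 90-day thresholds and the PowerShell 3.0 requirement are assumptions.

```powershell
# Added example, not code from the original post. Uses Microsoft's ActiveDirectory
# module (RSAT) instead of the Quest cmdlets and needs PowerShell 3.0 or later.
# The Departments OU is the one from the post; the report directory and the
# 90-day thresholds are assumptions.
Import-Module ActiveDirectory

function Get-StaleComputer {
    param(
        [Parameter(Mandatory = $true)] [string] $SearchBase,
        [int] $PasswordAgeDays = 90,
        [int] $LogonAgeDays    = 90
    )

    $pwdCutoff   = (Get-Date).AddDays(-$PasswordAgeDays)
    $logonCutoff = (Get-Date).AddDays(-$LogonAgeDays)

    # PasswordLastSet and LastLogonDate are the module's DateTime views of
    # pwdLastSet and lastLogonTimestamp. lastLogonTimestamp is only refreshed
    # when it is more than about 14 days old, so it is a coarse last-use time.
    # Disabled objects are skipped: they have already been dealt with.
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -SearchScope Subtree `
                   -Properties PasswordLastSet, LastLogonDate, Description, OperatingSystem |
        Where-Object {
            # $null means the attribute was never set, e.g. an object that was
            # pre-staged but never actually joined; treat that as stale too.
            ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $pwdCutoff) -and
            ($null -eq $_.LastLogonDate   -or $_.LastLogonDate   -lt $logonCutoff)
        } |
        ForEach-Object {
            # Parent container: the DN with its leading "CN=<name>," removed
            # (computer names cannot contain commas, so a plain split is safe).
            [pscustomobject]@{
                Name            = $_.Name
                Description     = $_.Description
                OperatingSystem = $_.OperatingSystem
                PasswordLastSet = $_.PasswordLastSet
                LastLogonDate   = $_.LastLogonDate
                ParentContainer = ($_.DistinguishedName -split ',', 2)[1]
            }
        }
}

# One CSV per departmental OU, mirroring the per-department emails in the post.
$departmentsOU = 'OU=Departments,DC=campus,DC=ncl,DC=ac,DC=uk'
$reportDir     = 'C:\temp\stale-computers'   # assumed path
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

Get-ADOrganizationalUnit -Filter * -SearchBase $departmentsOU -SearchScope OneLevel |
    ForEach-Object {
        $ou   = $_
        $rows = @(Get-StaleComputer -SearchBase $ou.DistinguishedName | Sort-Object PasswordLastSet)
        if ($rows.Count -gt 0) {
            $csv = Join-Path $reportDir ($ou.Name + '.csv')
            $rows | Export-Csv -Path $csv -NoTypeInformation
            Write-Host ('{0}: {1} stale computer object(s) written to {2}' -f $ou.Name, $rows.Count, $csv)
        }
    }
```

Run it from a shell with the RSAT tools installed, as an account that can read the departmental OUs. The per-OU CSVs can be attached with Send-MailMessage to reach the delegated groups. When acting on a row, disable the object rather than deleting it, and only delete after a grace period has passed without anyone asking for it back.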

I hope that helps. 🙂

Which Operating Systems are we using at Newcastle?

I thought it would be interesting to see where things stand with Operating System usage in the Active Directory. These figures are based on 10984 active computer objects (the three group totals below add up to that figure).

Windows Clients: 10398

  Windows Vista: 472
  Windows XP: 9894
  Windows 2000: 32

Windows Server: 392

  Windows Server 2008: 65
  Windows Server 2003: 323
  Windows 2000 Server: 4

Other: 194

  Windows 7 Ultimate: 9
  No Operating System: 125
  Mac OS X: 43
  Samba: 17
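One way to produce such a breakdown yourself, as an added example that is not from the original post: it counts enabled computer objects by their operatingSystem attribute and buckets them into the same three groups as the list above, reporting a blank attribute as “No Operating System”. It uses Microsoft’s ActiveDirectory module; the domain DN is taken from the earlier post and the bucketing patterns are an assumption about how the operatingSystem strings look.

```powershell
# Added example, not code from the original post. Needs the ActiveDirectory
# module (RSAT). The domain DN comes from the earlier post; the wildcard
# patterns used to bucket operatingSystem strings are an assumption.
Import-Module ActiveDirectory

function Get-OSCensus {
    param([string] $SearchBase = 'DC=campus,DC=ncl,DC=ac,DC=uk')

    # Only enabled objects, to match "active computer objects" in the post.
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                                -SearchScope Subtree -Properties OperatingSystem

    # bucket name -> (operatingSystem string -> count)
    $buckets = @{ 'Windows Clients' = @{}; 'Windows Server' = @{}; 'Other' = @{} }

    foreach ($c in $computers) {
        $os = $c.OperatingSystem
        if ([string]::IsNullOrEmpty($os)) { $os = 'No Operating System' }

        # Server strings ("Windows Server 2008 ...", "Windows 2000 Server") are
        # tested first so they do not fall into the client patterns below.
        # Anything else (Mac OS X, Samba, Windows 7 beta) lands in 'Other'.
        $bucket = switch -Wildcard ($os) {
            'Windows*Server*' { 'Windows Server';  break }
            'Windows 2000*'   { 'Windows Clients'; break }
            'Windows XP*'     { 'Windows Clients'; break }
            'Windows Vista*'  { 'Windows Clients'; break }
            default           { 'Other' }
        }
        $buckets[$bucket][$os] = 1 + [int]$buckets[$bucket][$os]
    }
    return $buckets
}

$census = Get-OSCensus
foreach ($bucket in 'Windows Clients', 'Windows Server', 'Other') {
    $total = ($census[$bucket].Values | Measure-Object -Sum).Sum
    '{0}: {1}' -f $bucket, [int]$total
    $census[$bucket].GetEnumerator() | Sort-Object Value -Descending |
        ForEach-Object { '  {0}: {1}' -f $_.Key, $_.Value }
}
```

The raw operatingSystem strings include edition and service pack detail (“Windows XP Professional”, “Windows Server 2003 Standard Edition”), so the per-bucket lines are finer-grained than the post’s summary; collapse them further with a -replace on the string if you want exactly the groups shown above.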

New Windows Vista Base Policy open for testing

For the last few months we’ve been developing a new version of the Windows Vista Base Policy. The current version, which has not been updated since Vista’s release, has suffered from a number of problems, particularly with folder redirection. These have now been addressed and we are pleased to invite you to help us test the new policy before its full rollout early next year.

These improvements allow seamless switching between Windows XP and Vista machines on CAMPUS and will make rolling out Vista viable for the majority of campus users.

To apply the policy to a machine, use ‘TEST 0 Windows Vista Base Policy’. Please note that the test policy should replace the original policy rather than be applied alongside it.

New Windows Vista Base Policy Features

Folder Redirection Fixed!

All standard Vista user folders are now redirected to the network, and any duplicate folders are removed, but only if they are empty.

This means that users who have accidentally saved files to their local machine will not lose them when the new Base Policy is applied. The table below shows the redirection paths. Notice that where applicable, folders have been redirected to the exact location of their Windows XP counterparts, i.e. ‘My Music’ rather than ‘Music’.

This means that users moving between XP and Vista use the same folders and will not see duplicates under H:\ or C:\Users.

Windows Vista Folder Name | Description                                          | New Location
--------------------------|------------------------------------------------------|------------------------------------
Contacts                  | Default location for the user’s contacts             | \\towerx\homex\username\Contacts
Desktop                   | Desktop items, including files and shortcuts         | n/a
Documents                 | Default location for all user-created documents      | \\towerx\homex\username\Documents
Downloads                 | Default location for downloaded content              | \\towerx\homex\username\Downloads
Favourites                | Internet Explorer Favourites                         | \\towerx\homex\username\Favorites
Music                     | Default location for the user’s music files          | \\towerx\homex\username\My Music
Videos                    | Default location for the user’s video files          | \\towerx\homex\username\My Videos
Pictures                  | Default location for the user’s picture files        | \\towerx\homex\username\My Pictures
Searches                  | Default location for saved searches                  | \\towerx\homex\username\Searches
AppData                   | User application data and binaries (hidden folder)   | n/a
Links                     | Windows Explorer Favourite Links                     | \\towerx\homex\username\Links
Saved Games               | Used for saved games                                 | \\towerx\homex\username\Saved Games

[Screenshot: Redirection]

Start Menu

The existing base policy removes the ‘Documents’ label from the Start Menu and replaces it with the full UNC path to the user’s home directory, which is unhelpful and unsightly. The new Base Policy renames the ‘Documents’ label to ‘Documents (H:\)’, giving a consistent point of reference for support calls. The mapped drive carries the same label.

My Pictures and My Music shortcuts reference the new redirected (correct) location.

The computer’s network name also appears on the Start Menu, giving an ‘at a glance’ view of the machine name.

[Screenshot: New Start Menu]

Branding

To help distinguish Campus Managed Desktop machines, branding has been added.

The University crest now replaces the default logon pictures.

[Screenshot: Logon]

The Crest is also visible on the Start Menu

[Screenshot: Start Menu]

System Properties have also been updated.

[Screenshot: System Properties]

Other Features

Local Administrators

When using ‘Run as Administrator’, the UAC credential prompt lists all local administrator accounts on the machine (the ‘Enumerate administrator accounts on elevation’ behaviour). This is convenient for support staff, but bear in mind that it also reveals the names of the local administrator accounts to any standard user who triggers a prompt.

[Screenshot: Local Admins]

Offline Files

Offline Files are now automatically encrypted (using EFS).

[Screenshot: Offline]

System Drive Permissions redesigned

The new policy sets stricter permissions on the system drive, preventing non-Administrators from creating folders there, and creates the C:\TEMP folder on which so many of our packaged applications depend.

Feedback

We really need feedback on your experiences with the new Policy. Please do not hesitate to get in touch with any comments, questions or issues.

‘Windows Server’ 7 aka Windows Server 2008 R2 Feature list

Last week at PDC Microsoft announced that Microsoft Windows Server 2008 R2 will be the server variant of Windows 7.

Here at TechEd we are seeing demonstrations of some of W7/R2’s features. Here is a quick run through. More detail to follow.

  • Live Migration
  • Remote Desktop Services, which will supersede Terminal Services.
  • BitLocker To Go
  • DirectAccess (a possible killer app for Server 2008 R2 and IPv6)
  • BranchCache
  • SMB enhancements
  • Offline Files enhancements, including a ‘Usually offline’ mode.
  • Wake on Wireless LAN
  • Improved power management and increased control via Group Policy.
  • Group Policy scripting with PowerShell.
  • Programmatic interface into the performance and reliability systems.