PowerShell for Windows Admins

Sep 6 2013   2:45PM GMT

Cleaning up my AD

Richard Siddaway

I decided it was time to clean some of the rubbish out of my test AD. I’ll be upgrading to Windows Server 2012 R2 next month, so a bit of a clean-up now is a good idea.

I decided to start with the computer objects. I’ve created and deleted quite a few virtual machines over the years, so there’s a good chance of finding something to remove. Computers in an AD domain have a secure channel to the domain controller, which they use to authenticate on startup. The password on this channel is reset automatically every 30 days by default. Any machine that hasn’t reset its password in a while is probably a good candidate for removal:

Get-ADComputer -Filter * -Properties PasswordLastSet |
select Name, PasswordLastSet |
sort PasswordLastSet

That shows me a few machines to remove. Anything that hasn’t reset its password for 12 months is fair game.

$date = (Get-Date).AddYears(-1)
Get-ADComputer -Filter {PasswordLastSet -lt $date} -Properties PasswordLastSet |
select Name, PasswordLastSet | sort PasswordLastSet

It’s odd, but I couldn’t get the search to work when I was calculating the date in the filter.

Now I can delete them:

PS> Get-ADComputer -Filter {PasswordLastSet -lt $date} -Properties PasswordLastSet | Remove-ADComputer -Confirm:$false

Remove-ADComputer : The directory service can perform the requested operation only on a leaf object
At line:1 char:82
+ … swordLastSet | Remove-ADComputer -Confirm:$false
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=W08SQL05,OU=…anticore,DC=org:ADComputer) [Remove-ADComputer], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8213,Microsoft.ActiveDirectory.Management.Commands.RemoveADComputer

Not what I was expecting. The error message is what you get when trying to delete an OU with objects still in it, but a computer object is normally a leaf object.

It turns out that a computer object can contain other objects, especially when it’s a virtual machine. Neither the Attribute Editor in AD Users & Computers nor AD Administrative Center will show them; you need the full ADSIEdit (or a Get-ADObject search scoped one level below the computer’s distinguished name). When I looked in ADSIEdit I saw there was indeed a child object:

CN=Windows Virtual Machine,CN=W08SQL05,OU=SQL Server,OU=Servers,DC=Manticore,DC=org

Both of the affected machines were Windows 2000 VMs, but later versions of Windows up to and including Windows Server 2012 are also affected.

So how to delete:

Option 1 – use the GUI and force deletion. Who me? Not likely.

Option 2 – use Remove-ADObject

Get-ADComputer -Filter {PasswordLastSet -lt $date } |
Remove-ADObject -Recursive -Verbose -Confirm:$false
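Putting the whole procedure together, here is an added example (my own script, not code from the original post). It assumes the ActiveDirectory module is available and that the account running it can read and modify computer objects; the parameter names ($StaleDays, -Delete) and the description text are illustrative. It computes the cut-off date outside the filter (the -Filter script block is translated to an LDAP query server-side, so expressions inside it are not evaluated, which is why calculating the date in the filter did not work), skips domain controllers, reports how many child objects sit under each stale computer (a Hyper-V guest, for example, carries a “Windows Virtual Machine” child object, which is exactly what makes Remove-ADComputer fail), disables accounts by default, and only deletes with -Recursive when asked to:

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module and rights to read/modify computer objects. $StaleDays and -Delete
# are illustrative parameter names.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$StaleDays = 365,
    [switch]$Delete        # default action is disable-only; deletion is opt-in
)

Import-Module ActiveDirectory

# Compute the cut-off first and reference the variable: the -Filter block is
# turned into an LDAP query on the server, so (Get-Date).AddYears(-1) inside
# the filter would not be evaluated.
$cutoff = (Get-Date).AddDays(-$StaleDays)

# Never touch domain controllers, whatever their password age looks like.
$dcDNs = (Get-ADDomainController -Filter *).ComputerObjectDN

$stale = Get-ADComputer -Filter { PasswordLastSet -lt $cutoff } `
            -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
         Where-Object { $dcDNs -notcontains $_.DistinguishedName }

foreach ($computer in $stale) {
    # Look one level below the computer object. Anything returned here means
    # the computer is not a leaf and Remove-ADComputer will refuse to delete it.
    $children = @(Get-ADObject -SearchBase $computer.DistinguishedName `
                               -SearchScope OneLevel -Filter *)

    # Emit a report line for every candidate before anything is changed.
    [pscustomobject]@{
        Name            = $computer.Name
        OperatingSystem = $computer.OperatingSystem
        PasswordLastSet = $computer.PasswordLastSet
        LastLogonDate   = $computer.LastLogonDate
        Enabled         = $computer.Enabled
        ChildObjects    = $children.Count
        ChildNames      = ($children.Name -join '; ')
    }

    if (-not $Delete) {
        # Safer first pass: disable and record why, so the account can be
        # re-enabled if something still depends on it.
        if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Disable stale computer account')) {
            Set-ADComputer -Identity $computer -Enabled $false `
                -Description "Disabled $(Get-Date -Format yyyy-MM-dd): password not reset since $($computer.PasswordLastSet)"
        }
        continue
    }

    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Delete stale computer account')) {
        if ($children.Count -gt 0) {
            # Non-leaf object: delete the subtree, child objects included.
            Remove-ADObject -Identity $computer.DistinguishedName -Recursive -Confirm:$false
        }
        else {
            Remove-ADComputer -Identity $computer -Confirm:$false
        }
    }
}
```

Run it with -WhatIf first to get the report without changing anything, then without -WhatIf to disable the accounts, and only later with -Delete. PasswordLastSet alone is a coarse signal: a machine whose password change has been disabled by policy, or a cold-spare VM, can have an old value while still being wanted, so the LastLogonDate column (replicated with roughly a 14-day granularity) is worth reading before the delete pass.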

That’s computers cleaned up. That just leaves users, groups and OUs.
