Auditing Active Directory

Ok guys, got a little challenge here...

Let's say you have a large company with maybe a couple, several hundred laptops and workstations. Given the following factors:

1) Some abroad connecting via VPN, some local in-house.
2) All on the same domain.

The IT dept. has been through several techs over the past few years, and many computers have been removed, renamed, replaced, or added. As a result, you have an Active Directory structure that potentially still lists among its numbers computer names that no longer actually exist.

So now you have to audit AD and figure out the following:

1) Which computer names are still active?
2) Which computer names belong to computers that no longer exist, and therefore should be deleted?
3) Which users are on which computers?

That's more or less the situation I'm facing. Obviously I can't eyeball-audit every computer since some are abroad across the hemisphere. Note most computers in AD have usernames attached to them in the description, so the unidentified mystery computer names add up to a handful (thankfully).

So I need to figure out first, does the computer still exist, and second, who does it belong to?

Any thoughts?

A couple years ago, a friend of mine had the same problem. He just wrote a batch file to log the computername and username and append it to a file local on the server, and added that to the login scripts for all the users and let it run for a few weeks.

I'm reading that you can basically do the same kinda thing via Group Policy...haven't played with it yet.

Of course the above mentioned script/group policy takes potentially a few weeks of time, I'm assuming, given you have to wait until everyone eventually logs onto their computer, factoring in those off on vacation, travelling, etc.

I was thinking more down the lines of a same-day solution, a way I could just pull up info on if it's been on the network lately and who logs on it frequently, but in hindsight as I research that's obviously a bit far-fetched. We've got an Altiris server that pulls some pretty good info of that nature, but I'm finding even it is incomplete in some cases.

Ah well...

How about:

http://support.microsoft.com/kb/314955

http://www.tools4ever.com/products/u...reallastlogon/

Sorry, a couple of cheap/fast possibilities.

Thanks guys.

I decided on a plan of action that the boss agreed with -- Basically checking Altiris Deployment Server to see if it detects the unaccounted for computer names. For those it does not, I'm just marking them "unknown", then going to watch for a while to see if they crop up. If not, off they go. Basically it's just the result of some poor housekeeping here and there...there have been just a few improperly named machines or ones removed without ever nixing them from AD.

Have you got an Anti-Virus Server that pushes out updates to clients?
If you see ones that have not been contactable in a while, start with those.

Ooooooh good idea, I hadn't thought of that!

or...you could just start disabling all accounts...and when they call and whine and complain you reenable as needed :)

MLF

If you're not afraid of a small .vbs script, I'd suggest going Here

This is what I did and it works quite well for me.
Downloaded LastLogon.txt (saved it locally as LastLogon.vbs)

Opened a command prompt.
Navigated to the local directory where I saved LastLogon.vbs.
Ran this: cscript //nologo LastLogon.vbs > output.txt
(cscript is a command line tool that comes with Windows & the command syntax is on the website I gave you already)

The output.txt file appeared in same directory as LastLogon.vbs. But, I noticed it shows users in the output file, not computers. So I changed the LastLogon.vbs.

I right clicked on LastLogin.vbs, selected edit.
Did a find on "objectCategory="

I changed:
strFilter = "(&(objectCategory=person)(objectClass=user))"
to:
strFilter = "(&(objectCategory=computer))"

Save and rerun via the command prompt. You only have to edit the .vbs file once. From there on in, you just have to run it and it will produce that same report. Seems to work well so far. While the dates aren't entirely accurate to the day, you can still get a very good idea of which systems are stale on your LAN.

Just figured out how to make this thing even easier. Open up notepad, paste this in (from above): cscript //nologo LastLogon.vbs > output.txt and then save it as a .bat file in the same directory. done. The whole process is now a simple click and it generates a report.

You can try using Winfo, its a pretty great tool but it doesnt always work depending on the security settings on the computer.
http://ntsecurity.nu/toolbox/winfo/