Cleaning up my AD


I decided it was time to clean some of the rubbish out of my test AD. I'll be upgrading to Windows Server 2012 R2 next month, so a bit of a clean up now is a good idea.

I decided to start with the computer objects. I've created and deleted quite a few virtual machines over the years, so there's a good chance of finding something to remove. Computers in an AD domain have a secure channel to a domain controller, which they authenticate on startup using the computer account's password. By default the computer changes that password itself every 30 days (the interval is set by the "Domain member: Maximum machine account password age" policy), so any machine that hasn't reset its password in a while is probably a good candidate for removal:

Get-ADComputer -Filter * -Properties PasswordLastSet |
select Name, PasswordLastSet |
sort PasswordLastSet

That shows me a few machines to remove. Anything that hasn’t reset its password for 12 months is fair game.

$date = (Get-Date).AddYears(-1)
Get-ADComputer -Filter {PasswordLastSet -lt $date} -Properties PasswordLastSet |
select Name, PasswordLastSet | sort PasswordLastSet

It's odd, but I couldn't get the search to work when I calculated the date inside the filter.
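The reason the date cannot be calculated inside the filter is that Get-ADComputer turns the -Filter script block into an LDAP query instead of running it as PowerShell, so only literals and simple variables are usable there. The following is an added example, not code from the original post: it builds the same stale-computer report with the cut-off computed outside the filter and adds LastLogonDate as a second signal. It assumes the ActiveDirectory module (RSAT) in a domain-joined session; the one-year cut-off is the post's own choice.

```powershell
# Added example, not from the original post: a stale-computer report.
# Assumes the ActiveDirectory module (RSAT) in a domain-joined session.
Import-Module ActiveDirectory

# Get-ADComputer translates -Filter into an LDAP query rather than evaluating it
# as PowerShell, so a method call such as (Get-Date).AddYears(-1) inside the
# braces is not evaluated and the query is rejected. Compute the cut-off first
# and reference only the variable inside the filter.
#   does NOT work:  Get-ADComputer -Filter { PasswordLastSet -lt (Get-Date).AddYears(-1) }
$cutoff = (Get-Date).AddYears(-1)

# LastLogonDate (the replicated lastLogonTimestamp, which can lag real logons by
# up to 14 days) is pulled alongside PasswordLastSet as a second staleness
# signal: a password that is old only because "Domain member: Disable machine
# account password changes" is set will still show a recent logon.
$stale = Get-ADComputer -Filter { PasswordLastSet -lt $cutoff } `
             -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
         Select-Object Name, Enabled, OperatingSystem, PasswordLastSet, LastLogonDate,
             @{ Name       = 'PasswordAgeDays'
                # pwdLastSet of 0 (account pre-created, machine never joined) comes back as $null
                Expression = { if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { 'never' } } } |
         Sort-Object PasswordLastSet

$stale | Format-Table -AutoSize
```

Accounts that show an old password but a recent LastLogonDate are live machines with password changes disabled, not candidates for deletion; those with neither are the ones the rest of the post is about.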

Now I can delete them:

PS> Get-ADComputer -Filter {PasswordLastSet -lt $date} -Properties PasswordLastSet | Remove-ADComputer -Confirm:$false

Remove-ADComputer : The directory service can perform the requested operation only on a leaf object
At line:1 char:82
+ … swordLastSet | Remove-ADComputer -Confirm:$false
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=W08SQL05,OU=…anticore,DC=org:ADComputer) [Remove-ADComputer], ADExce
    + FullyQualifiedErrorId : ActiveDirectoryServer:8213,Microsoft.ActiveDirectory.Management.Commands.RemoveADComputer

Not what I was expecting. That error message is what you get when trying to delete an OU with objects still in it, but a computer object is supposed to be a leaf object.

It turns out that a computer object can contain other objects, especially when it's a virtual machine: on a Hyper-V guest the integration services register a serviceConnectionPoint named "Windows Virtual Machine" under the computer account. The Attribute Editor in AD Users & Computers or the AD Administrative Center won't show these children; you need the full ADSIEdit (or an LDAP search scoped one level below the computer's DN). When I looked in ADSIEdit I saw there was indeed a child object:

CN=Windows Virtual Machine,CN=W08SQL05,OU=SQL Server,OU=Servers,DC=Manticore,DC=org

Both of the affected machines were Windows 2000 VMs, but later versions of Windows up to and including Windows 2012 are also affected.

So how to delete:

Option 1 – use the GUI and force deletion. Who me? Not likely.

Option 2 – use Remove-ADObject

Get-ADComputer -Filter {PasswordLastSet -lt $date } |
Remove-ADObject -Recursive -Verbose -Confirm:$false
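-Recursive removes whatever sits under the computer object without telling you what it was, and BitLocker recovery passwords escrowed to AD live there as msFVE-RecoveryInformation children, so it is worth listing the children before deleting. The following is an added example, not code from the original post: it enumerates each stale computer's children with a one-level search (no ADSIEdit needed), deletes leaf objects with Remove-ADComputer, skips any object holding BitLocker recovery information, and otherwise falls back to the recursive delete from the post. It assumes the ActiveDirectory module and the one-year cut-off computed outside the filter; -WhatIf is left on so nothing is deleted until you remove it.

```powershell
# Added example, not from the original post: inspect the children of each stale
# computer object before deleting it. Assumes the ActiveDirectory module (RSAT)
# and a domain-joined session. Remove -WhatIf to perform the deletions.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddYears(-1)          # computed outside the filter on purpose
$stale  = Get-ADComputer -Filter { PasswordLastSet -lt $cutoff } -Properties PasswordLastSet

foreach ($computer in $stale) {
    $dn = $computer.DistinguishedName

    # A one-level search based at the computer's own DN returns its children:
    # typically a serviceConnectionPoint ("Windows Virtual Machine") on Hyper-V
    # guests, or msFVE-RecoveryInformation objects for BitLocker recovery keys.
    $children = @(Get-ADObject -SearchBase $dn -SearchScope OneLevel -Filter *)

    if ($children.Count -eq 0) {
        # Genuine leaf object: the plain delete from the post works here.
        Write-Host "$($computer.Name): leaf object, deleting"
        Remove-ADComputer -Identity $dn -Confirm:$false -WhatIf
        continue
    }

    foreach ($child in $children) {
        Write-Host ("{0}: child {1} ({2})" -f $computer.Name, $child.Name, $child.ObjectClass)
    }

    # Recovery passwords deleted with the computer object cannot be recovered
    # from AD afterwards; export or confirm them before touching these objects.
    if ($children.ObjectClass -contains 'msFVE-RecoveryInformation') {
        Write-Warning "$($computer.Name) holds BitLocker recovery information; skipped. Export the keys first."
        continue
    }

    # Only integration-services SCPs or similar harmless children remain: the
    # recursive delete from the post is safe for this object.
    Write-Host "$($computer.Name): deleting with children"
    Remove-ADObject -Identity $dn -Recursive -Confirm:$false -WhatIf
}
```

Running it with -WhatIf first gives a line per object saying which branch it took, which is the record you want before a bulk delete; a disabled-and-move-to-a-holding-OU step for a few weeks is the usual compromise when you are not sure an old account is really dead.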

That’s computers cleaned up.  Just leaves users, groups & OUs

This entry was posted in PowerShell and Active Directory.

One Response to Cleaning up my AD

  1. Roelof says:

    Computer objects not only get a child object when running as a virtual machine, but also when there are BitLockered partitions on them (recovery key data). I once ran into that like you did, using scripted removal of computer objects for deployment rollback purposes.
