We had a huge number of "dead" computer accounts in AD that I just went through and disabled. How do I get these out of SCCM? I tried running System Discovery again, but they're still there.
The easiest way would be to create a Collection of computers that have System Resource.User Account Control equal to 4098. After the collection is populated right click it and select Delete Special. This will delete all of the computer objects from System Center not the collection.
Marked as answer byEddie ThraceWednesday, December 16, 2009 8:36 PM
You could modify some of the default tasks, like the "Delete Aged Discovery" tasks, to have a shorter time span before deletion. However, you have to strike a balance between deleting objects which haven't discovered lately, vs. objects which may not have been discovered lately, but are still valid (computer has been offline for a while, because the primary user is on vacation).
There are other processes or procedures you could implement to (over time) alleviate some of the dead objects issues. like not using the built-in AD System Discovery at all, and either using ESD from systemcentertools.com, or not use system discovery at all, and only rely on heartbeat to maintain a recent discovery date.Standardize. Simplify. Automate.
System discovery doens't remove objects it adds them. The built in maintenance tasks will handle this for you if you have enabled them. If they are showing as client = NO I would create a colleciton of them and use delete special to just delete them or wait for the maintenance task to do it for me.
John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
The easiest way would be to create a Collection of computers that have System Resource.User Account Control equal to 4098. After the collection is populated right click it and select Delete Special. This will delete all of the computer objects from System Center not the collection.
Marked as answer byEddie ThraceWednesday, December 16, 2009 8:36 PM
The easiest way would be to create a Collection of computers that have System Resource.User Account Control equal to 4098. After the collection is populated right click it and select Delete Special. This will delete all of the computer objects from System Center not the collection.
I actually thought about doing that, but even though I've run AD System Discovery since disabling the accounts, none of them show the new UAC #. They do show 4098 when I look at them in AD though.
I wrote an Active Directory cleanup script, which I later expanded to delete SCCM resources as well. I still haven't posted it yet, but I suppose I could do so soon. Otherwise, you could simply write a PowerShell script that retrieves the appropriate computer
names from Active Directory, and then uses the SCCM WMI Provider to remove them from the ConfigMgr database.
The easiest way would be to create a Collection of computers that have System Resource.User Account Control equal to 4098. After the collection is populated right click it and select Delete Special. This will delete all of the computer
objects from System Center not the collection.
I actually thought about doing that, but even though I've run AD System Discovery since disabling the accounts, none of them show the new UAC #. They do show 4098 when I look at them in AD though.
I see the same issue. Are User Account Control changes not picked up by the System Discovery?
