How to clean up Active Directory: Step 2 – delete Distributed Link Tracking objects

Continued from How to clean up Active Directory: Step 1 – old computer objects

I found tens of thousands of unused records in AD left over from the Windows 2000/2003 days. In fact, almost 80% of my AD Database consisted of records that served no purpose.

If your AD domain has been around since the Windows 2000 days, you need to check this.

Windows 2000 used to store records in AD about file locations on NTFS volumes (Distributed Link Tracking). In my domain that meant tens of thousands of records. In a child domain we found hundreds of thousands of records. This feature has been disabled since Windows Server 2008, so if your domain runs on Windows Server 2008 or higher, these records are trash.

Finding FileLink objects

Path to FileLink

Open AD Users and Computers (with View –> Advanced Features turned on, otherwise the System container is hidden) –> Expand your domain –> System –> FileLinks

This is a good time to make a backup of your AD database and to verify that you know how to restore it.

Look in the ObjectMoveTable and VolumeTable folders. If you see any records there, you can delete them.

Deleting FileLink records

You can delete any object under the ObjectMoveTable and VolumeTable folders. I did not delete the folders.

Microsoft has a script which is supposed to delete them but I was never able to get it to work. I ended up deleting the items one page at a time using AD Users & Computers. This took a little time but ended up being faster than fixing the script.

If you are a script guru it might be worth your time to write something but since this is a “Do One Time” task, I didn’t see the value. I just drank some coffee, clicked select all, delete, sip, repeat.
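For anyone who would rather script it than click through pages in ADUC, here is an added PowerShell example (not from the original post, and not Microsoft's script) that counts the entries in both tables and runs the deletion with -WhatIf, so nothing is removed until that switch is dropped. It assumes the ActiveDirectory module and an account allowed to delete objects under CN=System.

```powershell
# Added example, not from the original post: list and (optionally) delete
# Distributed Link Tracking entries under CN=FileLinks,CN=System.
# Assumes the ActiveDirectory PowerShell module and an account allowed to
# delete objects in the System container.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$fileLinks = "CN=FileLinks,CN=System,$domainDN"

# Only the two tables the post describes; the containers themselves are kept.
# The values are the schema classes DLT used for the entries in each table.
$tables = @{
    "CN=ObjectMoveTable,$fileLinks" = "linkTrackOMTEntry"
    "CN=VolumeTable,$fileLinks"     = "linkTrackVolEntry"
}

foreach ($table in $tables.Keys) {
    $class = $tables[$table]
    # OneLevel keeps the search inside the table; the class filter makes sure
    # anything unexpected that was placed here is not swept up in the delete.
    $entries = @(Get-ADObject -SearchBase $table -SearchScope OneLevel `
                   -LDAPFilter "(objectClass=$class)" -ResultSetSize $null)
    Write-Host ("{0}: {1} {2} entries" -f $table, $entries.Count, $class)

    # Dry run first. Remove -WhatIf once the counts match what ADUC shows.
    $entries | Remove-ADObject -Confirm:$false -WhatIf
}
```

Run it once with -WhatIf to compare the counts against what you see in ADUC, then run it again without the switch; on a table with hundreds of thousands of entries expect the delete to take a while.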

How to clean up Active Directory: Step 1 – Old Computer Objects

Keeping Active Directory clean and organized is important. It doesn’t take long for hundreds of unused objects or accounts to accumulate which leads to security problems and management nightmares. Auditors seem to have a special hatred for stale objects in Active Directory so keeping everything neat and tidy is a necessity.

Computer Accounts

When you join a computer to the domain, a computer account is created in AD. When you retire the computer it is best to remove it from AD. Many times IT departments forget to do this. Over time AD can easily contain hundreds of unused computer objects.

Getting rid of unused computer objects

Computer objects are easy to clean up. Every Windows computer has a domain account and password. Nobody ever sees the password but the computer knows it. Windows computers change their password every 30 days.

Unused computer accounts are those whose passwords have not changed in more than 30 days.

If you want to know more about computer accounts and passwords read Microsoft’s Machine Account Password Process blog post.

Using a PowerShell script we can easily find unused computer accounts.

$lastSetdate = [DateTime]::Now - [TimeSpan]::Parse("200")

Get-ADComputer -Filter {PasswordLastSet -le $lastSetdate} -Properties passwordLastSet -ResultSetSize $null | FL

This script finds any computer that has not changed its password in the last 200 days. That means the password should have been reset 170 days ago. Change the 200 to whatever value you think is appropriate, but I can’t think of a reason to use a value less than 60.

Computer Object

Notice the PasswordLastSet field. This computer has not been used in over six months.

Remember that some computers don’t get used very often. Perhaps there is a computer in the conference room, a test server that is off most of the time, or some other rarely used computer. Those devices could easily go a long time without being used and thus have very old passwords. You probably don’t want to delete those.

What happens if you delete a computer account and need it?

If you delete a computer account and then find the computer in a store room, you will have to rejoin it to the domain. That is a simple process as long as you know the local administrator’s password.

Deleting computer accounts … the slow way.

Before you delete computer accounts you should verify that everything the script finds is unused. It might be best to simply open Active Directory Users and Computers, find the offending accounts, and delete them one at a time as you validate they are no longer in use. This is the cautious approach.

Deleting computer accounts … the fast way.

Once you are positive the script is returning computer accounts that you no longer need, you can modify the script to automatically delete them.

Be careful! Being careless could bring your network down. Verify the script is only returning items you want to delete. If in doubt STOP HERE.

$lastSetdate = [DateTime]::Now - [TimeSpan]::Parse("200")

Get-ADComputer -Filter {PasswordLastSet -le $lastSetdate} -Properties passwordLastSet -ResultSetSize $null | Remove-ADComputer

If you still have the same PowerShell window open you do not need to execute the first line again.

Notice the second line now ends with “Remove-ADComputer.” Hit enter and a few seconds later, all your old unused computer accounts are gone.
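Between the slow way and the fast way there is a middle road. The following is an added PowerShell example (not from the original post) that uses the same 200-day threshold, adds LastLogonDate as a second signal, skips an exception group for the rarely used machines mentioned above, writes the list to a CSV for review, and disables accounts before a later delete so a computer found in a store room can simply be re-enabled. The group name "Rarely-Used-Computers" and the CSV path are placeholders.

```powershell
# Added example, not from the original post: report stale computer accounts,
# skip an exception list for rarely used machines (the conference-room PC,
# the test server that is usually off), and disable rather than delete so an
# account can be re-enabled if the computer turns up later.
# Assumes the ActiveDirectory module; the group name is a placeholder.
Import-Module ActiveDirectory

$staleDays   = 200                              # same threshold the post uses
$lastSetDate = [DateTime]::Now.AddDays(-$staleDays)
$exceptions  = (Get-ADGroupMember "Rarely-Used-Computers" -ErrorAction SilentlyContinue).DistinguishedName

$stale = Get-ADComputer -Filter { PasswordLastSet -le $lastSetDate -and Enabled -eq $true } `
             -Properties PasswordLastSet, LastLogonDate, OperatingSystem, Description `
             -ResultSetSize $null |
         Where-Object { $exceptions -notcontains $_.DistinguishedName }

# Write the list out for review before touching anything. LastLogonDate is
# replicated only every 9-14 days, so treat it as a rough second opinion.
$stale | Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate, Description, DistinguishedName |
    Export-Csv -Path ".\stale-computers.csv" -NoTypeInformation
Write-Host ("{0} stale computer accounts written to stale-computers.csv" -f @($stale).Count)

# Pass 1: disable and stamp the description instead of deleting. -WhatIf shows
# what would change; drop it once the CSV has been reviewed.
$stamp = "Disabled {0:yyyy-MM-dd} stale password" -f (Get-Date)
$stale | Set-ADComputer -Enabled $false -Description $stamp -WhatIf

# Pass 2 (weeks later): delete only accounts this process disabled and nobody
# has re-enabled since, matched on the description stamp written above.
Get-ADComputer -Filter { Enabled -eq $false -and Description -like "Disabled * stale password" } `
    -Properties Description -ResultSetSize $null |
    Remove-ADComputer -Confirm:$false -WhatIf
```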

Cleaning up AD Computer Objects is simple and should be done regularly. Hopefully this makes the process simple for you.

Next: Clean up AD: Step 2!

Is Active Directory still relevant?

Windows 2000 started Microsoft’s Golden Age. With Active Directory and Group Policy you could control the settings on every PC and server on your network from a single screen. If you needed to tell every computer where to download Windows Updates, you checked a box. If you needed to turn off a Windows feature, you checked a box. As long as every PC in your domain was a Windows PC, management was a breeze.

BYOD forced diversity into the network

Fast forward to 2007. Two things changed IT forever:

  1. Microsoft introduced Windows Vista
  2. Apple introduced the iPhone

Within a few years, IT departments lost control of device selection and PC sales started declining for the first time ever.

When a CEO walks into the IT department with an iOS or Android device and says “Make it work,” you make it work. The vast majority of tablets sold today run iOS or Android which fall outside the control of Active Directory. It is reasonable to assume device diversity will continue to expand when you consider that Chromebooks now account for 20% of “PCs” sold to educational institutions and Android Laptops have been announced.

You still have to control mobile devices

If you connect a mobile device to your corporate network, regardless of what it is, you should have some control over it. For example, most phones can send and receive corporate email. Email is protected by a password on PCs but not necessarily on a phone. Companies should enforce a password policy on any device that can send or receive company email.

This requires Mobile Device Management (MDM) software. Even if the MDM solution integrates into Active Directory, this is another layer of complexity for the IT department to manage. It is one more thing to fix and configure, and one more thing that requires policies, oversight, auditing, disaster recovery, etc.

Can MDM replace Active Directory?

Some MDM systems work on Windows laptops as well as phones and tablets. If it can be installed on a laptop, it can be installed on a desktop. What if we pushed policies to computers using MDM instead of Active Directory (AD)?

To be honest, I don’t think MDM technology is able to replace AD yet, but it may not be long before it can. This has caused me to be very cautious about selecting products that require AD.

It is hard to imagine a world without some form of centralized user account database like AD but with cloud services the use of AD may become problematic.

The effect of the cloud on AD

Assuming you can handle the complexity of migration, you can integrate your existing AD infrastructure into Office 365. You can also sync AD with Google Apps via Directory Sync. Most other cloud applications have their own user account database which does not sync with AD.

This creates another problem. As we choose cloud applications we have to decide whether we want Single Sign On (SSO) via AD integration or to force end users to have multiple user accounts and passwords. Users will have a hard time remembering all their accounts and IT will have to go to multiple sites to manage accounts. Neither solution is ideal.

Microsoft is building an MDM solution

Microsoft is building an MDM solution that is integrated into Active Directory and will manage iOS and Android devices. In many ways that sounds like the perfect solution, and it may be. Microsoft frustrated me in the early days of the cloud by creating products that only worked on Windows or Internet Explorer. I understand they were trying to protect Windows and Office, but it put them years behind in cloud and mobile development.

Microsoft’s early lack of vision in the cloud and mobile market makes me cautious about using their products on non-Microsoft devices. I can envision a world where their MDM solution is great on Windows Phone but lacks features for Android and iOS. I am worried about being tied to a vendor that could easily use one product to try to force me to use another. Conversely, management of the network would be much less cumbersome if I could use one console for MDM and user management.

One system to manage them all

At this time, I don’t see any alternative to using MDM to manage mobile devices and AD to manage users.

If Microsoft makes it easy and cost effective to manage mobile devices and users with AD they may be the best user management platform moving forward.

On the other hand, if their management tools and interfaces continue to be Windows-centric, their relevance is going to continue to decline to the point where third party management solutions will be a better choice.

It is hard for me to imagine a world without Active Directory, but if Microsoft doesn’t adapt all of its products to work well with other products, I can see a time in the next 5-10 years where Active Directory will be considered legacy technology.