| Author | Messages | |
gabriel/tfi
Posts:427
 | | 02/21/2009 6:58 AM |
| I would like to disable inactive users and computers by simply using the native dstools via tasksch.exe:
Example:
dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
dsquery computer -inactive 60 -limit 10000 | dsmod computer -disabled yes
but I recall I read in this list dstools were not recommended for some reasons.... tried to search in the list archive but did not find anything relevant.
Can someone tell me why it's better not to use dsquery/dsmod?
Thanks - Gabriele.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| laurahcomputing
Posts:148
| | 02/21/2009 6:58 AM |
| 'Cos oldcmp.exe is way cooler? :-)
On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net> wrote:
> I would like to disable inactive users and computers by simply using the native dstools via tasksch.exe:
> Example:
> dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> dsquery computer -inactive 60 -limit 10000 | dsmod computer -disabled yes
>
> but I recall I read in this list dstools were not recommended for some reasons.... tried to search in the list archive but did not find anything relevant.
>
> Can someone tell me why it's better not to use dsquery/dsmod?
>
> Thanks - Gabriele.
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
--
-----------------------
Laura E. Hunter
Architect, Oxford Computer Group (http://www.oxfordcomputergroup.com)
Microsoft MVP, Directory Services
(https://mvp.support.microsoft.com/profile/laura)
Author, Active Directory Consultant's Field Guide (http://tinyurl.com/7f8ll)
Author, Active Directory Cookbook, Third Edition (http://tinyurl.com/7kp3ct)
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| bsonposh
Posts:409
| | 02/21/2009 6:58 AM |
| And powershell is even cooler than that.
On 2/16/09, Laura E. Hunter <laurahcomputing@gmail.com> wrote:
> 'Cos oldcmp.exe is way cooler? :-)
>
> On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net> wrote:
>> I would like to disable inactive users and computers by simply using the
>> native dstools via tasksch.exe:
>> Example:
>> dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
>> dsquery computer -inactive 60 -limit 10000 | dsmod computer -disabled yes
>>
>> but I recall I read in this list dstools were not recommended for some
>> reasons.... tried to search in the list archive but did not find anything
>> relevant.
>>
>> Can someone tell me why it's better not to use dsquery/dsmod?
>>
>> Thanks - Gabriele.
>>
>> List info : http://www.activedir.org/List.aspx
>> List FAQ : http://www.activedir.org/ListFAQ.aspx
>> List archive: http://www.activedir.org/ma/default.aspx
>>
>
>
>
> --
> -----------------------
> Laura E. Hunter
> Architect, Oxford Computer Group (http://www.oxfordcomputergroup.com)
> Microsoft MVP, Directory Services
> (https://mvp.support.microsoft.com/profile/laura)
> Author, Active Directory Consultant's Field Guide (http://tinyurl.com/7f8ll)
> Author, Active Directory Cookbook, Third Edition (http://tinyurl.com/7kp3ct)
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
--
Sent from my mobile device
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| listmail
Posts:824
| | 02/21/2009 6:58 AM |
| Keep telling yourself that Brandon..... 
--
O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brandon Shell
Sent: Monday, February 16, 2009 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] dstools to disable inactive users/computers
And powershell is even cooler than that.
On 2/16/09, Laura E. Hunter <laurahcomputing@gmail.com> wrote:
> 'Cos oldcmp.exe is way cooler? :-)
>
> On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net> wrote:
>> I would like to disable inactive users and computers by simply using
>> the native dstools via tasksch.exe:
>> Example:
>> dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
>> dsquery computer -inactive 60 -limit 10000 | dsmod computer -disabled
>> yes
>>
>> but I recall I read in this list dstools were not recommended for
>> some reasons.... tried to search in the list archive but did not find
>> anything relevant.
>>
>> Can someone tell me why it's better not to use dsquery/dsmod?
>>
>> Thanks - Gabriele.
>>
>> List info : http://www.activedir.org/List.aspx
>> List FAQ : http://www.activedir.org/ListFAQ.aspx
>> List archive: http://www.activedir.org/ma/default.aspx
>>
>
>
>
> --
> -----------------------
> Laura E. Hunter
> Architect, Oxford Computer Group (http://www.oxfordcomputergroup.com)
> Microsoft MVP, Directory Services
> (https://mvp.support.microsoft.com/profile/laura)
> Author, Active Directory Consultant's Field Guide
> (http://tinyurl.com/7f8ll) Author, Active Directory Cookbook, Third
Edition (http://tinyurl.com/7kp3ct)
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
--
Sent from my mobile device
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| gabriel/tfi
Posts:427
| | 04/03/2009 6:11 AM |
| What attribute "dsquery user/computer -inactive" will query?
Hopefully it's the replicated lastLogonTimeStamp... isn't it? :-o
Thanks - Gabriele.
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> > Sent: lunedì 16 febbraio 2009 16.22
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] dstools to disable inactive users/computers
> >
> > 'Cos oldcmp.exe is way cooler? :-)
> >
> > On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net>
> > wrote:
> > > I would like to disable inactive users and computers by simply
> using
> > the native dstools via tasksch.exe:
> > > Example:
> > > dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> > > dsquery computer -inactive 60 -limit 10000 | dsmod computer -
> disabled
> > yes
> > >
> > > but I recall I read in this list dstools were not recommended for
> > some reasons.... tried to search in the list archive but did not find
> > anything relevant.
> > >
> > > Can someone tell me why it's better not to use dsquery/dsmod?
> > >
> > > Thanks - Gabriele.
> > >
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
> > >
> >
> >
> >
> > --
> > -----------------------
> > Laura E. Hunter
> > Architect, Oxford Computer Group (http://www.oxfordcomputergroup.com)
> > Microsoft MVP, Directory Services
> > (https://mvp.support.microsoft.com/profile/laura)
> > Author, Active Directory Consultant's Field Guide
> > (http://tinyurl.com/7f8ll)
> > Author, Active Directory Cookbook, Third Edition
> > (http://tinyurl.com/7kp3ct)
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| scharique
Posts:0
| | 04/03/2009 9:30 AM |
| I would PowerShell all together,to query and disable both inactive users and
computer, for instance the query shown belowlooks up users who have not
logged since past 60 days and disables them, yes it relies on the
lastlogontimestamp which gets updated every 9-14 days, remember that its
replicated all the time but just not updated all the time.
$old = (Get-Date).AddDays(-30).ToFileTime()
Get-QADUser -searchroot "ou=na,dc=mydomain,dc=int"-ldap
"(lastlogontimestamp=*)(lastlogontimestamp>=$old)" | disable-qaduser
On Fri, Apr 3, 2009 at 5:01 AM, Gabriele Scolaro <gabro@gabro.net> wrote:
> What attribute "dsquery user/computer -inactive" will query?
> Hopefully it's the replicated lastLogonTimeStamp... isn't it? :-o
>
> Thanks - Gabriele.
>
> > > -----Original Message-----
> > > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > > owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> > > Sent: lunedì 16 febbraio 2009 16.22
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] dstools to disable inactive users/computers
> > >
> > > 'Cos oldcmp.exe is way cooler? :-)
> > >
> > > On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net>
> > > wrote:
> > > > I would like to disable inactive users and computers by simply
> > using
> > > the native dstools via tasksch.exe:
> > > > Example:
> > > > dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> > > > dsquery computer -inactive 60 -limit 10000 | dsmod computer -
> > disabled
> > > yes
> > > >
> > > > but I recall I read in this list dstools were not recommended for
> > > some reasons.... tried to search in the list archive but did not find
> > > anything relevant.
> > > >
> > > > Can someone tell me why it's better not to use dsquery/dsmod?
> > > >
> > > > Thanks - Gabriele.
> > > >
> > > > List info : http://www.activedir.org/List.aspx
> > > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > > List archive: http://www.activedir.org/ma/default.aspx
> > > >
> > >
> > >
> > >
> > > --
> > > -----------------------
> > > Laura E. Hunter
> > > Architect, Oxford Computer Group (http://www.oxfordcomputergroup.com)
> > > Microsoft MVP, Directory Services
> > > (https://mvp.support.microsoft.com/profile/laura)
> > > Author, Active Directory Consultant's Field Guide
> > > (http://tinyurl.com/7f8ll)
> > > Author, Active Directory Cookbook, Third Edition
> > > (http://tinyurl.com/7kp3ct)
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
| | | |
| listmail
Posts:824
| | 04/03/2009 10:46 AM |
| Yes. However you may want to look at oldcmp... 4 out of 5 admins who clean
up computers prefer oldcmp.
http://www.joeware.net/freetools/tools/oldcmp/index.htm
joe
--
O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Friday, April 03, 2009 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dstools to disable inactive users/computers
What attribute "dsquery user/computer -inactive" will query?
Hopefully it's the replicated lastLogonTimeStamp... isn't it? :-o
Thanks - Gabriele.
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> > Sent: lunedì 16 febbraio 2009 16.22
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] dstools to disable inactive users/computers
> >
> > 'Cos oldcmp.exe is way cooler? :-)
> >
> > On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net>
> > wrote:
> > > I would like to disable inactive users and computers by simply
> using
> > the native dstools via tasksch.exe:
> > > Example:
> > > dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> > > dsquery computer -inactive 60 -limit 10000 | dsmod computer -
> disabled
> > yes
> > >
> > > but I recall I read in this list dstools were not recommended for
> > some reasons.... tried to search in the list archive but did not
> > find anything relevant.
> > >
> > > Can someone tell me why it's better not to use dsquery/dsmod?
> > >
> > > Thanks - Gabriele.
> > >
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
> > >
> >
> >
> >
> > --
> > -----------------------
> > Laura E. Hunter
> > Architect, Oxford Computer Group
> > (http://www.oxfordcomputergroup.com)
> > Microsoft MVP, Directory Services
> > (https://mvp.support.microsoft.com/profile/laura)
> > Author, Active Directory Consultant's Field Guide
> > (http://tinyurl.com/7f8ll)
> > Author, Active Directory Cookbook, Third Edition
> > (http://tinyurl.com/7kp3ct)
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| scharique
Posts:0
| | 04/03/2009 11:37 AM |
| Joe, your tool was the bomb back in the days...but I would use PoSH now 
Here is the meat for deleting inactive computer accounts.
# set the date to be used as a limit - in this example: 90 days earlier than
the current date
$old = (Get-Date).AddDays(-90)
# get the list of computers with the date earlier than this date
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old }
A few variations to this depending on how you want to use the data:
# get a csv report
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old } | select-object Name, ParentContainer, Description,
pwdLastSet | export-csv c:\temp\outdated.csv
# move such computers to another OU
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old } | Move-QADObject -to test.lab/obsolete
# remove the computer records from AD (caution: this actually deletes the
records, run the command with -whatif switch before running without it)
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old } | Remove-QADObject -to test.lab/obsolete
On Fri, Apr 3, 2009 at 9:39 AM, joe <listmail@joeware.net> wrote:
> Yes. However you may want to look at oldcmp... 4 out of 5 admins who clean
> up computers prefer oldcmp.
>
> http://www.joeware.net/freetools/tools/oldcmp/index.htm
>
>
> joe
>
> --
> O'Reilly Active Directory Fourth Edition -
> http://www.joeware.net/win/ad4e.htm
>
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> Sent: Friday, April 03, 2009 6:02 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] dstools to disable inactive users/computers
>
> What attribute "dsquery user/computer -inactive" will query?
> Hopefully it's the replicated lastLogonTimeStamp... isn't it? :-o
>
> Thanks - Gabriele.
>
> > > -----Original Message-----
> > > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > > owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> > > Sent: lunedì 16 febbraio 2009 16.22
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] dstools to disable inactive users/computers
> > >
> > > 'Cos oldcmp.exe is way cooler? :-)
> > >
> > > On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net>
> > > wrote:
> > > > I would like to disable inactive users and computers by simply
> > using
> > > the native dstools via tasksch.exe:
> > > > Example:
> > > > dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> > > > dsquery computer -inactive 60 -limit 10000 | dsmod computer -
> > disabled
> > > yes
> > > >
> > > > but I recall I read in this list dstools were not recommended for
> > > some reasons.... tried to search in the list archive but did not
> > > find anything relevant.
> > > >
> > > > Can someone tell me why it's better not to use dsquery/dsmod?
> > > >
> > > > Thanks - Gabriele.
> > > >
> > > > List info : http://www.activedir.org/List.aspx
> > > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > > List archive: http://www.activedir.org/ma/default.aspx
> > > >
> > >
> > >
> > >
> > > --
> > > -----------------------
> > > Laura E. Hunter
> > > Architect, Oxford Computer Group
> > > (http://www.oxfordcomputergroup.com)
> > > Microsoft MVP, Directory Services
> > > (https://mvp.support.microsoft.com/profile/laura)
> > > Author, Active Directory Consultant's Field Guide
> > > (http://tinyurl.com/7f8ll)
> > > Author, Active Directory Cookbook, Third Edition
> > > (http://tinyurl.com/7kp3ct)
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
| | | |
| gabriel/tfi
Posts:427
| | 04/03/2009 12:29 PM |
| My GOD.... someone dared to tell joe that one of his tools is obsolete,
dead meat, while PoSH is THE CHANGE, THE INNOVATION!!!
OK, I prepare myself, get a bag of pop-corn and wait anxiously to watch the
reply
J
Gabriele
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Scha rique
Sent: venerdì 3 aprile 2009 17.25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] dstools to disable inactive users/computers
Joe, your tool was the bomb back in the days...but I would use PoSH now
Here is the meat for deleting inactive computer accounts.
# set the date to be used as a limit - in this example: 90 days earlier than
the current date
$old = (Get-Date).AddDays(-90)
# get the list of computers with the date earlier than this date
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old }
A few variations to this depending on how you want to use the data:
# get a csv report
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old } | select-object Name, ParentContainer, Description,
pwdLastSet | export-csv c:\temp\outdated.csv
# move such computers to another OU
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old } | Move-QADObject -to test.lab/obsolete
# remove the computer records from AD (caution: this actually deletes the
records, run the command with -whatif switch before running without it)
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old } | Remove-QADObject -to test.lab/obsolete
On Fri, Apr 3, 2009 at 9:39 AM, joe <listmail@joeware.net> wrote:
Yes. However you may want to look at oldcmp... 4 out of 5 admins who clean
up computers prefer oldcmp.
http://www.joeware.net/freetools/tools/oldcmp/index.htm
joe
--
O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Friday, April 03, 2009 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dstools to disable inactive users/computers
What attribute "dsquery user/computer -inactive" will query?
Hopefully it's the replicated lastLogonTimeStamp... isn't it? :-o
Thanks - Gabriele.
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> > Sent: lunedì 16 febbraio 2009 16.22
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] dstools to disable inactive users/computers
> >
> > 'Cos oldcmp.exe is way cooler? :-)
> >
> > On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net>
> > wrote:
> > > I would like to disable inactive users and computers by simply
> using
> > the native dstools via tasksch.exe:
> > > Example:
> > > dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> > > dsquery computer -inactive 60 -limit 10000 | dsmod computer -
> disabled
> > yes
> > >
> > > but I recall I read in this list dstools were not recommended for
> > some reasons.... tried to search in the list archive but did not
> > find anything relevant.
> > >
> > > Can someone tell me why it's better not to use dsquery/dsmod?
> > >
> > > Thanks - Gabriele.
> > >
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
> > >
> >
> >
> >
> > --
> > -----------------------
> > Laura E. Hunter
> > Architect, Oxford Computer Group
> > (http://www.oxfordcomputergroup.com)
> > Microsoft MVP, Directory Services
> > (https://mvp.support.microsoft.com/profile/laura)
> > Author, Active Directory Consultant's Field Guide
> > (http://tinyurl.com/7f8ll)
> > Author, Active Directory Cookbook, Third Edition
> > (http://tinyurl.com/7kp3ct)
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| gabriel/tfi
Posts:427
| | 04/03/2009 6:07 PM |
| That means your code can disable 80% ADs in the world.... :-)
Just kiddin' - I love your tools and I use them often.
Keep up with the great job! Gabriele.
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of joe
> Sent: venerdì 3 aprile 2009 16.39
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] dstools to disable inactive users/computers
>
> Yes. However you may want to look at oldcmp... 4 out of 5 admins who
> clean
> up computers prefer oldcmp.
>
> http://www.joeware.net/freetools/tools/oldcmp/index.htm
>
>
> joe
>
> --
> O'Reilly Active Directory Fourth Edition -
> http://www.joeware.net/win/ad4e.htm
>
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele
> Scolaro
> Sent: Friday, April 03, 2009 6:02 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] dstools to disable inactive users/computers
>
> What attribute "dsquery user/computer -inactive" will query?
> Hopefully it's the replicated lastLogonTimeStamp... isn't it? :-o
>
> Thanks - Gabriele.
>
> > > -----Original Message-----
> > > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > > owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> > > Sent: lunedì 16 febbraio 2009 16.22
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] dstools to disable inactive
> users/computers
> > >
> > > 'Cos oldcmp.exe is way cooler? :-)
> > >
> > > On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net>
> > > wrote:
> > > > I would like to disable inactive users and computers by simply
> > using
> > > the native dstools via tasksch.exe:
> > > > Example:
> > > > dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> > > > dsquery computer -inactive 60 -limit 10000 | dsmod computer -
> > disabled
> > > yes
> > > >
> > > > but I recall I read in this list dstools were not recommended for
> > > some reasons.... tried to search in the list archive but did not
> > > find anything relevant.
> > > >
> > > > Can someone tell me why it's better not to use dsquery/dsmod?
> > > >
> > > > Thanks - Gabriele.
> > > >
> > > > List info : http://www.activedir.org/List.aspx
> > > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > > List archive: http://www.activedir.org/ma/default.aspx
> > > >
> > >
> > >
> > >
> > > --
> > > -----------------------
> > > Laura E. Hunter
> > > Architect, Oxford Computer Group
> > > (http://www.oxfordcomputergroup.com)
> > > Microsoft MVP, Directory Services
> > > (https://mvp.support.microsoft.com/profile/laura)
> > > Author, Active Directory Consultant's Field Guide
> > > (http://tinyurl.com/7f8ll)
> > > Author, Active Directory Cookbook, Third Edition
> > > (http://tinyurl.com/7kp3ct)
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| bsonposh
Posts:409
| | 04/03/2009 6:11 PM |
| blah... dont blow smoke up is [beep]
His tools are old school... You need to hop on the ADWS bandwagon! It's
strategic!
Thanks,
Bwandon
On Fri, Apr 3, 2009 at 6:00 PM, Gabriele Scolaro <gabro@gabro.net> wrote:
> That means your code can disable 80% ADs in the world.... :-)
> Just kiddin' - I love your tools and I use them often.
>
> Keep up with the great job! Gabriele.
>
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of joe
> > Sent: venerdì 3 aprile 2009 16.39
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] dstools to disable inactive users/computers
> >
> > Yes. However you may want to look at oldcmp... 4 out of 5 admins who
> > clean
> > up computers prefer oldcmp.
> >
> > http://www.joeware.net/freetools/tools/oldcmp/index.htm
> >
> >
> > joe
> >
> > --
> > O'Reilly Active Directory Fourth Edition -
> > http://www.joeware.net/win/ad4e.htm
> >
> >
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele
> > Scolaro
> > Sent: Friday, April 03, 2009 6:02 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] dstools to disable inactive users/computers
> >
> > What attribute "dsquery user/computer -inactive" will query?
> > Hopefully it's the replicated lastLogonTimeStamp... isn't it? :-o
> >
> > Thanks - Gabriele.
> >
> > > > -----Original Message-----
> > > > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > > > owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> > > > Sent: lunedì 16 febbraio 2009 16.22
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: Re: [ActiveDir] dstools to disable inactive
> > users/computers
> > > >
> > > > 'Cos oldcmp.exe is way cooler? :-)
> > > >
> > > > On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net>
> > > > wrote:
> > > > > I would like to disable inactive users and computers by simply
> > > using
> > > > the native dstools via tasksch.exe:
> > > > > Example:
> > > > > dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> > > > > dsquery computer -inactive 60 -limit 10000 | dsmod computer -
> > > disabled
> > > > yes
> > > > >
> > > > > but I recall I read in this list dstools were not recommended for
> > > > some reasons.... tried to search in the list archive but did not
> > > > find anything relevant.
> > > > >
> > > > > Can someone tell me why it's better not to use dsquery/dsmod?
> > > > >
> > > > > Thanks - Gabriele.
> > > > >
> > > > > List info : http://www.activedir.org/List.aspx
> > > > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > > > List archive: http://www.activedir.org/ma/default.aspx
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > -----------------------
> > > > Laura E. Hunter
> > > > Architect, Oxford Computer Group
> > > > (http://www.oxfordcomputergroup.com)
> > > > Microsoft MVP, Directory Services
> > > > (https://mvp.support.microsoft.com/profile/laura)
> > > > Author, Active Directory Consultant's Field Guide
> > > > (http://tinyurl.com/7f8ll)
> > > > Author, Active Directory Cookbook, Third Edition
> > > > (http://tinyurl.com/7kp3ct)
> > > > List info : http://www.activedir.org/List.aspx
> > > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > > List archive: http://www.activedir.org/ma/default.aspx
> >
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
> >
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
| | | |
| listmail
Posts:824
| | 04/05/2009 3:08 PM |
| All I heard was "I would rather use XYZ scripting language or CLI
tools....". It has always been a viable option to use script or CLI tools.
Power Shell is just another CLI option. When my downloads drop to zero then
I know my stuff is obsolete and dead meat. Until then I am paying for a
considerable amount of bandwidth so people have tools that work for them in
the ways that they expect they should work in a fast and efficient manner.
Or as I said in the previous post... Oh there is admin #5.
I think PowerShell will be more popular than say VBScript, but I am far from
willing to bet any money on every or even a majority of admins out there
using it in a daily way other than through GUIs that thunk down to it. We
would have to see a massive shift in the Windows admin demographic I think
for that. I recall going back like 4 or maybe 5 years ago I was shooting
billards at Jillian's with another DS MVP named Jimmy.... or Yimmy to his
friends... His thoughts were he was going to spin up a whole school worth of
classes on PowerShell right away and I was like dude, don't waste your money
now or even in the near future. He might be able to pull it off now but I
still don't think so. It is still niche and will be for a while IMO.
The original purpose that I recall was a great one, replace the long in the
tooth shell with something simpler and more powerful. I think it scope
creeped from there and at the point that some level of knowledge of object
models started getting involved (i.e. class.subclass.subclass.method) it
started closing off a some number of folks just like it did with WMI. If
people wanted to do this stuff in script before, they had the tools, they
just had to take the time to learn just like they have to do with PoS. Does
PoS make it easier? Sure but no easier than it could have been made by
anyone else who made a concerted serious effort to build a good complete
command line experience in any other way or any other language.
What PoS truly gives, IMO, is some new ways at looking at pipelining such as
the on the run live pipelining which I am working out how I handle better in
the current shell and object pipelining which has always been available if
people were willing to serialize the data. I am not saying that is anything
small, it is awesome and in all reality always belonged in the Shell
implementation. But we didn't all of the .NET stuff with the accompanying
fluff to accomplish it. Just someone willing to try and update the shell
MSFT has used for decades. Some of us have been doing Command line pretty
heavily and very effectively for a very very long time. Nice to see others
joining in the fray.
To put it yet another way, I think PowerShell is a good little bit of
evolution, but it is not anywhere near a revolution.
joe
--
O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm
_____
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Friday, April 03, 2009 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dstools to disable inactive users/computers
My GOD.... someone dared to tell joe that one of his tools is obsolete,
dead meat, while PoSH is THE CHANGE, THE INNOVATION!!!
OK, I prepare myself, get a bag of pop-corn and wait anxiously to watch the
reply
J
Gabriele
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Scha rique
Sent: venerdì 3 aprile 2009 17.25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] dstools to disable inactive users/computers
Joe, your tool was the bomb back in the days...but I would use PoSH now
Here is the meat for deleting inactive computer accounts.
# set the date to be used as a limit - in this example: 90 days earlier than
the current date
$old = (Get-Date).AddDays(-90)
# get the list of computers with the date earlier than this date
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old }
A few variations to this depending on how you want to use the data:
# get a csv report
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old } | select-object Name, ParentContainer, Description,
pwdLastSet | export-csv c:\temp\outdated.csv
# move such computers to another OU
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old } | Move-QADObject -to test.lab/obsolete
# remove the computer records from AD (caution: this actually deletes the
records, run the command with -whatif switch before running without it)
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old } | Remove-QADObject -to test.lab/obsolete
On Fri, Apr 3, 2009 at 9:39 AM, joe <listmail@joeware.net> wrote:
Yes. However you may want to look at oldcmp... 4 out of 5 admins who clean
up computers prefer oldcmp.
http://www.joeware.net/freetools/tools/oldcmp/index.htm
joe
--
O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Friday, April 03, 2009 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dstools to disable inactive users/computers
What attribute "dsquery user/computer -inactive" will query?
Hopefully it's the replicated lastLogonTimeStamp... isn't it? :-o
Thanks - Gabriele.
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> > Sent: lunedì 16 febbraio 2009 16.22
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] dstools to disable inactive users/computers
> >
> > 'Cos oldcmp.exe is way cooler? :-)
> >
> > On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net>
> > wrote:
> > > I would like to disable inactive users and computers by simply
> using
> > the native dstools via tasksch.exe:
> > > Example:
> > > dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> > > dsquery computer -inactive 60 -limit 10000 | dsmod computer -
> disabled
> > yes
> > >
> > > but I recall I read in this list dstools were not recommended for
> > some reasons.... tried to search in the list archive but did not
> > find anything relevant.
> > >
> > > Can someone tell me why it's better not to use dsquery/dsmod?
> > >
> > > Thanks - Gabriele.
> > >
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
> > >
> >
> >
> >
> > --
> > -----------------------
> > Laura E. Hunter
> > Architect, Oxford Computer Group
> > (http://www.oxfordcomputergroup.com)
> > Microsoft MVP, Directory Services
> > (https://mvp.support.microsoft.com/profile/laura)
> > Author, Active Directory Consultant's Field Guide
> > (http://tinyurl.com/7f8ll)
> > Author, Active Directory Cookbook, Third Edition
> > (http://tinyurl.com/7kp3ct)
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| robertsingers
Posts:579
| | 04/05/2009 6:04 PM |
| The benefit of joeware vs scripting has always been that oldcmp disables and deletes old computers for you, but there is no script that just does what you want in that space. Same as renaming computers. Netdom renames a computer and it's associated AD object. I spent two days trying without success to get a vbscript script to do that reliably, and I'm not exactly a complete thicky. Two days vs two minutes to check the syntax, there's no comparison.
What I've seen so far is the script repository the vbscript code snippets replicated in powershell. This doesn't actually help any one perform the tasks they need to do. Powershell isn't going to be any good to anyone until there's a free online cookbook for it, that documents the normal tasks your average SysAdmin or organisation should be doing.
And an average task isn't something like create an OU (For most people an OU structure is a visual structure and they're going to use a GUI to do it)
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Monday, 6 April 2009 7:01 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dstools to disable inactive users/computers
All I heard was "I would rather use XYZ scripting language or CLI tools....". It has always been a viable option to use script or CLI tools. Power Shell is just another CLI option. When my downloads drop to zero then I know my stuff is obsolete and dead meat. Until then I am paying for a considerable amount of bandwidth so people have tools that work for them in the ways that they expect they should work in a fast and efficient manner.
Or as I said in the previous post... Oh there is admin #5.
I think PowerShell will be more popular than say VBScript, but I am far from willing to bet any money on every or even a majority of admins out there using it in a daily way other than through GUIs that thunk down to it. We would have to see a massive shift in the Windows admin demographic I think for that. I recall going back like 4 or maybe 5 years ago I was shooting billards at Jillian's with another DS MVP named Jimmy.... or Yimmy to his friends... His thoughts were he was going to spin up a whole school worth of classes on PowerShell right away and I was like dude, don't waste your money now or even in the near future. He might be able to pull it off now but I still don't think so. It is still niche and will be for a while IMO.
The original purpose that I recall was a great one, replace the long in the tooth shell with something simpler and more powerful. I think it scope creeped from there and at the point that some level of knowledge of object models started getting involved (i.e. class.subclass.subclass.method) it started closing off a some number of folks just like it did with WMI. If people wanted to do this stuff in script before, they had the tools, they just had to take the time to learn just like they have to do with PoS. Does PoS make it easier? Sure but no easier than it could have been made by anyone else who made a concerted serious effort to build a good complete command line experience in any other way or any other language.
What PoS truly gives, IMO, is some new ways at looking at pipelining such as the on the run live pipelining which I am working out how I handle better in the current shell and object pipelining which has always been available if people were willing to serialize the data. I am not saying that is anything small, it is awesome and in all reality always belonged in the Shell implementation. But we didn't all of the .NET stuff with the accompanying fluff to accomplish it. Just someone willing to try and update the shell MSFT has used for decades. Some of us have been doing Command line pretty heavily and very effectively for a very very long time. Nice to see others joining in the fray.
To put it yet another way, I think PowerShell is a good little bit of evolution, but it is not anywhere near a revolution.
joe
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Friday, April 03, 2009 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dstools to disable inactive users/computers
My GOD.... someone dared to tell joe that one of his tools is "obsolete, dead meat", while PoSH is THE CHANGE, THE INNOVATION!!!
OK, I prepare myself, get a bag of pop-corn and wait anxiously to watch the reply...... J
Gabriele
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Scha rique
Sent: venerdì 3 aprile 2009 17.25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] dstools to disable inactive users/computers
Joe, your tool was the bomb back in the days...but I would use PoSH now
Here is the meat for deleting inactive computer accounts.
# set the date to be used as a limit - in this example: 90 days earlier than the current date
$old = (Get-Date).AddDays(-90)
# get the list of computers with the date earlier than this date
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old }
A few variations to this depending on how you want to use the data:
# get a csv report
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | select-object Name, ParentContainer, Description, pwdLastSet | export-csv c:\temp\outdated.csv
# move such computers to another OU
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Move-QADObject -to test.lab/obsolete
# remove the computer records from AD (caution: this actually deletes the records, run the command with -whatif switch before running without it)
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Remove-QADObject -to test.lab/obsolete
On Fri, Apr 3, 2009 at 9:39 AM, joe <listmail@joeware.net> wrote:
Yes. However you may want to look at oldcmp... 4 out of 5 admins who clean
up computers prefer oldcmp.
http://www.joeware.net/freetools/tools/oldcmp/index.htm
joe
--
O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Friday, April 03, 2009 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dstools to disable inactive users/computers
What attribute "dsquery user/computer -inactive" will query?
Hopefully it's the replicated lastLogonTimeStamp... isn't it? :-o
Thanks - Gabriele.
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> > Sent: lunedì 16 febbraio 2009 16.22
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] dstools to disable inactive users/computers
> >
> > 'Cos oldcmp.exe is way cooler? :-)
> >
> > On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net>
> > wrote:
> > > I would like to disable inactive users and computers by simply
> using
> > the native dstools via tasksch.exe:
> > > Example:
> > > dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> > > dsquery computer -inactive 60 -limit 10000 | dsmod computer -
> disabled
> > yes
> > >
> > > but I recall I read in this list dstools were not recommended for
> > some reasons.... tried to search in the list archive but did not
> > find anything relevant.
> > >
> > > Can someone tell me why it's better not to use dsquery/dsmod?
> > >
> > > Thanks - Gabriele.
> > >
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
> > >
> >
> >
> >
> > --
> > -----------------------
> > Laura E. Hunter
> > Architect, Oxford Computer Group
> > (http://www.oxfordcomputergroup.com)
> > Microsoft MVP, Directory Services
> > (https://mvp.support.microsoft.com/profile/laura)
> > Author, Active Directory Consultant's Field Guide
> > (http://tinyurl.com/7f8ll)
> > Author, Active Directory Cookbook, Third Edition
> > (http://tinyurl.com/7kp3ct)
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
________________________________
This e-mail message has been scanned for Viruses and cleared by NetIQ MailMarshal
________________________________
############################################################
PLEASE NOTE:
The information contained in this email message and any
attached files may be confidential and subject to privilege.
Any opinions expressed in this message are not necessarily
those of the Department of Building and Housing. All technical
opinions are offered on a no-liability basis. This message
and any files transmitted with it are confidential and solely
for the use of the intended recipient. If you are not the
intended recipient, you are notified that any use, disclosure
or copying of this email is unauthorised. If you have received
this email in error, please notify us immediately by reply email
and delete the original and any attachment(s). Thank you.
############################################################
| | | |
| gabriel/tfi
Posts:427
| | 04/06/2009 7:02 AM |
| The issue I see is with users who are permanently based off-site is that it
seems the lastLogonTimeStamp is not updated properly and I even doubt those
machines are able to change their passwords
.
Also
once those accounts are disabled, re-enabling them is not enough as it
seems the credential caching is broken and users report the system saying
the domain is not available.
Any advice here?
Thanks Gabriele.
On Fri, Apr 3, 2009 at 9:39 AM, joe < <mailto:listmail@joeware.net>
listmail@joeware.net> wrote:
Yes. However you may want to look at oldcmp... 4 out of 5 admins who clean
up computers prefer oldcmp.
http://www.joeware.net/freetools/tools/oldcmp/index.htm
joe
--
O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Friday, April 03, 2009 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dstools to disable inactive users/computers
What attribute "dsquery user/computer -inactive" will query?
Hopefully it's the replicated lastLogonTimeStamp... isn't it? :-o
Thanks - Gabriele.
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> > Sent: lunedì 16 febbraio 2009 16.22
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] dstools to disable inactive users/computers
> >
> > 'Cos oldcmp.exe is way cooler? :-)
> >
> > On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net>
> > wrote:
> > > I would like to disable inactive users and computers by simply
> using
> > the native dstools via tasksch.exe:
> > > Example:
> > > dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> > > dsquery computer -inactive 60 -limit 10000 | dsmod computer -
> disabled
> > yes
> > >
> > > but I recall I read in this list dstools were not recommended for
> > some reasons.... tried to search in the list archive but did not
> > find anything relevant.
> > >
> > > Can someone tell me why it's better not to use dsquery/dsmod?
> > >
> > > Thanks - Gabriele.
> > >
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
> > >
> >
> >
> >
> > --
> > -----------------------
> > Laura E. Hunter
> > Architect, Oxford Computer Group
> > (http://www.oxfordcomputergroup.com)
> > Microsoft MVP, Directory Services
> > (https://mvp.support.microsoft.com/profile/laura)
> > Author, Active Directory Consultant's Field Guide
> > (http://tinyurl.com/7f8ll)
> > Author, Active Directory Cookbook, Third Edition
> > (http://tinyurl.com/7kp3ct)
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| bsonposh
Posts:409
| | 04/06/2009 8:31 AM |
| Robert,
Nothing can beat the simplicity of a single purpose single task tool. This
is actually where Powershell shines (when designed properly.) That is the
end goal… make everything simple.
There are a ton of free Powershell sites out there that provide great
scripts. There is even a Powershell repository ww.poshcom.com, but the point
you bring up is valid.
It is not uncommon for people to approach a new language with a something
they are comfortable with. Just because Powershell can look and act sorta
like vbscript does not mean that is how it should be used. That is simply a
stepping stone. There comes a time when the “Power” of objects hits you and
you take a whole new look at what Powershell can buy you.
On Sun, Apr 5, 2009 at 5:58 PM, Robert Singers <robert.singers@dbh.govt.nz>
wrote:
>
> The benefit of joeware vs scripting has always been that oldcmp disables
and deletes old computers for you, but there is no script that just does
what you want in that space. Same as renaming computers. Netdom renames a
computer and it's associated AD object. I spent two days trying without
success to get a vbscript script to do that reliably, and I'm not exactly a
complete thicky. Two days vs two minutes to check the syntax, there's no
comparison.
>
> What I've seen so far is the script repository the vbscript code snippets
replicated in powershell. This doesn't actually help any one perform the
tasks they need to do. Powershell isn't going to be any good to anyone
until there's a free online cookbook for it, that documents the normal tasks
your average SysAdmin or organisation should be doing.
>
> And an average task isn't something like create an OU (For most people an
OU structure is a visual structure and they're going to use a GUI to do it)
>
> ________________________________
> From: ActiveDir-owner@mail.activedir.org [mailto:
ActiveDir-owner@mail.activedir.org] On Behalf Of joe
> Sent: Monday, 6 April 2009 7:01 a.m.
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] dstools to disable inactive users/computers
>
> All I heard was "I would rather use XYZ scripting language or CLI
tools....". It has always been a viable option to use script or CLI tools.
Power Shell is just another CLI option. When my downloads drop to zero then
I know my stuff is obsolete and dead meat. Until then I am paying for a
considerable amount of bandwidth so people have tools that work for them in
the ways that they expect they should work in a fast and efficient manner.
>
> Or as I said in the previous post... Oh there is admin #5.
>
> I think PowerShell will be more popular than say VBScript, but I am far
from willing to bet any money on every or even a majority of admins out
there using it in a daily way other than through GUIs that thunk down to it.
We would have to see a massive shift in the Windows admin demographic I
think for that. I recall going back like 4 or maybe 5 years ago I was
shooting billards at Jillian's with another DS MVP named Jimmy.... or Yimmy
to his friends... His thoughts were he was going to spin up a whole school
worth of classes on PowerShell right away and I was like dude, don't waste
your money now or even in the near future. He might be able to pull it off
now but I still don't think so. It is still niche and will be for a while
IMO.
>
> The original purpose that I recall was a great one, replace the long in
the tooth shell with something simpler and more powerful. I think it scope
creeped from there and at the point that some level of knowledge of object
models started getting involved (i.e. class.subclass.subclass.method) it
started closing off a some number of folks just like it did with WMI. If
people wanted to do this stuff in script before, they had the tools, they
just had to take the time to learn just like they have to do with PoS. Does
PoS make it easier? Sure but no easier than it could have been made by
anyone else who made a concerted serious effort to build a good complete
command line experience in any other way or any other language.
>
> What PoS truly gives, IMO, is some new ways at looking at pipelining such
as the on the run live pipelining which I am working out how I handle
better in the current shell and object pipelining which has always been
available if people were willing to serialize the data. I am not saying that
is anything small, it is awesome and in all reality always belonged in the
Shell implementation. But we didn't all of the .NET stuff with the
accompanying fluff to accomplish it. Just someone willing to try and update
the shell MSFT has used for decades. Some of us have been doing Command line
pretty heavily and very effectively for a very very long time. Nice to see
others joining in the fray.
>
> To put it yet another way, I think PowerShell is a good little bit of
evolution, but it is not anywhere near a revolution.
>
>
> joe
>
>
> --
> O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm
>
>
> ________________________________
> From: ActiveDir-owner@mail.activedir.org [mailto:
ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> Sent: Friday, April 03, 2009 12:23 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] dstools to disable inactive users/computers
>
> My GOD.... someone dared to tell joe that one of his tools is “obsolete,
dead meat”, while PoSH is THE CHANGE, THE INNOVATION!!!
>
>
>
> OK, I prepare myself, get a bag of pop-corn and wait anxiously to watch
the reply…… J
>
>
>
> Gabriele
>
>
>
> From: ActiveDir-owner@mail.activedir.org [mailto:
ActiveDir-owner@mail.activedir.org] On Behalf Of Scha rique
> Sent: venerdì 3 aprile 2009 17.25
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] dstools to disable inactive users/computers
>
>
>
> Joe, your tool was the bomb back in the days...but I would use PoSH now
>
> Here is the meat for deleting inactive computer accounts.
>
> # set the date to be used as a limit - in this example: 90 days earlier
than the current date
>
> $old = (Get-Date).AddDays(-90)
>
> # get the list of computers with the date earlier than this date
>
> Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old }
>
> A few variations to this depending on how you want to use the data:
>
> # get a csv report
>
> Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old } | select-object Name, ParentContainer, Description,
pwdLastSet | export-csv c:\temp\outdated.csv
>
> # move such computers to another OU
>
> Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old } | Move-QADObject -to test.lab/obsolete
>
> # remove the computer records from AD (caution: this actually deletes the
records, run the command with -whatif switch before running without it)
>
> Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old } | Remove-QADObject -to test.lab/obsolete
>
>
> On Fri, Apr 3, 2009 at 9:39 AM, joe <listmail@joeware.net> wrote:
>
> Yes. However you may want to look at oldcmp... 4 out of 5 admins who clean
> up computers prefer oldcmp.
>
> http://www.joeware.net/freetools/tools/oldcmp/index.htm
>
>
> joe
>
> --
> O'Reilly Active Directory Fourth Edition -
> http://www.joeware.net/win/ad4e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
>
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> Sent: Friday, April 03, 2009 6:02 AM
> To: ActiveDir@mail.activedir.org
>
> Subject: RE: [ActiveDir] dstools to disable inactive users/computers
>
> What attribute "dsquery user/computer -inactive" will query?
> Hopefully it's the replicated lastLogonTimeStamp... isn't it? :-o
>
> Thanks - Gabriele.
>
> > > -----Original Message-----
> > > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > > owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> > > Sent: lunedì 16 febbraio 2009 16.22
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] dstools to disable inactive users/computers
> > >
> > > 'Cos oldcmp.exe is way cooler? :-)
> > >
> > > On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net>
> > > wrote:
> > > > I would like to disable inactive users and computers by simply
> > using
> > > the native dstools via tasksch.exe:
> > > > Example:
> > > > dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> > > > dsquery computer -inactive 60 -limit 10000 | dsmod computer -
> > disabled
> > > yes
> > > >
> > > > but I recall I read in this list dstools were not recommended for
> > > some reasons.... tried to search in the list archive but did not
> > > find anything relevant.
> > > >
> > > > Can someone tell me why it's better not to use dsquery/dsmod?
> > > >
> > > > Thanks - Gabriele.
> > > >
> > > > List info : http://www.activedir.org/List.aspx
> > > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > > List archive: http://www.activedir.org/ma/default.aspx
> > > >
> > >
> > >
> > >
> > > --
> > > -----------------------
> > > Laura E. Hunter
> > > Architect, Oxford Computer Group
> > > (http://www.oxfordcomputergroup.com)
> > > Microsoft MVP, Directory Services
> > > (https://mvp.support.microsoft.com/profile/laura)
> > > Author, Active Directory Consultant's Field Guide
> > > (http://tinyurl.com/7f8ll)
> > > Author, Active Directory Cookbook, Third Edition
> > > (http://tinyurl.com/7kp3ct)
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
>
>
> ________________________________
> This e-mail message has been scanned for Viruses and cleared by NetIQ
MailMarshal
> ________________________________
>
> ________________________________
> Please Note:
>
> The information contained in this email message and any attached files may
be confidential and subject to privilege. Any opinions expressed in this
message are not necessarily those of the Department of Building and Housing.
All technical opinions are offered on a ‘no-liability’ basis. This message
and any files transmitted with it are confidential and solely for the use of
the intended recipient. If you are not the intended recipient, you are
notified that any use, disclosure or copying of this email is unauthorised.
If you have received this email in error, please notify us immediately by
reply email and delete the original and any attachment(s). Thank you.
>
> ________________________________
| | | |
| bsonposh
Posts:409
| | 04/06/2009 8:45 AM |
| joe,
Powershell marries the GUI with the CLI. The goal is provide consistency in
the data that is return regardless if you are more comfortable with the CLI
or the GUI. Powershell was never meant to simply be a shell. It was never
meant to be simply a scripting language or just developement platform. It is
a management platform. It provides all of that.
As for "joe" admin... I think you over estimate their worth. An admin that
refuses to learn to automate will simply find a new career or live on the
street. GUI automation is fragile at best. True automation comes from the
CLI and scripting. Enter "Powershell" it allows Admin's that are more
comfortable with GUI to stay in the GUI most of the time, but provides a
consistent behavior when they need to drop down to the shell.
A side note on adoption: Powershell has more than 3million downloads and it
now the primary management platform for Microsoft, Citrix, Quest, and even
VMWare. Not to mention the 100s of other companies that are using it.
p.s. Just to clarify for everyones sake... I think joe's tool are rock solid
and will have a place in my (yes my) toolbox for years to come.
----------------------------
ADWS, the new LDAP! LDAP is dead... live with it!
On Sun, Apr 5, 2009 at 3:00 PM, joe <listmail@joeware.net> wrote:
> All I heard was "I would rather use XYZ scripting language or CLI
> tools....". It has always been a viable option to use script or CLI tools.
> Power Shell is just another CLI option. When my downloads drop to zero then
> I know my stuff is obsolete and dead meat. Until then I am paying for a
> considerable amount of bandwidth so people have tools that work for them in
> the ways that they expect they should work in a fast and efficient manner.
>
> Or as I said in the previous post... Oh there is admin #5.
>
> I think PowerShell will be more popular than say VBScript, but I am far
> from willing to bet any money on every or even a majority of admins out
> there using it in a daily way other than through GUIs that thunk down to it.
> We would have to see a massive shift in the Windows admin demographic I
> think for that. I recall going back like 4 or maybe 5 years ago I was
> shooting billards at Jillian's with another DS MVP named Jimmy.... or Yimmy
> to his friends... His thoughts were he was going to spin up a whole school
> worth of classes on PowerShell right away and I was like dude, don't waste
> your money now or even in the near future. He might be able to pull it off
> now but I still don't think so. It is still niche and will be for a while
> IMO.
>
> The original purpose that I recall was a great one, replace the long in the
> tooth shell with something simpler and more powerful. I think it scope
> creeped from there and at the point that some level of knowledge of object
> models started getting involved (i.e. class.subclass.subclass.method) it
> started closing off a some number of folks just like it did with WMI. If
> people wanted to do this stuff in script before, they had the tools, they
> just had to take the time to learn just like they have to do with PoS. Does
> PoS make it easier? Sure but no easier than it could have been made by
> anyone else who made a concerted serious effort to build a good complete
> command line experience in any other way or any other language.
>
> What PoS truly gives, IMO, is some new ways at looking at pipelining such
> as the on the run live pipelining which I am working out how I handle
> better in the current shell and object pipelining which has always been
> available if people were willing to serialize the data. I am not saying that
> is anything small, it is awesome and in all reality always belonged in the
> Shell implementation. But we didn't all of the .NET stuff with the
> accompanying fluff to accomplish it. Just someone willing to try and update
> the shell MSFT has used for decades. Some of us have been doing Command line
> pretty heavily and very effectively for a very very long time. Nice to see
> others joining in the fray.
>
> To put it yet another way, I think PowerShell is a good little bit of
> evolution, but it is not anywhere near a revolution.
>
>
> joe
>
>
> --
> O'Reilly Active Directory Fourth Edition -
> http://www.joeware.net/win/ad4e.htm
>
>
>
> ------------------------------
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Gabriele Scolaro
> *Sent:* Friday, April 03, 2009 12:23 PM
>
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] dstools to disable inactive users/computers
>
> My GOD.... someone dared to tell joe that one of his tools is
> “obsolete, dead meat”, while PoSH is THE CHANGE, THE INNOVATION!!!
>
>
>
> OK, I prepare myself, get a bag of pop-corn and wait anxiously to watch the
> reply…… J
>
>
>
> Gabriele
>
>
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Scha rique
> *Sent:* venerdì 3 aprile 2009 17.25
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] dstools to disable inactive users/computers
>
>
>
> Joe, your tool was the bomb back in the days...but I would use PoSH now
>
> Here is the meat for deleting inactive computer accounts.
>
> # set the date to be used as a limit - in this example: 90 days earlier
> than the current date
>
> $old = (Get-Date).AddDays(-90)
>
> # get the list of computers with the date earlier than this date
>
> Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
> $_.pwdLastSet -le $old }
>
> A few variations to this depending on how you want to use the data:
>
> # get a csv report
>
> Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
> $_.pwdLastSet -le $old } | select-object Name, ParentContainer, Description,
> pwdLastSet | export-csv c:\temp\outdated.csv
>
> # move such computers to another OU
>
> Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
> $_.pwdLastSet -le $old } | Move-QADObject -to test.lab/obsolete
>
> # remove the computer records from AD (caution: this actually deletes the
> records, run the command with -whatif switch before running without it)
>
> Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
> $_.pwdLastSet -le $old } | Remove-QADObject -to test.lab/obsolete
>
>
> On Fri, Apr 3, 2009 at 9:39 AM, joe <listmail@joeware.net> wrote:
>
> Yes. However you may want to look at oldcmp... 4 out of 5 admins who clean
> up computers prefer oldcmp.
>
> http://www.joeware.net/freetools/tools/oldcmp/index.htm
>
>
> joe
>
> --
> O'Reilly Active Directory Fourth Edition -
> http://www.joeware.net/win/ad4e.htm
>
>
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
>
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> Sent: Friday, April 03, 2009 6:02 AM
> To: ActiveDir@mail.activedir.org
>
> Subject: RE: [ActiveDir] dstools to disable inactive users/computers
>
> What attribute "dsquery user/computer -inactive" will query?
> Hopefully it's the replicated lastLogonTimeStamp... isn't it? :-o
>
> Thanks - Gabriele.
>
> > > -----Original Message-----
> > > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > > owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> > > Sent: lunedì 16 febbraio 2009 16.22
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] dstools to disable inactive users/computers
> > >
> > > 'Cos oldcmp.exe is way cooler? :-)
> > >
> > > On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net>
> > > wrote:
> > > > I would like to disable inactive users and computers by simply
> > using
> > > the native dstools via tasksch.exe:
> > > > Example:
> > > > dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> > > > dsquery computer -inactive 60 -limit 10000 | dsmod computer -
> > disabled
> > > yes
> > > >
> > > > but I recall I read in this list dstools were not recommended for
> > > some reasons.... tried to search in the list archive but did not
> > > find anything relevant.
> > > >
> > > > Can someone tell me why it's better not to use dsquery/dsmod?
> > > >
> > > > Thanks - Gabriele.
> > > >
> > > > List info : http://www.activedir.org/List.aspx
> > > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > > List archive: http://www.activedir.org/ma/default.aspx
> > > >
> > >
> > >
> > >
> > > --
> > > -----------------------
> > > Laura E. Hunter
> > > Architect, Oxford Computer Group
> > > (http://www.oxfordcomputergroup.com)
> > > Microsoft MVP, Directory Services
> > > (https://mvp.support.microsoft.com/profile/laura)
> > > Author, Active Directory Consultant's Field Guide
> > > (http://tinyurl.com/7f8ll)
> > > Author, Active Directory Cookbook, Third Edition
> > > (http://tinyurl.com/7kp3ct)
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
>
>
| | | |
| darren
Posts:392
| | 04/06/2009 11:33 AM |
| Actually Brandon, I dont entirely agree with this, despite the fact that I
am fully convinced of the value of Powershell. As someone who writes both
GUI and CLI-based tools, the whole model of building Powershell first and
then building GUI on top of it may make sense to Microsoft and a few other
vendors, but to me its a relatively inefficient way of going. Typically
when Im building management tools, Im building the core business logic
first, and then I can build the right interface for the job, be it
Powershell, COM, GUI, etc. I have yet to find a compelling reason why I
would take the Powershell stuff that Ive done, and build the GUI on top of
it, instead of the underlying business logic that Powershell uses, directly.
It may be out there, but I havent seen it.
And I think it overstates things to say that Powershell is a management
platform. WMI is a management platform, SNMP is a management platform and
there are others. Powershell is a consumer of management platforms.
I also think your proclamations of the death of the GUI-driven admin are a
bit premature. I think that if you look at the evolution of systems
management as its evolved in the distributed world, GUI-driven Runbook
Automation (RBA) is absolutely the future for managing these systems in a
more predictable and reliable way. Yes, under the covers these tools may be
using Powershell and similar tools but ultimately the GUI gives admins a
drag and drop way to create change processes with workflows that
command-line tools alone cannot provide.
Anyway, I think there is value in both a CLI and GUI world, and
proclamations of the death or imperial rise of either are probably a little
more hype than reality.
My .02
Darren
****
Darren Mar-Elia
CTO & Founder
SDM Software, Inc.
"The Group Policy Experts"
www.sdmsoftware.com <http://www.sdmsoftware.com/>
Automate Group Policy audits and changes with the GPExpert
Scripting Toolkit http://www.sdmsoftware.com/group_policy_scripting
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brandon Shell
Sent: Monday, April 06, 2009 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] dstools to disable inactive users/computers
joe,
Powershell marries the GUI with the CLI. The goal is provide consistency in
the data that is return regardless if you are more comfortable with the CLI
or the GUI. Powershell was never meant to simply be a shell. It was never
meant to be simply a scripting language or just developement platform. It is
a management platform. It provides all of that.
As for "joe" admin... I think you over estimate their worth. An admin that
refuses to learn to automate will simply find a new career or live on the
street. GUI automation is fragile at best. True automation comes from the
CLI and scripting. Enter "Powershell" it allows Admin's that are more
comfortable with GUI to stay in the GUI most of the time, but provides a
consistent behavior when they need to drop down to the shell.
A side note on adoption: Powershell has more than 3million downloads and it
now the primary management platform for Microsoft, Citrix, Quest, and even
VMWare. Not to mention the 100s of other companies that are using it.
p.s. Just to clarify for everyones sake... I think joe's tool are rock solid
and will have a place in my (yes my) toolbox for years to come.
----------------------------
ADWS, the new LDAP! LDAP is dead... live with it!
On Sun, Apr 5, 2009 at 3:00 PM, joe <listmail@joeware.net> wrote:
All I heard was "I would rather use XYZ scripting language or CLI
tools....". It has always been a viable option to use script or CLI tools.
Power Shell is just another CLI option. When my downloads drop to zero then
I know my stuff is obsolete and dead meat. Until then I am paying for a
considerable amount of bandwidth so people have tools that work for them in
the ways that they expect they should work in a fast and efficient manner.
Or as I said in the previous post... Oh there is admin #5.
I think PowerShell will be more popular than say VBScript, but I am far from
willing to bet any money on every or even a majority of admins out there
using it in a daily way other than through GUIs that thunk down to it. We
would have to see a massive shift in the Windows admin demographic I think
for that. I recall going back like 4 or maybe 5 years ago I was shooting
billards at Jillian's with another DS MVP named Jimmy.... or Yimmy to his
friends... His thoughts were he was going to spin up a whole school worth of
classes on PowerShell right away and I was like dude, don't waste your money
now or even in the near future. He might be able to pull it off now but I
still don't think so. It is still niche and will be for a while IMO.
The original purpose that I recall was a great one, replace the long in the
tooth shell with something simpler and more powerful. I think it scope
creeped from there and at the point that some level of knowledge of object
models started getting involved (i.e. class.subclass.subclass.method) it
started closing off a some number of folks just like it did with WMI. If
people wanted to do this stuff in script before, they had the tools, they
just had to take the time to learn just like they have to do with PoS. Does
PoS make it easier? Sure but no easier than it could have been made by
anyone else who made a concerted serious effort to build a good complete
command line experience in any other way or any other language.
What PoS truly gives, IMO, is some new ways at looking at pipelining such as
the on the run live pipelining which I am working out how I handle better in
the current shell and object pipelining which has always been available if
people were willing to serialize the data. I am not saying that is anything
small, it is awesome and in all reality always belonged in the Shell
implementation. But we didn't all of the .NET stuff with the accompanying
fluff to accomplish it. Just someone willing to try and update the shell
MSFT has used for decades. Some of us have been doing Command line pretty
heavily and very effectively for a very very long time. Nice to see others
joining in the fray.
To put it yet another way, I think PowerShell is a good little bit of
evolution, but it is not anywhere near a revolution.
joe
--
O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm
_____
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Friday, April 03, 2009 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dstools to disable inactive users/computers
My GOD.... someone dared to tell joe that one of his tools is obsolete,
dead meat, while PoSH is THE CHANGE, THE INNOVATION!!!
OK, I prepare myself, get a bag of pop-corn and wait anxiously to watch the
reply
J
Gabriele
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Scha rique
Sent: venerdì 3 aprile 2009 17.25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] dstools to disable inactive users/computers
Joe, your tool was the bomb back in the days...but I would use PoSH now
Here is the meat for deleting inactive computer accounts.
# set the date to be used as a limit - in this example: 90 days earlier than
the current date
$old = (Get-Date).AddDays(-90)
# get the list of computers with the date earlier than this date
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old }
A few variations to this depending on how you want to use the data:
# get a csv report
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old } | select-object Name, ParentContainer, Description,
pwdLastSet | export-csv c:\temp\outdated.csv
# move such computers to another OU
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old } | Move-QADObject -to test.lab/obsolete
# remove the computer records from AD (caution: this actually deletes the
records, run the command with -whatif switch before running without it)
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
$_.pwdLastSet -le $old } | Remove-QADObject -to test.lab/obsolete
On Fri, Apr 3, 2009 at 9:39 AM, joe <listmail@joeware.net> wrote:
Yes. However you may want to look at oldcmp... 4 out of 5 admins who clean
up computers prefer oldcmp.
http://www.joeware.net/freetools/tools/oldcmp/index.htm
joe
--
O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Friday, April 03, 2009 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dstools to disable inactive users/computers
What attribute "dsquery user/computer -inactive" will query?
Hopefully it's the replicated lastLogonTimeStamp... isn't it? :-o
Thanks - Gabriele.
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> > Sent: lunedì 16 febbraio 2009 16.22
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] dstools to disable inactive users/computers
> >
> > 'Cos oldcmp.exe is way cooler? :-)
> >
> > On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net>
> > wrote:
> > > I would like to disable inactive users and computers by simply
> using
> > the native dstools via tasksch.exe:
> > > Example:
> > > dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> > > dsquery computer -inactive 60 -limit 10000 | dsmod computer -
> disabled
> > yes
> > >
> > > but I recall I read in this list dstools were not recommended for
> > some reasons.... tried to search in the list archive but did not
> > find anything relevant.
> > >
> > > Can someone tell me why it's better not to use dsquery/dsmod?
> > >
> > > Thanks - Gabriele.
> > >
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
> > >
> >
> >
> >
> > --
> > -----------------------
> > Laura E. Hunter
> > Architect, Oxford Computer Group
> > (http://www.oxfordcomputergroup.com
<http://www.oxfordcomputergroup.com/> )
> > Microsoft MVP, Directory Services
> > (https://mvp.support.microsoft.com/profile/laura)
> > Author, Active Directory Consultant's Field Guide
> > (http://tinyurl.com/7f8ll)
> > Author, Active Directory Cookbook, Third Edition
> > (http://tinyurl.com/7kp3ct)
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| bsonposh
Posts:409
| | 04/06/2009 12:11 PM |
| Darren,
If you do anything with Scale, automation should be a required feature. If
you are not within that scope, then your point is valid. The problem is now
people don't want to learn 1000s of ways to do something. If
most everything I use requires Powershell and I am giving the option of a
Powershell based app or another app that requires I learn something else...
what do think I am going to chose?
Powershell may not meet your definition of a management platform, but that
is clearly the the job it does. Sorta like HTTP is now considered a
transport protocol. It simply abstracts and makes access to a collection of
management interfaces (i.e. WMI, SNMP, COM, and .NET.) It may be a higher
layer, but it is still a management platform.
Now, I never said GUI-driven Admins are dead... actually I believe
Powershell empowers them to do their job better. What I said (or meant to
say) was that Admins that refuse to learn to automate will soon find
themselves out of a job. If you had 10 admins, 8 that refuse to leave the
GUI for any task and 2 that have learned to automate. You have to fire 5...
which five do you are going to keep?
Simply put... we have lived in a dream world for the last 8 or so years
where IT jobs were a dime a dozen. That no longer seems to be the case.
People have to go.. the question is who.
B
On Mon, Apr 6, 2009 at 11:25 AM, Darren Mar-Elia <darren@sdmsoftware.com>wrote:
> Actually Brandon, I don’t entirely agree with this, despite the fact that
> I am fully convinced of the value of Powershell. As someone who writes both
> GUI and CLI-based tools, the whole model of building Powershell first and
> then building GUI on top of it may make sense to Microsoft and a few other
> vendors, but to me it’s a relatively inefficient way of going. Typically
> when I’m building management tools, I’m building the core business logic
> first, and then I can build the right interface for the job, be it
> Powershell, COM, GUI, etc. I have yet to find a compelling reason why I
> would take the Powershell stuff that I’ve done, and build the GUI on top of
> it, instead of the underlying business logic that Powershell uses, directly.
> It may be out there, but I haven’t seen it.
>
>
>
> And I think it overstates things to say that Powershell is a management
> platform. WMI is a management platform, SNMP is a management platform and
> there are others. Powershell is a consumer of management platforms.
>
>
>
> I also think your proclamations of the death of the GUI-driven admin are a
> bit premature. I think that if you look at the evolution of systems
> management as its evolved in the distributed world, GUI-driven Runbook
> Automation (RBA) is absolutely the future for managing these systems in a
> more predictable and reliable way. Yes, under the covers these tools may be
> using Powershell and similar tools but ultimately the GUI gives admins a
> drag and drop way to create change processes with workflows that
> command-line tools alone cannot provide.
>
>
>
> Anyway, I think there is value in both a CLI and GUI world, and
> proclamations of the death or imperial rise of either are probably a little
> more hype than reality.
>
>
>
> My .02
>
>
>
> Darren
>
>
>
>
>
>
>
> ****
>
> Darren Mar-Elia
>
> CTO & Founder
>
> SDM Software, Inc.
>
> "*The Group Policy Experts"*
>
> www.sdmsoftware.com
>
> Automate Group Policy audits and changes with the *GPExpert™*
>
> *Scripting Toolkit* http://www.sdmsoftware.com/group_policy_scripting
>
>
>
>
>
>
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Brandon Shell
> *Sent:* Monday, April 06, 2009 5:39 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] dstools to disable inactive users/computers
>
>
>
> joe,
>
>
>
> Powershell marries the GUI with the CLI. The goal is provide consistency in
> the data that is return regardless if you are more comfortable with the CLI
> or the GUI. Powershell was never meant to simply be a shell. It was never
> meant to be simply a scripting language or just developement platform. It is
> a management platform. It provides all of that.
>
>
>
> As for "joe" admin... I think you over estimate their worth. An admin that
> refuses to learn to automate will simply find a new career or live on the
> street. GUI automation is fragile at best. True automation comes from the
> CLI and scripting. Enter "Powershell" it allows Admin's that are more
> comfortable with GUI to stay in the GUI most of the time, but provides a
> consistent behavior when they need to drop down to the shell.
>
>
>
> A side note on adoption: Powershell has more than 3million downloads and it
> now the primary management platform for Microsoft, Citrix, Quest, and even
> VMWare. Not to mention the 100s of other companies that are using it.
>
>
>
> p.s. Just to clarify for everyones sake... I think joe's tool are rock
> solid and will have a place in my (yes my) toolbox for years to come.
>
>
>
> ----------------------------
>
> ADWS, the new LDAP! LDAP is dead... live with it!
>
> On Sun, Apr 5, 2009 at 3:00 PM, joe <listmail@joeware.net> wrote:
>
> All I heard was "I would rather use XYZ scripting language or CLI
> tools....". It has always been a viable option to use script or CLI tools.
> Power Shell is just another CLI option. When my downloads drop to zero then
> I know my stuff is obsolete and dead meat. Until then I am paying for a
> considerable amount of bandwidth so people have tools that work for them in
> the ways that they expect they should work in a fast and efficient manner.
>
>
>
> Or as I said in the previous post... Oh there is admin #5.
>
>
>
> I think PowerShell will be more popular than say VBScript, but I am far
> from willing to bet any money on every or even a majority of admins out
> there using it in a daily way other than through GUIs that thunk down to it.
> We would have to see a massive shift in the Windows admin demographic I
> think for that. I recall going back like 4 or maybe 5 years ago I was
> shooting billards at Jillian's with another DS MVP named Jimmy.... or Yimmy
> to his friends... His thoughts were he was going to spin up a whole school
> worth of classes on PowerShell right away and I was like dude, don't waste
> your money now or even in the near future. He might be able to pull it off
> now but I still don't think so. It is still niche and will be for a while
> IMO.
>
>
>
> The original purpose that I recall was a great one, replace the long in the
> tooth shell with something simpler and more powerful. I think it scope
> creeped from there and at the point that some level of knowledge of object
> models started getting involved (i.e. class.subclass.subclass.method) it
> started closing off a some number of folks just like it did with WMI. If
> people wanted to do this stuff in script before, they had the tools, they
> just had to take the time to learn just like they have to do with PoS. Does
> PoS make it easier? Sure but no easier than it could have been made by
> anyone else who made a concerted serious effort to build a good complete
> command line experience in any other way or any other language.
>
>
>
> What PoS truly gives, IMO, is some new ways at looking at pipelining such
> as the on the run live pipelining which I am working out how I handle
> better in the current shell and object pipelining which has always been
> available if people were willing to serialize the data. I am not saying that
> is anything small, it is awesome and in all reality always belonged in the
> Shell implementation. But we didn't all of the .NET stuff with the
> accompanying fluff to accomplish it. Just someone willing to try and update
> the shell MSFT has used for decades. Some of us have been doing Command line
> pretty heavily and very effectively for a very very long time. Nice to see
> others joining in the fray.
>
>
>
> To put it yet another way, I think PowerShell is a good little bit of
> evolution, but it is not anywhere near a revolution.
>
>
>
>
>
> joe
>
>
>
>
>
> --
>
> O'Reilly Active Directory Fourth Edition -
> http://www.joeware.net/win/ad4e.htm
>
>
>
>
>
>
> ------------------------------
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Gabriele Scolaro
>
> *Sent:* Friday, April 03, 2009 12:23 PM
>
>
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] dstools to disable inactive users/computers
>
>
>
> My GOD.... someone dared to tell joe that one of his tools is “obsolete,
> dead meat”, while PoSH is THE CHANGE, THE INNOVATION!!!
>
>
>
> OK, I prepare myself, get a bag of pop-corn and wait anxiously to watch the
> reply…… J
>
>
>
> Gabriele
>
>
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Scha rique
> *Sent:* venerdì 3 aprile 2009 17.25
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] dstools to disable inactive users/computers
>
>
>
> Joe, your tool was the bomb back in the days...but I would use PoSH now
>
> Here is the meat for deleting inactive computer accounts.
>
> # set the date to be used as a limit - in this example: 90 days earlier
> than the current date
>
> $old = (Get-Date).AddDays(-90)
>
> # get the list of computers with the date earlier than this date
>
> Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
> $_.pwdLastSet -le $old }
>
> A few variations to this depending on how you want to use the data:
>
> # get a csv report
>
> Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
> $_.pwdLastSet -le $old } | select-object Name, ParentContainer, Description,
> pwdLastSet | export-csv c:\temp\outdated.csv
>
> # move such computers to another OU
>
> Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
> $_.pwdLastSet -le $old } | Move-QADObject -to test.lab/obsolete
>
> # remove the computer records from AD (caution: this actually deletes the
> records, run the command with -whatif switch before running without it)
>
> Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {
> $_.pwdLastSet -le $old } | Remove-QADObject -to test.lab/obsolete
>
> On Fri, Apr 3, 2009 at 9:39 AM, joe <listmail@joeware.net> wrote:
>
> Yes. However you may want to look at oldcmp... 4 out of 5 admins who clean
> up computers prefer oldcmp.
>
> http://www.joeware.net/freetools/tools/oldcmp/index.htm
>
>
> joe
>
> --
> O'Reilly Active Directory Fourth Edition -
> http://www.joeware.net/win/ad4e.htm
>
>
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
>
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> Sent: Friday, April 03, 2009 6:02 AM
> To: ActiveDir@mail.activedir.org
>
> Subject: RE: [ActiveDir] dstools to disable inactive users/computers
>
> What attribute "dsquery user/computer -inactive" will query?
> Hopefully it's the replicated lastLogonTimeStamp... isn't it? :-o
>
> Thanks - Gabriele.
>
> > > -----Original Message-----
> > > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > > owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> > > Sent: lunedì 16 febbraio 2009 16.22
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] dstools to disable inactive users/computers
> > >
> > > 'Cos oldcmp.exe is way cooler? :-)
> > >
> > > On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net>
> > > wrote:
> > > > I would like to disable inactive users and computers by simply
> > using
> > > the native dstools via tasksch.exe:
> > > > Example:
> > > > dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> > > > dsquery computer -inactive 60 -limit 10000 | dsmod computer -
> > disabled
> > > yes
> > > >
> > > > but I recall I read in this list dstools were not recommended for
> > > some reasons.... tried to search in the list archive but did not
> > > find anything relevant.
> > > >
> > > > Can someone tell me why it's better not to use dsquery/dsmod?
> > > >
> > > > Thanks - Gabriele.
> > > >
> > > > List info : http://www.activedir.org/List.aspx
> > > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > > List archive: http://www.activedir.org/ma/default.aspx
> > > >
> > >
> > >
> > >
> > > --
> > > -----------------------
> > > Laura E. Hunter
> > > Architect, Oxford Computer Group
> > > (http://www.oxfordcomputergroup.com)
> > > Microsoft MVP, Directory Services
> > > (https://mvp.support.microsoft.com/profile/laura)
> > > Author, Active Directory Consultant's Field Guide
> > > (http://tinyurl.com/7f8ll)
> > > Author, Active Directory Cookbook, Third Edition
> > > (http://tinyurl.com/7kp3ct)
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
>
>
>
>
| | | |
| colemancraig1
Posts:51
| | 04/06/2009 5:44 PM |
| Pass the pop-corn please...I am all out.
I couldn't resist.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Friday, April 03, 2009 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dstools to disable inactive users/computers
My GOD.... someone dared to tell joe that one of his tools is "obsolete, dead meat", while PoSH is THE CHANGE, THE INNOVATION!!!
OK, I prepare myself, get a bag of pop-corn and wait anxiously to watch the reply......
Gabriele
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Scha rique
Sent: venerdì 3 aprile 2009 17.25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] dstools to disable inactive users/computers
Joe, your tool was the bomb back in the days...but I would use PoSH now
Here is the meat for deleting inactive computer accounts.
# set the date to be used as a limit - in this example: 90 days earlier than the current date
$old = (Get-Date).AddDays(-90)
# get the list of computers with the date earlier than this date
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old }
A few variations to this depending on how you want to use the data:
# get a csv report
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | select-object Name, ParentContainer, Description, pwdLastSet | export-csv c:\temp\outdated.csv
# move such computers to another OU
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Move-QADObject -to test.lab/obsolete
# remove the computer records from AD (caution: this actually deletes the records, run the command with -whatif switch before running without it)
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Remove-QADObject -to test.lab/obsolete
On Fri, Apr 3, 2009 at 9:39 AM, joe <listmail@joeware.net<mailto:listmail@joeware.net>> wrote:
Yes. However you may want to look at oldcmp... 4 out of 5 admins who clean
up computers prefer oldcmp.
http://www.joeware.net/freetools/tools/oldcmp/index.htm
joe
--
O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org<mailto:ActiveDir-owner@mail.activedir.org>
[mailto:ActiveDir-owner@mail.activedir.org<mailto:ActiveDir-owner@mail.activedir.org>] On Behalf Of Gabriele Scolaro
Sent: Friday, April 03, 2009 6:02 AM
To: ActiveDir@mail.activedir.org<mailto:ActiveDir@mail.activedir.org>
Subject: RE: [ActiveDir] dstools to disable inactive users/computers
What attribute "dsquery user/computer -inactive" will query?
Hopefully it's the replicated lastLogonTimeStamp... isn't it? :-o
Thanks - Gabriele.
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org<mailto:ActiveDir-owner@mail.activedir.org> [mailto:ActiveDir-<mailto:ActiveDir->
> > owner@mail.activedir.org<mailto:owner@mail.activedir.org>] On Behalf Of Laura E. Hunter
> > Sent: lunedì 16 febbraio 2009 16.22
> > To: ActiveDir@mail.activedir.org<mailto:ActiveDir@mail.activedir.org>
> > Subject: Re: [ActiveDir] dstools to disable inactive users/computers
> >
> > 'Cos oldcmp.exe is way cooler? :-)
> >
> > On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net<mailto:gabro@gabro.net>>
> > wrote:
> > > I would like to disable inactive users and computers by simply
> using
> > the native dstools via tasksch.exe:
> > > Example:
> > > dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> > > dsquery computer -inactive 60 -limit 10000 | dsmod computer -
> disabled
> > yes
> > >
> > > but I recall I read in this list dstools were not recommended for
> > some reasons.... tried to search in the list archive but did not
> > find anything relevant.
> > >
> > > Can someone tell me why it's better not to use dsquery/dsmod?
> > >
> > > Thanks - Gabriele.
> > >
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
> > >
> >
> >
> >
> > --
> > -----------------------
> > Laura E. Hunter
> > Architect, Oxford Computer Group
> > (http://www.oxfordcomputergroup.com)
> > Microsoft MVP, Directory Services
> > (https://mvp.support.microsoft.com/profile/laura)
> > Author, Active Directory Consultant's Field Guide
> > (http://tinyurl.com/7f8ll)
> > Author, Active Directory Cookbook, Third Edition
> > (http://tinyurl.com/7kp3ct)
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| robertsingers
Posts:579
| | 04/06/2009 6:20 PM |
| I'll have to disagree with you Brandon about what happens with an SA who refuses to automate. My experience is that they don't move on, that the good people get fed up of them and move on, and you have the dead sea effect comes into play. Then you end up with more consultants coming through an organisation, making things even more inconsistent.
At the [other other other] Evil Empire I had several customers where my team didn't actually do what we were contracted to do, but instead fixed the botched jobs and mistakes of their SAs. Their employers knew the score but either they didn't have enough to get rid of them or they didn't have the will to do it. I think job protection laws in the US are fair weaker than elsewhere in the world. In NZ Govt it's extremely hard to fire someone, Australia has stronger job protection laws than NZ. I have no idea about Europe but I doubt turning over SAs to fix the problem is ever going to happen.
BTW poshcom.com doesn't resolve to anything for me so I googled powershell repository and powershell community. I didn't find any sites that say if you want to do x, use y or anything of the like. There are lots of nerdy powershell discussion forums and esoteric cmdlets.
This isn't even a problem of CLI vs GUI or people's level of comfort with either. It's about providing ready solutions. robocopy, netdom, oldcmp, and adfind are going to continue to be extremely popular because the provide quick solution.
Look at most Enterprise Architecture frameworks and you'll find common patterns and standards at the very base of the frameworks supporting them. If you want a fundametal change of the way people manage their systems you need well documented and safe common patterns for the common tasks that need to be done. Until you have that Powershell hasn't even crossed the starting line.
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brandon Shell
Sent: Tuesday, 7 April 2009 12:39 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] dstools to disable inactive users/computers
joe,
Powershell marries the GUI with the CLI. The goal is provide consistency in the data that is return regardless if you are more comfortable with the CLI or the GUI. Powershell was never meant to simply be a shell. It was never meant to be simply a scripting language or just developement platform. It is a management platform. It provides all of that.
As for "joe" admin... I think you over estimate their worth. An admin that refuses to learn to automate will simply find a new career or live on the street. GUI automation is fragile at best. True automation comes from the CLI and scripting. Enter "Powershell" it allows Admin's that are more comfortable with GUI to stay in the GUI most of the time, but provides a consistent behavior when they need to drop down to the shell.
A side note on adoption: Powershell has more than 3million downloads and it now the primary management platform for Microsoft, Citrix, Quest, and even VMWare. Not to mention the 100s of other companies that are using it.
p.s. Just to clarify for everyones sake... I think joe's tool are rock solid and will have a place in my (yes my) toolbox for years to come.
----------------------------
ADWS, the new LDAP! LDAP is dead... live with it!
On Sun, Apr 5, 2009 at 3:00 PM, joe <listmail@joeware.net> wrote:
All I heard was "I would rather use XYZ scripting language or CLI tools....". It has always been a viable option to use script or CLI tools. Power Shell is just another CLI option. When my downloads drop to zero then I know my stuff is obsolete and dead meat. Until then I am paying for a considerable amount of bandwidth so people have tools that work for them in the ways that they expect they should work in a fast and efficient manner.
Or as I said in the previous post... Oh there is admin #5.
I think PowerShell will be more popular than say VBScript, but I am far from willing to bet any money on every or even a majority of admins out there using it in a daily way other than through GUIs that thunk down to it. We would have to see a massive shift in the Windows admin demographic I think for that. I recall going back like 4 or maybe 5 years ago I was shooting billards at Jillian's with another DS MVP named Jimmy.... or Yimmy to his friends... His thoughts were he was going to spin up a whole school worth of classes on PowerShell right away and I was like dude, don't waste your money now or even in the near future. He might be able to pull it off now but I still don't think so. It is still niche and will be for a while IMO.
The original purpose that I recall was a great one, replace the long in the tooth shell with something simpler and more powerful. I think it scope creeped from there and at the point that some level of knowledge of object models started getting involved (i.e. class.subclass.subclass.method) it started closing off a some number of folks just like it did with WMI. If people wanted to do this stuff in script before, they had the tools, they just had to take the time to learn just like they have to do with PoS. Does PoS make it easier? Sure but no easier than it could have been made by anyone else who made a concerted serious effort to build a good complete command line experience in any other way or any other language.
What PoS truly gives, IMO, is some new ways at looking at pipelining such as the on the run live pipelining which I am working out how I handle better in the current shell and object pipelining which has always been available if people were willing to serialize the data. I am not saying that is anything small, it is awesome and in all reality always belonged in the Shell implementation. But we didn't all of the .NET stuff with the accompanying fluff to accomplish it. Just someone willing to try and update the shell MSFT has used for decades. Some of us have been doing Command line pretty heavily and very effectively for a very very long time. Nice to see others joining in the fray.
To put it yet another way, I think PowerShell is a good little bit of evolution, but it is not anywhere near a revolution.
joe
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Friday, April 03, 2009 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dstools to disable inactive users/computers
My GOD.... someone dared to tell joe that one of his tools is "obsolete, dead meat", while PoSH is THE CHANGE, THE INNOVATION!!!
OK, I prepare myself, get a bag of pop-corn and wait anxiously to watch the reply...... J
Gabriele
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Scha rique
Sent: venerdì 3 aprile 2009 17.25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] dstools to disable inactive users/computers
Joe, your tool was the bomb back in the days...but I would use PoSH now
Here is the meat for deleting inactive computer accounts.
# set the date to be used as a limit - in this example: 90 days earlier than the current date
$old = (Get-Date).AddDays(-90)
# get the list of computers with the date earlier than this date
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old }
A few variations to this depending on how you want to use the data:
# get a csv report
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | select-object Name, ParentContainer, Description, pwdLastSet | export-csv c:\temp\outdated.csv
# move such computers to another OU
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Move-QADObject -to test.lab/obsolete
# remove the computer records from AD (caution: this actually deletes the records, run the command with -whatif switch before running without it)
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Remove-QADObject -to test.lab/obsolete
On Fri, Apr 3, 2009 at 9:39 AM, joe <listmail@joeware.net> wrote:
Yes. However you may want to look at oldcmp... 4 out of 5 admins who clean
up computers prefer oldcmp.
http://www.joeware.net/freetools/tools/oldcmp/index.htm
joe
--
O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Friday, April 03, 2009 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dstools to disable inactive users/computers
What attribute "dsquery user/computer -inactive" will query?
Hopefully it's the replicated lastLogonTimeStamp... isn't it? :-o
Thanks - Gabriele.
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> > Sent: lunedì 16 febbraio 2009 16.22
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] dstools to disable inactive users/computers
> >
> > 'Cos oldcmp.exe is way cooler? :-)
> >
> > On Mon, Feb 16, 2009 at 9:16 AM, Gabriele Scolaro <gabro@gabro.net>
> > wrote:
> > > I would like to disable inactive users and computers by simply
> using
> > the native dstools via tasksch.exe:
> > > Example:
> > > dsquery user -inactive 60 -limit 5000 | dsmod user -disabled yes
> > > dsquery computer -inactive 60 -limit 10000 | dsmod computer -
> disabled
> > yes
> > >
> > > but I recall I read in this list dstools were not recommended for
> > some reasons.... tried to search in the list archive but did not
> > find anything relevant.
> > >
> > > Can someone tell me why it's better not to use dsquery/dsmod?
> > >
> > > Thanks - Gabriele.
> > >
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
> > >
> >
> >
> >
> > --
> > -----------------------
> > Laura E. Hunter
> > Architect, Oxford Computer Group
> > (http://www.oxfordcomputergroup.com <http://www.oxfordcomputergroup.com/> )
> > Microsoft MVP, Directory Services
> > (https://mvp.support.microsoft.com/profile/laura)
> > Author, Active Directory Consultant's Field Guide
> > (http://tinyurl.com/7f8ll)
> > Author, Active Directory Cookbook, Third Edition
> > (http://tinyurl.com/7kp3ct)
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
________________________________
This e-mail message has been scanned for Viruses and cleared by NetIQ MailMarshal
________________________________
############################################################
PLEASE NOTE:
The information contained in this email message and any
attached files may be confidential and subject to privilege.
Any opinions expressed in this message are not necessarily
those of the Department of Building and Housing. All technical
opinions are offered on a no-liability basis. This message
and any files transmitted with it are confidential and solely
for the use of the intended recipient. If you are not the
intended recipient, you are notified that any use, disclosure
or copying of this email is unauthorised. If you have received
this email in error, please notify us immediately by reply email
and delete the original and any attachment(s). Thank you.
############################################################
| | | |
|
|