Unclaimed Computer on Domain

  • Last Post 04 September 2016
Rajeev Chauhan posted this 01 September 2016

What are the directives/policies/options normally used for unclaimed computers on a domain?
1. Limit reservable bandwidth.
2. Computer password policy.

jeremyts posted this 02 September 2016

By “unclaimed computers” do you mean old/stale computer objects in Active Directory?
Rajeev Chauhan posted this 02 September 2016

Not old/stale. We have some systems where people are not taking ownership of the system.

PARRIS posted this 02 September 2016

Can you please elaborate as to what you actually mean?
“Laying half an egg” without context makes it impossible for myself and others to assist when and where we can.
Mark Parris
Active Directory, Cloud Identity & Security Consultancy.
MVP Enterprise Mobility | MCM Directory Services
jeremyts posted this 02 September 2016
How can a system not have an owner? Do you mean like a kiosk machine?
Rajeev Chauhan posted this 02 September 2016

The idea is to move all machines which are not claimed to a separate OU and deprecate system performance. The concept is the same as when machines are left under the default Computers container.

PARRIS posted this 02 September 2016

Do you mean, you want to know who created the computer account and subsequently who the PC belongs to/is being utilised by?
barkills posted this 02 September 2016

We have this concept, so I’m familiar with the scenario. However, I’m unclear on what exactly is being asked about this scenario. My read of the original post is that there were two examples of possible policies, although frankly, it is a stretch of my imagination to interpret it that way.

In the case that rambling a bit about our environment and this scenario will possibly answer the OP’s question, I’ll keep going.

We have this scenario in two different flavors.

In one domain, all computers are managed by a single service, but they can be added by any user. Computers must be “claimed” within 7 days or the computer account is deleted automatically. This behavior is documented. In this case, “claimed” means: moved to the right OU for the kind of service needed (with GPOs that provide that service differentiation), budget supplied, department supplied so there is a clear chain of authority for issues related to that computer.

In another domain, computers are managed by a variety of delegated OUs. Computer accounts should be pre-created in your own delegated OU. When a computer account is not pre-created, it ends up in what I fondly call the Dagobah swamp, which is an OU with a restrictive GPO. That restrictive GPO includes a logon banner informing the user that they messed up adding the computer (in nicer language), and only permits OU admins and the built-in local admin to actually log on locally (or over the network). In other words, the computer in the Dagobah swamp becomes a brick that can be rescued by a Jedi, but not by a mere mortal. This approach quickly trains delegated OU customers to pre-create computer accounts. Some number of random users do end up there, but it generally isn’t a problem. We will “rescue” computers from the swamp and move them to the right OU, but if it became a regular activity, we’d likely have some serious conversations with the perpetrator’s management.

Rajeev Chauhan posted this 02 September 2016

Thanks. We have the same issues as stated. Presently we are not doing any deletions.

ken posted this 04 September 2016

What do you mean by “claimed”? How does someone “claim” a machine?
You know which machines are “claimed” (via whatever process/system you have)
You know all the machines present in AD
You can calculate the delta every week/day/hour/minute and move them to another OU

None of this is a problem technically. What is missing is background information on your processes/systems, and any sort of requirements or context to your question.
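The delta-and-move loop ken outlines, combined with barkills's grace period before deletion, as an added PowerShell example that is not from anyone in this thread. It assumes the ActiveDirectory module, a hypothetical claimed.csv with a Name column exported from whatever claiming process you run, and placeholder DNs for the default Computers container and the restrictive-GPO quarantine OU.

```powershell
# Added example (not from the thread): quarantine computer accounts that are
# not on the "claimed" list, then report quarantined accounts past the grace
# period for a reviewed deletion step.
# Assumptions (hypothetical): claimed.csv has a 'Name' column holding the
# computer name; the DNs below are placeholders for your own domain.
Import-Module ActiveDirectory

$ClaimedCsv   = 'C:\AdminScripts\claimed.csv'      # assumed export from the claiming system
$DefaultCn    = 'CN=Computers,DC=example,DC=com'    # default container (placeholder domain)
$QuarantineOu = 'OU=Unclaimed,DC=example,DC=com'    # OU carrying the restrictive GPO (placeholder)
$GraceDays    = 7                                   # grace period before an account is reported
$ReportOnly   = $true                               # set to $false to actually move accounts

# Build a case-insensitive set of claimed names.
$claimed = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
Import-Csv $ClaimedCsv | ForEach-Object { [void]$claimed.Add($_.Name) }

# Every computer object still sitting directly in the default container.
$candidates = Get-ADComputer -SearchBase $DefaultCn -SearchScope OneLevel -Filter * `
    -Properties whenCreated

foreach ($c in $candidates) {
    if ($claimed.Contains($c.Name)) { continue }    # claimed: leave it where the owner put it

    $age = [int]((Get-Date) - $c.whenCreated).TotalDays
    if ($ReportOnly) {
        Write-Output ("UNCLAIMED {0} created {1:yyyy-MM-dd} ({2}d ago)" -f $c.Name, $c.whenCreated, $age)
        continue
    }
    # Move into the quarantine OU; the restrictive GPO applies at the next policy refresh.
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $QuarantineOu
    Write-Output ("MOVED {0} -> {1}" -f $c.Name, $QuarantineOu)
}

# Quarantined accounts older than the grace period that are still unclaimed.
# Deletion itself is deliberately left to a separate, reviewed step.
$cutoff = (Get-Date).AddDays(-$GraceDays)
Get-ADComputer -SearchBase $QuarantineOu -SearchScope OneLevel -Filter * -Properties whenCreated |
    Where-Object { $_.whenCreated -lt $cutoff -and -not $claimed.Contains($_.Name) } |
    Select-Object Name, whenCreated |
    Sort-Object whenCreated
```

Run it with $ReportOnly left at $true first and compare the UNCLAIMED lines against the claiming system before letting it move anything; a stale claimed.csv would otherwise quarantine machines that do have owners.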