Duplicate Computer objects in SCCM

Similar Messages

• SCCM creating duplicate computer Objects

  Hi
  We have just upgraded from an SCCM 2007 to SCCM 2012. In the old system I had it set up that other members of my team could all add a machine to SCCM adding the MAC address information and then add the machine into AD. once in AD they could assign it
  to security groups for example a windows 7 group. every 10 minutes SCCM would scan AD see the machine name and update the security group information on the computer object that was manually created earlier. based on this if SCCM could see it
  in the Windows 7 group it would move the machine to the Windows 7 collection and then I had an advertisement that would deploy Windows 7.
  On the new system however I add the machine into SCCM with the MAC then add it to AD but I end up with 2 objects one that I added with the MAC but doesn't get updated with the security group information so doesn't get added to the collection and then another
  one created from scanning AD which has the security information but no MAC so wont build. 
  how can I get it to just update the one object?
  thanks

  I create the object in AD so that I can assign a computer security groups like Windows 7 or install office and based on that SCCM moves the machine into various collections. when I then build a machine it will build with the various option set for example
  it will build a machine with Windows 7. I have to also import it into SCCM so I can assign it a MAC address so that when I PXE boot a machine it recognises it.
  I used to be able to under sccm 2007 import it manually into SCCM with the MAC so it would PXE boot and also create an AD computer account with the security groups and in the correct OU so that when it built it would be joined to the domain
  with the correct GP applied. 2007 used to merge the 2 objects or at least detect the machine name already existed and applied the information to the existing objects.  
  its neater for me to do it this way than have everyone doing direct relationships for all machines on collections

• Deleted computer object from SCCM console, so why is it still appearing in SSRS reports?

  We recently divested about 400 computers from our network. I got a list of these computers and deleted them from both Active Directory and in the SCCM Console. I know the deletes were successful because when I search via device name in the SCCM console
  they no longer show up. Yet when I run one of our inventory reports in SSRS I still see several of the devices that I deleted listed there. I thought SSRS represented a" live view" of the SCCM database. If that's true then how can a computer object
  that I deleted in the console still be present in the database? Is there something I'm missing? 

  Okay you are saying to select from v_R_System_Valid instead of v_R_System in my query and that will automatically filter out items I removed in the console? Okay that sounds like what I want, the only problem is my query is selecting form v_GS_COMPUTER_SYSTEM.
  Can I just add "_Valid" to the end of that and achieve the same result?
  Update - Yeah no I tried that and it did not work. Clearly I have a very limited understanding of the SQL views. Interestingly enough Torsten I see you posted a linbk on your blog to a new Microsoft article that documents the SQL views in SCCM 2012. Looking
  at it now...

• AD System Group Discovery not updating System OU Name on computer object when computer moves OU

  2 related questions.
  1. We have noticed that computer objects (active clients) in ConfigMgr are not getting their System OU Name discovery data updated when a computer account is moved from one OU to another, and AD System Group Discovery runs. Since we are basing some of our Software Updates collections on AD OU name, these systems are not falling into their required collections.
  2. On a few occasions we are also seeing duplicate computer objects being created. One new record from AD System Discovery, which contains the correct 'new' System OU Name, and one 'old' computer object from before the computer account was moved to a different OU in AD. The heartbeat discovery of this second object is still updating e.g. showing new heartbeats, but the computer object still shows the old System OU Name from before the computer account was moved in AD. If we delete both objects and run a Discovery Data Collection Cycle from the client, and AD System Group Discovery, then we get one new record with the correct 'new' set of System OU names.
  This duplicates issue is happening in both our Central Primary Site and our other child Primary site. Both sites are set to create new client records for duplicate hardware IDs, and there is a possibility we're seeing the duplicate records on machines that have been re-imaged and redeployed at some point.
  It's my understanding that it is AD System Group Discovery that updates the System OU Name property on client objects. We have this set to run every 4 hours. I'm not seeing any errors in the adsysgrp.log. Any idea why discovery is not updating the System OU Name information when a computer account moves OU? As far as I understand it, nothing additional is required to happen from the client end for this property to get updated.

  The only thing I can think of would be ad sys group discovery not running at the site where the client is assigned to?
  "Everyone is an expert at something" Kim Oppalfens Configmgr expert for lack of any other expertise. http://www.scug.be/blogs/sccm
  HI Everyone..
  ANy reply or correct answer to this question???
  Same problem even i have. Duplicate machine names created when machine moved to different sites.
  And also, AD sys group discovery running on all the sites (i have 4 sites).
  System Security analyst at CapG

• SCCM 2012 OSD: Import computer object fails

  Hi,
  Please see this post:
  http://social.technet.microsoft.com/Forums/en-US/6dbd2b38-4dbb-4de3-bb25-e3a30813f108/importing-computer-fails-unable-to-save-changes?forum=configmanagerosd
  We have exactly the same issue: we cannot import a computer object due to the error "Unable to save changes", a query which searches for mac-addresses doesn't reveal the pc-name (which is logic because the sccm 2012 should run an inventory first
  but the pc is not loaded).
  Please advise.
  J.
  Jan Hoedt

  Any chance that the object (where you are trying to add a MAC address) was added to the database by AD group discovery? So the name is already in the database? If so: that's expected.
  If not: CU1 for R2 might fix the problem (it is listed as being fixed)
  Torsten Meringer | http://www.mssccmfaq.de

• SCCM 2012 R2 task sequence: Move a computer object to different OU

  Hi,
  We migrate from Windows XP to 7.
  During task sequence, we need to be sure the object is moved from one OU to another (XP to Vista OU/policies).
  What is the best way to do this?
  Could be wrong, but it seems that a default task sequence does not move the object although there is a step which explicitely says to put the computer object in a certain OU ("apply network settings").
  Please advise.
  J.
  Jan Hoedt

  Hi you can check this article:
  http://myitforum.com/cs2/blogs/maikkoster/archive/2010/04/08/moving-computers-in-active-directory-during-mdt-deployments-step-by-step.aspx
  Hope this helps.
  Note: This posting is provided 'AS IS' with no warranties or guarantees, and confers no rights. Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable. This helps the community, keeps the forums tidy, and
  recognises useful contributions.

• Powser Shell Script to Purge Computer Records from SCCM

  Hello!
  I have built a collection in Configuration Manager to bring in a list of computers that have duplicate names. Here is the query that I am using.
  select R.ResourceID,R.ResourceType,R.Name,R.SMSUniqueIdentifier,R.ResourceDomainORWorkgroup,R.Client from SMS_R_System as r   full join
  SMS_R_System as s1 on s1.ResourceId = r.ResourceId   full join SMS_R_System as s2 on s2.Name = s1.Name   where s1.Name = s2.Name and s1.ResourceId != s2.ResourceId
  I am building a PowerShell Script to obtain the names of the computer resources stored in the above SCCM 2012 collection and place them in a variable. Next,
  I want to obtain the computer resources (e.g., ddr records) and store them in a 2ed variable using the first variable to pipe in the data. I am using a “ForEach” looping construct to accomplish this. Lastly, I want to purge the computers records from the Configuration
  Manager database that are stored in the second variable which came from the computers names of the specified SCCM collection. I am attempting to use this line of code within my loop to purge the computer records from SCCM:
  $compObject.psbase.syncroot | % { $_.psbase.delete()
  Here is a
  blog I found suggesting this line of code.
  What I have discovered is rather interesting. My script works as intended, but even though the correct records  ARE
  being purged. The above line of code is returning an error.
  You cannot call a method on a null-valued expression.
  At line:18 char:35 + $compObject.psbase.syncroot | % { $_.psbase.delete() }
  +                                   ~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
      + FullyQualifiedErrorId : InvokeMethodOnNull
  I have a few questions:
  Does anyone know why this is occurring?
  Is there a different approach or code I should be using instead to purge the collected data?
  Here is my full script:
  #// required parameters
  $SCCMServer
  = "MySiteServer"
  $sitename
  = "PS1"
  $collectionID
  = "PS1009c8"
  #// Obtain collection members from $collectionID
  $SMSClients
  = Get-WmiObject
  -Query "SELECT * FROM SMS_FullCollectionMembership WHERE CollectionID='$collectionID' order by name" 
  -ComputerName $SCCMServer
  -Namespace  "ROOT\SMS\site_$sitename"
  #//looping construct to loop through all the colection members
  ForEach ($SMSclient
  in $SMSclients) {
  #// Loads computer records one at a time into $compobject variable using a ForEachloop to be deleted
  $compObject
  = get-wmiobject
  -query "select * from SMS_R_SYSTEM WHERE Name='$($smsclient.name)'"
  -computername $SCCMServer
  -namespace "ROOT\SMS\site_$sitename"
  #// Delete’s computer objects one at a time in $compObject variable from CM12 database
  $compObject.psbase.syncroot
  | % {
  $_.psbase.delete() }
  --Tony

  Daniel
  Have you ever used Orchestrator to kick off your Powershell scripts? I am using System Center 2012 R2 Orchestrator, and trying to use the "Run .Net Script" action to launch my Powershell code, but the process is failing.  When I run the code
  from within PowerShell and RunBook Tester the code executes as it should. When I run it from the RunBook I receive this error:
  Exception calling "Delete" with "0" argument(s): "Generic failure "
  Just curious if you had any thoughts why my code was blowing up in an Orchestrator RunBook when it works fine within PowerShell? My full code is below.
  #// required parameters
  $SCCMServer = "MySiteServer"
  $sitename = "PS1"
  $collectionID = "PS1009c8"
  #// Obtain collection members from $collectionID
  $SMSClients = Get-WmiObject -Query "SELECT * FROM SMS_FullCollectionMembership WHERE CollectionID='$collectionID' order by name" -ComputerName $SCCMServer -Namespace "ROOT\SMS\site_$sitename"
  #//looping construct to loop through all the colection members
  ForEach ($SMSclient in $SMSclients) {
  #// Obtains and deletes the SCCM computer records one at a time using a ForEachloop
  Get-WmiObject -query "select * from SMS_R_SYSTEM WHERE Name='$($smsclient.name)'" -computername $SCCMServer -namespace "ROOT\SMS\site_$sitename" |
  ForEach-Object { $_.Delete() }

• Managing multiple "old" AD computer objects

  So we have implemented a naming convention where the techs just select a location and department during the imaging process for a  machine that is about to be deployed; during that process and the computers are automagically named something like "NYC-FIN-1234567"...
  with 1234567 being the dell asset tag.... pretty nifty Johan(!)
  However... the problem is that once that machine gets re-imaged at the same location and deployed to another team like the marketing folks  (ie."MKT")... it gets the name NYC-MKT-1234567...
  the problem I am seeing is now we have multiple objects in AD with the same asset tag which is causing nightmares for licensing management... NYC-FIN-1234567 & NYC-MKT-1234567 respectively.
  I am working on a PowerShell script that will trim the names down to their respective tags and then compare the list for duplicates - then check  and compare the duplicates properties like "created date" and make a determination and delete
  the older object...
  this checking for duplicates is proving to be a little more difficult and haven't even gotten to the evaluate section yet...  I am still working on my proficiency when it comes to more complex arrays.
  am i going about this the right way or does anyone else have another approach to this conundrum?
  scripting games '14 anyone :p

  all good info!
  Since our AD has less than 3000 workstation objects the 'scaling' is manageable... but could make it a little faster, but alas here is what i have with a couple of tweaks
  i am skimming all computer objects in our 'workstation' OU... and dropping the first two prefixes, and then checking for machines that match... we were originally using "created date" but since we have workstations that have been imaged to say
  a FIN dept and then to a MKT dept and then re-re-imaged back to FIN... the created date doesn't change so i switched to Modified date, and keep the newest one...
  but also as another 'layer' of protection i test-path of the workstation (we run this middle of the day) before disabling it and moving it to a "temp" ou where we can let them sit for a couple weeks in case we had a false positive (thus the ping)
  we can quickly restore that object... i also can just comment out the actual "move and disable command" so it generates me a nice list of machines that would have been deleted so i can do a 'sanity check' before deleting a bunch of vip's machiens
  from AD :)
  #Declare Domain and OU to be Scrubbed - and $dupou is the ou we can let them 'chillout' before deleting on the next run
  $domain = "domain.com"
  $OU = "OU=Workstations,DC=domain,DC=com"
  $CleanupList = "c:\disabled.txt"
  $dupOU = "OU=Duplicates,OU=INACTIVE,DC=domain,DC=com"
  if (test-path $CleanupList) {Remove-Item $CleanupList}
  $delOK = "c:\DelOk.txt"
  if (test-path $delOK) {Remove-Item $delOK}
  #this is the TEMPORARY throttle cap... so it will stop after it finds the amount defined by $cap (so we can phase it in)
  $cap = 10000
  $Global:i = 0
  $sdate = (Get-Date)
  Write-Output "AD Duplicate 'Scrubber' Script started on: "$sdate >> $CleanupList
  Write-output "These Machines were disabled and moved to the Inactive\Duplicates OU in our domain" >> $CleanupList
  Write-Output "--------------------------------------------------------------------------------------------------------------">> $CleanupList
  $comps = (Get-ADComputer -filter * -Server $domain -SearchBase $OU).name
  ForEach ($comp in $comps) {
  if ($global:i -lt $cap) {
  #trim length to just asset tags (last 7 digits)
  $Length = $comp.Length
  $var = $Length - 7
  $tag = $comp.Substring($var,7)
  Write-host -ForegroundColor yellow "Testing asset tag: $tag"
  $x =(Get-ADComputer -Filter "name -like '*$tag'" -Properties DistinguishedName, Modified -Server $domain -SearchBase $OU |Sort-Object -Property Modified)
  if ($x.count -gt 1) {
  $y = ($x.count) -1
  while ($y -ge 1 ) {
  $z = $y - 1
  $x.name[$z] >> $CleanupList
  #added a ping feature to as another level of "protection"
  if (Test-Connection $x.name[$z] -Count 2 -Quiet){
  Write-Output $x.name[$z]" is Online... Skipping"
  $x.name[$z] >> c:\WTF.txt
  }Else {
  #this line below this one is the one that moves and disables... comment out if testing with a # sign or remove when testing compelete
  #Get-ADComputer $x.name[$z] | Move-ADObject -TargetPath $dupOU -PassThru | Disable-ADAccount
  Write-Output $x.name[$z]" is Offline... should delete"
  $global:i++
  $x.name[$z] >> $delOK
  write-host -ForegroundColor Cyan $x.name[$z]" Moved and Disabled - $global:i"
  $y--
  Write-host "------------"
  Write-host -foregroundcolor cyan "$i Computer objects were Disabled and Moved to $dupOU :)"
  #message in the body
  $msg ="Please review the attached list to see the Duplicate machines that were moved and disabled via this script"
  #Recipients
  $mailTo = "shad acker <[email protected]>"
  Send-MailMessage -SmtpServer smtp.domain.com -Attachments $delOK -Body $msg -to $mailTo -From "DuplicateFinder<[email protected]>" -Subject "Computer Duplicates Disabled" -Cc "who ever <[email protected]>"
  not the prettiest or most efficinent but it seems to be working :)

• Set Computer Variables on "unknown" computer object

  Hi all,
  we are using unknown Computer support for OSD. When the OSD process started, there is a new record created called "unknown" for every machine. 
  Our OSD Process consists of a workflow running in the background on System Center Orchestrator, collecting a few more values from other systems like ITSM. To interface with the currently running OSD of a Machine, we write down Computer Variables on the device
  object (visible in SCCM Console then) which can be used in the task sequence.
  Well, this is how it worked for us with "known" computer but with "unknown" computer it seems that we can't set variables on the "unknown" device object in that state.
  Is this per design ? Can't I set any variable on the object self during "unknown" phase? 
  After OSD is done, the computer object is updated to reflect its name and we now can set variables, but indeed to late. 
  Could you confirm that this is per design ? Any workaround ?
  Thanks

  This is not documented as far as I know, but I guess that it is by design since those 'unknown' objects are transient. I also think that the client (once in the 'unknown state' does not download policies again so that those variable additions will never
  make it to the client).
  Workaround? Most likely yes, but this requires deep knowledge of what you want to achieve exactly.
  Torsten Meringer | http://www.mssccmfaq.de

• Renaming deployed systems while retaining the Client object in SCCM

  After deploying a system, we re-name it from the default MININT-xxxxxxxx name, depending on which office the system will be going to.  Usually, this creates no issue in the SCCM 2012 R2 console, but sometimes we see systems which show as having "No"
  Client, but with the Last Status as "Complete".  We can wait for the AD, Network, and Heartbeat Discovery to re-discover the system, but sometimes even after a week, there's no change.  The systems are on the network (sleep, hibernate,
  & hybrid sleep are all disabled).  Manually right-clicking the client in the Devices view & selecting "Install Client" doesn't help.  Perhaps choose the option to "Uninstall existing Configuration Manager client before the
  client is installed" ?  We also see some "Unknown" computer objects which we delete.  Are these related to the re-naming the computers ?
  Thanks

  The object you are seeing is probably a stale one that doesn't match up to the actual one in the DB. You can always confirm this by matching client's GUID with the one in the console for the resource.
  Also, whenever you rename a system, always run a data discovery cycle on the client. This will update the corresponding resource in ConfigMgr (or create a new one). WHat is your heartbeat interval set at? I always recommend no less than once every day.
  How about naming the systems correctly in the first place though? All this takes is populating the OSDComputerName variable which can be done in many different ways.
  Jason | http://blog.configmgrftw.com

• AMT Computer Object Creation in Out of Band Management

  Just configured our Out of Band Management / AMT settings and we're getting all our AMT systems provisioned successfully. I've noticed that now, in SCCM 2012, the AMT object that gets created are Computer objects in AD. Their objectCategory is
  CN=Computer,CN=Schema,CN=Configuration,DC=mydomain,DC=com
  Back in the SCCM 2007 days, They were Person objects in AD. We still have some in AD.
  CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=com
  Is this the default setting or do I have the option to change it?
  Orange County District Attorney

  Since no one has answer this post, I recommend opening  a support case with CSS as they can work with you to solve this problem.
  Garth Jones | My blogs: Enhansoft and
  Old Blog site | Twitter:
  @GarthMJ

• Duplicate Resource Objects  are displayed while provisioning the resource

  Duplicate Resource Objects are displayed while provisioning the resource to organization after creating a new workflow through export and import process.
  A workfolw already exists in the environment and I am trying to replicate the work flow with a different name . So i import all the components related to provisioning workflow rename the names of the components and make the necessary changes and import it back. after this I am getting Duplicate Resource Objects being displayed while provisioning the resource to organization .plz help.its urgent

  I have tried this process thrice not able to solve this problem ......unchecking allow multiple ..i don t think matters as this is provisioning to org ...n what i am telling is the list from which u select the resources to be provisioned --that list shows duplicate resource object names at a time..Each time I import an xml the number of same resource object names being displayed in the list increases ...So If I have imported three workflows then (say Resorce Object AD) appears thrice in the list. I have not given the resource objects same name in all the workflows for this to happen
  Sahana

• I have a requirement where I have to give the list of users who can access a specific computer. I am new with PS. Do you have a script to list users that can access a computer object of AD ?

  I have a requirement where I have to give the list of users who can access a specific computer define in AD.
  I am new with PS.
  Do you have a script to list users that can access a computer object of AD ?
  I have executed the following script  but it does not give me the access rights of who can access the computer 'computername'
  How can i have this information. please help
  Import-Module activedirectory
  $computer=get-adcomputer "computername" -properties ntSecurityDescriptor
  $omputer.ntsecurityDescriptor.Access | select-object -expandproperty IdentityReference | sort-object -unique

  I would say that, since the OP has so little info, there are no policies in use.  It there were then this question would never be asked the way it is being asked.
  I had a client call with a letter from their insurance company; an accountant with malpractice insurance.  THey asked the same question inmuch the same way.  "What computer can you users access?"  The question should be more like
  "Do you have a policy that restricts access to computers and do you audit for compliance?"
  I have had other clients whose insurance asked the question in that way.  It produces a better view of what should be happening and how to show compliance.
  I recommend that companies being asked these questions by their legal departments or insurance companies should contract with a god computer security consultant to assist with answering these very tricky questions.  Of course if it is just you boss's
  curiosity  then you may need to discuss his requirements with him in more depth.
  ¯\_(ツ)_/¯

• Bitlocker to Go and deleted computer object

  When encrypting a USB drive using Bitlocker to Go and storing the recovery information in AD, where does it get stored?  Is it in the computer object like regular Bitlocker?  If so, if the computer is retired or the AD computer account is deleted,
  do you lose the recovery information for that drive?

  Hi,
  Backed up BitLocker recovery information is stored in a child object of the computer object. That is, the computer object is the container for a BitLocker recovery object. If you delete a computer object from AD, you will also delete the BitLocker recovery
  information, which is a child object.
  But you can use AD restore mode to retrieve the deleted object.
  If you have any feedback on our support, please click
  here
  Alex Zhao
  TechNet Community Support

• Request for info regarding MAC address population in computer objects

   
  Hi,
  I am trying to determine how MAC address information is populated in computer objects. I had assumed initially that the hardware scan would be used, but observation shows this information
  to be obtained prior to any hardware inventory.
  I have laptops that are primarily connected via VPN, and before long their objects lose the internal network interface's MAC address. When I try to rebuild them, they fail to PXE boot. I have
  found that importing a CSV of host / MAC / SMBIOD GUID will update the object (rather than having to delete and recreate it) which works temporarily. The MAC will eventually disappear, and the device fail to PXE boot.
  I have thousands of these devices to manage, and it is already difficult enough having a CAS and two primaries (the windows Deployment Service on a DP only cares about devices in the DPs primary
  site, and so devices that move site are a real pain already, try finding that anywhere in the OSD reference documents!)
  I'm assuming now that this information is pulled from the actual client-server connection, and therefore is dynamic(ish), like IP information. If this is the case, more detail around that process,
  where to find evidence of  that process occurring would be very useful.

  The MAC is updated by hardware inventory and heartbeat discovery. 
  Torsten Meringer | http://www.mssccmfaq.de