PowerShell equivalent to deleting an SCCM computer object

I'm trying to find PowerShell code that can be used to delete a single SCCM object. The code I have so far is like this:
    $ResourceObject = Get-WmiObject -ComputerName "SCCMSERVER" -Namespace "ROOT\SMS\site_CFG" -Query "SELECT * FROM SMS_R_SYSTEM WHERE ResourceID='$ResourceID'"
    $ResourceObject.PSBase.Delete()
Yes, this deletes it from the console (and SMS_R_SYSTEM), but it leaves orphaned ResourceIDs everywhere in the database. Right-clicking the object and choosing Delete doesn't leave these orphaned objects.
Anyone know of a good way to simulate deleting from the GUI through PowerShell that doesn't leave orphaned ResourceIDs everywhere?

That method is the supported method via the SDK. The records in the SYSTEM_DISC table marked as decommissioned will get removed via the next maintenance task. This is normal operation.
We had an issue last year where the records were not getting removed properly and it ended up being a policy issue caused by some corrupt packages. If your records are not getting removed you may have a similar issue.
Daniel Ratliff | http://www.PotentEngineer.com

Similar Messages

  • Deleted computer object from SCCM console, so why is it still appearing in SSRS reports?

    We recently divested about 400 computers from our network. I got a list of these computers and deleted them from both Active Directory and in the SCCM Console. I know the deletes were successful because when I search via device name in the SCCM console
    they no longer show up. Yet when I run one of our inventory reports in SSRS I still see several of the devices that I deleted listed there. I thought SSRS represented a "live view" of the SCCM database. If that's true then how can a computer object
    that I deleted in the console still be present in the database? Is there something I'm missing? 

    Okay you are saying to select from v_R_System_Valid instead of v_R_System in my query and that will automatically filter out items I removed in the console? Okay that sounds like what I want, the only problem is my query is selecting from v_GS_COMPUTER_SYSTEM.
    Can I just add "_Valid" to the end of that and achieve the same result?
    Update - Yeah no I tried that and it did not work. Clearly I have a very limited understanding of the SQL views. Interestingly enough Torsten I see you posted a link on your blog to a new Microsoft article that documents the SQL views in SCCM 2012. Looking
    at it now...

  • Bitlocker to Go and deleted computer object

    When encrypting a USB drive using Bitlocker to Go and storing the recovery information in AD, where does it get stored?  Is it in the computer object like regular Bitlocker?  If so, if the computer is retired or the AD computer account is deleted,
    do you lose the recovery information for that drive?

    Hi,
    Backed up BitLocker recovery information is stored in a child object of the computer object. That is, the computer object is the container for a BitLocker recovery object. If you delete a computer object from AD, you will also delete the BitLocker recovery
    information, which is a child object.
    But you can use AD restore mode to retrieve the deleted object.
    Alex Zhao
    TechNet Community Support

  • Problems deleting computer objects-because of their subordinate objects

    We are running a 2008 R2 domain.  We have recently removed our techs out of Account Operators because we have read that is best practice.  Our techs now have problems deleting computer account objects that have the msmq active directory objects
    beneath the computer object.  Even if I give the techs full control permissions on those computer objects, they cannot delete them because they cannot delete the msmq subordinate AD objects.  The msmq objects are not showing a security tab, like
    other subordinate objects do.  If I delete the msmq objects with a Domain Admin account, then the techs can delete the computer objects.  Any ideas of how I can fix it so they can delete the msmq objects, without being Account Operators?
    Thanks,
    Dan Heim

    Hello,
    please see
    http://policelli.com/blog/archive/2009/11/06/understanding-adminsdholder-and-protected-groups/ and start with removing the flag for the mentioned accounts. Therefore see "Orphaned AdminSDHolder Objects" in the mentioned article.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber

  • SCCM creating duplicate computer Objects

    Hi
    We have just upgraded from an SCCM 2007 to SCCM 2012. In the old system I had it set up that other members of my team could all add a machine to SCCM adding the MAC address information and then add the machine into AD. Once in AD they could assign it
    to security groups, for example a Windows 7 group. Every 10 minutes SCCM would scan AD, see the machine name and update the security group information on the computer object that was manually created earlier. Based on this, if SCCM could see it
    in the Windows 7 group it would move the machine to the Windows 7 collection and then I had an advertisement that would deploy Windows 7.
    On the new system however I add the machine into SCCM with the MAC then add it to AD but I end up with 2 objects: one that I added with the MAC but doesn't get updated with the security group information so doesn't get added to the collection, and then another
    one created from scanning AD which has the security information but no MAC so won't build.
    How can I get it to just update the one object?
    thanks

    I create the object in AD so that I can assign a computer security groups like Windows 7 or install office and based on that SCCM moves the machine into various collections. When I then build a machine it will build with the various option set, for example
    it will build a machine with Windows 7. I have to also import it into SCCM so I can assign it a MAC address so that when I PXE boot a machine it recognises it.
    I used to be able to under SCCM 2007 import it manually into SCCM with the MAC so it would PXE boot and also create an AD computer account with the security groups and in the correct OU so that when it built it would be joined to the domain
    with the correct GP applied. 2007 used to merge the 2 objects or at least detect the machine name already existed and applied the information to the existing objects.
    It's neater for me to do it this way than have everyone doing direct relationships for all machines on collections.

  • Duplicate Computer objects in SCCM

    Hi,
    I am noticing that now and then I am seeing duplicate computer objects in SCCM 2012. We are using AD discovery and in AD there aren't duplicates. Do you know what the cause of having duplicate computers in SCCM is and how to resolve this issue?
    Thank you.

    Hi,
    Please refer to the link below:
    ConfigMgr SCCM How to Resolve Duplicate or Conflict Record Issue
    http://anoopcnair.com/2011/04/08/configmgr-sccm-duplicate-record-issue/

  • SCCM 2012 OSD: Import computer object fails

    Hi,
    Please see this post:
    http://social.technet.microsoft.com/Forums/en-US/6dbd2b38-4dbb-4de3-bb25-e3a30813f108/importing-computer-fails-unable-to-save-changes?forum=configmanagerosd
    We have exactly the same issue: we cannot import a computer object due to the error "Unable to save changes", a query which searches for mac-addresses doesn't reveal the pc-name (which is logical because the sccm 2012 should run an inventory first
    but the pc is not loaded).
    Please advise.
    J.
    Jan Hoedt

    Any chance that the object (where you are trying to add a MAC address) was added to the database by AD group discovery? So the name is already in the database? If so: that's expected.
    If not: CU1 for R2 might fix the problem (it is listed as being fixed)
    Torsten Meringer | http://www.mssccmfaq.de

  • Retrieve a Deleted/Recycled Computer Object

    I deleted a computer object for a computer that still exists. OOP!
    We recently updated our Domain Controllers and brought our DFL and FFL to 2012 R2.  I have enabled the recycle bin, but NOT before I deleted the computer object.  Here is the chronology.
    1. DFL and FFL Server 2003
    2. Update DFL and FFL to Server 2008
    3. Delete Computer Object that I want to get back
    4. Update DFL And FFL to Server 2012 R2
    5. Enable Recycle Bin
    6. Discover that I deleted a Computer object that I really still need
    So.. here is what I have done:
    1. Looked in the Active Directory Recycle Bin using ADAM
    2. Followed instructions to try to use ldp.exe to do a tombstone reanimation.
    3. I was able to find the object and its information using ldp.exe in the deleted objects container.  It has isDeleted set to True and isRecycled set to true.
    4. I attempted to delete the isDeleted property and modify the distinguished name.  This did not seem to work.
    I was later reading that it might not be a good idea to do a tombstone reanimation when recycle bin is enabled.  These changes fail and of course I still can't get my object back.
    Is there hope, what should I do next?  I don't want to rejoin the computer to the domain, because I don't know if there are possible references to the SID or some other unique data that is stored in the object I deleted.

    >  2. Followed instructions to try to use ldp.exe to do a tombstone
    >     reanimation.
    Grab sysinternals' adrestore - much easier to handle :)
    Greetings/Grüße,
    Martin

  • Delete Computer object VS Disjoin

    Quick question on AD administration to help resolve an internal debate:
    We're running AD on Windows Server 2008 R2.  One admin states that "deleting doesn't remove all AD objects", and that you need to run a disjoin on the machine first to properly remove the Computer Object.  Can anyone confirm this? 
    Which is the correct way to remove objects in AD?
    It's my understanding that no matter what, you'll end up running a delete command, which marks the object as deleted; this gets replicated to all other DC's, and whenever the tombstone lifetime expires, then a cleanup process will finally and forever remove
    the tombstone objects.  If you don't run a "disjoin" command first, will there be any other lingering objects that need special care and consideration??
    Any info is appreciated.  Thanks much.

    Hi - This is _how_ it works:
    A domain unjoin comes down to the NetUnjoinDomain() API call documented at:
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa370644(v=vs.85).aspx
    There are two scenarios that can happen: either the account gets disabled (by default) if you unjoin using the UI, or it's not disabled, leaving out the misnamed flag 'NETSETUP_ACCT_DELETE' that actually means disable and not delete.
    The computer account is only disabled regardless of the flag if the user that performs the unjoin has the rights to disable the computer account in AD, e.g. write to the userAccountControl attribute.
    The computer account (object) in AD is never deleted from AD during an unjoin.
    However, the importance of cleanup here is that the computer account's password is cleared from the LSA during an unjoin, so it can't be used to authenticate against AD in case that the computer account is NOT being disabled for one of the reasons mentioned
    above.
    Deleting the computer object from AD is like deleting any other object in AD, it stays for the TSL until it's ultimately removed from the database.
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • Powershell Get-ADUser returns Computer objects as well ???! How to prevent.

    I ran the following script and got a bunch of computer objects in my csv. How do I prevent this? I already tried using
    Where-Object {$_.type -eq "user"} OR -filter {type -eq "user"}
    script:
    Get-ADUser -Filter * -Properties samAccountName,accountExpires,Created,LastLogonTimeStamp,Department,physicalDeliveryOfficeName,employeeID,AccountExpirationDate,Manager |
        Where-Object {$_.accountexpirationdate -lt $timex} |
        select Name,samAccountName,
            @{Name="Timestamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}},
            @{n='Date Created';e={$_.created}},
            Department,
            @{n='Location';e={$_.physicalDeliveryOfficeName}},
            employeeID,AccountExpirationDate,
            @{Label='Manager sAMAccountName';Expression={(Get-ADUser $_.Manager).sAMAccountName}},
            @{Label='Manager Name';Expression={(Get-ADUser $_.Manager).name}} |
        export-csv -path $mypath -notypeinformation

    Someone told me the Computer accounts are generic accounts...makes any sense?
    No.
    EDIT: What's the output of this command for one of these computer accounts:
    Get-ADUser ThatComputerAccount | Select *

  • SCCM 2012 R2 task sequence: Move a computer object to different OU

    Hi,
    We migrate from Windows XP to 7.
    During task sequence, we need to be sure the object is moved from one OU to another (XP to Vista OU/policies).
    What is the best way to do this?
    Could be wrong, but it seems that a default task sequence does not move the object although there is a step which explicitly says to put the computer object in a certain OU ("apply network settings").
    Please advise.
    J.
    Jan Hoedt

    Hi you can check this article:
    http://myitforum.com/cs2/blogs/maikkoster/archive/2010/04/08/moving-computers-in-active-directory-during-mdt-deployments-step-by-step.aspx
    Hope this helps.

  • Looking for help with PowerShell script to delete folders in a Document Library

    I'd like to create a PowerShell script to delete old folders in a Document library that are over 30 days old. Has anyone created something like this?
    Orange County District Attorney

    Hello Sid:
    I am trying to do the same and I am running the script to delete the subfolders inside a folder but I have some errors.
    Could you please take a look?
    _______Script________
    $web = Get-SPWeb -Identity https://myportal.mydomain.com
    $list = $web.GetList("ar_mailingactivity")
    $query = New-Object Microsoft.SharePoint.SPQuery
    $camlQuery = '<Where><And><Eq><FieldRef Name="ContentType" /><Value Type="Computed">Folder</Value></Eq><Leq><FieldRef Name="Created" /><Value Type="DateTime"><Today OffsetDays="-30" /></Value></Leq></And></Where>'
    $query.Query = $camlQuery
    $items = $list.GetItems($query)
    # Walk the collection backwards so deleting an item does not shift the remaining indexes
    for ($intIndex = $items.Count - 1; $intIndex -gt -1; $intIndex--) {
        $items.Delete($intIndex)
    }
    ________Errors_______
    Unable to index into an object of type System.Management.Automation.PSMethod.
    At C:\Script.ps1:2 char:22
    + $list =$webGetList <<<< "ar_mailingactivity"]
    + CategoryInfo : InvalidOperation: (ar_mailingactivity:String) [], RuntimeException
    + FullyQualifiedErrorID : CannotIndex
    You cannot call a method on  a null-valued expression.
    At c:\Script.ps1:6 char:24
    + $items = $list.GetItems <<<< ($query)
    + CategoryInfo : InvalidOperation: (GetItems:String) [], RuntimeException
    + FullyQualifiedErrorID : InvokeMethodOnNull

  • Managing multiple "old" AD computer objects

    So we have implemented a naming convention where the techs just select a location and department during the imaging process for a  machine that is about to be deployed; during that process and the computers are automagically named something like "NYC-FIN-1234567"...
    with 1234567 being the dell asset tag.... pretty nifty Johan(!)
    However... the problem is that once that machine gets re-imaged at the same location and deployed to another team like the marketing folks  (ie."MKT")... it gets the name NYC-MKT-1234567...
    the problem I am seeing is now we have multiple objects in AD with the same asset tag which is causing nightmares for licensing management... NYC-FIN-1234567 & NYC-MKT-1234567 respectively.
    I am working on a PowerShell script that will trim the names down to their respective tags and then compare the list for duplicates - then check  and compare the duplicates properties like "created date" and make a determination and delete
    the older object...
    this checking for duplicates is proving to be a little more difficult and haven't even gotten to the evaluate section yet...  I am still working on my proficiency when it comes to more complex arrays.
    am i going about this the right way or does anyone else have another approach to this conundrum?
    scripting games '14 anyone :p

    all good info!
    Since our AD has less than 3000 workstation objects the 'scaling' is manageable... but could make it a little faster, but alas here is what i have with a couple of tweaks
    i am skimming all computer objects in our 'workstation' OU... and dropping the first two prefixes, and then checking for machines that match... we were originally using "created date" but since we have workstations that have been imaged to say
    a FIN dept and then to a MKT dept and then re-re-imaged back to FIN... the created date doesn't change so i switched to Modified date, and keep the newest one...
    but also as another 'layer' of protection i test-path of the workstation (we run this middle of the day) before disabling it and moving it to a "temp" ou where we can let them sit for a couple weeks in case we had a false positive (thus the ping)
    we can quickly restore that object... i also can just comment out the actual "move and disable command" so it generates me a nice list of machines that would have been deleted so i can do a 'sanity check' before deleting a bunch of vip's machines
    from AD :)
    #Declare Domain and OU to be Scrubbed - and $dupou is the ou we can let them 'chillout' before deleting on the next run
    $domain = "domain.com"
    $OU = "OU=Workstations,DC=domain,DC=com"
    $CleanupList = "c:\disabled.txt"
    $dupOU = "OU=Duplicates,OU=INACTIVE,DC=domain,DC=com"
    if (test-path $CleanupList) {Remove-Item $CleanupList}
    $delOK = "c:\DelOk.txt"
    if (test-path $delOK) {Remove-Item $delOK}
    #this is the TEMPORARY throttle cap... so it will stop after it finds the amount defined by $cap (so we can phase it in)
    $cap = 10000
    $Global:i = 0
    $sdate = (Get-Date)
    Write-Output "AD Duplicate 'Scrubber' Script started on: "$sdate >> $CleanupList
    Write-output "These Machines were disabled and moved to the Inactive\Duplicates OU in our domain" >> $CleanupList
    Write-Output "--------------------------------------------------------------------------------------------------------------">> $CleanupList
    $comps = (Get-ADComputer -filter * -Server $domain -SearchBase $OU).name
    ForEach ($comp in $comps) {
        if ($global:i -lt $cap) {
            #names shorter than an asset tag cannot be trimmed, skip them
            if ($comp.Length -lt 7) { continue }
            #trim length to just asset tags (last 7 digits)
            $Length = $comp.Length
            $var = $Length - 7
            $tag = $comp.Substring($var,7)
            Write-host -ForegroundColor yellow "Testing asset tag: $tag"
            #@() keeps the result an array even when only one object matches
            $x = @(Get-ADComputer -Filter "name -like '*$tag'" -Properties DistinguishedName, Modified -Server $domain -SearchBase $OU | Sort-Object -Property Modified)
            if ($x.count -gt 1) {
                #sorted oldest first, so every index below the last one is an older duplicate
                $y = ($x.count) - 1
                while ($y -ge 1) {
                    $z = $y - 1
                    $x.name[$z] >> $CleanupList
                    #added a ping feature to as another level of "protection"
                    if (Test-Connection $x.name[$z] -Count 2 -Quiet) {
                        Write-Output $x.name[$z]" is Online... Skipping"
                        $x.name[$z] >> c:\WTF.txt
                    } Else {
                        #this line below this one is the one that moves and disables... comment out if testing with a # sign or remove when testing complete
                        #Get-ADComputer $x.name[$z] | Move-ADObject -TargetPath $dupOU -PassThru | Disable-ADAccount
                        Write-Output $x.name[$z]" is Offline... should delete"
                        $global:i++
                        $x.name[$z] >> $delOK
                        write-host -ForegroundColor Cyan $x.name[$z]" Moved and Disabled - $global:i"
                    }
                    #decrement in both branches so an online machine does not loop forever
                    $y--
                }
            }
        }
    }
    Write-host "------------"
    Write-host -foregroundcolor cyan "$i Computer objects were Disabled and Moved to $dupOU :)"
    #message in the body
    $msg ="Please review the attached list to see the Duplicate machines that were moved and disabled via this script"
    #Recipients
    $mailTo = "shad acker <[email protected]>"
    Send-MailMessage -SmtpServer smtp.domain.com -Attachments $delOK -Body $msg -to $mailTo -From "DuplicateFinder<[email protected]>" -Subject "Computer Duplicates Disabled" -Cc "who ever <[email protected]>"
    not the prettiest or most efficient but it seems to be working :)
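
The duplicate check this thread describes (group computer names by trailing asset tag, keep the most recently modified object, report the rest) can be done in one pass with Group-Object instead of one directory query per computer. This is an added example, not the poster's script: the sample objects are constructed, `Get-StaleDuplicate` is a hypothetical helper name, and treating the tag as 7 alphanumeric characters after a hyphen is an assumption.

```powershell
# Added example. Constructed sample data standing in for the output of:
#   Get-ADComputer -Filter * -SearchBase $OU -Properties Modified
$computers = @(
    [pscustomobject]@{ Name = 'NYC-FIN-1234567'; Modified = [datetime]'2014-01-10' }
    [pscustomobject]@{ Name = 'NYC-MKT-1234567'; Modified = [datetime]'2014-03-02' }
    [pscustomobject]@{ Name = 'NYC-FIN-7654321'; Modified = [datetime]'2014-02-01' }
    [pscustomobject]@{ Name = 'NYC-HR-2223334';  Modified = [datetime]'2013-11-20' }
    [pscustomobject]@{ Name = 'NYC-FIN-2223334'; Modified = [datetime]'2014-02-15' }
    [pscustomobject]@{ Name = 'NYC-MKT-2223334'; Modified = [datetime]'2013-12-05' }
    [pscustomobject]@{ Name = 'PRINTSRV01';      Modified = [datetime]'2012-06-01' }
)

# Hypothetical helper: returns one row per stale duplicate and changes nothing.
function Get-StaleDuplicate {
    param(
        [Parameter(Mandatory)] [object[]] $Computer,
        [int] $TagLength = 7   # assumption: tag is the last 7 alphanumerics
    )

    # Names that do not end in "-<tag>" (servers, legacy names) are ignored
    # instead of being trimmed blindly with Substring.
    $pattern = '-(?<tag>[A-Za-z0-9]{' + $TagLength + '})$'

    $Computer |
        Where-Object { $_.Name -match $pattern } |
        Group-Object -Property {
            [regex]::Match($_.Name, $pattern).Groups['tag'].Value.ToUpperInvariant()
        } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $group  = $_
            # Newest first: index 0 is the object to keep.
            $sorted = @($group.Group | Sort-Object -Property Modified -Descending)
            $keep   = $sorted[0]
            foreach ($stale in ($sorted | Select-Object -Skip 1)) {
                [pscustomobject]@{
                    AssetTag      = $group.Name
                    Stale         = $stale.Name
                    StaleModified = $stale.Modified
                    Kept          = $keep.Name
                    KeptModified  = $keep.Modified
                }
            }
        }
}

# Review list only; feed it to Move-ADObject / Disable-ADAccount after a sanity check.
Get-StaleDuplicate -Computer $computers | Format-Table -AutoSize
```

Each returned row is a candidate for the same disable-and-move step the script above performs, so the reachability test and the holding OU still apply before anything is deleted.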

  • AD System Group Discovery not updating System OU Name on computer object when computer moves OU

    2 related questions.
    1. We have noticed that computer objects (active clients) in ConfigMgr are not getting their System OU Name discovery data updated when a computer account is moved from one OU to another, and AD System Group Discovery runs. Since we are basing some of our Software Updates collections on AD OU name, these systems are not falling into their required collections.
    2. On a few occasions we are also seeing duplicate computer objects being created. One new record from AD System Discovery, which contains the correct 'new' System OU Name, and one 'old' computer object from before the computer account was moved to a different OU in AD. The heartbeat discovery of this second object is still updating e.g. showing new heartbeats, but the computer object still shows the old System OU Name from before the computer account was moved in AD. If we delete both objects and run a Discovery Data Collection Cycle from the client, and AD System Group Discovery, then we get one new record with the correct 'new' set of System OU names.
    This duplicates issue is happening in both our Central Primary Site and our other child Primary site. Both sites are set to create new client records for duplicate hardware IDs, and there is a possibility we're seeing the duplicate records on machines that have been re-imaged and redeployed at some point.
    It's my understanding that it is AD System Group Discovery that updates the System OU Name property on client objects. We have this set to run every 4 hours. I'm not seeing any errors in the adsysgrp.log. Any idea why discovery is not updating the System OU Name information when a computer account moves OU? As far as I understand it, nothing additional is required to happen from the client end for this property to get updated.

    The only thing I can think of would be ad sys group discovery not running at the site where the client is assigned to?
    "Everyone is an expert at something" Kim Oppalfens Configmgr expert for lack of any other expertise. http://www.scug.be/blogs/sccm
    HI Everyone..
    Any reply or correct answer to this question???
    Same problem even i have. Duplicate machine names created when machine moved to different sites.
    And also, AD sys group discovery running on all the sites (i have 4 sites).
    System Security analyst at CapG

  • Request for info regarding MAC address population in computer objects

     
    Hi,
    I am trying to determine how MAC address information is populated in computer objects. I had assumed initially that the hardware scan would be used, but observation shows this information
    to be obtained prior to any hardware inventory.
    I have laptops that are primarily connected via VPN, and before long their objects lose the internal network interface's MAC address. When I try to rebuild them, they fail to PXE boot. I have
    found that importing a CSV of host / MAC / SMBIOS GUID will update the object (rather than having to delete and recreate it) which works temporarily. The MAC will eventually disappear, and the device fail to PXE boot.
    I have thousands of these devices to manage, and it is already difficult enough having a CAS and two primaries (the windows Deployment Service on a DP only cares about devices in the DPs primary
    site, and so devices that move site are a real pain already, try finding that anywhere in the OSD reference documents!)
    I'm assuming now that this information is pulled from the actual client-server connection, and therefore is dynamic(ish), like IP information. If this is the case, more detail around that process,
    where to find evidence of  that process occurring would be very useful.

    The MAC is updated by hardware inventory and heartbeat discovery. 
    Torsten Meringer | http://www.mssccmfaq.de
