Prestage Computer Object in Subdomain

Trying to precreate a computer object in a subdomain. It works sometimes (1 in 15) with a "Directory Object Not Found" error. I'm doing this through a PowerShell workflow
(for WAP/SMA - hence the credential call). The credential has full access on the target OU. The if statement is for multiple domains I have but shortened up for sake of cleanliness here.
The best I can tell is it's some sort of error with how it's looking for the OU where the server should end up. Code below - anyone dealt with this before?
workflow Precreate-Object
{
    Param(
        [Parameter(Mandatory=$True)][String]$servername,
        [Parameter(Mandatory=$True)][String]$datacenter,
        [Parameter(Mandatory=$True)][String]$ou
    )
    # Credential asset stored in SMA
    $PSUserCredAD = Get-AutomationPSCredential -Name "Automation Credential"
    if ($datacenter -like "Subdomain")
    {
        $domaincontroller = "subdomain.location.domain.com"
    }
    # AD cmdlets run inside InlineScript; workflow variables are passed in with $using:
    InlineScript
    {
        New-ADComputer -Name $using:servername -Path "$using:ou" -Server $using:domaincontroller -Credential $using:PSUserCredAD
    }
}
Full error below:
8/11/2014 11:00:33 AM, Error: New-ADComputer : Directory object not found
At Precreate-Object:28 char:28
+
+ CategoryInfo : ObjectNotFound: (CN=Servername,CN=...domain,DC=com:String) [New-ADComputer], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.NewADComputer

Your error is explicit. You are asking a specific DC for the info and it is saying it doesn't exist on the domain. It is not saying no access or anything else. The object does not exist as specified. Fix the DN and it will likely
work.
ObjectNotFound: (CN=Servername,CN=...domain,DC=com:String)
¯\_(ツ)_/¯
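
The reply's point, that the DN passed to -Path has to exist on the server being asked, can be checked before the create call. The following is an added example, not code from the thread; Test-PrestagePath is a hypothetical helper name and the OU in the usage comment is a constructed value.

```powershell
# Added example: pre-flight check of the -Path DN against the same server
# that New-ADComputer will be pointed at. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-PrestagePath {
    param(
        [Parameter(Mandatory=$true)][string]$Path,          # DN of the target OU or container
        [Parameter(Mandatory=$true)][string]$Server,        # value later given to -Server
        [Parameter(Mandatory=$true)][pscredential]$Credential
    )

    # Naming context of the domain that $Server answers for,
    # e.g. DC=subdomain,DC=location,DC=domain,DC=com
    $domainDN = (Get-ADDomain -Server $Server -Credential $Credential).DistinguishedName

    # 1. The DN must sit under that naming context. A DN that belongs to the
    #    parent domain cannot be resolved by a DC of the subdomain.
    #    Assumption: the DN is written without spaces after the commas.
    if (-not $Path.EndsWith($domainDN, [System.StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning "Path '$Path' is not under '$domainDN' (domain served by $Server)."
        return $false
    }

    # 2. The object must exist on the server that will receive the create call.
    try {
        $target = Get-ADObject -Identity $Path -Server $Server -Credential $Credential -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Warning "Path '$Path' was not found on '$Server'."
        return $false
    }

    Write-Verbose "Resolved '$Path' as objectClass '$($target.ObjectClass)' on $Server."
    return $true
}

# Usage (constructed OU value; server name taken from the question):
# $cred = Get-Credential
# $ou   = "OU=Servers,DC=subdomain,DC=location,DC=domain,DC=com"
# if (Test-PrestagePath -Path $ou -Server "subdomain.location.domain.com" -Credential $cred) {
#     New-ADComputer -Name "Servername" -Path $ou -Server "subdomain.location.domain.com" -Credential $cred
# }
```

Inside the workflow this would run within the InlineScript block, with the parameters passed through $using: as in the original call.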

Similar Messages

  • I have a requirement where I have to give the list of users who can access a specific computer. I am new with PS. Do you have a script to list users that can access a computer object of AD ?

    I have a requirement where I have to give the list of users who can access a specific computer define in AD.
    I am new with PS.
    Do you have a script to list users that can access a computer object of AD ?
    I have executed the following script  but it does not give me the access rights of who can access the computer 'computername'
    How can i have this information. please help
    Import-Module activedirectory
    $computer=get-adcomputer "computername" -properties ntSecurityDescriptor
    $computer.ntsecurityDescriptor.Access | select-object -expandproperty IdentityReference | sort-object -unique

    I would say that, since the OP has so little info, there are no policies in use. If there were then this question would never be asked the way it is being asked.
    I had a client call with a letter from their insurance company; an accountant with malpractice insurance. They asked the same question in much the same way. "What computer can you users access?" The question should be more like
    "Do you have a policy that restricts access to computers and do you audit for compliance?"
    I have had other clients whose insurance asked the question in that way. It produces a better view of what should be happening and how to show compliance.
    I recommend that companies being asked these questions by their legal departments or insurance companies should contract with a good computer security consultant to assist with answering these very tricky questions. Of course if it is just your boss's
    curiosity then you may need to discuss his requirements with him in more depth.
    ¯\_(ツ)_/¯

  • Bitlocker to Go and deleted computer object

    When encrypting a USB drive using Bitlocker to Go and storing the recovery information in AD, where does it get stored?  Is it in the computer object like regular Bitlocker?  If so, if the computer is retired or the AD computer account is deleted,
    do you lose the recovery information for that drive?

    Hi,
    Backed up BitLocker recovery information is stored in a child object of the computer object. That is, the computer object is the container for a BitLocker recovery object. If you delete a computer object from AD, you will also delete the BitLocker recovery
    information, which is a child object.
    But you can use AD restore mode to retrieve the deleted object.
    Alex Zhao
    TechNet Community Support
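
Because the recovery information is a child of the computer object, a retirement script can look for those children before it deletes anything. This is an added example, not code from the thread; the function names and the computer name in the usage comment are hypothetical, and msFVE-RecoveryInformation is the object class AD uses for backed-up BitLocker recovery data.

```powershell
# Added example: refuse to delete a computer account that still holds
# BitLocker recovery child objects. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryChild {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [string]$Server   # optional; default DC discovery is used when omitted
    )
    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    $computer = Get-ADComputer -Identity $ComputerName @common

    # OneLevel scope: recovery objects sit directly beneath the computer object.
    # Only metadata is requested; the recovery password attribute is not read.
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Properties whenCreated @common |
        Select-Object Name, whenCreated, DistinguishedName
}

function Remove-RetiredComputer {
    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='High')]
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [string]$Server,
        [switch]$AllowRecoveryLoss   # explicit opt-in to losing the recovery data
    )
    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    $recovery = @(Get-BitLockerRecoveryChild -ComputerName $ComputerName @common)
    if ($recovery.Count -gt 0 -and -not $AllowRecoveryLoss) {
        Write-Warning "$ComputerName holds $($recovery.Count) BitLocker recovery object(s); not deleting."
        return $recovery
    }

    # A computer object with children is not a leaf, so the delete must be recursive.
    $dn = (Get-ADComputer -Identity $ComputerName @common).DistinguishedName
    if ($PSCmdlet.ShouldProcess($dn, 'Delete computer object and its children')) {
        Remove-ADObject -Identity $dn -Recursive -Confirm:$false @common
    }
}

# Usage (constructed computer name); -WhatIf shows the action without deleting:
# Remove-RetiredComputer -ComputerName 'WS-EXAMPLE-01' -WhatIf
```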

  • Request for info regarding MAC address population in computer objects

     
    Hi,
    I am trying to determine how MAC address information is populated in computer objects. I had assumed initially that the hardware scan would be used, but observation shows this information
    to be obtained prior to any hardware inventory.
    I have laptops that are primarily connected via VPN, and before long their objects lose the internal network interface's MAC address. When I try to rebuild them, they fail to PXE boot. I have
    found that importing a CSV of host / MAC / SMBIOS GUID will update the object (rather than having to delete and recreate it) which works temporarily. The MAC will eventually disappear, and the device fails to PXE boot.
    I have thousands of these devices to manage, and it is already difficult enough having a CAS and two primaries (the windows Deployment Service on a DP only cares about devices in the DPs primary
    site, and so devices that move site are a real pain already, try finding that anywhere in the OSD reference documents!)
    I'm assuming now that this information is pulled from the actual client-server connection, and therefore is dynamic(ish), like IP information. If this is the case, more detail around that process,
    where to find evidence of  that process occurring would be very useful.

    The MAC is updated by hardware inventory and heartbeat discovery. 
    Torsten Meringer | http://www.mssccmfaq.de

  • Health rollup to computer object from Microsoft.Windows.ApplicationComponent

    Hi All.
    Trying to author a Management Pack in Authoring Console 2007 R2. And can't get rollup to work as I want.
    Here's the long story.
    I've created:
    A discovery MP which holds:
    - an abstract class inherited from Microsoft.Windows.Computer, named: "AppX.Cmp.Role"
    - a (seed?) class inherited from the above, named: "AppX.Cmp.Role.Server"
    - a class inherited from "AppX.Cmp.Role.Server" named "App.Cmp.Role.Server.Replicator"
    - a class inherited from "Microsoft.Windows.ApplicationComponent" named: "AppX.Cmp.Role.Server.Replicator.Loginstance"
    - a class of type "Microsoft.SystemCenter.InstanceGroup" named: "AppX.Group"
    - a relationship (system.hosting) where source class is "AppX.Cmp.Role.Server.Replicator" and target class is "AppX.Cmp.Role.Server.Replicator.Loginstance"
    - a registrydiscovery to discover "AppX.Cmp.Role.Server" targeted at "Windows.Operating.System"
    - a scriptdiscovery to discover "AppX.Cmp.Role.Server.Replicator" targeted at "AppX.Cmp.Role.Server"
    - a scriptdiscovery to discover "AppX.Cmp.Role.Server.Replicator.Loginstance" targeted at "AppX.Cmp.Role.Server.Replicator"
    - a groupdiscovery ("Microsoft.SystemCenter.GroupPopulator") target: "AppX.Group" (Microsoft.Windows.Computer)
    - a dependencymonitor targeted at "AppX.Cmp.Role.Server.Replicator" and monitor dependency set to "AppX.Cmp.Role.Server.Replicator.Loginstance", HealthRollup set to "worst state".
    A monitoring MP (depending on the discovery MP) which holds:
    - a processmonitor targeted to "AppX.Cmp.Role.Server.Replicator" and "replicator.exe"
    - a logfilemonitor targeted to "AppX.Cmp.Role.Server.Replicator.Loginstance"
    - a stateview targeted to "AppX.Group"
    When I kill the "replicator.exe" process the object goes to unhealthy all the way up to "Windows.Computer". But when the logfilemonitor triggers and turns into "unhealthy state" the object in the above view turns RED but not the
    "Windows.Computer" object (looking at the default view "Windows Computers").
    Is it possible to get the "Windows.Computer" object to reflect the "AppX.Cmp.Role.Server.Replicator.Loginstance" state?
    How?

    Sorry about that - its been a long weekend.
    I was quoting from the following;
    "Use the Microsoft.Windows.LocalApplication as a base class when your class type represents a local application that shares the resources of the hosting Windows computer with other applications. Unlike the Microsoft.Windows.ComputerRole class, the Microsoft.Windows.LocalApplication class type does not automatically roll its health up to the hosting computer."
    http://msdn.microsoft.com/en-us/library/ee533867.aspx
    Would you be able to upload the results if you run the Visio MP diagram generator and possibly the health explorer views and this will help me see how it hangs together?

  • Deleted computer object from SCCM console, so why is it still appearing in SSRS reports?

    We recently divested about 400 computers from our network. I got a list of these computers and deleted them from both Active Directory and in the SCCM Console. I know the deletes were successful because when I search via device name in the SCCM console
    they no longer show up. Yet when I run one of our inventory reports in SSRS I still see several of the devices that I deleted listed there. I thought SSRS represented a "live view" of the SCCM database. If that's true then how can a computer object
    that I deleted in the console still be present in the database? Is there something I'm missing? 

    Okay you are saying to select from v_R_System_Valid instead of v_R_System in my query and that will automatically filter out items I removed in the console? Okay that sounds like what I want, the only problem is my query is selecting from v_GS_COMPUTER_SYSTEM.
    Can I just add "_Valid" to the end of that and achieve the same result?
    Update - Yeah no I tried that and it did not work. Clearly I have a very limited understanding of the SQL views. Interestingly enough Torsten I see you posted a link on your blog to a new Microsoft article that documents the SQL views in SCCM 2012. Looking
    at it now...

  • PowerShell script for adding the computer object in to SCOM 2012 group.

    Hi Team,
    Is there any way to add the computer object ( csv file) to SCOM 2012 manually created  group.

    Hi,
    In addition, hope the links below be helpful for you:
    Creating and Updating Groups
    http://blogs.msdn.com/b/jakuboleksy/archive/2006/11/15/creating-and-updating-groups.aspx
    Programmatically Creating Groups
    http://blogs.technet.com/b/brianwren/archive/2008/11/18/programmatically-creating-groups.aspx
    Modifying Explicit Group Membership in SCOM 2012 with PowerShell
    http://blogs.msdn.com/b/rslaten/archive/2013/06/27/modifying-explicit-group-membership-in-scom-2012-with-powershell.aspx
    Regards,
    Yan Li

  • Problems deleting computer objects-because of their subordinate objects

    We are running a 2008 R2 domain.  We have recently removed our techs out of Account Operators because we have read that is best practice.  Our techs now have problems deleting computer account objects that have the msmq active directory objects
    beneath the computer object.  Even if I give the techs full control permissions on those computer objects, they cannot delete them because they cannot delete the msmq subordinate AD objects.  The msmq objects are not showing a security tab, like
    other subordinate objects do.  If I delete the msmq objects with a Domain Admin account, then the techs can delete the computer objects.  Any ideas of how I can fix it so they can delete the msmq objects, without being Account Operators?
    Thanks,
    Dan Heim

    Hello,
    please see
    http://policelli.com/blog/archive/2009/11/06/understanding-adminsdholder-and-protected-groups/ and start with removing the flag for the mentioned accounts. Therefore see "Orphaned AdminSDHolder Objects" in the mentioned article.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • SCCM creating duplicate computer Objects

    Hi
    We have just upgraded from an SCCM 2007 to SCCM 2012. In the old system I had it set up that other members of my team could all add a machine to SCCM adding the MAC address information and then add the machine into AD. Once in AD they could assign it
    to security groups, for example a Windows 7 group. Every 10 minutes SCCM would scan AD, see the machine name and update the security group information on the computer object that was manually created earlier. Based on this, if SCCM could see it
    in the Windows 7 group it would move the machine to the Windows 7 collection and then I had an advertisement that would deploy Windows 7.
    On the new system however I add the machine into SCCM with the MAC then add it to AD but I end up with 2 objects: one that I added with the MAC but doesn't get updated with the security group information so doesn't get added to the collection, and then another
    one created from scanning AD which has the security information but no MAC so won't build.
    How can I get it to just update the one object?
    thanks

    I create the object in AD so that I can assign a computer security groups like Windows 7 or install Office, and based on that SCCM moves the machine into various collections. When I then build a machine it will build with the various options set, for example
    it will build a machine with Windows 7. I have to also import it into SCCM so I can assign it a MAC address so that when I PXE boot a machine it recognises it.
    Under SCCM 2007 I used to be able to import it manually into SCCM with the MAC so it would PXE boot and also create an AD computer account with the security groups and in the correct OU so that when it built it would be joined to the domain
    with the correct GP applied. 2007 used to merge the 2 objects or at least detect the machine name already existed and applied the information to the existing objects.
    It's neater for me to do it this way than have everyone doing direct relationships for all machines on collections.

  • Powershell Get-ADUser returns Computer objects as well ???! How to prevent.

    I ran the following script and got a bunch of computer objects in my csv. How do I prevent this? I already tried using
    Where-Object {$_.type -eq "user"} OR -filter {type -eq "user"}
    script:
    Get-ADUser -Filter * -Properties samAccountName,accountExpires,Created,LastLogonTimeStamp,Department,physicalDeliveryOfficeName,employeeID,AccountExpirationDate,Manager |
        Where-Object {$_.accountexpirationdate -lt $timex} |
        select Name,samAccountName,@{Name="Timestamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}},@{n='Date Created';e={$_.created}},Department,@{n='Location';e={$_.physicalDeliveryOfficeName}},employeeID,AccountExpirationDate,@{Label='Manager sAMAccountName';Expression={(Get-ADUser $_.Manager).sAMAccountName}},@{Label='Manager Name';Expression={(Get-ADUser $_.Manager).name}} |
        export-csv -path $mypath -notypeinformation

    Someone told me the Computer accounts are generic accounts...makes any sense?
    No.
    EDIT: What's the output of this command for one of these computer accounts:
    Get-ADUser ThatComputerAccount | Select *
    Don't retire TechNet! -
    (Don't give up yet - 13,225+ strong and growing)

  • Trying to update hidden attribute in AD computer objects.

    I am trying to update my AD computers using PowerShell to read the items from a CSV file. I have successfully updated the Description and other standard items, but I cannot get the non-common
    hidden attributes to update. I am very green on PowerShell. I'm not even sure I'm using the correct commands.
    The contents of the CSV file looks like as below:
    Name = preexisting Computer object name
    Description = Information I want to place in the description field (Non-hidden \ standard)
    comment = Information I want to place in the comments field (Hidden field)
    name,description,comment
    Computer1,Computer Model - 123456789 - Office 1111,Comment1
    Computer2,Computer Model - 234567891 - Office 1112,Comment2
    Computer2,Computer Model - 345678912 - Office 1113,Comment3
    Below is the script:
    # Update Computer Description and Comments
    Import-module ActiveDirectory  
    Import-CSV "C:\temp\Computers.csv" | % {
        $Computer = $_.name
        $Description = $_.description
        $Comment = $_.comment
        Set-ADComputer $Computer -description $Description
        Set-ADComputer $Computer -comment $Comment
    }

    To set comments on non-standard items you need to do something like this:
    Set-ADComputer Computername -replace @{Comment="Test1"}
    Thank you Richard.  The information worked well.  I modified it slightly to retrieve the information from the CSV file as seen below:
    Set-ADComputer $Computer -replace @{Comment=$Comment}

  • Logoncount Attribute on Computer objects in Active Directory

    Hello,
    I have one question about the logoncount Attribute on Active Directory objects. As I understood on user objects this attribute counts the number of logons per DC (because it is not replicating).
    My question is:
    What exactly is count here on computer objects?
    I can see that on a Domain Controller computer object the logoncount is high for the DC itself and low on the other DC objects.
    Thank you.
    Regards
    Dennis

    Here is an old thread.  You will see some of the explanation from our own Richard :)
    http://www.techtalkz.com/windows-server-2003/500367-attributes-update-during-computer-logon.html
    Santhosh Sivarajan | Houston, TX | www.sivarajan.com
    ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
    Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
    This posting is provided AS IS with no warranties, and confers no rights.

  • Managing multiple "old" AD computer objects

    So we have implemented a naming convention where the techs just select a location and department during the imaging process for a  machine that is about to be deployed; during that process and the computers are automagically named something like "NYC-FIN-1234567"...
    with 1234567 being the dell asset tag.... pretty nifty Johan(!)
    However... the problem is that once that machine gets re-imaged at the same location and deployed to another team like the marketing folks  (ie."MKT")... it gets the name NYC-MKT-1234567...
    the problem I am seeing is now we have multiple objects in AD with the same asset tag which is causing nightmares for licensing management... NYC-FIN-1234567 & NYC-MKT-1234567 respectively.
    I am working on a PowerShell script that will trim the names down to their respective tags and then compare the list for duplicates - then check  and compare the duplicates properties like "created date" and make a determination and delete
    the older object...
    this checking for duplicates is proving to be a little more difficult and haven't even gotten to the evaluate section yet...  I am still working on my proficiency when it comes to more complex arrays.
    am i going about this the right way or does anyone else have another approach to this conundrum?
    scripting games '14 anyone :p

    all good info!
    Since our AD has less than 3000 workstation objects the 'scaling' is manageable... but could make it a little faster, but alas here is what i have with a couple of tweaks
    i am skimming all computer objects in our 'workstation' OU... and dropping the first two prefixes, and then checking for machines that match... we were originally using "created date" but since we have workstations that have been imaged to say
    a FIN dept and then to a MKT dept and then re-re-imaged back to FIN... the created date doesn't change so i switched to Modified date, and keep the newest one...
    but also as another 'layer' of protection i test-path of the workstation (we run this middle of the day) before disabling it and moving it to a "temp" ou where we can let them sit for a couple weeks in case we had a false positive (thus the ping)
    we can quickly restore that object... i also can just comment out the actual "move and disable command" so it generates me a nice list of machines that would have been deleted so i can do a 'sanity check' before deleting a bunch of vip's machines
    from AD :)
    #Declare Domain and OU to be Scrubbed - and $dupou is the ou we can let them 'chillout' before deleting on the next run
    $domain = "domain.com"
    $OU = "OU=Workstations,DC=domain,DC=com"
    $CleanupList = "c:\disabled.txt"
    $dupOU = "OU=Duplicates,OU=INACTIVE,DC=domain,DC=com"
    if (test-path $CleanupList) {Remove-Item $CleanupList}
    $delOK = "c:\DelOk.txt"
    if (test-path $delOK) {Remove-Item $delOK}
    #this is the TEMPORARY throttle cap... so it will stop after it finds the amount defined by $cap (so we can phase it in)
    $cap = 10000
    $Global:i = 0
    $sdate = (Get-Date)
    Write-Output "AD Duplicate 'Scrubber' Script started on: "$sdate >> $CleanupList
    Write-output "These Machines were disabled and moved to the Inactive\Duplicates OU in our domain" >> $CleanupList
    Write-Output "--------------------------------------------------------------------------------------------------------------">> $CleanupList
    $comps = (Get-ADComputer -filter * -Server $domain -SearchBase $OU).name
    ForEach ($comp in $comps) {
        if ($global:i -lt $cap) {
            #trim length to just asset tags (last 7 digits)
            $Length = $comp.Length
            $var = $Length - 7
            $tag = $comp.Substring($var,7)
            Write-host -ForegroundColor yellow "Testing asset tag: $tag"
            $x =(Get-ADComputer -Filter "name -like '*$tag'" -Properties DistinguishedName, Modified -Server $domain -SearchBase $OU |Sort-Object -Property Modified)
            if ($x.count -gt 1) {
                $y = ($x.count) -1
                while ($y -ge 1 ) {
                    $z = $y - 1
                    $x.name[$z] >> $CleanupList
                    #added a ping feature to as another level of "protection"
                    if (Test-Connection $x.name[$z] -Count 2 -Quiet){
                        Write-Output $x.name[$z]" is Online... Skipping"
                        $x.name[$z] >> c:\WTF.txt
                    }Else {
                        #this line below this one is the one that moves and disables... comment out if testing with a # sign or remove when testing complete
                        #Get-ADComputer $x.name[$z] | Move-ADObject -TargetPath $dupOU -PassThru | Disable-ADAccount
                        Write-Output $x.name[$z]" is Offline... should delete"
                        $global:i++
                        $x.name[$z] >> $delOK
                        write-host -ForegroundColor Cyan $x.name[$z]" Moved and Disabled - $global:i"
                    }
                    #step to the next older duplicate whether or not this one was online
                    $y--
                }
            }
        }
    }
    Write-host "------------"
    Write-host -foregroundcolor cyan "$i Computer objects were Disabled and Moved to $dupOU :)"
    #message in the body
    $msg ="Please review the attached list to see the Duplicate machines that were moved and disabled via this script"
    #Recipients
    $mailTo = "shad acker <[email protected]>"
    Send-MailMessage -SmtpServer smtp.domain.com -Attachments $delOK -Body $msg -to $mailTo -From "DuplicateFinder<[email protected]>" -Subject "Computer Duplicates Disabled" -Cc "who ever <[email protected]>"
    not the prettiest or most efficient but it seems to be working :)
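
A different way to find the duplicates described in this thread is to read the OU once and group the names by their asset-tag suffix, instead of running one directory query per computer. This is an added example, not the poster's script; Get-DuplicateByAssetTag is a hypothetical name, the sample objects are constructed, and the function only reports and never moves, disables or deletes anything.

```powershell
# Added example: report-only duplicate finder keyed on the asset tag
# (the last 7 characters of the computer name, as in the thread).
function Get-DuplicateByAssetTag {
    param(
        [Parameter(Mandatory=$true)][object[]]$Computer,  # objects exposing Name and Modified
        [int]$TagLength = 7
    )
    $Computer |
        # Names shorter than the tag length cannot carry a tag; skip them.
        Where-Object { $_.Name.Length -ge $TagLength } |
        # Group on the computed suffix rather than on a stored property.
        Group-Object -Property { $_.Name.Substring($_.Name.Length - $TagLength) } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            # Newest Modified first: that object is kept, the rest are candidates.
            $sorted = @($_.Group | Sort-Object -Property Modified -Descending)
            [pscustomobject]@{
                Tag   = $_.Name
                Keep  = $sorted[0].Name
                Stale = @($sorted | Select-Object -Skip 1 | ForEach-Object { $_.Name })
            }
        }
}

# Constructed sample input: two names share a tag, one does not.
$sample = @(
    [pscustomobject]@{ Name = 'NYC-FIN-1234567'; Modified = [datetime]'2014-01-10' }
    [pscustomobject]@{ Name = 'NYC-MKT-1234567'; Modified = [datetime]'2014-03-02' }
    [pscustomobject]@{ Name = 'NYC-FIN-7654321'; Modified = [datetime]'2014-02-01' }
)
Get-DuplicateByAssetTag -Computer $sample

# Against the directory (values from the thread; requires the ActiveDirectory module):
# Import-Module ActiveDirectory
# $all = Get-ADComputer -Filter * -Server "domain.com" -SearchBase "OU=Workstations,DC=domain,DC=com" -Properties Modified
# Get-DuplicateByAssetTag -Computer $all | Export-Csv -Path c:\duplicates.csv -NoTypeInformation
```

The Stale list can then go through the same ping test and holding OU the poster describes before anything is removed.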

  • Duplicate Computer objects in SCCM

    Hi,
    I am noticing that now and then I am seeing duplicate computer objects in SCCM 2012. We are using AD discovery and in AD there aren't duplicates. Do you know what the cause of having duplicate computers in SCCM is and how to resolve this issue?
    Thank you.

    Hi,
    Please refer to the link below:
    ConfigMgr SCCM How to Resolve Duplicate or Conflict Record Issue
    http://anoopcnair.com/2011/04/08/configmgr-sccm-duplicate-record-issue/

  • Editing Computer object "info" attribute in AD

    Hi.
    I need to make it possible for users to update the AD computer object of the machine they are logged onto.
    To be able to do this I need to grant users write access to the "info" attribute of computer objects in AD. My problem is that I cannot figure out what permission entry to set to allow for users to apply "info".
    Does anyone know what permission entry on the "Computers" OU object to use to set delegated rights for "Domain users" to be able to edit the "info" attribute on each computer object?
    I am trying to achieve much of the same as described in this article, but I need to edit the "info" attribute...
    http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_24097287.html
    /Tord Bergset

    Greetings!
    Use 'Delegation Wizard' and select 'Create a custom task to delegate'. After that only choose
    'Computer Objects' and assign below rights:
    Regards.
    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.