Пример пакетной обработки (удаления или отключения) старых записей рабочих станцих AD при помощи утилиты OldCmp из командной строки
Помимо нативного средства очистки AD от устаревших записей в Windows существует более продвинутая утилита OldCmp, которая позволяет отключить или удалить старые компьютеры из домена.
Отчет о машинах, которые не регистрировались в домене более 100 дней:
oldcmp -report -age 100
Отключить машины, которые не регистрировались в домене более 100 дней:
oldcmp -disable -age 100 -safety 50 -forreal
Удалить отключенные машины, которые не регистрировались в домене более 100 дней:
oldcmp -delete -age 100 -safety 50 -forreal
При каждом выполнении OldCmp генерирует HTML отчет в текущей директории
Важно:
Ключи -safety
и -forreal
введены для безопасности:
safety
- количество объектов к которым применяются правила, по дефолту, без явного указания, равно десяти,
forreal
- реальное применение действий. Пока этот ключ не указан утилита работает в тестовом режиме и ни какие данные не меняет.
т.е. утилитой можно поиграться не боясь что-то закосячить в AD, пока не будут использоваться данные ключи.
Ну и, естественно, для каких-либо изменений консоль должна быть запущена от имени администратора.
Полный список доступных ключей с примерами:
C:\oldcmp>oldcmp /? OldCmp V01.05.00cpp Joe Richards ([email protected]) December 2004 Usage: OldCmp [switches] Switches: (designated by - or /) -report Write report of objects -disable Disable objects -delete Delete objects Delete will only work on disabled objects. -move Move objects, use with newparent. -newparent xx DN for a new parent to move objects to. Can be used with move or disable options. -stamp When used with delete w/ expire account as well The idea being you can see the date it was done then. -safety x How many objects to modify. (Default 10) With this set, stops updating after x mods. I did this because it is very easy to hurt yourself. -unsafe Update ALL of the objects identified. -forreal REALLY MAKE THE MODS, this is the final safety. -h host Host to use. (Default is to autofind DC) -s scope Scope of search. OneLevel, Subtree. (Default Subtree) -b basedn RFC 1779 DN to start search at (Default domain root) -users Work on users instead of computers. -realage Filters out computers/users that have not set their password (or haven't logged on when llts specified). -f filter RFC 2254 LDAP filter (Default is confusing :) -af addon RFC 2254 LDAP filter to add to builtin filter -excldn xx Exclude objects with given string in DN. Multiple strings delimted by semi-colon (;). -excldndelim x Specify a delimiter for -excldn, default is (;). -t xxx Timeout value in seconds. (Default 300 seconds) -bit Bitwise operator filter conversion enable :AND:= converts to :1.2.840.113556.1.4.803:= :OR:= converts to :1.2.840.113556.1.4.804:= -ps size Page size. (Default 100) -nodc Exclude DCs from queries -norefer No LDAP referrals -onlydisabled Only disabled accounts (Default All) -age x Min Days Old for password age. (Default 90 days) -maxage x Max Days Old for password age. (Default Infinity) -llts If K3 domain in Domain Functional mode uses lastLogonTimeStamp instead of pwdLastSet for age options. -format x Report Format (Default HTML) CSV - Delimited Text HTML - Standard HTML DHTML - Dynamic HTML (IE Only) -sh Will autodisplay HTM/HTML/TXT files after run -file x File to write to. (Default oldcmp-.htm -append Append to file instead of overwrite -delim x Delimiter for CSV. (Default ;) Specify TAB for \t (tab character) -nolc Do not normalize machine names to lc - RAW Case -nohtmlheader Don't insert base HTML (title, body...) -sort x Sort by various fields. -rsort x Reverse Sort by various fields. cn = name pwage = password age age = object age OS = operating system version LLTS = lastLogonTimestamp Ex1: oldcmp /? Display this help Ex2a: oldcmp -report Generate html report of all cmpaccs > 90 days old Ex2a: oldcmp -report -format dhtml -sh Generate dhtml report of all cmpaccs > 90 days old Open the report after generating it Ex2c: oldcmp -report -format csv Generate csv report of all cmpaccs > 90 days old Ex3a: oldcmp -report -age 0 Generate html report of all cmpaccs Ex3b: oldcmp -report -age 0 -format csv -delim tab Generate csv (tab delimited) report of all cmpaccs Ex4: oldcmp -report -age 0 -onlydisabled Generate html report of all disabled cmpaccs Ex5: oldcmp -report -age 0 -onlydisabled -sort cn Generate html report of all disabled cmpaccs, sort on name Ex6: oldcmp -delete -age 0 -onlydisabled Generate html report of all disabled cmpaccs, sort on pwage Will show you what it would try to delete. Only up to 10. Ex7: oldcmp -delete -age 0 -onlydisabled -safety 100 Generate html report of all disabled cmpaccs, sort on pwage Will show you what it would try to delete. Only up to 100. Ex8: oldcmp -delete -age 0 -onlydisabled -unsafe Generate html report of all disabled cmpaccs, sort on pwage Will show you what it would try to delete. All cmpaccs. Ex9: oldcmp -delete -age 0 -onlydisabled -unsafe -forreal Generate html report of all disabled cmpaccs, sort on pwage Will REALLY DELETE all accounts identified. Ex10: oldcmp -disable -unsafe -forreal Generate html report of all cmpaccs > 90 days, sort on pwage Will REALLY DISABLE all accounts identified. Ex11: oldcmp -report -sort OS -age 0 -maxage 60 Generate html report of all cmpaccs still valid, sort on OS Ex12: oldcmp -report -af "(operatingsystem=Windows XP Professional)" -onlydisabled -age 0 Generate html report of all disabled Windows XP machines Ex13: oldcmp -report -b ou=mycmps,dc=domain,dc=com Generate html report of cmpaccs >90 days in specified OU Note: This tool is VERY POWERFUL and could be VERY DANGEROUS! I put a lot of safety locks in it ON PURPOSE!!! This thing can be used for quite a bit of different computer auditing if you know what you are doing. Thanks to many of the members of the activedir.org listserv. Lots of good feedback came in from them when they betatested this tool for me. Special thanks to Ryan Durant and Bob Free for helping me with the DHTML option. It wouldn't have made it this soon without that needed assistance. Thanks everyone! This software is Freeware. Use it as you wish at your own risk. If you have improvement ideas, bugs, or just wish to say Hi, I receive email 24x7 and read it in a semi-regular timeframe. You can usually find me at [email protected]