OldCmp. Removing stale computer records from AD

Author: Admin | 23.03.2014

An example of batch processing (deleting or disabling) stale workstation records in AD with the OldCmp utility from the command line


Besides the native Windows tool for cleaning AD of stale records, there is a more advanced utility, OldCmp, which can disable or delete old computers from the domain.

Report on machines that have not registered in the domain for more than 100 days:

oldcmp -report -age 100

Disable machines that have not registered in the domain for more than 100 days:

oldcmp -disable -age 100 -safety 50 -forreal

Delete disabled machines that have not registered in the domain for more than 100 days:

oldcmp -delete -age 100 -safety 50 -forreal

On every run OldCmp generates an HTML report in the current directory.

Important:
The -safety and -forreal switches exist for safety:
safety - the number of objects the rules are applied to; by default, if not specified explicitly, it is ten,
forreal - actually apply the actions. Until this switch is given, the utility runs in test mode and changes no data.

That is, you can play with the utility without fear of breaking something in AD as long as these switches are not used.
And, naturally, for any changes to take effect the console must be run as administrator.
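The selection and safety rules described above (age computed from pwdLastSet or, with -llts, lastLogonTimeStamp; -delete acting only on disabled objects; the -safety cap of 10; no change without -forreal) modelled in Python. This is an added example, not OldCmp's own code: the fleet data, the Computer class and the function names are constructed here to show what the switches do to a set of computer objects before you run them against a real domain.

```python
"""Model of OldCmp's stale-computer selection and safety switches.

Added example (not OldCmp's code). It reproduces the behaviour the help
text describes: an object is "old" when its pwdLastSet (or, with -llts,
lastLogonTimeStamp) is at least -age days in the past; -delete acts only
on disabled objects; at most -safety objects are touched (default 10)
unless -unsafe; nothing is changed unless -forreal. All sample data is
constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x2                      # userAccountControl "disabled" bit
OID_BIT_AND = "1.2.840.113556.1.4.803"       # LDAP bitwise AND matching rule
OID_BIT_OR = "1.2.840.113556.1.4.804"        # LDAP bitwise OR matching rule


def filetime_to_datetime(ft: int) -> datetime:
    """AD stores pwdLastSet/lastLogonTimeStamp as 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def convert_bit_filter(ldap_filter: str) -> str:
    """The -bit switch: rewrite :AND:= / :OR:= into the numeric matching-rule OIDs."""
    return ldap_filter.replace(":AND:=", f":{OID_BIT_AND}:=").replace(":OR:=", f":{OID_BIT_OR}:=")


@dataclass
class Computer:
    cn: str
    dn: str
    pwd_last_set: int        # FILETIME
    last_logon_ts: int       # FILETIME (0 = never logged on)
    uac: int = 0x1000        # WORKSTATION_TRUST_ACCOUNT, enabled
    deleted: bool = False

    @property
    def disabled(self) -> bool:
        return bool(self.uac & UF_ACCOUNTDISABLE)


def age_days(c: Computer, now: datetime, llts: bool = False) -> float:
    """Age in days from the timestamp the -age/-maxage switches are compared against."""
    stamp = c.last_logon_ts if llts else c.pwd_last_set
    return (now - filetime_to_datetime(stamp)) / timedelta(days=1)


def select_old(computers, now, age=90, maxage=None, onlydisabled=False,
               llts=False, realage=False, excldn=()):
    """Mirror the report filter: -age, -maxage, -onlydisabled, -llts, -realage, -excldn."""
    selected = []
    for c in computers:
        stamp = c.last_logon_ts if llts else c.pwd_last_set
        if realage and stamp == 0:            # never set a password / never logged on
            continue
        a = age_days(c, now, llts)
        if a < age or (maxage is not None and a > maxage):
            continue
        if onlydisabled and not c.disabled:
            continue
        if any(s.lower() in c.dn.lower() for s in excldn):
            continue
        selected.append(c)
    return selected


def apply_action(computers, action, safety=10, unsafe=False, forreal=False):
    """Model -disable / -delete. Returns (objects counted against -safety, log lines).
    Without -forreal the objects are only listed, never modified."""
    limit = None if unsafe else safety
    touched, log = [], []
    for c in computers:
        if limit is not None and len(touched) >= limit:
            log.append(f"safety limit {limit} reached, stopping")
            break
        if action == "delete" and not c.disabled:
            log.append(f"skip {c.cn}: delete only works on disabled objects")
            continue
        log.append(f"{action if forreal else 'would ' + action} {c.dn}")
        if forreal:
            if action == "disable":
                c.uac |= UF_ACCOUNTDISABLE
            else:
                c.deleted = True
        touched.append(c)
    return touched, log


def sample_fleet(now: datetime):
    """Constructed sample objects; days are relative to `now`."""
    def ft(days_ago, llts_days_ago=None):
        pwd = datetime_to_filetime(now - timedelta(days=days_ago))
        lls = pwd if llts_days_ago is None else datetime_to_filetime(now - timedelta(days=llts_days_ago))
        return pwd, lls
    base = "OU=Workstations,DC=example,DC=local"
    p1, l1 = ft(150); p2, l2 = ft(120); p3, l3 = ft(30); p4, l4 = ft(400); p5, l5 = ft(200, 5)
    return [
        Computer("ws01", f"CN=ws01,{base}", p1, l1),
        Computer("ws02", f"CN=ws02,{base}", p2, l2, uac=0x1000 | UF_ACCOUNTDISABLE),
        Computer("ws03", f"CN=ws03,{base}", p3, l3),
        Computer("srv01", "CN=srv01,OU=Servers,DC=example,DC=local", p4, l4),
        Computer("ws05", f"CN=ws05,{base}", p5, l5),   # password old, but logged on 5 days ago
    ]


if __name__ == "__main__":
    now = datetime(2014, 3, 23, tzinfo=timezone.utc)
    old = select_old(sample_fleet(now), now, age=100)
    for line in apply_action(old, "delete")[1]:   # test mode: no -forreal
        print(line)
```

Run it as-is to see the dry-run log for "-delete -age 100"; only ws02 is listed because the others are still enabled. The ws05 entry shows why -llts matters: its password is 200 days old but it logged on five days ago, so with -llts it is not selected at all.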

Full list of available switches with examples:

C:\oldcmp>oldcmp /?

OldCmp V01.05.00cpp Joe Richards ([email protected]) December 2004

Usage:
 OldCmp [switches]


  Switches: (designated by - or /)

   -report        Write report of objects
   -disable       Disable objects
   -delete        Delete objects
                  Delete will only work on disabled objects.
   -move          Move objects, use with newparent.
   -newparent xx  DN for a new parent to move objects to. Can be used
                  with move or disable options.
   -stamp         When used with delete w/ expire account as well
                  The idea being you can see the date it was done then.
   -safety x      How many objects to modify. (Default 10)
                  With this set, stops updating after x mods.
                  I did this because it is very easy to hurt yourself.
   -unsafe        Update ALL of the objects identified.
   -forreal       REALLY MAKE THE MODS, this is the final safety.

   -h host        Host to use. (Default is to autofind DC)
   -s scope       Scope of search. OneLevel, Subtree. (Default Subtree)
   -b basedn      RFC 1779 DN to start search at (Default domain root)
   -users         Work on users instead of computers.
   -realage       Filters out computers/users that have not set their
                  password (or haven't logged on when llts specified).
   -f filter      RFC 2254 LDAP filter (Default is confusing :)
   -af addon      RFC 2254 LDAP filter to add to builtin filter
   -excldn xx     Exclude objects with given string in DN. Multiple
                  strings delimted by semi-colon (;).
   -excldndelim x Specify a delimiter for -excldn, default is (;).
   -t xxx         Timeout value in seconds. (Default 300 seconds)
   -bit           Bitwise operator filter conversion enable
                    :AND:= converts to :1.2.840.113556.1.4.803:=
                    :OR:= converts to :1.2.840.113556.1.4.804:=
   -ps size       Page size. (Default 100)
   -nodc          Exclude DCs from queries
   -norefer       No LDAP referrals

   -onlydisabled  Only disabled accounts (Default All)
   -age x         Min Days Old for password age.  (Default 90 days)
   -maxage x      Max Days Old for password age.  (Default Infinity)
   -llts          If K3 domain in Domain Functional mode uses
                  lastLogonTimeStamp instead of pwdLastSet for age options.

   -format x      Report Format (Default HTML)
                     CSV   - Delimited Text
                     HTML  - Standard HTML
                     DHTML - Dynamic HTML (IE Only)
   -sh            Will autodisplay HTM/HTML/TXT files after run
   -file x        File to write to. (Default oldcmp-.htm
   -append        Append to file instead of overwrite
   -delim x       Delimiter for CSV. (Default ;)
                  Specify TAB for \t (tab character)
   -nolc          Do not normalize machine names to lc - RAW Case
   -nohtmlheader  Don't insert base HTML (title, body...)
   -sort x        Sort by various fields.
   -rsort x       Reverse Sort by various fields.
                     cn    = name
                     pwage = password age
                     age   = object age
                     OS    = operating system version
                     LLTS  = lastLogonTimestamp


  Ex1:
    oldcmp /?
      Display this help

  Ex2a:
    oldcmp -report
      Generate html report of all cmpaccs > 90 days old
  Ex2a:
    oldcmp -report -format dhtml -sh
      Generate dhtml report of all cmpaccs > 90 days old
      Open the report after generating it
  Ex2c:
    oldcmp -report -format csv
      Generate csv report of all cmpaccs > 90 days old

  Ex3a:
    oldcmp -report -age 0
      Generate html report of all cmpaccs
  Ex3b:
    oldcmp -report -age 0 -format csv -delim tab
      Generate csv (tab delimited) report of all cmpaccs

  Ex4:
    oldcmp -report -age 0 -onlydisabled
      Generate html report of all disabled cmpaccs

  Ex5:
    oldcmp -report -age 0 -onlydisabled -sort cn
      Generate html report of all disabled cmpaccs, sort on name

  Ex6:
    oldcmp -delete -age 0 -onlydisabled
      Generate html report of all disabled cmpaccs, sort on pwage
      Will show you what it would try to delete. Only up to 10.

  Ex7:
    oldcmp -delete -age 0 -onlydisabled -safety 100
      Generate html report of all disabled cmpaccs, sort on pwage
      Will show you what it would try to delete. Only up to 100.

  Ex8:
    oldcmp -delete -age 0 -onlydisabled -unsafe
      Generate html report of all disabled cmpaccs, sort on pwage
      Will show you what it would try to delete. All cmpaccs.

  Ex9:
    oldcmp -delete -age 0 -onlydisabled -unsafe -forreal
      Generate html report of all disabled cmpaccs, sort on pwage
      Will REALLY DELETE all accounts identified.

  Ex10:
    oldcmp -disable -unsafe -forreal
      Generate html report of all cmpaccs > 90 days, sort on pwage
      Will REALLY DISABLE all accounts identified.

  Ex11:
    oldcmp -report -sort OS -age 0 -maxage 60
      Generate html report of all cmpaccs still valid, sort on OS

  Ex12:
    oldcmp -report -af "(operatingsystem=Windows XP Professional)" -onlydisabled -age 0
      Generate html report of all disabled Windows XP machines

  Ex13:
    oldcmp -report -b ou=mycmps,dc=domain,dc=com
      Generate html report of cmpaccs >90 days in specified OU



 Note: This tool is VERY POWERFUL and could be VERY DANGEROUS!
       I put a lot of safety locks in it ON PURPOSE!!!

       This thing can be used for quite a bit of different computer
       auditing if you know what you are doing.


 Thanks to many of the members of the activedir.org listserv. Lots
 of good feedback came in from them when they betatested this tool
 for me. Special thanks to Ryan Durant and Bob Free for helping me
 with the DHTML option. It wouldn't have made it this soon without
 that needed assistance. Thanks everyone!


 This software is Freeware. Use it as you wish at your own risk.
 If you have improvement ideas, bugs, or just wish to say Hi, I
 receive email 24x7 and read it in a semi-regular timeframe.
 You can usually find me at [email protected]
