Wednesday, June 27

Finding unused computers in the AD


Recently, one of our customer is asking, how can we managed the computer accounts in AD? We want to delete the account that is not active.

This can be hard if:

1) You are still using Windows NT4, 2000 domain
2) Your Windows 2003 domain is not in Windows 2003 domain functional level

You can run the query:

dsquery computer forestroot -inactive (NoOfWeek)

What if i am not using Windows 2003 AD?

You can find more information using joeware utility - OldCmp

get it from

Exchange 2007 with other directory services

The fact of today enterprise environment, we will have multiple directory services - we are working on with one customer which would like to integrate with OpenLDAP.

Both AD and the OpenLDAP has its own defination of "identity", eg: Name, title, department, password +++ Thus, managing those become complex - users need to remember multiple logons with multiple passwords.

In response to this problem, Microsoft developed Microsoft Metadirectory Services to previde the syncronization. Now, it is called MIIS - Microsoft Identity Integration Server.

To further clarify, MIIS has two versions. IIFP (Identity Integration Feature Pack) is free for Windows 2003 Enterprise edition. It can integrate between multiple Active Directory forest.

The other one will need license and SQL. It provide metadirectory function that enable to synchronize, provision, deprovision identity information across a wide variety of directory services, include Novell E-directory, LDAP, Exchange 5.5, Samba, SAP and more...