
Living With an AD Hoarder? How To Keep Your Room Clean

Shane Corellian

In IT, there are many ‘rooms’ that seem to get cluttered faster than usual. This is certainly the case with AD (Active Directory). Unfortunately, many of us are sysadmins in a company or organization that simply won’t let us purge old AD accounts. It’s kind of like being an 18-year-old and moving in with that weird aunt who is, by any definition, a hoarder. Oh, and she expects you to keep your room clean even as she piles your 29-year-old cousin’s baby clothes all over the floor in his old bedroom where you are supposed to sleep.

Speaking From Experience

I’ve seen a lot of PDQ Inventory installations in my day, whether from screenshots sent with support tickets or from actual customer visits (I always love those). The first thing I often notice is dozens (if not hundreds) of “offline” computers littered all over the place. Many of these computers haven’t been scanned in over a year. I always ask, “Are these computers still being used, or have they been decommissioned?” The answer is almost always some variation of: “Yeah, all these computers no longer exist, but I’m not allowed to delete any of them.”

With AD in mind, I have a few suggestions for “keeping a clean house” even when you’re living with a hoarder. 

Scenario One: 

Obviously, if you can delete the computer, then delete it. If you can’t, are you allowed to disable it (in AD)? If so, disable it and make sure that PDQ Inventory isn’t set to import disabled computers.

Move Computer Accounts to a New OU

Can you move the old computer to a different OU? Perhaps one called “Graveyard for people who are too attached to things” or something passive-aggressive like that. Make sure that OU is EXCLUDED from the sync.

If you can’t move the computer to a particular OU, then ask, “Are you allowed to make the computer a member of a special Security Group?” After all, a computer can only be in one OU, but it can be a member of many groups.

The same rules apply here. Add it to a group (remember that, by default, you have to tell a group that it can contain computer objects in AD). Set AD Sync to exclude that group.
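
One way to script the three options above (disable, move to an OU, or add to an excluded group) with the ActiveDirectory PowerShell module. This is an added example, not code from the original post or from PDQ; the OU path, the group name, and the 365-day threshold are assumptions to replace with your own values.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Run with -WhatIf first to see what would change.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$StaleDays = 365,                                      # assumed threshold
    [string]$GraveyardOU  = 'OU=Graveyard,DC=example,DC=com',   # hypothetical OU
    [string]$ExcludeGroup = 'AD-Sync-Exclude',                  # hypothetical group
    [ValidateSet('Disable', 'Move', 'Group')]
    [string]$Action = 'Disable'
)

$cutoff = (Get-Date).AddDays(-$StaleDays)

# LastLogonDate is the module's readable form of lastLogonTimestamp. AD updates
# that attribute lazily (it can lag by roughly two weeks), so it is only
# suitable for coarse "not seen in months" checks like this one.
$stale = Get-ADComputer -Filter * -Properties LastLogonDate, whenCreated |
    Where-Object {
        # Accounts that never logged on have no LastLogonDate; fall back to the
        # creation date so freshly joined machines are not flagged.
        $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        $last -lt $cutoff
    }

foreach ($computer in $stale) {
    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, $Action)) {
        switch ($Action) {
            'Disable' { Disable-ADAccount  -Identity $computer }
            'Move'    { Move-ADObject      -Identity $computer -TargetPath $GraveyardOU }
            'Group'   { Add-ADGroupMember  -Identity $ExcludeGroup -Members $computer }
        }
    }
}

# Report what was selected, oldest first, for review or a change ticket.
$stale | Sort-Object LastLogonDate |
    Select-Object Name, Enabled, LastLogonDate, DistinguishedName
```

Whichever action you pick, the matching exclusion (disabled computers, the OU, or the group) still has to be set in the AD sync settings as described above.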

If That Doesn't Work

If you aren’t able to do any of these things, then you have a few options. One of them is to send your resume to PDQ. We’re hiring non-hoarder sysadmins. The other is to mark the system as a No Scan system. This way, you at least can edit it a little and make it look a bit better.

© 2021 Corporation