Active Directory Computer (Create, Manage, Delete, Query)

Use the Active Directory Computer Tasks to create an Active Directory Computer account, or to change, delete or query all Active Directory Computer accounts:

  • in a specific Active Directory folder (optionally including subfolders).
  • with a computer name that matches a specific wildcard pattern.
  • with a specific value for a specific Computer property.
  • with a specific number of days since last login.

With Create Active Directory Computer, you can create an Active Directory Computer account with a specific name in a specific Organizational Unit, and you can determine which users or groups can join this computer to a domain.

With Manage Active Directory Computer, you can set and change the properties and group memberships of Active Directory Computer accounts. For example, you can target a group of Active Directory Computer accounts and set their location; or you can add a new group membership to all target Active Directory Computer accounts. New group memberships can be added or existing group memberships can be removed. Alternatively, set a list of existing group memberships to replace the existing memberships of the target Active Directory Computer accounts. You can also set a group as the primary group.

With Delete Active Directory Computer, you can delete Active Directory Computer accounts. Combined with the filter on number of days since last login, for example, you can use this Task to clean up Active Directory Computers that have not been used for a given length of time.

With Query Active Directory Computer, you can obtain overviews of all Active Directory computer accounts, filtered by Organizational Unit, by computer name, property value and/or number of days since last login.

Configuration

  • If you are going to run the Task on a Domain controller, you can leave the Domain controller field on the Settings tab empty and select Local Agent (domain controller) instead.
  • On the Settings tab, computer name refers to the pre-Windows 2000 name.
  • In the Filter by property field, use wildcards only in combination with the operators LIKE and NOT LIKE.
  • When you configure a Task to change or delete Active Directory Computers that match a set of criteria, there is a risk that more Active Directory Computer accounts are targeted than expected. By selecting the option Fail this Task if the number of items affected exceeds [x], you can create a safety net that prevents undesired results.
  • The Task Query Active Directory Computer may take a long time if the queried Organizational Unit contains many items. This is particularly the case if the query retrieves the Number of days since last login, the Computer property Last logon date, or the Computer property Last logon server. It is possible to abort long-running Active Directory Query Tasks. It may take around 10 seconds for the abort to be detected by the Agent, after which the Job will fail with status Aborted.
  • Long-running Active Directory Tasks that update, move or delete Active Directory objects cannot be aborted; the Task will always run until it is completed.
  • When you browse for a specific OU, this information is automatically pasted in the relevant field and takes the following format: OU=IT,OU=Amsterdam,OU=Netherlands,DC=d-energy,DC=local. However, if you set a parameter in this field, the data will have to be provided at the moment of input - in the correct format. To provide an example of the format, copy a sample path and paste it as the default value for the relevant parameter. With the Input setting Show previous value, the example will be shown whenever input is required for the parameter.
  • In Tasks to set Active Directory properties for Active Directory objects, the variable %username% will be resolved as the name of the user under which the Ivanti Automation Agent runs. If you want to refer to the actual user name of the target Active Directory object instead, for example when you are setting a user's home drive using the Task Manage Active Directory User, use the variable %accountname%. This will be resolved as the pre-Windows 2000 user name of the Active Directory User, Computer, Group or Object that is being managed. This option is not available for Organizational Units.
  • The execution speed of Active Directory Queries may depend on the number of additional Active Directory properties that are to be reported in the query. On the Computer Properties tab, you can select a maximum of 90 Active Directory properties.
  • When browsing for an Organizational Unit, the list of Organizational Units that is shown depends on the Security context and the Domain controller. If the Domain controller field is empty, the list of Organizational Units depends on the Domain.
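
The stale-account cleanup described under Delete Active Directory Computer, together with the "Fail this Task if the number of items affected exceeds [x]" safety net, can be rehearsed outside the product with the ActiveDirectory PowerShell module before a Task is scheduled. This is an added example, not Ivanti Automation code; the name pattern, day count and limit are assumed values, and the OU path is the sample path from this page.

```powershell
# Added example, not Ivanti Automation code. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumed values; only the OU path format comes from this page.
$SearchBase   = 'OU=IT,OU=Amsterdam,OU=Netherlands,DC=d-energy,DC=local'
$NamePattern  = 'WS-*'   # hypothetical wildcard on the pre-Windows 2000 name
$InactiveDays = 90       # hypothetical "days since last login" threshold
$MaxAffected  = 25       # hypothetical safety net, like "Fail this Task if ... exceeds [x]"

$cutoff = (Get-Date).AddDays(-$InactiveDays)

$query = @{
    SearchBase  = $SearchBase
    SearchScope = 'Subtree'                       # include subfolders
    Filter      = "SamAccountName -like '$NamePattern'"
    Properties  = 'LastLogonDate', 'Created'
}

# LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which
# is updated only periodically and can lag the real last logon by up to about two weeks.
$stale = @(Get-ADComputer @query | Where-Object {
    if ($_.LastLogonDate) {
        $_.LastLogonDate -lt $cutoff
    } else {
        # Never logged on: treat as stale only if the account itself is older than
        # the cutoff, so freshly pre-staged accounts are left alone.
        $_.Created -lt $cutoff
    }
})

# Safety net: stop before any change if the criteria match more than expected.
if ($stale.Count -gt $MaxAffected) {
    throw "Safety net: $($stale.Count) accounts match, limit is $MaxAffected. Nothing deleted."
}

# Print the candidate list for review.
$stale | Sort-Object LastLogonDate |
    Format-Table SamAccountName, LastLogonDate, DistinguishedName -AutoSize

# -WhatIf reports what would be removed without deleting anything.
# Remove -WhatIf only after the list above has been reviewed.
$stale | Remove-ADComputer -WhatIf
```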