Solved: How to audit machines on the network but not on the domain

December 3, 2014 at 13:03:35
Specs: Windows 7, varies
Is there a way to audit for a list of machines on the network but not on the domain? My company moved from a domain that is no longer accessible, let's call it AAA, to our new permanent domain BBB. I've noticed that we have a lot of users still on the AAA domain. Is there a way to get a list of computers that are on our network but not on our domain?

Some people think cucumbers taste better pickled.







#1
December 3, 2014 at 13:53:43
I think this post may be in the wrong forum so please answer a quick question and if it is in fact in the wrong forum, we'll get it moved to the correct one.

What exactly is it you wish to audit on these computers?

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#2
December 3, 2014 at 14:20:53
I want to know if there is a way to find all of the computer names that are still on the original domain so that I can move them to the current domain. Preferably without having to talk to 200 people.




#3
December 3, 2014 at 14:38:42
I'm surprised that you haven't been inundated with complaints from users who can't sign on, or can't access your network resources, if the original domain is no longer accessible.

If you know the names of all the computers you just need to look for those that aren't registered in the new domain. If you don't know the names, and where they are located, then how are you going to track them down physically? An audit of your Active Directory should soon show you which users haven't logged on to it recently; those are the ones whose computers aren't on the new domain.



#4
December 3, 2014 at 14:50:46
The company we were did not have computers using a naming convention (first initial, last name). They were random IDs. For example, computer name: XYZ123-1

I agree that they shouldn't be able to log on at all but I think the way they were cut off from the domain has allowed them to continue use of the machines.

The active domain uses one password for all solutions. These computers on the old domain are still using the same password they had when they were cut off from the old domain, leading me to believe that the machines have cached the credentials and are allowing access on these cached credentials.




#5
December 3, 2014 at 15:19:08
If this is indeed an Active Directory domain then all domain PCs will need to contact the DC in order to be authenticated. From the sounds of it, you have two domains and some clients are connecting to the old, others to the new.

I suspect you're going to have to go around machine by machine and remove the ones still attached to the old domain from it, and then join them to the new domain. Although you could probably just shut the DC(s) down for the old domain and wait for users to call you when they can't login.

This is the wrong place for this post, it should be in one of the "Windows Server" forums, but I'm not moving it as I find I'm quite interested in what's going on here.

It's been a while since I did any domain admin duties so my MS and AD skills are rusting. But, we do have some guys who do this day in and day out that hang in this particular forum and hopefully, they'll jump in with some suggestions.




#6
December 3, 2014 at 23:48:55
✔ Best Answer
It's certainly true that the old machines will be using cached credentials. But they will be unable to access any resources on the new domain. If they don't use any such resources, does it really matter if they are logging on to the new domain or not? If it does (e.g. to impose group policies) then you have to look at each computer. (You're going to have to do that when you want to join them to the new domain anyway.)

Alternatively, create a shared folder that you give everyone access to; send an email to all your users asking them to put a small text file containing their name in that folder. Then wait and see who doesn't do so, or who complains that they can't; those are the users that you need to visit.

Edit: Another thought - (assuming that your computers are using DHCP) look at the list of clients registered by your DHCP server and compare that with the computers registered in Active Directory.

message edited by ijack
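One way to do the DHCP-versus-Active-Directory comparison suggested above, as an added PowerShell example that is not from the thread. It assumes the RSAT DhcpServer and ActiveDirectory modules are installed on the machine you run it from, that it is run with an account that can read the DHCP server and the BBB domain, and that 'dhcp01' is a placeholder for your DHCP server name.

```powershell
# Added example, not from the thread. Lists DHCP clients that have no computer
# account in the current domain (BBB). Machines with static IPs will not show
# up here, and a matching host name is not proof the box has been joined.
Import-Module DhcpServer
Import-Module ActiveDirectory

$DhcpServer = 'dhcp01'   # placeholder: your DHCP server's name

# 1. Every computer account the new domain knows about, keyed by short host name.
$adComputers = @{}
Get-ADComputer -Filter * -Properties LastLogonDate | ForEach-Object {
    $adComputers[$_.Name.ToUpperInvariant()] = $_
}

# 2. Every active lease on every IPv4 scope of the DHCP server.
$leases = Get-DhcpServerv4Scope -ComputerName $DhcpServer | ForEach-Object {
    Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $_.ScopeId |
        Where-Object { $_.AddressState -like 'Active*' }
}

# 3. Leases whose host name has no matching computer account in the new domain.
$strays = foreach ($lease in $leases) {
    # Some clients send no host name at all; report them separately if needed.
    if ([string]::IsNullOrWhiteSpace($lease.HostName)) { continue }
    $short = ($lease.HostName -split '\.')[0].ToUpperInvariant()
    if (-not $adComputers.ContainsKey($short)) {
        [pscustomobject]@{
            HostName  = $lease.HostName   # DNS suffix often still shows the old domain
            IPAddress = $lease.IPAddress
            ClientId  = $lease.ClientId   # MAC address, handy for physically tracking the box
            ScopeId   = $lease.ScopeId
        }
    }
}

$strays | Sort-Object HostName | Format-Table -AutoSize
```

Run it from a box that can see both the DHCP server and a BBB domain controller; the resulting list is the set of machines worth a visit.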

