
Stale AD Object Cleanup

When production workload VMs in a DJI Frame account are created (due to a publish or an increase in the max capacity of a production pool), the production workload VMs are added to the specified Windows Active Directory as computer objects. Each time there is a publish (for non-persistent DJI Frame accounts) or if the max capacity of a production pool is reduced, workload VMs are terminated. However, the corresponding AD computer objects are not automatically removed from the Windows domain. Administrators have the following options to clean up stale computer objects in their Active Directory environment.

Manual

Domain administrators can periodically run the following PowerShell scripts to identify and remove stale computer objects in their domain. Here, a stale computer object is one whose computer account has not logged on to the domain for a defined number of days. The scripts must be run as a Windows domain user with sufficient privileges: read access to query the domain controller for the first script, and the right to delete computer objects in the target OU for the second script.

If the script detects any computers belonging to the Windows domain OU specified in $OU that have not logged into the domain for “x” days as defined by the variable $DaysInactive, the computer object will be listed.

#Requires the ActiveDirectory module (RSAT); autoloaded on modern PowerShell, imported explicitly here
Import-Module ActiveDirectory

#Set OU and inactive days interval to match your organization requirements
$DaysInactive = 60
$OU = "OU=FRAME-AWS-QA-TEST-2,OU=VDI,OU=Computers,OU=Frame,DC=frame,DC=demo"

#Search for inactive computer objects and show results in a PowerShell table
#LastLogonTimeStamp is the replicated attribute, so the query is valid against any DC
$Time = (Get-Date).AddDays(-$DaysInactive)
Get-ADComputer -Filter {LastLogonTimeStamp -lt $Time} -Properties LastLogonDate -SearchBase $OU |
    Format-Table Name,DistinguishedName,LastLogonDate -AutoSize

To find the computers in the Windows domain OU specified in $OU that have not logged into the domain for “x” days as defined by the variable $DaysInactive and remove them from the Windows domain, the Windows administrator can execute (or set up a scheduled task to execute):

#Requires the ActiveDirectory module (RSAT); autoloaded on modern PowerShell, imported explicitly here
Import-Module ActiveDirectory

#Set OU and inactive days interval to match your organization requirements
$DaysInactive = 60
$OU = "OU=FRAME-AWS-QA-TEST-2,OU=VDI,OU=Computers,OU=Frame,DC=frame,DC=demo"

#Search for inactive computer objects and delete them
#-Confirm:$false suppresses the per-object prompt so the script can run unattended (e.g. as a scheduled task)
$Time = (Get-Date).AddDays(-$DaysInactive)
Get-ADComputer -Filter {LastLogonTimeStamp -lt $Time} -Properties LastLogonDate -SearchBase $OU |
    Remove-ADComputer -Confirm:$false
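The two scripts above delete in a single step. The following is an added example, not from the Frame documentation, that turns them into a two-phase cleanup suited to a scheduled task: the first run writes an audit CSV and disables stale computer objects with a timestamped marker in the Description attribute, and a later run deletes only objects that have been disabled and marked for longer than a grace period. The function names, the `STALE-QUARANTINE` marker, and the CSV path are assumptions of this example; the OU value is the one used on this page and should be replaced with your own. Both functions support `-WhatIf` so the effect can be previewed before anything is changed.

```powershell
# Added example: two-phase stale computer object cleanup (disable, then delete after a grace period).
# Assumes the ActiveDirectory (RSAT) module and an account with the rights described above.
Import-Module ActiveDirectory

# Marker written to Description when an object is quarantined (assumed value for this example)
$QuarantineTag = "STALE-QUARANTINE"

function Get-StaleFrameComputer {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [int]$DaysInactive = 60
    )
    $cutoff = (Get-Date).AddDays(-$DaysInactive)
    # Objects whose LastLogonTimeStamp is older than the cutoff. Objects that have never logged on
    # (attribute absent) are deliberately NOT matched, so freshly joined VMs are not swept up.
    Get-ADComputer -Filter {LastLogonTimeStamp -lt $cutoff} -SearchBase $SearchBase `
        -Properties LastLogonDate, Description, Enabled
}

function Disable-StaleFrameComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [int]$DaysInactive = 60,
        [string]$ReportPath = ".\stale-computers-$(Get-Date -Format yyyyMMdd).csv"   # assumed path
    )
    $stale = Get-StaleFrameComputer -SearchBase $SearchBase -DaysInactive $DaysInactive

    # Phase 1a: audit trail of everything considered stale on this run
    $stale | Select-Object Name, DistinguishedName, LastLogonDate, Enabled |
        Export-Csv -Path $ReportPath -NoTypeInformation

    # Phase 1b: disable (reversible) and stamp the quarantine time into Description
    foreach ($c in ($stale | Where-Object { $_.Enabled })) {
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Disable and mark as stale")) {
            Set-ADComputer -Identity $c -Enabled $false `
                -Description "$QuarantineTag $(Get-Date -Format s)"
        }
    }
    $stale
}

function Remove-QuarantinedFrameComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [int]$GraceDays = 14
    )
    # Phase 2: only disabled objects carrying our marker are candidates for deletion
    $tagged = Get-ADComputer -Filter {Enabled -eq $false} -SearchBase $SearchBase -Properties Description |
        Where-Object { $_.Description -like "$QuarantineTag *" }

    foreach ($c in $tagged) {
        # Parse the ISO timestamp written in phase 1 (format "s" = yyyy-MM-ddTHH:mm:ss)
        $stamp = ($c.Description -split ' ')[1]
        $taggedAt = [datetime]::ParseExact($stamp, 's', [cultureinfo]::InvariantCulture)
        if ($taggedAt -gt (Get-Date).AddDays(-$GraceDays)) { continue }   # still inside grace period

        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Delete quarantined computer object")) {
            Remove-ADComputer -Identity $c -Confirm:$false
        }
    }
}

# Usage (preview first with -WhatIf, then run for real; OU value copied from this page, replace with yours):
# Disable-StaleFrameComputer -SearchBase "OU=FRAME-AWS-QA-TEST-2,OU=VDI,OU=Computers,OU=Frame,DC=frame,DC=demo" -WhatIf
# Disable-StaleFrameComputer -SearchBase "OU=FRAME-AWS-QA-TEST-2,OU=VDI,OU=Computers,OU=Frame,DC=frame,DC=demo"
# Remove-QuarantinedFrameComputer -SearchBase "OU=FRAME-AWS-QA-TEST-2,OU=VDI,OU=Computers,OU=Frame,DC=frame,DC=demo" -GraceDays 14
```

Disabling first keeps the action reversible (re-enable with `Set-ADComputer -Enabled $true` and clear the Description) if a workload VM turns out to still be in use, and the CSV gives a record of what was touched on each run. Note that `Remove-ADComputer` only removes leaf objects; if a computer object has child objects underneath it, the deletion fails and `Remove-ADObject -Recursive` would be needed instead, which is a deliberate choice to leave out of an unattended job.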

Automatic

Frame provides a feature for administrators who wish to automatically delete the Active Directory computer object associated with the Frame instance. Once the feature is enabled, an AD computer object will be automatically deleted when the instance is terminated (as part of the Publish process or when reducing Max Instances for an Instance Pool). Before enabling this feature, administrators should consider the following:

Prerequisites

  • While this feature can be enabled now, the associated Account must be upgraded to Frame Server 8.7 before computer object deletion will actually execute.
  • The service account specified within Account Dashboard > Settings > Domain Settings must have permissions to delete computer objects within the specified domain as mentioned in step 10 of the Domain Controller Prep document.

Known Limitation

This feature requires at least one AD domain-joined instance to be available within the Account in order to execute the computer object deletion. As a result, this feature is not triggered during the Account Termination process or in scenarios where the Max Instances setting is set to 0 across all available Instance Pools.

Enable/Disable Automatic Removal of AD Computer Objects

This feature is automatically enabled for all new domain-joined accounts created after May 4, 2023.

If you wish to enable this feature on an older account or disable it, simply navigate to the Account Dashboard where the domain is configured. From there, navigate to Settings > Domain Settings and enable/disable the toggle, as shown below:

Remove AD computer objects for terminated test/production instances