Ok, for those of you that have to deal with replacing users’ computers,
laptops, etc, I have a request for ideas.
Our computers here are in our AD domain, and have some software on them
that is a ‘per install’ license.
When it’s time to replace computers, the new one replaces the old, and
the old one is supposed to be removed from our domain so our inventory
software will set this machine to retired and free up the software
license. The machine then goes into our high density storage until the
hard drive gets wiped, then it goes to ‘long term’ storage before it
goes to an auction.
Problem is, the support people that do the computer replacement
apparently don’t want to do the steps necessary with the old pc after
it’s been replaced. Apparently they don’t feel they have the time to
do this, which then it becomes a several day process to take care of
all the machines that need done.
Anyone know of any ‘automated’ way to do this, where a script or
something is run on the pc and it gets removed from our domain, and
gets the licensed software uninstalled?
There seem to be a few here for doing the remove-from-AD part: https://goo.gl/ALX2cU : )[/color]
So my response to Susan’s comment is…
Kicker still becomes getting our support people to run them.
We have a weekly meeting between us and our support people, I have a
feeling I will be attacking the hornet’s nest with a bat as well as a
flame thrower.
I was wondering if it was in-house support. Good luck with that
meeting.
Once you’ve batch removed the computers from AD, at the end of that
script add a list of chained uninstall executables for the software
that needs to be removed. You’d have to know if any of them request a
reboot after uninstall, or bring up some announcement of the
uninstall being done that would need to be okayed, but once that was
sorted out and the script for the uninstall part was worked out, it
should probably work quite well. Testing it on a few of the computers
should give enough info on the details and timing that needs to be
included in the script.
You could even have the script create a file on the server at a
location of choice, named after the computer name, that would
indicate an error state or success for each part of the process. Then
you’d know if there were any computers that required manual
intervention.
In theory that’s all possible. I once did lots of things via batch
scripts that were somewhat similar. They didn’t involve dealing with
AD, but they installed and uninstalled and changed registry entries
and reported back.
You just need routines to FIRST check to make sure it’s one of the
computers you want it to run on, and if not, to just stop.
In-house support should have been able to figure out something like
that. Just make sure if they try to, that they run it by you first,
so they don’t end up removing every computer from AD and uninstalling
all software from all computers on the system. LOL
Oh, and as for them having to run it, if you have a list of the
computer names, couldn’t you just create a startup script that
contains the “remove from AD and uninstall these programs” script,
and batch copy that to the list of computers? I know that was a
really easy thing to do with Netware, because I did it regularly for
awhile.
If I remember correctly, on one system I added to startup script of
all computers a check to see if it was one of the computers that
needed whatever was to be done, and if it was, a file on root was
created that was a yes or no flag file. It was quite easy under
Netware to copy a batch file to all computers. Then the startup
script of all computers was again edited, but this time to check for
the state of the flag file, and based on that state, to then proceed
to execute the script file or to delete it.
The results of the actions were piped into a file for each computer,
and then another script combined all of the individual report files
into a single report file so I could easily see the results of the
procedure. If I recall correctly, I put a spacer of some sort between
each file as it was combined with the others, and then had a macro
that pulled that all into WordPerfect and sorted it however desired.
Anyway, just some ideas. I used to love doing that sort of thing. The
happiest moments for me were when I’d hit the enter key to start a
process that might take an hour, and walk away while the computer did
all the work. LOL
Oh, and as for them having to run it, if you have a list of the
computer names, couldn’t you just create a startup script that
contains the “remove from AD and uninstall these programs” script,
and batch copy that to the list of computers? I know that was a
really easy thing to do with Netware, because I did it regularly for
awhile.
If I remember correctly, on one system I added to startup script of
all computers a check to see if it was one of the computers that
needed whatever was to be done, and if it was, a file on root was
created that was a yes or no flag file. It was quite easy under
Netware to copy a batch file to all computers. Then the startup
script of all computers was again edited, but this time to check for
the state of the flag file, and based on that state, to then proceed
to execute the script file or to delete it.
The results of the actions were piped into a file for each computer,
and then another script combined all of the individual report files
into a single report file so I could easily see the results of the
procedure. If I recall correctly, I put a spacer of some sort between
each file as it was combined with the others, and then had a macro
that pulled that all into WordPerfect and sorted it however desired.
Anyway, just some ideas. I used to love doing that sort of thing. The
happiest moments for me were when I’d hit the enter key to start a
process that might take an hour, and walk away while the computer did
all the work. LOL[/color]
So my response to Susan’s comment is…
I’m digging around trying to find uninstall strings for the software
that’s licensed per install, seeing if I can come up with some type of
script to at least get that stuff removed from replaced machines for
now anyway.
That’s a good start! The internet or the website of the software
might also have a list of command line switches for uninstalls that
might make them completely unattended. : )
That’s a good start! The internet or the website of the software
might also have a list of command line switches for uninstalls that
might make them completely unattended. : )[/color]
So my response to Susan’s comment is…
Found some of that for our anti-virus software plus our inventory
agent. One I’d really like to do is ms office, but holy cow does that
look like a PITA.
while I have nothing to do with AD (I’m a very happy Linux camper ), we face similar problems, especially since the support staff is external.
Typically, the fellows replacing the computer log in as a specific “wipe this host” user, with login scripts taking care of most of the steps. In your case, it sounds like that would be unregistering the system from AD, and then to actually wipe the disk, as that would have to be done anyhow in order to auction the machine.
If wiping takes too long, then have some local admin or the users (though extra measures would have to be taken if you hand out the password for that “wipe” user - i.e. checking against a server-based list of machines that are in for a wipe) log in as a last step, the day before replacement.
Thanks for the links! Got something working to remove office as well
as our anti-virus software. Granted I still have to get the people
replacing computers here to run this when the old computer is replaced.
while I have nothing to do with AD (I’m a very happy Linux camper
), we face similar problems, especially since the support staff is
external.
Typically, the fellows replacing the computer log in as a specific
“wipe this host” user, with login scripts taking care of most of the
steps. In your case, it sounds like that would be unregistering the
system from AD, and then to actually wipe the disk, as that would
have to be done anyhow in order to auction the machine.
If wiping takes too long, then have some local admin or the users
(though extra measures would have to be taken if you hand out the
password for that “wipe” user - i.e. checking against a server-based
list of machines that are in for a wipe) log in as a last step, the
day before replacement.
Regards,
Jens[/color]
So my response to jmozdzen’s comment is…
Kicker here is, when a new pc is placed, the user support staff here
usually wants to keep the computer intact for 2 weeks to a month after
replacement, just in case the user had something on the local drive
that got missed.
I know I know we do preach to our users to not save anything locally,
seems to fall on deaf ears.
Your strongest argument might be that once all of those computers are
unplugged and put into storage, it will be much more labor-intensive
to do it.
I’m pretty sure if the timing were figured out, that you or they
could come up with a batch file to perform the entire process and
copy a desktop icon to all of the systems that would copy the batch
file from the server. Then all they’d have to do is click an icon on
the desktop to get it going.
With a little planning on their part, by the time they’d set up a
couple of the new systems, the process would probably be done on the
old ones, and they’d just need to unplug the old, remove and skootch
the new systems in their place and plug them in.
I can’t wait to hear how the meeting goes. Best of luck! : )
Kicker here is, when a new pc is placed, the user support staff here
usually wants to keep the computer intact for 2 weeks to a month after
replacement, just in case the user had something on the local drive
that got missed.
I know I know we do preach to our users to not save anything locally,
seems to fall on deaf ears.[/color]
I’m a big fan of scripting. And Powershell - though a little^wvery
ugly is extremely versatile.
Removal from AD can be scripted, as can the uninstall of most programs.
Depending on the ‘per install’ license monitoring, it may actually be
possibly to use a script to remove the computer come the database of
consumed licenses and then wipe the computer.
Most of the license databases I’ve come across will automatically
remove stale records - if this is the case, then wiping the computer
is easier than dealing with uninstalls.
I would personally set up a pxe boot and get something like ZCM or MDT
to take an image of the computer, then lay down a blank image on the
machine.
You now have a backup of the machine in question, and the machine is
wiped.
The advantage of this solution is they only need to handle the machine
once, it requires minimal user interaction and you don’t need to keep
the machine.
Disadvantage being the storage space for the images - but you can get a
cheap NAS with lots of disk, and it can be a PITA opening up the image
to extract individual files.
If you go down the scripted uninstall route, it can become a
significant maintenance overhead and potential point of failure as
software changes. I’d have a group in AD which is called
‘depreciatedComputer’ and the policy would be that when a computer is
removed, it gets added to this group. A group policy would run a
script on all machines that checks to see if it is a member of this
group and then runs a series of decommissioning scripts.
This does mean that someone needs to log in to the machine, and does
need to check that all of the scripts ran. Then later the machine has
to be wiped.
Your strongest argument might be that once all of those computers are
unplugged and put into storage, it will be much more labor-intensive
to do it.[/color]
So my response to Susan’s comment is…
That argument has been made over and over, I think it doesn’t really
concern them since we to our computer swap once a year, so it’s not on
the front burner most of the time.
), we face similar problems, especially since the support staff is external.