Symantec Management Platform (Notification Server)

For SMP 7.1, is there a way to automate purging unmanaged systems from the database that haven't changed their computer account password within the last 30 days in the domain?  Purging maintenance in the SMC is only for "managed" clients and the resync for AD Import is only if you delete an object in AD after which this record is supposed to be deleted from the DB thereafter.  However, correct me if I'm wrong, once a machine account is loaded into the database where for whatever reason the Altiris Agent never gets installed, there appears to be no mechanism to automatically purge these records.

I suspect like most, we have a lot of junk in our AD so trying to weed out the older stuff from my CMDB to minimize the target count during my scheduled Altiris Agent pushes.  I've been having to modify my target filter each time to hit unmanaged machines per department since trying to hit all unmanaged workstations takes several hours due to its large number.  I can't wait for our security section to clean up stale computer accounts in AD so have to figure out something else to delete these entries from my DB.

When a machine falls into that state, does it become disabled in AD, as I believe the import rule allows you to exclude disabled computers, which may or may not allow purging to target them, as you have correctly described how it usually targets them? I believe the import rule also allows you to exclude the not reporting scenario too either as an option or as a custom adsi query. The method that will probably work best is to create an adsi filter (search that term to find my connect article), as you can easily match computer objects that are ismanaged=0 and that fall into hour adsi criteria. Thia will then allow you to delete oe change the asset status of the members of that filter. You could probably copy and then modify the spgetcomputerstopurge stored procedure to use that filters sql definition instead, which could then be run as a server side task server sql task or even as a sql agent job.

In fact, forget about the sp and simply create the adsi filter and then automate the insert statement against the itemtodelete table using the guids relating to the members of that filter, as they will then be deleted by a backend process during the early hours. If you wanted to change tge asset status instead of deleting this could be automated too.

Here is my ADSI article:-  https://www-secure.symantec.com/connect/articles/how-create-active-directory-filters-without-using-ad-import-rule

You could use this method to delete the computers from the ADSI filer:-  https://www-secure.symantec.com/connect/downloads/bulk-delete-resources

The SQL you would use is as follows:

SELECT ResourceGuid FROM CollectionMembership WHERE CollectionGuid = 'Guid of ADSI Filter'

The Guid of the ADSI filter can be found by looking at its properties.

As this will only be one filter, you can simply create it via the console right-click method instead of using the Data Connector method.