<img height="1" width="1" src="https://www.facebook.com/tr?id=1529264867168163&amp;ev=PageView &amp;noscript=1">
blog_listing_hero_img.jpg

Finding and Eliminating XP PCs on Your Network

microsoft windows xp stop Windows XP has famously gone End of Life (EOL) on 8th April 2014. Unless you have a special costly agreement with Microsoft, you should already be off of XP and onto something newer (Vista/7/8) or at least actively working on the upgrades.

If you're upgrading computers now, you should be auditing what's out there and making sure nothing is missed. If you've already upgraded all the computers you know about, it's still worth checking to make sure the XP computers are 100% removed. There are a few ways to achieve this, and I suggest getting an understanding of what you're doing at each step rather than running someone else's all-encompassing script and hoping for the best.

Active Directory Connected Computers

PowerShell can easily provide you with details on all computers known to Active Directory (AD). Most, if not all workstations in your environment should be AD connected, so it's a good start. Computers in AD have the operating system information as part of the object, so it's easy to filter and report on.

From the Active Directory Module for Windows PowerShell, you can run the following command:

Get-ADComputer -Filter {OperatingSystemVersion -like "5.1*"}

If you'd like it in a nice table, add | Out-GridView onto the end:

Get-ADComputer -Filter {OperatingSystemVersion -like "5.1*"} | Out-GridView

 Note that the Operating System Version 5.1 is for Windows XP (refer here for a full list of Versions and Operating systems). 

Ideally you'll get no results, which means no XP computers are in AD. You can move onto the next method! For those less fortunate, you'll need to investigate each entry.

The attribute “lastlogondate” is a record of when the object last logged on, but isn’t a visible field without specifying it in your PowerShell command. Here’s the updated command:

Get-ADComputer -Filter {OperatingSystemVersion -like "5.1*"} –properties lastlogondate | Out-GridView

This time you will see the extra LastLogonDate column, and can decide what computers can safely be removed from Active Directory that may not have been around for years.

You can take two approaches with all this information – either deal with it on a case by case information, or just disable all the Windows XP computers. I suggest disabling rather than deleting, as it is easy to re-enable a computer but much harder to register a computer with AD again, especially if you don't have physical access to the device (and you've probably just disabled any way of getting to it remotely). Once you're happy that disabling all these objects has had no impact, you can clean up by deleting them later.

If you're happy to disable all the Windows XP computers in your AD environment, you can run this PowerShell command:

Get-ADComputer -Filter {OperatingSystemVersion -like "5.1*"} | Set-ADComputer -Enabled $false

Then to actually remove them down the track, run this command:

Get-ADComputer -Filter {OperatingSystemVersion -like "5.1*"} | Remove-ADComputer

That covers all your Active Directory computers, but what about others that may be on your network but not domain joined?

Non-Domain Joined Computers

Finding these computers is much harder than the ones you manage through AD. There are two sides to this - finding and dealing with existing XP computers, and blocking XP computers in the future.

Existing XP computers can potentially be found in a few ways, but aren't guaranteed. You're better off implementing the ability to block XP computers as per the next section.

To identify computers worth scanning, your DHCP server is a good place to check.

Any device that has been set to automatically receive an IP address will be registered against your DHCP server. Using the DHCP console, you can navigate to a DHCP server in your environment and view the Address Leases which lists information such as Client IP Address, Unique ID (MAC address) and Name. The Name field is the one worth looking at, as you should be able to easily identify names of devices that don't fit into your normal naming convention, or blank entries.

If a computer was set to have a static IP address, then you're in for a tougher time again. Frequent IP address scans on all valid IP ranges on your network are required to see if anything strange pops up, which you can script or use a utility such as the free Angry IP Scanner.

To try and work out what a device is, another free utility called Nmap can be used. Doing a basic scan is quite easy, and just requires you to enter the IP address in question into the Target field. Clicking "Scan" and waiting for the software to do it's thing should reveal a lot about the device, including hopefully what Operating System is running. This is one of the easiest ways to identify what an unknown device may be, and you'll possibly discover something you didn't even know was on your network.

Some computers will have a software firewall enabled, which will potentially result in an unsuccessful scan. These again would need to be investigated individually, and you may need to resort to checking switch tables to physically track down the device in question.

Blocking Unknown Computers

Blocking XP computers reliably falls into the unknown category, and is a whole project in itself. You'll need to start thinking about technologies such as 802.1X (port based access control). This can either completely block network access based on the criteria you provide, or VLAN those computers off to their own network segment, making them unable to talk to other devices. You can also use Remote Authentication Dial-In User Service (RADIUS) in conjunction with 802.1X to stop non-domain joined computers, where you can configure rules that only grant access if both the user and the computer are known to AD. You will need network infrastructure that supports 802.1X though, namely managed switches.

I hope this gives you a starting point for being aware of how many XP computers are on your network, and some options you have for dealing with them. This is all at the basic level, so if you're looking for something more comprehensive check out ENow's Active Directory Services where you can speak to an expert for advice.