...Because someone's gotta tell the story...


To return to the main Blog List, click Full Blog Listing.


Active Directory
Domain Controller

Removing old computer accounts in Active Directory

Monday, January 12, 2009 in Active Directory (Views: 2090)
Let's talk about Active Directory, and how people in IT don't do the housecleaning they are supposed to do. If I had a dollar for every time I heard "We have procedures in place to take care of old accounts", I would probably be rich, even in this economy.

So, what is the biggest problem companies face with Active Directory? Not cleaning up old computer accounts. In this article, I am going to talk about how Active Directory validates computer accounts, and how you can not only detect these stale accounts, but take action on them.

First of all, computers are much like users. They have accounts, and live in a group called "Domain Computers". This, of course, does not count Domain Controllers. Unlike users, computer accounts will reset their password (without being prompted of course) with Active Directory every 30 days. If a computer has been off the network long enough, then it knows to regenerate it's computer password and sync with AD.

There are 2 commands in DS you will need to know:

1. DSQuery: This tool queries Active Directory for information in such as user objects, groups, or whatever. In this case, computer accounts that have not checked in for xxxx time.

2. DSMod: This tool allows you to take action on items found in DSQuery.

Here are some examples of how this all works:

DSQuery Examples:

1. Finding computers that have not been active in the last 6 months (24 weeks)

Dsquery computer domainroot -inactive 24 -limit 0 -scope subtree

2. Finding computers that haven't changed their passwords in the last 90 days

(default is 30)

Dsquery computer domainroot -stalepwd 90 -limit 0 -scope subtree

DSMod Example:

You can then use dsmod with dsquery and an input file.

Here is one example of how to take an input file and process computer objects.

This command will process the input file, filename.txt, disable the computer accounts, and then move the computer accounts to the new OU.

for /f "delims=&" %%d in (filename.txt) do (

dsmod computer %%d -disabled yes

dsmove %%d -newparent “ou=ou_to_move_computers_to,dc=yourdsdomain,dc=com”



Related Blogs You May Be Interested In:

To leave a comment, please log in and/or register.