Bill Detwiler: Letting old, unused computer accounts sitaround in Active Directory can not only clutter up your OUs but also create asecurity hole.
I'm Bill Detwiler, and during this episode of TR Dojo, I'llshow you how to identify potentially stale computer accounts with dsquery andshow you how to handle the ones you find.
Over time, stale computer accounts can accumulate in ActiveDirectory.
And whether they’re old employee machines that are no longerused or servers that you’ve retired, removing old, unused computer accountsshould be on every Windows admin’s Active Directory housekeeping list.
Now, a quick look at the Object tab of a computer accountwill tell you when the update sequence number (or USN) was updated, but itwon’t tell you the last time the computer logged into the domain.
Luckily, you can get this information with the dsquerycommand.
Now before you run right out and use dsquery to locate stalecomputer accounts, TechRepublic blogger Rick Vanover, (who put this tiptogether) suggests that you do the following:
First, set a threshold of time for stale accounts to beremoved (for example, two months).
Second, instead of immediately deleting the stale accounts,move them to a new organizational unit (OU) and disable them.
And third, set an additional threshold for the staleaccounts you moved to the new OU (say another month) and then delete them.
Now there’s one last factor to keep in mind when determiningif an account is actually stale or not. Remote users who do most, or all, oftheir work through web-based app, may not authenticate to the domain on aregular basis. Their accounts appear to be stale when they actually aren’t. Thus,Rick’s recommendation that you move potentially unused accounts into a new OUinstead of immediately deleting them. The last thing you want is an iratesalesperson that needs to hit the domain the morning of a big pitch.
Dsquery is built into Windows Server 2008, but is onlyavailable if you have the Active Directory Domain Services (AD DS) server roleinstalled.
You can also run it from Windows 7 if you’ve installed theRemote Server Administration Tools for Windows 7.
To run dsquery, open a command prompt with elevatedprivileges and enter a command like the following:
dsquery computer –inactive 8
Here we’re looking for all computer accounts that have beeninactive for eight weeks.
When entered, the command will run again the entire domainof which the computer you’re running it on. And produce output that lookssomething like this.
Now, this is just one of the many ways you can use dsqueryand there are a ton of parameters that you can use to customize your search.
For example, the –o specific the format of the output,-scope can be used to limit the scope of the search, and the -disabledparameter will locate computer accounts that have been disabled.
I’ll link to a full list of dsquery parameters in the blognotes.
Well that does it for this edition of TR Dojo.
For more teachings on YOUR path to becoming an IT Ninja,visit trdojo.techrepublic.com, sign-up for our newsletter, or follow me onTwitter.
Thanks for visiting the TR Dojo.