
TR Dojo

Find unused computer accounts in Active Directory with dsquery

Takeaway: Bill Detwiler shows you how to find stale AD computer accounts using dsquery and suggests ways to handle the ones you uncover.

Over time, stale computer accounts can accumulate in Active Directory. And whether they’re old employee machines that are no longer used or servers that you’ve retired, letting these accounts sit around in Active Directory can not only clutter up your OUs but also create a security hole.

Removing old, unused computer accounts should be on every Windows admin’s Active Directory housekeeping list. During this week’s episode of TR Dojo, I show you how to identify potentially stale computer accounts with dsquery and explain how to handle the ones you find.

July 5, 2011, 8:33 AM PDT | Length:00:04:15


For those who prefer text to video, click the View Transcript link below the video player window or check out Rick Vanover’s article, “Identify stale Active Directory computer accounts with dsquery,” on which this video is based.


Bill Detwiler

About Bill Detwiler

Bill Detwiler is Head Technology Editor of TechRepublic. Previously, he worked as a Support Tech and IT Manager in the social research and energy industries.


Transcript

Bill Detwiler: Letting old, unused computer accounts sit around in Active Directory can not only clutter up your OUs but also create a security hole.

I'm Bill Detwiler, and during this episode of TR Dojo, I'll show you how to identify potentially stale computer accounts with dsquery and show you how to handle the ones you find.

Over time, stale computer accounts can accumulate in Active Directory.

And whether they’re old employee machines that are no longer used or servers that you’ve retired, removing old, unused computer accounts should be on every Windows admin’s Active Directory housekeeping list.

Now, a quick look at the Object tab of a computer account will tell you when the update sequence number (or USN) was updated, but it won’t tell you the last time the computer logged into the domain.

Luckily, you can get this information with the dsquery command.

Now before you run right out and use dsquery to locate stale computer accounts, TechRepublic blogger Rick Vanover (who put this tip together) suggests that you do the following:

First, set a threshold of time for stale accounts to be removed (for example, two months).

Second, instead of immediately deleting the stale accounts, move them to a new organizational unit (OU) and disable them.

And third, set an additional threshold for the stale accounts you moved to the new OU (say another month) and then delete them.

Now there’s one last factor to keep in mind when determining if an account is actually stale or not. Remote users who do most, or all, of their work through web-based apps may not authenticate to the domain on a regular basis. Their accounts appear to be stale when they actually aren’t. Thus Rick’s recommendation that you move potentially unused accounts into a new OU instead of immediately deleting them. The last thing you want is an irate salesperson who needs to hit the domain the morning of a big pitch.

Dsquery is built into Windows Server 2008, but is only available if you have the Active Directory Domain Services (AD DS) server role installed.

You can also run it from Windows 7 if you’ve installed the Remote Server Administration Tools for Windows 7.

To run dsquery, open a command prompt with elevated privileges and enter a command like the following:

dsquery computer -inactive 8

Here we’re looking for all computer accounts that have been inactive for eight weeks.

When entered, the command will run against the entire domain of which the computer you’re running it on is a member, and produce output that looks something like this.

Now, this is just one of the many ways you can use dsquery, and there are a ton of parameters that you can use to customize your search.

For example, the -o parameter specifies the format of the output, -scope can be used to limit the scope of the search, and the -disabled parameter will locate computer accounts that have been disabled.

I’ll link to a full list of dsquery parameters in the blog notes.

Well that does it for this edition of TR Dojo.

For more teachings on YOUR path to becoming an IT Ninja, visit trdojo.techrepublic.com, sign up for our newsletter, or follow me on Twitter.

Thanks for visiting the TR Dojo.
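The three-step workflow described in the episode (find inactive computers, quarantine and disable them in a separate OU, delete them after a second threshold), written out as a PowerShell script around the dsquery, dsmod, dsmove and dsrm command-line tools. This is an added example, not Rick Vanover's or TR Dojo's code; it assumes a quarantine OU (the placeholder "OU=Stale Computers,DC=example,DC=com" below) already exists, that it runs elevated on a domain controller or an RSAT-equipped Windows 7 machine, and that the quarantine date is recorded in each computer object's Description attribute so the second threshold has its own clock.

```powershell
# Two-stage stale-computer cleanup built on dsquery/dsmod/dsmove/dsrm.
# Added example, not Rick Vanover's or TR Dojo's code. Assumptions: run elevated
# on a DC or an RSAT-equipped Windows 7 box; the quarantine OU below is a
# placeholder that already exists; the quarantine date is stamped into the
# computer object's Description attribute so stage 2 has its own clock.
param(
    [int]$StaleWeeks = 8,           # first threshold: weeks inactive (episode uses 8)
    [int]$GraceDays  = 30,          # second threshold: days in quarantine before deletion
    [string]$StaleOU = 'OU=Stale Computers,DC=example,DC=com',   # placeholder OU
    [switch]$Delete                 # omit for stage 1 (quarantine), add for stage 2 (delete)
)
$stamp = 'Quarantined '             # Description prefix, e.g. "Quarantined 2011-07-05"

# Reads the DNs dsquery prints with -o dn (one quoted DN per line).
function Get-Dns([string[]]$lines) {
    $lines | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }
}

if (-not $Delete) {
    # Stage 1: disable and stamp first (dsmod needs the current DN), then move.
    # -limit 0 lifts dsquery's default 100-result cap.
    $today = Get-Date -Format 'yyyy-MM-dd'
    foreach ($dn in Get-Dns (dsquery computer -inactive $StaleWeeks -limit 0 -o dn)) {
        if ($dn -like "*,$StaleOU") { continue }     # already quarantined; keep its stamp
        dsmod computer $dn -disabled yes -desc "$stamp$today" | Out-Null
        dsmove $dn -newparent $StaleOU | Out-Null
        Write-Host "Quarantined: $dn"
    }
} else {
    # Stage 2: only disabled objects directly under the quarantine OU are candidates,
    # and only if their stamp is older than the grace period. A machine an admin
    # re-enabled (a remote user who finally authenticated) is not matched by -disabled.
    $cutoff = (Get-Date).AddDays(-$GraceDays)
    foreach ($dn in Get-Dns (dsquery computer $StaleOU -scope onelevel -disabled -limit 0 -o dn)) {
        $desc = dsget computer $dn -desc | Where-Object { $_.Trim().StartsWith($stamp) } | Select-Object -First 1
        if (-not $desc) { Write-Host "No stamp, skipping: $dn"; continue }
        $when = [DateTime]::ParseExact($desc.Trim().Substring($stamp.Length), 'yyyy-MM-dd', $null)
        if ($when -lt $cutoff) {
            dsrm $dn -noprompt | Out-Null
            Write-Host "Deleted: $dn (quarantined $($when.ToShortDateString()))"
        }
    }
}
```

Run it without -Delete on the first schedule to quarantine, and with -Delete on the later schedule to purge; anything an admin re-enabled in between is left alone because stage 2 only considers objects that are still disabled.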
