
Identify stale Active Directory computer accounts with dsquery

Active Directory domains are in constant need of housekeeping. Rick Vanover shows one way to identify potentially stale computer accounts in Active Directory.

One frustrating housekeeping task for Active Directory is ensuring that old computer accounts (usually servers, desktop PCs, or laptops joined to the domain) are removed. A quick look at the Object tab of a computer account will tell you when the update sequence number (USN) was last updated, but not the last time the computer logged on to the domain. Stale computer accounts typically end up in Active Directory when a test virtual machine is disposed of, an old server is retired, or a server is upgraded and the old one is held onto just in case.

There are a couple of ways to identify whether a computer account in Active Directory is stale. The approach I recommend is setting up a policy for your Active Directory domain that explains the rules; basically, if a computer account of any type doesn't log on for a specified amount of time, the computer account may be subject to removal.

The complication is remote systems, such as a laptop whose user may be able to do everything they need through a web application and so rarely logs on to the domain; give this some thought before performing wholesale account deletions. Further, I recommend the following staged approach if there are a lot of questions about the Active Directory domain and basic housekeeping needs to be done:

  1. Set a threshold of time for stale accounts to be removed (for example, two months).
  2. Move the potentially stale accounts to a new organizational unit (OU) and disable them.
  3. Run an additional threshold for stale accounts that have been in this OU for one additional month and delete them.

In my personal lab, I ran the dsquery command to see how many computer accounts have been idle for two months (represented as eight weeks in this command, as illustrated in Figure A).

Figure A: output of dsquery computer -inactive 8 in the lab domain (image not reproduced).

The command dsquery computer -inactive 8 runs against the entire domain of the computer it is executed on. Additional parameters, such as a start node that restricts the query to specified OUs, can be used to target certain areas such as old server accounts. If one of the computers in the result subsequently logs its computer account on to Active Directory, dsquery will not return it on the next iteration, since its activity is now within the threshold. As a safety measure, you can run this report quarterly, identify the consistently inactive accounts, and clean them up in stages; this also gives you a better handle on your computer account behavior.
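The three-stage procedure above (identify at eight weeks, disable and move to a holding OU, delete after a further grace period), scripted with the ActiveDirectory PowerShell module as an added example that is not from the article. The staging OU distinguished name, the report path and the description tag are assumed placeholders, and every change is run with -WhatIf so nothing is modified until you remove it.

```powershell
# Staged stale-computer cleanup (added example; assumes the RSAT ActiveDirectory
# module). The OU DN, report path and tag below are placeholders: change them.
Import-Module ActiveDirectory

$StaleWeeks = 8                                        # first threshold: two months
$GraceDays  = 30                                       # time spent disabled in the OU before deletion
$StagingOU  = 'OU=Stale Computers,DC=example,DC=com'   # placeholder DN of the holding OU
$ReportPath = 'C:\Temp\stale-computers.csv'            # placeholder report location
$Tag        = 'STALE-STAGED'                           # marker written into the description

# Stage 1: computers with no logon in $StaleWeeks weeks. Search-ADAccount reads
# lastLogonTimestamp, which is only replicated about every 14 days, so thresholds
# shorter than that are meaningless. Accounts already in the holding OU are skipped.
$stale = Search-ADAccount -AccountInactive -ComputersOnly `
            -TimeSpan ([TimeSpan]::FromDays(7 * $StaleWeeks)) |
         Where-Object { $_.DistinguishedName -notlike "*,$StagingOU" }

# Keep a record of what was found before anything is touched.
$stale | Select-Object Name, LastLogonDate, Enabled, DistinguishedName |
         Export-Csv -Path $ReportPath -NoTypeInformation

foreach ($c in $stale) {
    $dn = $c.DistinguishedName
    # Stamp the staging date into the description so stage 2 can honour the grace period.
    Set-ADComputer -Identity $dn -WhatIf `
        -Description "$Tag $(Get-Date -Format yyyy-MM-dd) lastLogon=$($c.LastLogonDate)"
    Disable-ADAccount -Identity $dn -WhatIf
    Move-ADObject -Identity $dn -TargetPath $StagingOU -WhatIf   # move last: the DN changes
}

# Stage 2: delete accounts that have sat disabled in the holding OU past the grace period.
# A disabled computer cannot log on, so its inactivity keeps accumulating while it waits.
$cutoff = (Get-Date).AddDays(-$GraceDays)
Get-ADComputer -SearchBase $StagingOU -Filter { Enabled -eq $false } -Properties Description |
    Where-Object { $_.Description -match "^$Tag (\d{4}-\d{2}-\d{2})" -and
                   [datetime]$Matches[1] -lt $cutoff } |
    ForEach-Object {
        # Remove-ADComputer refuses objects with child objects (for example BitLocker
        # recovery information); use Remove-ADObject -Recursive for those after review.
        Remove-ADComputer -Identity $_.DistinguishedName -Confirm:$false -WhatIf
    }
```

Run it once with -WhatIf in place and review the CSV; only then remove -WhatIf from the stage you are ready to apply.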

For more information about dsquery, read the TechRepublic article SolutionBase: Using the Dsquery command in Windows Server 2003.

How do you manage stale computer accounts in Active Directory? Let us know in the discussion.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

13 comments
michaelalphine

To manage this AD cleanup task automatically, I tried this automated solution from Lepide, i.e. (http://www.lepide.com/active-directory-cleaner/), and it worked fine for me. This application easily locates user accounts that are obsolete or not in use for a long time. Therefore, we can define a user account inactivity period to consider them obsolete or inactive and remove, disable or move them to another OU, depending upon requirement.

NEJInstr

dsquery does provide some insight for an administrator as to which devices might be under-utilized, or no longer utilized. It is primarily dependent on the last logon feature to determine this, however. In many cases last logon doesn't fully indicate the status of a device on the domain (i.e. autologons, devices that run continuously without a logon, etc.). I created a program called ADPinger which aims to complement dsquery and other tools to provide an administrator with a comprehensive health status of devices within Active Directory. You can try it for yourself at: http://techthoughts.jakemorrison.name/adpinger

Monkworks

If the remote (or home) user never authenticates with AD, the PC/laptop will appear to be stale. In our case we find some users can work for weeks and not actually authenticate with AD in some cases. If other authentication tools are in play it gets worse. A remote computer that uses Safeguard, for example, and let's say the computer is removed in error and it was a remote computer..that piece of hardware may end up having to travel to the head office location to be re-connected to the domain..in some cases... $$

ctfoppen

Hi, I would like to know how you go about doing the following: creating a script to identify stale computers (8 weeks) and moving the identified computers to an OU called Disabled Computers; once moved to the container, the computer gets disabled automatically. (PowerShell and cmd based script)

mgehrls

I use a utility called OldCmp; it looks at either password age or LLTS and can export to csv, html, dhtml, etc. It will disable accounts, and then you can run it again in 30 days to delete the disabled accounts. It can also be used against user accounts. http://www.joeware.net/freetools/tools/oldcmp/index.htm

markbrashear

I added a line to dump the results in a text file: "dsquery computer -inactive 16 >c:\textfile.txt"

perry

If you only want computer names, then use dsquery computer -inactive 8 -o samid

AstroCreep

2008 R2 DCs but at 2003 functional level. What functional level are you at, DWalker88001 and jshelton? What happens when you type dsquery /? Did you try to specify an OU? Might want to give that a shot too.

jshelton

Same here, simple 2003 domain setup. "dsquery computer" works fine, but not with the inactive switch?

DWalker88001

Tells me that I am connected to a domain that doesn't support this query. Hmm... it's a domain controller on Windows 2003, not replicated or anything else. Very simple setup.

Neon Samurai

Also provides some interesting information when doing your MS-LDAP house cleaning.

HAL 9000

Try reposting this in the 'Q&A' forum. The 'Discussion' forum is for matters of general discussion, not specific problems in search of a solution. The 'Water Cooler' is for non-technical discussions. You can submit a question to 'Q&A' here: http://www.techrepublic.com/forum/questions/post?tag=mantle_skin;content There are TR members who specifically seek out problems in need of a solution. Although there is some overlap between the forums, you'll find more of those members in 'Q&A' than in 'Discussions' or 'Water Cooler'. Be sure to use the voting buttons to provide your feedback. Voting a '+' does not necessarily mean that a given response contained the complete solution to your problem, but that it served to guide you toward it. This is intended to serve as an aid to those who may in the future have a problem similar to yours. If they have a ready source of reference available, perhaps they won't need to repeat questions previously asked and answered. If a post did contain the solution to your problem, you can also close the question by marking the helpful post as "The Answer".
