Deleting a large number of inactive computer accounts can be a tedious process. Fortunately, there are ways to handle this task programmatically. Here's the code to handle any bulk deletion.
You’ve probably been looking at your Windows-based domains lately and wondering about all those inactive computer accounts. What are some of them? Are they merely shut down for the day, or have they been permanently removed from the network? If you have hundreds or thousands of computer accounts, the thought of tracking them all down and removing them manually is daunting enough to make you forgo the task altogether. Fortunately, there's an easier way.
Finding the password age
Every computer account in a domain has a password. Password management is handled automatically, so many administrators don’t even know of its existence. Computer accounts will change their password at regular intervals; NT 4.0 computers change theirs every seven days, while Windows 2000 computers and higher change theirs every 30 days.
For more information, refer to Microsoft Knowledge Base articles 175468 and 154501. These password change frequency numbers are only the default and can be modified in your environment. Domain controllers do not periodically change their passwords.
If the default password age hasn’t been changed in your environment, it’s safe to assume that any machine that hasn’t changed its password within 30 days is no longer on the network. Granted, there are always exceptions, so when you begin considering the deletion of these accounts, I’d recommend using a threshold of 90 days instead.
So how do you find the password age for all of your computer accounts? We could easily script this, and if you’re interested, check out this Google newsgroup posting. However, there’s a great freeware utility already available for this task: NetPWAge by SystemTools.com (click on the Password Age link). Using this utility, you can generate a tab-delimited text file of all the computer accounts and the age of their passwords by executing the following command:
NetPWAge /machines /domain:YOURDOMAINHERE /tabs > ComputerAccts.txt
Now, import this text file into your favorite spreadsheet program. Keep the column headers, but remove any extraneous header lines, and then sort by the Password Age column. Remove all the rows for the active computers (password age of 90 days or less). Next, export the remaining rows of information to a tab-delimited text file called ComputerAcctsToDelete.txt. This file now contains all the computer accounts that you want to delete from your domain, and it's the input file for our script in the next section.
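The spreadsheet filtering step above can also be scripted. The following is an added example, not part of the original article or its download: it writes ComputerAcctsToDelete.txt from the NetPWAge export and holds back domain controllers, which, as noted earlier, do not periodically change their passwords and would otherwise look inactive. The header text "Password Age", the account name being in the first column, and the names DC01 and DC02 are assumptions.

```vbscript
Option Explicit
' Added example. Assumed NetPWAge export layout: tab-delimited, one header row,
' account name in the first column, age in days under "Password Age".
Const inFilename = "ComputerAccts.txt"
Const outFilename = "ComputerAcctsToDelete.txt"
Const ageHeader = "Password Age"   ' assumed header text; adjust to your export
Const maxAgeDays = 90              ' threshold recommended in the article
Const ForReading = 1, ForWriting = 2

' Accounts that must never be listed, such as domain controllers.
' Hypothetical names; write them exactly as they appear in the first column.
Dim keep : Set keep = CreateObject("Scripting.Dictionary")
keep.CompareMode = vbTextCompare
keep.Add "DC01", True
keep.Add "DC02", True

Dim fso, inFile, outFile, header, fields, ageCol, i, listed, skipped
Set fso = CreateObject("Scripting.FileSystemObject")
Set inFile = fso.OpenTextFile(inFilename, ForReading)
header = inFile.ReadLine

' Find the age column from the header row instead of hard-coding its position.
fields = Split(header, vbTab)
ageCol = -1
For i = 0 To UBound(fields)
    If StrComp(Trim(fields(i)), ageHeader, vbTextCompare) = 0 Then ageCol = i
Next
If ageCol < 0 Then
    WScript.Echo "Column '" & ageHeader & "' not found; no list written."
    WScript.Quit 1
End If

Set outFile = fso.OpenTextFile(outFilename, ForWriting, True)
outFile.WriteLine header   ' the deletion script skips the first line
listed = 0 : skipped = 0
While Not inFile.AtEndOfStream
    fields = Split(inFile.ReadLine, vbTab)
    If UBound(fields) < ageCol Then
        skipped = skipped + 1          ' short or blank row
    ElseIf keep.Exists(Trim(fields(0))) Or Not IsNumeric(fields(ageCol)) Then
        skipped = skipped + 1          ' protected account or unreadable age
    ElseIf CLng(fields(ageCol)) > maxAgeDays Then
        outFile.WriteLine Join(fields, vbTab)
        listed = listed + 1
    End If
Wend
inFile.Close : outFile.Close
WScript.Echo listed & " listed for deletion, " & skipped & " skipped."
```

Rows whose age cannot be read are skipped rather than listed, so a malformed export never adds an account to the deletion file.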
Deleting the accounts
Now that you have a listing of all the computer accounts you want to delete, let’s look at building a Visual Basic script that will read in this list and delete each one from the domain.
The bulk of this script revolves around the processes of reading in each line of the input file and performing a task. For more information on these processes, refer to the article "Reset local administrator passwords with VBScript."
Let’s take a look at the lines of the script that pertain to our task of deleting computer accounts. First, let’s examine some of our declared constants.
26: Const strDomain = "YOURDOMAINHERE"
30: Const inFilename = "ComputerAcctsToDelete.txt"
31: Const outFilename = "ComputerAcctsDeleted.log"
To delete the accounts, you’ll need to edit line 26 to match their domain location. Line 30 declares the name of the input file (which you created in the previous section), while line 31 declares the name of the log file. The next part of the script makes sure that the user knows what he or she is doing by executing this script:
38: ' Present warning to user and verify that user wants to continue.
39: mbAnswer = MsgBox("This operation CANNOT BE UNDONE. Please ensure that the list you are " & _
40: "using to run this script against does not contain any computer names for active computers. " & _
41: "Are you sure you want to continue?", vbYesno, "WARNING!")
42: If mbAnswer = vbNo Then
43: wscript.echo "Script aborted."
44: Else 'continue with remainder of script
45-70: <Do the script here>
71: End If
The meat of the script is here:
56: While Not inFile.AtEndOfStream
57: arrayAccountNames = Split(inFile.Readline, vbTab, -1, 1)
58: ' arrayAccountNames(0) contains the computer account name (to delete)
59: strComputerName = arrayAccountNames(0)
60: ' Delete the computer account
61: objDomain.Delete "computer", strComputerName
62: If Err.Number <> 0 Then ' Error when attempting to delete computer
63: outFile.writeline Now() & vbTab & "Unable to delete computer " & strComputerName
64: Else ' Successful deletion
65: outFile.writeline Now() & vbTab & "Computer account " & strComputerName & " deleted."
66: End If
The first line of the file is skipped (contains headers), and then each line in the file is read as input. Lines 58 and 59 read in the first value of the line as the computer name. Line 61 attempts to actually delete the computer account. The remaining lines check for errors, write to the log file, and clear any errors that were encountered. Place the script file and the input file in the same directory, execute, and check the logs when you’re done.
Complete script available for download
If you don't like to type, I've included the completed script in a text file and made it available as a download for TechProGuild members.
Extending tools to user accounts
These utilities can be easily modified to delete user accounts instead of computer accounts. The NetPWAge utility has a /users switch that allows you to create your input file. On line 61, you'd simply change "computer" to "user". Changing variable names, filenames, etc., would also be a good idea to prevent confusion but isn’t technically necessary. Keep in mind that many user accounts are not forced to change passwords. You'll probably want to use different criteria for creating your input file, but if you have a valid list, the modified script works great for user accounts.
Get approval first
Before permanently deleting a bulk list of computers or users, be sure to seek approval from your IT manager, and ensure that you're complying with any company policies that may be in place. As mentioned in the script, this action can’t be undone. But it will save you from an extremely monotonous, repetitive task.