You’ve probably been looking at your Windows-based domains
lately and wondering about all those inactive computer accounts. What are some
of them? Are they merely shut down for the day, or have they been permanently
removed from the network? If you have hundreds or thousands of computer
accounts, the thought of tracking them all down and removing them manually is
daunting enough to make you forgo the task altogether. Fortunately, there’s an
easier way.

Finding the password age

Every computer account in a domain has a password. Password
management is handled automatically, so many administrators don’t even know of
its existence. Computer accounts will change their password at regular
intervals; NT 4.0 computers change theirs every seven days, while Windows 2000
computers and higher change theirs every 30 days.


Note

For more information, refer to Microsoft Knowledge Base
articles 175468 and 154501. These password change frequency numbers are only the
default and can be modified in your environment. Domain controllers do not
periodically change their passwords.


If the default password age hasn’t been changed in your
environment, it’s safe to assume that any machine that hasn’t changed its
password within 30 days is no longer on the network. Granted, there are always
exceptions, so when you begin considering the deletion of these accounts, I’d
recommend using a threshold of 90 days instead.

So how do you find the password age for all of your computer
accounts? We could easily script this, and if you’re interested, check out this
Google newsgroup posting. However, there’s a great freeware
utility already available for this task: NetPWAge by
SystemTools.com
(click on the Password Age link). Using this utility, you can generate a tab-delimited text
file of all the computer accounts and the age of their passwords by executing
the following command:

NetPWAge /machines /domain:YOURDOMAINHERE /tabs > ComputerAccts.txt

Now, import this text file into your favorite spreadsheet
program. Keep the column headers, but remove any extraneous header lines, and
then sort by the Password Age column. Remove all the rows for the active
computers (password age of 90 days or less). Next, export the remaining rows of
information to a tab-delimited text file called ComputerAcctsToDelete.txt.
This file now contains all the computer accounts that you want to
delete from your domain, and it's the input file for the script in the next
section.

Deleting the accounts

Now that you have a listing of all the computer accounts you
want to delete, let’s look at building a Visual Basic script that will read in
this list and delete each one from the domain.

The bulk of this script revolves around the processes of
reading in each line of the input file and performing a task. For more
information on these processes, refer to the article “Reset
local administrator passwords with VBScript.”

Let’s take a look at the lines of the script that pertain to
our task of deleting computer accounts. First, let’s examine some of our
declared constants.

26: Const strDomain = "YOURDOMAINHERE"
30: Const inFilename = "ComputerAcctsToDelete.txt"
31: Const outFilename = "ComputerAcctsDeleted.log"

To delete the accounts, you'll need to edit line 26 to match
your domain name. Line 30 declares the name of the input file (which you
created in the previous section), while line 31 declares the name of the log
file. The next part of the script makes sure that the user knows what he or she
is doing by executing this script:

38: ' Present warning to user and verify that user wants to continue.
39: mbAnswer = MsgBox("This operation CANNOT BE UNDONE. Please ensure that the list you are " & _
40:     "using to run this script against does not contain any computer names for active computers. " & _
41:     "Are you sure you want to continue?", vbYesNo, "WARNING!")
42: If mbAnswer = vbNo Then
43:     wscript.echo "Script aborted."
44: Else ' continue with remainder of script
45-70: <Do the script here>
71: End If

The meat of the script is here:

56: While Not inFile.AtEndOfStream
57:     arrayAccountNames = Split(inFile.Readline, vbTab, -1, 1)
58:     ' arrayAccountNames(0) contains the computer account name (to delete)
59:     strComputerName = arrayAccountNames(0)
60:     ' Delete the computer account
61:     objDomain.Delete "computer", strComputerName
62:     If Err.Number <> 0 Then ' Error when attempting to delete computer
63:         outFile.writeline Now() & vbTab & "Unable to delete computer " & strComputerName
64:     Else ' Successful deletion
65:         outFile.writeline Now() & vbTab & "Computer account " & strComputerName & " deleted."
66:     End If
67:     Err.Clear
68: Wend

The first line of the file is skipped (contains headers),
and then each line in the file is read as input. Lines 58 and 59 read in the
first value of the line as the computer name. Line 61 attempts to actually
delete the computer account. The remaining lines check for errors, write to the
log file, and clear any errors that were encountered. Place the script file and
the input file in the same directory, execute, and check the logs when you’re
done.
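As an added example that is not part of the original article or of the TechProGuild download, here is the same find, review, delete workflow written for the ActiveDirectory PowerShell module (shipped with Windows Server and the RSAT tools), which replaces both NetPWAge and the VBScript. The function names, the 90-day default, the -Confirmed switch and the PasswordAgeDays column are my choices; the file names are the article's. It assumes the module is installed and that the account running it can read and delete computer objects. Domain controllers are filtered out of the stale list because, as the article notes, they do not change their passwords on the normal schedule, so their password age says nothing about whether they are active.

```powershell
# Added example: stale computer account cleanup with the ActiveDirectory module.
# Assumes RSAT / ActiveDirectory module and rights to read and delete computer objects.
Import-Module ActiveDirectory

# Step 1: write a tab-delimited review file of computer accounts whose password is
# older than the threshold. Domain controllers are excluded because their password
# age is not evidence of inactivity. Accounts that never set a password
# (PasswordLastSet empty) are not matched by the filter and must be reviewed separately.
function Find-StaleComputerAccount {
    param(
        [int]$ThresholdDays = 90,                  # article recommends 90 rather than the 30-day default
        [string]$OutFile = 'ComputerAccts.txt'
    )
    $cutoff  = (Get-Date).AddDays(-$ThresholdDays)
    $dcNames = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

    Get-ADComputer -Filter { PasswordLastSet -lt $cutoff } -Properties PasswordLastSet, OperatingSystem |
        Where-Object { $dcNames -notcontains $_.Name } |
        Select-Object Name, DistinguishedName, OperatingSystem,
            @{ n = 'PasswordAgeDays'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
        Sort-Object PasswordAgeDays -Descending |
        Export-Csv -Path $OutFile -Delimiter "`t" -NoTypeInformation
}

# Step 2: delete the accounts in the reviewed file, logging one line per account.
# Without -Confirmed this is a dry run: Remove-ADComputer is called with -WhatIf,
# so nothing is deleted and the log shows what would have happened.
function Remove-StaleComputerAccount {
    param(
        [string]$InFile  = 'ComputerAcctsToDelete.txt',
        [string]$LogFile = 'ComputerAcctsDeleted.log',
        [switch]$Confirmed
    )
    foreach ($row in (Import-Csv -Path $InFile -Delimiter "`t")) {
        $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        try {
            # Delete by DistinguishedName so a reused or ambiguous short name
            # cannot resolve to a different object than the one that was reviewed.
            # Remove-ADComputer refuses objects that have children (for example
            # BitLocker recovery information); those need Remove-ADObject -Recursive.
            Remove-ADComputer -Identity $row.DistinguishedName -Confirm:$false `
                              -WhatIf:(-not $Confirmed) -ErrorAction Stop
            $msg = if ($Confirmed) { "Computer account $($row.Name) deleted." }
                   else            { "[WhatIf] would delete $($row.Name)" }
            Add-Content -Path $LogFile -Value "$stamp`t$msg"
        }
        catch {
            Add-Content -Path $LogFile -Value "$stamp`tUnable to delete computer $($row.Name): $($_.Exception.Message)"
        }
    }
}

# Usage:
#   Find-StaleComputerAccount -ThresholdDays 90          # produces ComputerAccts.txt
#   (review it in a spreadsheet, save the rows to delete as ComputerAcctsToDelete.txt)
#   Remove-StaleComputerAccount                          # dry run, logs "[WhatIf]" lines only
#   Remove-StaleComputerAccount -Confirmed               # performs the deletions
```

The dry run is the important part: run it, read ComputerAcctsDeleted.log, and only then run with -Confirmed. Many shops also disable the accounts and move them to a holding OU for a few weeks before deleting, so a machine that was merely off for the quarter can be re-enabled rather than rejoined. For the user-account variant in the next section, swap Get-ADComputer and Remove-ADComputer for Get-ADUser and Remove-ADUser; the file handling and logging are unchanged.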


Complete script available for download

If you don’t like to type, I’ve included the completed
script in a text file and made it available as a download
for TechProGuild members.


Extending tools to user accounts

These utilities can be easily modified to delete user
accounts instead of computer accounts. The NetPWAge utility has a /users switch
that allows you to create your input file. On line 61, you’d simply change “computer”
to “user”. Changing variable names, filenames, etc., would also be a
good idea to prevent confusion but isn’t technically necessary. Keep in mind
that many user accounts are not forced to change passwords. You’ll probably
want to use different criteria for creating your input file, but if you have a
valid list, the modified script works great for user accounts.

Get approval first

Before permanently deleting a bulk list of computers or
users, be sure to seek approval from your IT manager, and ensure that you’re
complying with any company policies that may be in place. As mentioned in the
script, this action can’t be undone. But it will save you from an extremely
monotonous, repetitive task.