Identify stale Active Directory computer accounts with dsquery

Active Directory domains are in constant need of housekeeping. Rick Vanover shows one way to identify potentially stale computer accounts in Active Directory.

One frustrating housekeeping task for Active Directory is ensuring that old computer accounts (usually servers, desktop PCs, or laptops joined to the domain) are removed. A quick look at the Object tab of a computer account will tell you when its update sequence number (USN) was last updated, but not the last time the computer logged on to the domain. Stale computer accounts get into Active Directory for a number of reasons: a test virtual machine is disposed of, an old server is retired, or a server is upgraded and the old one is kept around just in case.

There are a couple of ways to identify whether a computer account in Active Directory is stale. The approach I recommend is setting up a policy for your Active Directory domain that explains the rules; basically, if a computer account of any type doesn't log on for a specified amount of time, the computer account may be subject to removal.

The complication is remote systems, such as a laptop whose user can do everything they need through a web application and may therefore never log on to the domain; give this some thought before performing wholesale account deletions. If there are a lot of open questions about the Active Directory domain and basic housekeeping needs to be done, I recommend the following staged approach:

  1. Set a threshold of time for stale accounts to be removed (for example, two months).
  2. Move the potentially stale accounts to a new organizational unit (OU) and disable them.
  3. Run an additional threshold for stale accounts that have been in this OU for one additional month and delete them.

In my personal lab, I ran the dsquery command to see how many computer accounts had been idle for two months (represented as eight weeks in this command, as illustrated in Figure A).

Figure A


The command dsquery computer -inactive 8 runs against the entire domain of the computer on which it is executed. Additional parameters, such as restricting the query to specified OUs, let you target certain areas such as old server accounts. If one of the computers in the result subsequently logs its computer account on to Active Directory, dsquery will not return it on the next run, because its activity is now within the threshold. As a safety measure, you can run this report quarterly and identify the consistently inactive accounts, cleaning them up in stages and getting a better handle on your computer account behavior.
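The staged approach above (find accounts idle for eight weeks, park and disable them in a holding OU, delete those that stay idle for one more month) can be scripted around dsquery and its companion tools dsmove, dsmod and dsrm. The script below is an added example, not from the original article; the staging OU distinguished name, the eight-week and four-week thresholds, and the use of "idle for stale plus grace weeks inside the OU" as the second-stage test are assumptions you should adjust to your own policy.

```powershell
<#
 Staged cleanup of stale computer accounts (assumed names and thresholds):
   $StagingOu  - OU that holds disabled candidates before deletion (placeholder DN)
   $StaleWeeks - initial inactivity threshold, 8 weeks = two months
   $GraceWeeks - extra time in the staging OU before deletion, 4 weeks = one month
 Run with -DryRun first; nothing is moved, disabled or deleted in that mode.
#>
param(
    [string]$StagingOu = "OU=StaleComputers,DC=example,DC=com",  # assumed placeholder
    [int]$StaleWeeks = 8,
    [int]$GraceWeeks = 4,
    [switch]$DryRun
)

# dsquery prints one quoted DN per line, e.g. "CN=PC01,OU=Workstations,DC=example,DC=com".
# -limit 0 lifts the default 100-result cap so a large domain is not silently truncated.
function Get-StaleComputerDn([string]$StartNode, [int]$Weeks, [switch]$DisabledOnly) {
    $query = @($StartNode, '-inactive', $Weeks, '-limit', '0')
    if ($DisabledOnly) { $query += '-disabled' }
    & dsquery computer @query | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }
}

# Stage 1: idle accounts anywhere in the domain, excluding those already parked in the
# staging OU (a disabled account cannot log on, so it would otherwise keep matching).
$candidates = Get-StaleComputerDn 'domainroot' $StaleWeeks |
    Where-Object { $_ -notlike "*,$StagingOu" }

foreach ($dn in $candidates) {
    Write-Host "STAGE 1: move and disable $dn"
    if (-not $DryRun) {
        & dsmove "$dn" -newparent "$StagingOu" | Out-Null
        # dsmove keeps the RDN (CN=...), so the new DN is RDN + staging OU.
        $newDn = ($dn -split ',', 2)[0] + ",$StagingOu"
        & dsmod computer "$newDn" -disabled yes | Out-Null
    }
}

# Stage 2: disabled accounts in the staging OU that have now been idle for the full
# stale + grace period. Assumption: because a staged account is disabled and cannot log on,
# inactivity beyond the first threshold approximates "time spent in this OU".
$expired = Get-StaleComputerDn $StagingOu ($StaleWeeks + $GraceWeeks) -DisabledOnly
foreach ($dn in $expired) {
    Write-Host "STAGE 2: delete $dn"
    if (-not $DryRun) { & dsrm "$dn" -noprompt | Out-Null }
}
```

Review the dry-run output, and the Stage 1 list in particular, against known remote or web-only machines before running it for real, since a laptop that never contacts the domain looks identical to an abandoned account.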

For more information about dsquery, read the TechRepublic article SolutionBase: Using the Dsquery command in Windows Server 2003.

How do you manage stale computer accounts in Active Directory? Let us know in the discussion.