Old AD computer accounts

By Jacques.Gordon
I have inherited an AD 2003 domain with a whole lot of old computer accounts that are not used anymore because those machines have been replaced. The problem is that they are mixed in with the active computer objects. Is there a way I can filter for these accounts?

I'd like to find them without having to mark them all against the actual computers or disabling working objects.

I have tried various dsquery and dsget commands to no avail.

You need to get the lastlogon date out

by neilb@uk In reply to Old AD computer accounts

I don't use dsquery much but I'm puzzled that it doesn't work. Dsquery computer -inactive nweeks is supposed to do exactly what you want. What happens with that command?

It's relatively easy using vbscript or PowerShell but I don't know if you script.

dsquery error message

by Jacques.Gordon In reply to You need to get the lastl ...

If I run dsquery computer dc=my,dc=domain -inactive 8

I get an error saying: dsquery failed:The parameter is incorrect.:Windows could not run this query because you are connected to a domain that does not support this query.

We're running Server 2003 with the domain in win2000 functional level. I tried this on my lab machine and it worked fine.

How could I do that using VB, or do you have any other ideas?

I don't know how good your scripting is...

by neilb@uk In reply to dsquery error message

vbscript, I used to do as follows in our Windows 2003 domain. I used an LDAP query on each DC but you probably won't need to do that. I used ADO:

' Build the LDAP query first. The leading "<" on the base string was dropped
' from the original post by the forum software (see the note below); restored here.
strDC = "YourDCname"
strDomain = "Your domain name"   ' distinguished name, e.g. dc=my,dc=domain
strBase = "<LDAP://" & strDC & "/" & strDomain & ">"
strFilter = "(objectClass=computer)"
strAttributes = "distinguishedName,lastLogon,Name"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

' Open an ADO connection through the Active Directory provider
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

' Attach the command to that connection, then set the paging properties
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 60
objCommand.Properties("Cache Results") = False

' Run the query
objCommand.CommandText = strQuery
Set objRecordSet = objCommand.Execute

That gets all of the computers into a recordset that you can loop through and list out the lastlogondate.

I use PowerShell these days. Far, far easier. I know that it won't run on Windows 2000 but you can access Windows 2000 from a Windows 2003 or XP PowerShell install. You're on your own with this because I can't test it but it's worth installing PS and getting hold of Quest Active Directory Tools for PS. That will let you pull out what you want in seconds. The Quest blurb seems to suggest that it will give you access.

The reason I push PS is for vb you'll have the job of converting the "ticks since 1/1/1601" into something useful! If you reckon you might want to go down this route, post again and I'll set that out.

There is a property "LastLogonTimeStamp" that might do. It's not as accurate.

Neil :)

Because of the way that this page deals with stuff, I've had to remove the "less than", "<" from in front of "LDAP", above, so you could see it.
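
The per-DC lastLogon approach described above, as an added PowerShell example that is not part of the original thread: it runs the same LDAP filter against each DC, keeps the newest lastLogon per computer, and converts the 1601-based value with [DateTime]::FromFileTimeUtc. The function name Get-StaleComputer, the DC names and the base DN are placeholders chosen for illustration, and it uses .NET's DirectorySearcher rather than the Quest cmdlets.

```powershell
# Added example. DC names and the base DN below are placeholders (assumptions).
function Get-StaleComputer {
    param(
        [string[]]$DomainController,      # list every DC: lastLogon is not replicated
        [string]$BaseDN,                  # e.g. 'dc=my,dc=domain'
        [int]$InactiveDays = 56           # 8 weeks, as in the dsquery attempt
    )
    $latest = @{}                         # DN -> highest lastLogon seen on any DC
    foreach ($dc in $DomainController) {
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$BaseDN")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = '(objectClass=computer)'
        $searcher.PageSize = 100          # paged search, so no 1000-object cut-off
        [void]$searcher.PropertiesToLoad.Add('distinguishedName')
        [void]$searcher.PropertiesToLoad.Add('lastLogon')
        $results = $searcher.FindAll()
        foreach ($r in $results) {
            $dn = [string]$r.Properties['distinguishedname'][0]
            $ticks = [int64]0             # attribute absent = never logged on via this DC
            if ($r.Properties.Contains('lastlogon')) {
                $ticks = [int64]$r.Properties['lastlogon'][0]
            }
            if (-not $latest.ContainsKey($dn) -or $ticks -gt $latest[$dn]) {
                $latest[$dn] = $ticks
            }
        }
        $results.Dispose()
    }
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
    foreach ($dn in $latest.Keys) {
        # lastLogon counts 100-nanosecond intervals since 1601-01-01 UTC
        $when = [DateTime]::FromFileTimeUtc($latest[$dn])
        if ($when -lt $cutoff) {
            New-Object PSObject -Property @{
                DistinguishedName = $dn
                LastLogonUtc      = $(if ($latest[$dn] -eq 0) { 'never' } else { $when })
            }
        }
    }
}

# Report only; nothing is disabled or deleted.
Get-StaleComputer -DomainController 'dc1','dc2' -BaseDN 'dc=my,dc=domain' |
    Sort-Object DistinguishedName | Format-Table -AutoSize
```

A computer that has never logged on through any of the queried DCs is reported as "never"; a DC left out of the list can make an active machine look stale.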

PowerShell

by Jacques.Gordon In reply to I don't know how good you ...

Hi, thanks a lot. I'll give that a shot later.

Will PowerShell run on a Win 2003 DC server in domain 2000 functional level?

If it does then I'll just install that then.

I also need to up our functional level soon anyway.

Domain functional level

by wdewey In reply to PowerShell

PowerShell will run since it is dependent on the OS, not the AD version. It should return any results that you would get from a Windows 2000 domain, but it may be able to get the same results that you would get from a 2003 AD domain. I think the functional level just has to do with communication and replication but I am not 100% on that.


Yes, go with Powershell

by neilb@uk In reply to PowerShell

And be sure to add the Quest AD tools. Add PowerGUI as well. Native PS 1.0 is appalling when dealing with AD.


PS1 vs PS2

by Jacques.Gordon In reply to Yes, go with Powershell


I see PS2 for server 2003 is available for download from the MS website. Which version would be better to use?

PS2, without a doubt

by neilb@uk In reply to PS1 vs PS2

Still get the Quest tools, though. I'm using PS2 on 2003 without any problems.

You CAN show "<"

by TobiF In reply to I don't know how good you ...

If I got it right, then this site will allow some basic html in the posts. On the other hand, this means that the character "less than" < will be seen as the beginning of a long strange tag, thus hiding everything after it, (until you reach a ">").
So you need to enter it as an html-entity: "&lt"

Edit: I just noted that if you edit a post, then you have to re-escape everything again!

Hmm. Double post. Must have lost concentration.

by neilb@uk In reply to You CAN show "<"

Couldn't POSSIBLY be the site.

