I have inherited an AD 2003 domain with a whole lot of old computer accounts that are not used anymore because those machines have been replaced. The problem is that they are mixed in with the active computer objects. Is there a way I can filter for these accounts?
I'd like to find them without having to mark them all against the actual computers or disabling working objects.
I have tried various dsquery and dsget commands to no avail.
I don't use dsquery much but I'm puzzled that it doesn't work. Dsquery computer -inactive nweeks is supposed to do exactly what you want. What happens with that command?
It's relatively easy using vbscript or PowerShell but I don't know if you script.
If I run dsquery computer dc=my,dc=domain -inactive 8
I get an error saying: dsquery failed:The parameter is incorrect.:Windows could not run this query because you are connected to a domain that does not support this query.
We're running Server 2003 with the domain in win2000 functional level. I tried this on my lab machine and it worked fine.
How could I do that using VB, or do you have any other ideas?
objCommand.CommandText = sQuery
Set objRecordSet = objCommand.Execute
That gets all of the computers into a recordset that you can loop through and list out the lastlogondate.
I use PowerShell these days. Far, far easier. I know that it won't run on Windows 2000 but you can access Windows 2000 from a Windows 2003 or XP PowerShell install. You're on your own with this because I can't test it but it's worth installing PS and getting hold of Quest Active Directory Tools for PS. That will let you pull out what you want in seconds. The Quest blurb seems to suggest that it will give you access.
The reason I push PS is that for VB you'll have the job of converting the "ticks since 1/1/1601" into something useful! If you reckon you might want to go down this route, post again and I'll set that out.
There is a property "LastLogonTimeStamp" that might do. It's not as accurate.
Neil :)
Because of the way that this page deals with stuff, I've had to remove the "less than", "<" from in front of "LDAP", above, so you could see it.
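The per-DC lookup and the "ticks since 1/1/1601" conversion discussed above, as an added PowerShell example that is not code from any poster in this thread. It relies on lastLogon because lastLogonTimestamp is only maintained at Windows Server 2003 domain functional level; lastLogon is never replicated, so the newest value across all domain controllers is the one that counts. The DC names `dc01` and `dc02`, the function names and the sample data are assumptions made for illustration.

```powershell
# Added example. lastLogon is stored per domain controller and is not replicated,
# so every DC has to be asked and the newest answer kept.

function Get-DcLastLogon([string]$Server, [string]$BaseDn) {
    # Returns @{ computerName = FILETIME (Int64) } as seen by one DC.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDn")
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectCategory=computer)')
    $s.PageSize = 500                      # page through results beyond the server limit
    [void]$s.PropertiesToLoad.Add('name')
    [void]$s.PropertiesToLoad.Add('lastlogon')
    $seen = @{}
    foreach ($r in $s.FindAll()) {
        $ticks = [Int64]0                  # attribute absent: never logged on via this DC
        if ($r.Properties['lastlogon'].Count -gt 0) { $ticks = [Int64]$r.Properties['lastlogon'][0] }
        $seen[[string]$r.Properties['name'][0]] = $ticks
    }
    $seen
}

function Get-StaleComputer([hashtable[]]$PerDc, [int]$Days, [DateTime]$Now) {
    # Merge the per-DC tables, keeping the most recent lastLogon per computer.
    $latest = @{}
    foreach ($dc in $PerDc) {
        foreach ($name in $dc.Keys) {
            if (-not $latest.ContainsKey($name) -or $dc[$name] -gt $latest[$name]) {
                $latest[$name] = $dc[$name]
            }
        }
    }
    $cutoff = $Now.ToUniversalTime().AddDays(-$Days)
    foreach ($name in $latest.Keys) {
        # FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 converts to 1601, i.e. never
        $when = [DateTime]::FromFileTimeUtc($latest[$name])
        if ($when -lt $cutoff) {
            New-Object PSObject -Property @{ Name = $name; LastLogonUtc = $when }
        }
    }
}

# Constructed sample data standing in for the answers of two DCs
$now = [DateTime]::SpecifyKind([DateTime]'2008-06-01', 'Utc')
$dc1 = @{ 'PC-ACTIVE' = $now.AddDays(-90).ToFileTimeUtc(); 'PC-OLD' = $now.AddDays(-400).ToFileTimeUtc(); 'PC-NEVER' = [Int64]0 }
$dc2 = @{ 'PC-ACTIVE' = $now.AddDays(-3).ToFileTimeUtc();  'PC-OLD' = [Int64]0 }
Get-StaleComputer -PerDc $dc1, $dc2 -Days 56 -Now $now | Sort-Object Name

# Live use (dc01/dc02 are hypothetical DC names):
# $perDc = 'dc01','dc02' | ForEach-Object { Get-DcLastLogon $_ 'dc=my,dc=domain' }
```

With the sample data, PC-ACTIVE looks stale on the first DC alone but is cleared by the second, which is why a single-DC query produces false positives. Review the output and disable accounts for a while before deleting them, since a machine that has never logged on and one that is merely powered off look the same here.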
PowerShell will run since it is dependent on the OS, not the AD version. It should return any results that you would get from a Windows 2000 domain, but it may be able to get the same results that you would get from a 2003 AD domain. I think the functional level just has to do with communication and replication but I am not 100% on that.
If I got it right, then this site will allow some basic html in the posts. On the other hand, this means that the character "less than" < will be seen as the beginning of a long strange tag, thus hiding everything after it, (until you reach a ">"). So you need to enter it as an html-entity: "&lt;"
Edit: I just noted that if you edit a post, then you have to re-escape everything again!