ServerCare home > Posts > How to find and remove old computer accounts from your domain
November 19
How to find and remove old computer accounts from your domain

When a domain has been around for a while, you may find that a number of machine accounts exist in Active Directory for machines that no longer exist in the domain. Your AD is then no longer consistent because of these 'stale computer accounts', and to maintain a clean forest we need to get rid of these 'dead' computer accounts.

Finding these accounts is the trick, and you need to be sure the accounts are not being used, otherwise you may end up with some cranky users! To do this we'll use only what Windows provides us with, and we'll make sure no-one gets hurt in the process. The procedure to clean up the AD can be done in a number of phases, and only the last phase is 'destructive', so don't worry!

By the way; this works for 2003 domains and higher...

This is our workflow: 

  1. Find the computer accounts
  2. Confirm them to be correct
  3. Disable them
  4. wait...
  5. Remove them

The first step is of course the most fun; for this we use the little-known commands 'dsquery' and 'dsget'. Together with 'dsmod', 'dsadd' and 'dsrm' they form a set of very powerful commands you can use to query and modify Active Directory from the command prompt.

For our purposes we use something like:

dsquery computer -inactive 8 -limit 3000

This command returns all stale computer accounts in the Active Directory domain that have not been 'seen' by the domain controllers for a period of 8 weeks (the value given to -inactive is in weeks).

By the way, if you would simply like to count them:

dsquery computer -inactive 8 -limit 3000 | find /c "-"

This assumes each computer name contains a "-" dash, though; your machines might follow another naming standard.

Note that we have added the 3000 limit to ensure we get all the accounts needed (we have fewer than 3000); otherwise you'll only get the first 100 accounts returned.

This example shows us all the inactive computer accounts, older than 8 weeks. If you would like to confirm this you can do the following:

dsquery computer DC=domain,DC=com -stalepwd 56 -limit 1400

This shows us all the computer accounts that have not changed their password for over 56 days, which is the same 8 weeks expressed in days (-stalepwd takes days, -inactive takes weeks).

The output should be quite similar. Now that we know which computers need to be removed, let's disable them: simply pipe the information to dsmod to modify their status:

dsquery computer DC=domain,DC=com -stalepwd 56 -limit 1400 | dsmod computer -disabled yes

Every account the query returns is passed to dsmod to be disabled. If you have travelers in your company who may not visit the office for over two months, you may want to use somewhat different numbers...

We simply disabled the account, so we can always enable them again.

Now just sit and wait for maybe a week or two; if no-one calls to report problems, you're OK ;-). Now we simply remove the disabled accounts:

dsquery computer DC=domain,DC=com -disabled | dsrm

As you can see, this query simply reports all the disabled computer accounts in AD and pipes that information to the dsrm command, which deletes them.

You're done!

Take some time to find out more about these special dsget, dsquery, etc. commands and become an AD expert! You'll find that they can be really powerful. Of course, when using 2008 you may want to consider looking into PowerShell and the Get-ADUser and Get-ADComputer commands, which give you even more flexibility. In addition you may want to check out Joe's OldCmp tool.
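Added example, not code from the original post: the same find / confirm / disable / wait / remove workflow written for the ActiveDirectory PowerShell module that the previous paragraph points to. It assumes the RSAT ActiveDirectory module is installed, that it runs as an account allowed to modify computer objects, and that 'DC=domain,DC=com' and 'OU=Laptops,DC=domain,DC=com' are placeholders for your own domain and for an OU you want left alone. The function names Get-StaleComputerAccount, Disable-StaleComputerAccount and Remove-StaleComputerAccount are this example's own. Two details matter for both this script and dsquery -inactive: lastLogonTimestamp is only written back to the directory when it is roughly 14 days out of date, so inactivity periods shorter than that give no meaningful answer; and the script stamps the description of every account it disables so that the final phase deletes only accounts this process disabled, never ones an administrator disabled for another reason.

```powershell
# Added example, not the original post's code: the find / confirm / disable / wait /
# remove workflow with the ActiveDirectory module. Domain and OU values are placeholders.
#Requires -Modules ActiveDirectory

function Test-OlderThan($Stamp, [datetime]$Cutoff) {
    # A missing stamp (never logged on / password never set) is treated as stale
    # so it shows up in the report rather than silently passing the filter.
    return ($null -eq $Stamp) -or ($Stamp -lt $Cutoff)
}

function Get-StaleComputerAccount {
    # Phases 1 and 2: not seen for $InactiveDays AND machine password equally old,
    # i.e. the -inactive 8 / -stalepwd 56 cross-check done in a single pass.
    # lastLogonTimestamp is only replicated when it is about 14 days out of date,
    # so $InactiveDays below 14 cannot give a meaningful answer.
    param(
        [int]$InactiveDays = 56,                    # 8 weeks, as in the dsquery example
        [string]$SearchBase = 'DC=domain,DC=com',   # placeholder domain
        [string[]]$ExcludeOU = @()                  # OUs to skip, e.g. 'OU=Laptops,DC=domain,DC=com'
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                   -Properties LastLogonDate, PasswordLastSet |
        Where-Object {
            $c = $_
            $skip = $ExcludeOU | Where-Object { $c.DistinguishedName -like "*,$_" }
            (-not $skip) -and
            (Test-OlderThan $c.LastLogonDate $cutoff) -and
            (Test-OlderThan $c.PasswordLastSet $cutoff)
        }
}

$StampPrefix = 'Disabled as stale on '   # written into Description by phase 3

function Disable-StaleComputerAccount {
    # Phase 3: disable only, so the account can be re-enabled if someone complains.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipeline)]$Computer)
    process {
        $dn = $Computer.DistinguishedName
        if ($PSCmdlet.ShouldProcess($dn, 'Disable stale computer account')) {
            # Record when and why, so phase 5 never deletes an account that an admin
            # disabled for some other reason.
            Set-ADComputer -Identity $dn -Description ($StampPrefix + (Get-Date -Format 'yyyy-MM-dd'))
            Disable-ADAccount -Identity $dn
        }
    }
}

function Remove-StaleComputerAccount {
    # Phase 5: after the waiting period, delete only accounts stamped by phase 3.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$WaitDays = 14, [string]$SearchBase = 'DC=domain,DC=com')
    $pattern = '^' + [regex]::Escape($StampPrefix) + '(\d{4}-\d{2}-\d{2})$'
    Get-ADComputer -Filter 'Enabled -eq $false' -SearchBase $SearchBase -Properties Description |
        ForEach-Object {
            if ($_.Description -match $pattern) {
                $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
                if ($disabledOn -le (Get-Date).AddDays(-$WaitDays) -and
                    $PSCmdlet.ShouldProcess($_.DistinguishedName, 'Remove stale computer account')) {
                    # Remove-ADComputer refuses objects that have children (e.g. service
                    # connection points); Remove-ADObject -Recursive covers both cases.
                    Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false
                }
            }
        }
}

# --- Usage -------------------------------------------------------------------
# Phase 1/2: report only; nothing in the directory changes.
$stale = Get-StaleComputerAccount -InactiveDays 56 -ExcludeOU 'OU=Laptops,DC=domain,DC=com'
$stale | Select-Object Name, LastLogonDate, PasswordLastSet, DistinguishedName | Format-Table -AutoSize
'{0} stale computer account(s) found' -f @($stale).Count      # replaces the find /c "-" trick

# Phase 3: -WhatIf prints what would be disabled; drop it once the list looks right.
$stale | Disable-StaleComputerAccount -WhatIf

# Phase 4/5: come back after a week or two and run with -WhatIf first, then for real.
Remove-StaleComputerAccount -WaitDays 14 -WhatIf
```

Run the report and the two -WhatIf calls first; they show what would change without touching the directory. Where the dsquery version used two separate runs (-inactive and -stalepwd) to cross-check each other, the filter here requires both timestamps to be older than the cutoff in one pass, and the description stamp is what ties the removal phase to the accounts this process disabled.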

Comments

Saved me a lot of time.

Great work!!!
 on 8/20/2010 18:52

Computer Specialist (Software)

Thanks a lot.
I was able to identify more than 1000 old accounts on our domain. Working on deleting them. Helps a lot.
 on 10/6/2010 23:57

Very useful

Thanks a lot.
A big time saver and easy way to spring clean.
 on 2/8/2011 1:25

Thanks!!!

This was great.  Like the first hit on Google too.

Helped me save some precious hours!!!
 on 5/19/2011 16:26

It did exactly what I've looked for!

Thank you very much! Gr8 job!
 on 12/19/2011 14:04

Brilliant

Fantastic, covered very well and exactly what a newb like me needs :)
 on 2/20/2012 23:08

Very cool, thanks!!

I've recently been tasked with cleaning up our directory and this was a huge help. Thank you! I was wondering if it is possible to omit a specific OU from its parent that is being reported on?
 on 4/18/2012 1:21

Awesome Stuff

Hi,
Thanks a lot guys this worked great
 on 11/21/2012 8:38

Thanks for this very useful info

I have racked my brain on how to cleanup our AD computers.
Thanks for this cautious and effective approach.
 on 12/21/2012 22:49

Helpful and easy way provided, thanks a lot

 on 1/15/2013 10:44
