When a domain has been around for a while, you sometimes find a number of machine accounts in Active Directory for machines that no longer exist in the domain. This means your AD is not consistent because of 'stale computer accounts'. Of course, to maintain a clean forest we need to get rid of these 'dead' computer accounts.
Finding these accounts is the trick, and you need to be sure the accounts are not being used, otherwise you may end up with some cranky users! To do this we'll use what Windows provides us with, and make sure no-one gets hurt in the process. The AD clean-up can be done in a number of phases, and only the last phase is 'destructive', so don't worry!
By the way; this works for 2003 domains and higher...
This is our workflow:
- Find the computer accounts
- Confirm them to be correct
- Disable them
- Remove them
The first step of course is the most fun; for this we use the little-known commands 'dsquery' and 'dsget'. These commands, together with 'dsmod', 'dsadd' and 'dsrm', form a set of very powerful commands you can use to modify Active Directory from the command prompt.
For our purposes we use something like:
dsquery computer -inactive 8 -limit 3000
This command returns all stale computer accounts from the Active Directory domain that have not been 'seen' by the domain controllers for a period of 8 weeks.
By the way, if you would simply like to count them:
dsquery computer -inactive 8 -limit 3000 | find /c "-"
This assumes each computer name contains a "-" dash, though; your machines might have another naming standard.
Note that we added the limit of 3000 to ensure we get all the accounts we need (we have fewer than 3000); otherwise dsquery returns only the first 100 accounts.
This example shows us all the inactive computer accounts older than 8 weeks. If you would like to confirm this, you can do the following:
dsquery computer DC=domain,DC=com -stalepwd 56 -limit 1400
This shows us all the computer accounts that have not changed their password for over 56 days.
The output should be quite similar. Now that we know which computers need to be removed, let's disable them; simply pipe the information to dsmod to modify their status:
dsquery computer DC=domain,DC=com -stalepwd 56 -limit 1400 | dsmod computer -disabled yes
This causes all of those accounts to be disabled. If you have travelers in your company who may not visit the office for over two months, you may want to use somewhat different numbers...
We simply disabled the account, so we can always enable them again.
Now just sit and wait for maybe a week or two; if no-one calls to report problems, you're OK ;-). Now we simply remove the disabled accounts:
dsquery computer DC=domain,DC=com -disabled | dsrm
As you can see, this query simply reports all the disabled computer accounts in AD and pipes that information to the DSRM command, which deletes them.
Take some time to find out more about these special dsget, dsquery etc. commands and become an AD expert! You'll find that they can be really powerful. Of course, when using 2008 you may want to consider looking into PowerShell and the Get-ADUser and Get-ADComputer commands, which give you even more flexibility. In addition you may want to check out Joe's OldCmp tool.
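Here is the same four-phase workflow (find, confirm, disable, remove) written for the ActiveDirectory PowerShell module mentioned above. This is an added example, not code from the original post, and it needs the module that ships with Windows Server 2008 R2 RSAT or later. The thresholds (8 weeks inactive, 56-day password age, 14-day grace period), the CSV report path and the 'StaleCleanup' description marker are assumptions of this example; adjust them to your own environment. Two details worth knowing: the inactivity check uses lastLogonTimestamp, which is replicated but only refreshed roughly every 14 days, so the example also requires a stale machine password before it treats an account as dead; and every destructive step goes through -WhatIf so you can review the list before anything changes.

```powershell
# Added example, not code from the original post. Four-phase stale computer
# clean-up with the ActiveDirectory module. Thresholds, report path and the
# description marker below are assumptions of this example.
Import-Module ActiveDirectory

$Tag = 'StaleCleanup'   # assumed marker written into the description of accounts we disable

# Phases 1 and 2: find inactive computers, then confirm with the password age.
# -AccountInactive uses lastLogonTimestamp (refreshed only about every 14 days),
# so we also require a machine password older than $PwdAgeDays before trusting it.
function Find-StaleComputer {
    param([int]$InactiveWeeks = 8, [int]$PwdAgeDays = 56)
    $pwdCutoff = (Get-Date).AddDays(-$PwdAgeDays)
    Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan ([TimeSpan]::FromDays(7 * $InactiveWeeks)) |
        Where-Object { $_.Enabled } |
        ForEach-Object { Get-ADComputer $_.DistinguishedName -Properties PasswordLastSet, OperatingSystem, Description } |
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $pwdCutoff }
}

# Phase 3: disable only (reversible), write a CSV of what was touched, and stamp
# the description with the date so the removal phase knows when the grace period began.
function Disable-StaleComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(ValueFromPipeline)] $Computer,
        [string]$ReportPath = 'C:\Temp\stale-computers.csv'   # assumed path
    )
    begin { $report = @() }
    process {
        $report += $Computer | Select-Object Name, DistinguishedName, PasswordLastSet, OperatingSystem
        if ($PSCmdlet.ShouldProcess($Computer.DistinguishedName, 'Disable computer account')) {
            Disable-ADAccount -Identity $Computer
            Set-ADComputer -Identity $Computer -Description ("{0} {1:yyyy-MM-dd}" -f $Tag, (Get-Date))
        }
    }
    end { $report | Export-Csv -Path $ReportPath -NoTypeInformation }
}

# Phase 4: after the grace period, delete only the accounts this process disabled,
# identified by the marker in the description, never every disabled computer.
function Remove-StaleComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$GraceDays = 14)
    $graceCutoff = (Get-Date).AddDays(-$GraceDays)
    Get-ADComputer -Filter "Enabled -eq 'False' -and Description -like '$Tag *'" -Properties Description |
        Where-Object {
            $disabledOn = [DateTime]::ParseExact($_.Description.Split(' ')[1], 'yyyy-MM-dd', $null)
            $disabledOn -lt $graceCutoff
        } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DistinguishedName, 'Remove computer account')) {
                Remove-ADComputer -Identity $_ -Confirm:$false
            }
        }
}

# Usage, run on separate days, reviewing the -WhatIf output before the real run:
#   Find-StaleComputer | Disable-StaleComputer -WhatIf
#   Find-StaleComputer | Disable-StaleComputer
#   Remove-StaleComputer -WhatIf        # a week or two later, then again without -WhatIf
```

The marker in the description is what keeps the last phase safe: the dsquery version above deletes every disabled computer in the domain, including ones somebody disabled on purpose, whereas this version only removes accounts it disabled itself and only once the grace period has passed.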