How to find and remove old computer accounts from your domain


When a domain has been around for a while, you sometimes find that a number of machine accounts still exist in Active Directory although the machines themselves are long gone from the domain. These 'stale computer accounts' leave your AD inconsistent, so to keep a clean forest we need to get rid of these 'dead' computer accounts.

Finding these accounts is the trick, and you need to be sure the accounts are not being used, otherwise you may end up with some cranky users! To do this we'll use what Windows provides us with, and to make sure no one gets hurt in the process we'll clean up the AD in a number of phases; only the last phase is 'destructive'.


  1. Find the computer accounts
  2. Confirm them to be correct
  3. Disable them
  4. Remove them


The first step is of course the most fun; for this we use the little-known commands 'dsquery' and 'dsget'. Together with dsmod, dsadd and dsrm they form a set of very powerful commands you can use to query and modify the AD from the command prompt.

For our purposes we use something like:
dsquery computer -inactive 8 -limit 3000
By the way, if you would simply like to count them:
dsquery computer -inactive 8 -limit 3000 | find /c "-"
Note that we have added the 3000 limit to ensure we get all the accounts we need (we have fewer than 3000); otherwise you'll only get the default of 100 accounts returned.

This example shows us all the computer accounts that have been inactive for more than 8 weeks. If you would like to confirm this you can do the following, which looks at the same 8 weeks (56 days) measured on the machine password age instead:
dsquery computer DC=domain,DC=com -stalepwd 56 -limit 1400
The output should be quite similar. Now that we know which computers need to be removed, let's disable them: simply pipe the output to dsmod, which sets their status to disabled:
dsquery computer DC=fs31,DC=vwf,DC=vwfs-ad -stalepwd 56 -limit 1400 | dsmod computer -disabled yes

Now just sit and wait for maybe a week or two; if no one calls to report problems, you're OK ;-). Now we simply remove the disabled accounts:
dsquery computer DC=fs31,DC=vwf,DC=vwfs-ad -disabled | dsrm

You're done
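The same four phases as a single PowerShell script, added here as an example and not part of the original article. It uses the ActiveDirectory module (RSAT) rather than dsquery/dsmod/dsrm and assumes the module is installed, the account has rights on computer objects, and the $SearchBase DN is a placeholder you replace with your own domain or OU. One difference from the article's last command is deliberate: the final dsquery -disabled | dsrm deletes every disabled computer in the domain, including machines someone disabled on purpose, so this script stamps the accounts it disables and later removes only those.

```powershell
<#
Added example (not from the original article). Phased stale-computer cleanup with
the ActiveDirectory module. -StaleDays 56 mirrors the article's "-stalepwd 56" /
"-inactive 8" queries. Run each phase with -WhatIf first to preview changes.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = 'DC=example,DC=com',     # placeholder DN, replace with yours
    [int]$StaleDays = 56,
    [ValidateSet('Report','Disable','Remove')][string]$Phase = 'Report',
    [string]$Tag = 'StaleCleanup'                  # marker written into Description
)
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$StaleDays)

# Phases 1 and 2: treat a computer as stale only if BOTH its machine password and
# its replicated last logon are older than the cutoff; pwdLastSet alone can mislead
# when password rotation has been switched off on the client.
$stale = Get-ADComputer -SearchBase $SearchBase `
    -Filter { Enabled -eq $true -and PasswordLastSet -lt $cutoff -and LastLogonTimestamp -lt $cutoff } `
    -Properties PasswordLastSet, LastLogonDate, OperatingSystem, Description

switch ($Phase) {
    'Report' {
        # Write the candidates out for the "confirm them to be correct" step.
        $stale | Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate, DistinguishedName |
            Export-Csv -Path ".\stale-computers-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
        Write-Output "Found $($stale.Count) stale computer account(s); review the CSV before disabling."
    }
    'Disable' {
        # Phase 3: disable and stamp Description so the removal phase can tell these
        # apart from accounts that were disabled on purpose.
        foreach ($c in $stale) {
            $stamp = "$Tag disabled $(Get-Date -Format yyyy-MM-dd); was: $($c.Description)"
            Set-ADComputer -Identity $c -Enabled $false -Description $stamp
        }
    }
    'Remove' {
        # Phase 4: after the waiting period, delete only what this script disabled.
        # Remove-ADComputer still asks for confirmation per object, like dsrm.
        Get-ADComputer -SearchBase $SearchBase -Filter "Enabled -eq 'False' -and Description -like '$Tag*'" |
            ForEach-Object { Remove-ADComputer -Identity $_ }
    }
}
```

Remove-ADComputer refuses to delete a computer object that still has child objects (BitLocker recovery information, for example); those need Remove-ADObject -Recursive after the same review.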



