Wednesday, March 24, 2010

Delete Stale or Inactive Computer Accounts from Active Directory

Here is an easy way to identify and delete inactive or stale computers in an Active Directory environment. Using the dsquery command, you can find all of the computer accounts in the directory that have not logged on within a given time interval or that are disabled.

The following command will return all computers that have been inactive or stale for 2 weeks:

dsquery computer -inactive 2

The following command will return all disabled computer account information:

dsquery computer -disabled


You can combine this output with the dsrm command to delete these objects from Active Directory:

dsquery computer -inactive 2 | dsrm -noprompt
dsquery computer -disabled | dsrm -noprompt
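
A staged version of the same cleanup, added here as an example and not part of the original post: it saves the query result for review, disables the accounts with dsmod, and later deletes only the reviewed list. The script layout, the stage names and the file name stale-computers.txt are assumptions.

```batch
@echo off
rem Added example, not from the original post. Stage names and the report
rem file name are assumptions; dsquery, dsmod and dsrm are the built-in tools.
setlocal
set "WEEKS=2"
set "REPORT=stale-computers.txt"

if /i "%~1"=="report"  goto report
if /i "%~1"=="disable" goto disable
if /i "%~1"=="delete"  goto delete
echo Usage: %~nx0 report ^| disable ^| delete
exit /b 1

:report
rem -limit 0 lifts dsquery's default cap of 100 results.
rem -inactive is based on lastLogonTimestamp, which can lag by up to about
rem 14 days, so review the list before acting on it.
dsquery computer -inactive %WEEKS% -limit 0 > "%REPORT%"
find /c /v "" < "%REPORT%"
echo DNs written to %REPORT%. Remove any line that must be kept.
exit /b 0

:disable
if not exist "%REPORT%" (echo Run the report stage first.& exit /b 1)
rem dsmod reads the DNs from stdin, the same way dsrm does in the post.
type "%REPORT%" | dsmod computer -disabled yes
exit /b %errorlevel%

:delete
if not exist "%REPORT%" (echo Run the report stage first.& exit /b 1)
rem Deletes only what is in the reviewed file, not a fresh query result.
type "%REPORT%" | dsrm -noprompt
exit /b %errorlevel%
```

Leaving time between the disable and delete stages gives owners of machines that were only disabled a chance to report a problem before the object is gone.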


dsquery command reference
dsrm command reference

14 comments:

Santhosh... Recently I'm doing an assessment on SCCM 2012 for my new company. Please tell me if there is any software download for SCCM 2012 and documentation for it.

You can download System Center Configuration Manager 2012 Beta 2 from the following location:

http://www.microsoft.com/download/en/details.aspx?id=20961

You can also see some System Center Configuration Manager 2012 in the following TechNet link:

http://technet.microsoft.com/en-us/library/gg682041.aspx

Dear Santosh,

Thanks for all your Scripts and tips which makes the admin work easy.

Please help in getting a Domain Controller GP based computer script which can be used to install MS security patches (and other software) to about 400 client machines.

Really appreciate all your posts.

Thanks
Murali

Thanks Murali.

Please provide more information about the requirement.

You can install software using this logic - http://portal.sivarajan.com/2010/05/installing-forefront-client-security.html
http://www.sivarajan.com/scripts/FCS_Install.txt

Hi Santosh,

We have got SCCM configured on client machines and used it to get MS security patches and other software installed. Now it has ceased working and we need to urgently patch about 500+ machines before the IT audit. Please suggest a method.

1. All the machines are added to a Domain. (Users don't have admin privilege)
2. Need to get all the patches installed on the respective dates. :) (Patched date should be around two days after it got released from MS)

Please help me with a GP start up script to accomplish the same.

Many Thanks,
Murali

I can also recommend a tool called netwrix inactive users tracker for this. We use this tool and it identifies/automatically deactivates all users who haven’t logged into AD for a specified number of days.

Hi Siva

I have a PDC and BDC in the same location; now I want to migrate from the old domain to a new domain. So I want to ask how I can achieve this. Kindly help.


I want to do it on an urgent basis. It will be good for me if you can help me.

I would recommend ASN AD Inactive Account Tracker. Please visit https://www.adsysnet.com/asn-active-directory-inactive-account-tracker-features.aspx

There are many third party products out there. My goal was to provide a solution using built-in options or tools. This is not a place for advertisement.

I would like to share a very prominent application named Lepide active directory cleaner (http://www.lepide.com/active-directory-cleaner/ ) that is equipped with several prominent features and helps to easily locate user accounts that are obsolete or not in use for a long time by defining accurate inactivity period.
Further, you can take appropriate action to remove, disable or move them to another OU, depending upon your requirement.
