Weeding out old computers from AD using the 'modified' date

spr

I'm trying to get rid of old computer objects from my OU. I have approx 100+
machines that no longer exist but don't have a list of which ones to delete.
I want to use the 'modified' field but I first need to know what it takes
for this field to be updated, so I don't disable any active machines.
 
Guest

One way to go about this is to see when the machines last had their secure
channel password changed. By default the secure channel password is changed
every 7 days. As a rule of thumb, if the password has not changed in over 60
days, then you have a pretty good idea that the machines no longer exist.

You can use a free utility called netpwage - here is a link that explains it..
http://www.jsifaq.com/SUBH/tip3900/rh3988.htm

Hope this helps.

Jason Silva
 
spr

JSilva said:
One way to go about this is to see when the machines last had their secure
channel password changed. By default the secure channel password is
changed
every 7 days. As a rule of thumb, if the password has not changed in over
60
days, then you have a pretty good idea that the machines no longer exist.

You can use a free utility called netpwage - here is a link that explains
it..
http://www.jsifaq.com/SUBH/tip3900/rh3988.htm

Hope this helps.

Jason Silva
Thanks, I tried the program but I can't figure out how to syntax it to only
scan my OU (a few hundred) instead of my entire forest (thousands+) which I
will surely hear about if I do a complete scan of.
 
Guest

If you can,

dump the contents of the ou into a text file.
run a script using netpwage against the computers in the text file.

This way, you are only querying against the contents of the OU.
 
Cary Shultz [A.D. MVP]

SPR,

There is a much, much, much easier way. It is to use an awesome tool called
'oldcmp' which you can find at http://www.joeware.net. Simply go to his
Windows Free Tools section and you will find several tools in there - one of
which is oldcmp. This tool will create a DHTML page that will list all of
the machines that, by default, have not changed their 'secret' password in
the last 90 days. You can change that if you like to 35 days, or 105 days -
or whatever! And there is a lot of security built in to oldcmp. For
example, you can not delete a computer account object until it has been
disabled. Thus, there are two different, distinct actions that must be
taken. This makes it very, very difficult to 'accidentally do something
stupid'!

And in Windows 2000 the default time is 30 days, not seven days. It was
seven days in WINNT 4.0, however.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
kj

easy.

dsquery computer -inactive x ( x= number of weeks the computer has been
inactive )

or, if you like the password change method or want day granularity, use;

dsquery computer -stalepwd y (y=number of days since the computer password
has been changed )

Since you want to 'prune the deadwood', do it all in one shot and 'disable'
the computers so they appear in ADU&C with a red X by;

dsquery computer -stalepwd 60 | dsmod computer -disabled yes

Then in ADU&C you can delete all the red X computers.

There is a way to directly delete the computer accounts using dsrm, but I'd
suggest getting more familiar with the other DSxx tools before using that
one.
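The two-step workflow kj and Cary describe (mark stale accounts disabled first, delete only what is already disabled) is shown below as an added example; it is not code from the thread or from the dsquery/oldcmp tools. It works on a constructed in-memory export of computer objects rather than a live directory, converts the `pwdLastSet` FILETIME the way AD stores it, and treats a `pwdLastSet` of 0 as stale, which is this example's own choice.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC. AD stores
# pwdLastSet (and lastLogonTimestamp) in this format.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl bits (documented Microsoft values).
ACCOUNTDISABLE = 0x0002             # set by "dsmod computer -disabled yes"
WORKSTATION_TRUST_ACCOUNT = 0x1000  # an ordinary machine account


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (used here only to build sample data)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_age_days(record: dict, now: datetime):
    """Days since the machine account password was last set; None if never set."""
    if record["pwdLastSet"] == 0:
        return None
    return (now - filetime_to_datetime(record["pwdLastSet"])).days


def is_stale(record: dict, now: datetime, stale_days: int = 60) -> bool:
    """Stale if the password is older than stale_days. A pwdLastSet of 0 (account
    created or reset but never joined) is treated as stale here; that is this
    example's assumption, not something dsquery documents."""
    age = password_age_days(record, now)
    return age is None or age > stale_days


def plan_disable(records, now, stale_days=60):
    """Step 1, the equivalent of
    `dsquery computer -stalepwd N | dsmod computer -disabled yes`:
    names of still-enabled accounts whose password is older than N days."""
    return sorted(r["name"] for r in records
                  if is_stale(r, now, stale_days)
                  and not r["userAccountControl"] & ACCOUNTDISABLE)


def apply_disable(records, names):
    """Return a new list with ACCOUNTDISABLE set on the named accounts
    (the input records are left untouched)."""
    return [dict(r, userAccountControl=r["userAccountControl"] | ACCOUNTDISABLE)
            if r["name"] in names else dict(r)
            for r in records]


def plan_delete(records):
    """Step 2, kept separate on purpose: only accounts that are already disabled
    are candidates for deletion, so a live machine cannot be removed in one go."""
    return sorted(r["name"] for r in records
                  if r["userAccountControl"] & ACCOUNTDISABLE)


# --- constructed sample export (not real directory data) -------------------
NOW = datetime(2004, 3, 1, tzinfo=timezone.utc)


def _days_ago(n: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=n))


SAMPLE = [
    {"name": "ELMSTREET01",  "pwdLastSet": _days_ago(3),   "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"name": "ELMSTREET02",  "pwdLastSet": _days_ago(45),  "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"name": "PINESTREET07", "pwdLastSet": _days_ago(120), "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"name": "PINESTREET09", "pwdLastSet": _days_ago(200), "userAccountControl": WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE},
    {"name": "OAKSTREET03",  "pwdLastSet": 0,              "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
]

if __name__ == "__main__":
    to_disable = plan_disable(SAMPLE, NOW, 60)
    print("disable:", to_disable)                        # ['OAKSTREET03', 'PINESTREET07']
    after = apply_disable(SAMPLE, to_disable)
    print("eligible for deletion:", plan_delete(after))  # ['OAKSTREET03', 'PINESTREET07', 'PINESTREET09']
```

Run it as a script to see both stages. Lowering `stale_days` to 30 pulls ELMSTREET02 into the disable list, which is the same knob as `-stalepwd`; the already-disabled PINESTREET09 never appears in the disable plan but is the only deletion candidate until step 1 has been applied.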
 
kj

2000 DC's with SP3 or higher as I recall, or 2003 DC's as well. Should have
added that as a disclaimer though it is a win2000 newsgroup.
 
kj

oh, and licensing compliance requires purchase of at least one 2003 server
license to use the dsxx tools and other win2003 admin tools. I'm not sure if
web edition qualifies or not - I'd guess no.
 
spr

kj said:
easy.

dsquery computer -inactive x ( x= number of weeks the computer has been
inactive )

or, if you like the password change method or want day granularity, use;

dsquery computer -stalepwd y (y=number of days since the computer password
has been changed )

Since you want to 'prune the deadwood', do it all in one shot and
'disable' the computers so they appear in ADU&C with a red X by;

dsquery computer -stalepwd 60 | dsmod computer -disabled yes

Then in ADU&C you can delete all the red X computers.

There is a way to directly delete the computer accounts using dsrm, but
I'd suggest getting more familiar with the other DSxx tools before using
that one.
This is working GREAT!! I'm finding what I need using:
example ou layout
domain=world
ou structure=/northamerica/usa/texas/dallas

dsquery computer -name *elmstreet -stalepwd 60 works
dsquery computer -name *pinestreet -stalepwd 60 works

but
dsquery computer ou=dallas,dc=world -name *elmstreet -stalepwd 60 fails
gives me: "dsquery failed:A referral was returned from the server."


I love this but would like to figure out the syntax I'm messing up, so I can
query my whole ou instead of individual wildcard 'streets'

Thanks again to all for pointing me to these tools, and special thanks to
JSilva for the dsxxxx tools.
 
spr

spr said:
This is working GREAT!! I'm finding what I need using:
example ou layout
domain=world
ou structure=/northamerica/usa/texas/dallas

dsquery computer -name *elmstreet -stalepwd 60 works
dsquery computer -name *pinestreet -stalepwd 60 works

but
dsquery computer ou=dallas,dc=world -name *elmstreet -stalepwd 60
fails
gives me: "dsquery failed:A referral was returned from the server."


I love this but would like to figure out the syntax I'm messing up, so I
can query my whole ou instead of individual wildcard 'streets'

Thanks again to all for pointing me to these tools, and special thanks to
JSilva for the dsxxxx tools.
oops, I meant kj but again, thanks to all.
 
kj

So if I understand correctly that you are trying to search only the "dallas"
ou for stale password computers and
that your ou structure is ou=dallas,
ou=texas,ou=northamerica,dc=world,dc=com ???

You just need to specify the complete DN of the start of your search. Use
the output of the dsquery that works as guidance for the ou DN to use in a
more selective search.
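Building the start-node DN correctly is the whole fix here, so the following added example (not code from the thread or from dsquery) turns a top-down OU path plus a DNS domain into the DN, checks whether a candidate search base actually ends in the domain's `dc=` components, and derives the container DN from an object DN of the kind a working `dsquery computer` prints. The domain `world.com`, the OU path and the output line are constructed for the example; a search base like `ou=dallas,dc=world` is not held by any DC in `world.com`, so the DC answers with a referral instead of results, which is what dsquery reports as "A referral was returned from the server".

```python
import re

# Split a DN into RDNs on commas that are not backslash-escaped.
_RDN_SEP = re.compile(r"(?<!\\),")


def split_rdns(dn: str) -> list:
    return [part.strip() for part in _RDN_SEP.split(dn.strip().strip('"')) if part.strip()]


def domain_naming_context(domain: str) -> str:
    """world.com -> dc=world,dc=com"""
    return ",".join(f"dc={label}" for label in domain.lower().split("."))


def ou_path_to_dn(ou_path: str, domain: str) -> str:
    """Turn a top-down OU path plus DNS domain into the LDAP DN of that OU.
    DNs read innermost-first, so the path components are reversed."""
    ous = [p for p in ou_path.strip("/").split("/") if p]
    return ",".join([f"ou={ou}" for ou in reversed(ous)] + [domain_naming_context(domain)])


def in_naming_context(search_base: str, domain: str) -> bool:
    """True if search_base ends with the domain's dc= components, i.e. a DC for
    `domain` holds it. A base that does not (e.g. 'ou=dallas,dc=world' in
    world.com) is answered with a referral, not with objects."""
    nc = split_rdns(domain_naming_context(domain))
    base = [rdn.lower() for rdn in split_rdns(search_base)]
    return len(base) >= len(nc) and base[-len(nc):] == nc


def container_of(object_dn: str) -> str:
    """Drop the leading RDN of an object DN (as printed by a working dsquery),
    leaving the DN of the container it lives in: the 'use the output of the
    dsquery that works' advice, in code."""
    return ",".join(split_rdns(object_dn)[1:])


def dsquery_command(search_base: str, name_pattern: str, stale_days: int) -> str:
    """Assemble the scoped command; the base DN is quoted for cmd.exe."""
    return f'dsquery computer "{search_base}" -name {name_pattern} -stalepwd {stale_days}'


# --- constructed values (the thread's 'world' example; domain assumed to be world.com) ---
DOMAIN = "world.com"
OU_PATH = "/northamerica/usa/texas/dallas"
WORKING_OUTPUT_LINE = '"CN=ELMSTREET01,OU=dallas,OU=texas,OU=usa,OU=northamerica,DC=world,DC=com"'

if __name__ == "__main__":
    bad = "ou=dallas,dc=world"
    good = ou_path_to_dn(OU_PATH, DOMAIN)
    print(bad, "->", "ok" if in_naming_context(bad, DOMAIN) else "referral")
    print(good, "->", "ok" if in_naming_context(good, DOMAIN) else "referral")
    print(container_of(WORKING_OUTPUT_LINE))
    print(dsquery_command(good, "*elmstreet", 60))
```

The check is deliberately a suffix comparison: every `ou=` between the object and the `dc=` tail has to be present, which is why leaving a single `ou=` out of the DN fails just as surely as leaving out a `dc=`.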
 
spr

So if I understand correctly that you are trying to search only the
"dallas"
ou for stale password computers and
that your ou structure is ou=dallas,
ou=texas,ou=northamerica,dc=world,dc=com ???
You just need to specify the complete DN of the start of your search. Use
the output of the dsquery that works as guidance for the ou DN to use in a
more selective search.

you're the best!!!

thank god for notepad and cut/paste
my domain is like world.this.that.gov

I have to do five 'ou=...' and four 'dc=...' per query but it works
great! Leave a single one out and it craps itself. I was trying with just a
single, most significant ou= and dc= before.

Now I just gotta add my main ones into EZMacros and I'll be rockin.

snip
 
