"Dead" Machine Accounts


Guest

I was wondering whether there is a way to determine if a machine account is still active in Active Directory. We have possibly several hundred machine accounts that were created for testing purposes and these machines were either not removed cleanly from AD or simply shut off. As we have over +50000 machine accounts, it would be nice to run an LDAP query to find these machines.

Does anyone know of a way to determine whether a machine account is "active" or "alive" in AD or a way to find out if a machine is "dead", preferably using some sort of query against the AD?

Any help appreciated.
 
Paul Bergson {MCT, MCSE}

Going into ADSI Edit there is an attribute within the computer object that
is named last logon. I didn't do much research but I'm betting you could
write an LDAP query and pull all accounts and list out from there all
machines that haven't logged in for more than 90 days. I currently do this for
user accounts and am now considering doing it for machine accounts. You pose an
interesting question.

I would drop this question in one of the script groups.

Paul Bergson MCT, MCSE, CNE, CNA, CCA

William P. said:
I was wondering whether there is a way to determine if a machine account
is still active in Active Directory. We have possibly several hundred
machine accounts that were created for testing purposes and these machines
were either not removed cleanly from AD or simply shut off. As we have over
+50000 machine accounts, it would be nice to run an LDAP query to find these
machines.
Does anyone know of a way to determine whether a machine account is
"active" or "alive" in AD or a way to find out if a machine is "dead",
preferably using some sort of query against the AD?
 
Ace Fekay [MVP]

Paul Bergson {MCT, MCSE} said:
is still active in Active Directory. We have possibly several hundred
machine accounts that were created for testing purposes and these
machines were either not removed cleanly from AD or simply shut off.
As we have over +50000 machine accounts, it would be nice to run an LDAP
query to find these machines.
"active" or "alive" in AD or a way to find out if a machine is "dead",
preferably using some sort of query against the AD?


Going into ADSI Edit there is an attribute within the computer object
that is named last logon. I didn't do much research but I'm betting
you could write an LDAP query and pull all accounts and list out from
there all machines that haven't logged in for more than 90 days. I
currently do this for user accounts and am now considering doing it for
machine accounts. You pose an interesting question.

I would drop this question in one of the script groups.

Paul Bergson MCT, MCSE, CNE, CNA, CCA




In addition, here's a repost from last year concerning this that may help:
=================================================
Hi

Take a look here (can be used for computer accounts as well):

http://www.rlmueller.net/PwdLastChanged.htm


--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page
Scripting Guide: http://www.microsoft.com/technet/scriptcenter

Unless someone else gives you something more specific for W2k or W2k3, check
this out:
http://cwashington.netreach.net/depo/view.asp?Index=883&ScriptType=vbscript
http://cwashington.netreach.net/depo/view.asp?Index=849&ScriptType=vbscript
--
Regards,
Ace
=================================================

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay [MVP]

William P said:
Thanks Ace!

This does exactly what I need.

No prob!
:)

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Guest

Also, here is a script that can help with this -

'Script will output the machine accounts that have not changed
'their machine account password in the last 180 days.
'You can reduce this number by changing 15552000, which is
'86400 (number of seconds in the day) * 180 (days). Every machine changes
'its machine account password every 7 days for NT4 and 30 days for W2K.
'Execute the script using: cscript scriptname

Dim Container
Dim TargetDomain
Dim Member
Dim Computer
Dim fso
Dim tf

'Report file that receives one line per old machine account
Set fso = CreateObject("Scripting.FileSystemObject")
Set tf = fso.CreateTextFile("C:\oldaccts.txt", True)
TargetDomain = "Net Bios Name" 'Change this to the NetBIOS name of the domain
Set Container = GetObject("WinNT://" & TargetDomain)
Container.Filter = Array("Computer")
For Each Member In Container
    'Machine accounts are bound as user objects with a trailing $
    Set Computer = GetObject("WinNT://" & TargetDomain & "/" & Member.Name & "$,user")
    If Computer.Get("PasswordAge") > 15552000 Then '15552000 seconds is 180 days (15552000 \ 86400 seconds in 24 hrs)
        tf.WriteLine Computer.ADsPath & " " & (Computer.Get("PasswordAge") \ 86400) & " Days Old"
    End If
Next
tf.Close

Craig Landis [MSFT]
(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
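
The LDAP-query approach asked for at the top of the thread, as an added example that is not part of any post: it builds a filter on `pwdLastSet` (the AD attribute recording when the account password was last set) using the 180-day threshold from the script above, and applies the same test to search results. Host names and sample values are constructed; running the filter against a directory is left to whatever LDAP client is in use.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x2  # userAccountControl bit set on disabled accounts


def to_filetime(dt):
    """Aware datetime -> AD timestamp (100 ns intervals since 1601-01-01 UTC)."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def stale_computer_filter(now, days=180):
    """LDAP filter: enabled computer accounts with a password older than `days`.

    LDAP filters have no '<' operator, so the cutoff is expressed with '<='.
    The OID is the bitwise-AND matching rule, used here to skip disabled accounts.
    """
    cutoff = to_filetime(now - timedelta(days=days))
    return ("(&(objectCategory=computer)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
            f"(pwdLastSet<={cutoff}))")


def classify(entry, now, days=180):
    """Sort one search result into disabled / never-set / stale / active."""
    uac = int(entry.get("userAccountControl", 0))
    pwd = int(entry.get("pwdLastSet", 0))
    if uac & ACCOUNTDISABLE:
        return "disabled"
    if pwd == 0:
        # 0 also satisfies the '<=' filter; review these accounts separately.
        return "never-set"
    return "stale" if pwd <= to_filetime(now - timedelta(days=days)) else "active"


def report(entries, now, days=180):
    return {e["cn"]: classify(e, now, days) for e in entries}


# Constructed sample data standing in for LDAP search results.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"cn": "TEST-LAB01", "userAccountControl": 4096,
     "pwdLastSet": to_filetime(NOW - timedelta(days=400))},
    {"cn": "WKS-0042", "userAccountControl": 4096,
     "pwdLastSet": to_filetime(NOW - timedelta(days=12))},
    {"cn": "TEST-LAB02", "userAccountControl": 4098,
     "pwdLastSet": to_filetime(NOW - timedelta(days=400))},
    {"cn": "PRESTAGED-07", "userAccountControl": 4096, "pwdLastSet": 0},
]

if __name__ == "__main__":
    print(stale_computer_filter(NOW))
    print(report(SAMPLE, NOW))
```
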
 