Deleting Old computer accounts

Mehrab

Hi,

I need to delete a few hundred old computer accounts
from Active Directory on Windows 2000, SP4.

I don't want to perform this by scripting. I'm looking
for an LDAP query on Active Directory to find these old
computer accounts. Any help is much appreciated.

Thanks
Mehrab
 
Johan Arwidmark

Well, the computer object is automatically updated with information
from the netlogon service during secure channel setup.

You can find unused or inactive computer accounts by searching for
certain computer object attributes with LDAP searches.

Computer objects that have never been used do not have the
operatingSystem, OperatingSystemServicePack and operatingSystemVersion
attributes set.

If the whenChanged attribute is more than a month old, the computer
probably is not active on a network making periodic password changes.
You can also check the lastLogon attribute. (The whenChanged and
lastLogon attributes are non-replicated attributes, which means you have
to examine them on all domain controllers.)

To search you can use a tool like ldp (from support tools)

However, I do recommend using a script for this...there are many good
example scripts for this on the net....

regards
Johan Arwidmark

Windows User Group - Nordic
http://www.wug-nordic.net
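
An added example, not part of the original thread: the two LDAP filters Johan describes, plus the per-domain-controller merge that the non-replicated lastLogon attribute requires. The `objectCategory=computer` clause, the DC names, the DNs and the lastLogon values are constructed assumptions; in practice each per-DC dictionary would come from running the search against that DC.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

# Never-used computer objects: none of the operatingSystem* attributes is set.
NEVER_USED_FILTER = ("(&(objectCategory=computer)(!(operatingSystem=*))"
                     "(!(operatingSystemServicePack=*))(!(operatingSystemVersion=*)))")

def stale_filter(now, days=30):
    """LDAP filter for computers whose whenChanged is older than `days`."""
    cutoff = (now - timedelta(days=days)).strftime("%Y%m%d%H%M%S.0Z")
    return f"(&(objectCategory=computer)(whenChanged<={cutoff}))"

def to_filetime(dt):
    """datetime -> lastLogon value (100 ns ticks since 1601-01-01 UTC)."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def from_filetime(ft):
    """lastLogon value -> datetime; 0 or missing means never logged on."""
    return EPOCH_1601 + timedelta(microseconds=int(ft) // 10) if ft else None

def merge_last_logon(per_dc):
    """lastLogon is not replicated: keep the newest value seen on any DC."""
    merged = {}
    for results in per_dc.values():
        for dn, ft in results.items():
            merged[dn] = max(merged.get(dn, 0), int(ft or 0))
    return merged

def stale_computers(per_dc, now, days=30):
    """DNs with no logon on any queried DC within the last `days`."""
    cutoff = now - timedelta(days=days)
    return sorted(dn for dn, ft in merge_last_logon(per_dc).items()
                  if from_filetime(ft) is None or from_filetime(ft) < cutoff)

# Constructed sample: what each DC returned for the same computer objects.
NOW = datetime(2004, 3, 21, tzinfo=timezone.utc)
def sample_dn(name): return f"CN={name},CN=Computers,DC=example,DC=com"
def sample_ft(y, m, d): return to_filetime(datetime(y, m, d, tzinfo=timezone.utc))
SAMPLE = {
    "dc1": {sample_dn("PC-A"): sample_ft(2004, 3, 15),
            sample_dn("PC-B"): sample_ft(2003, 11, 1), sample_dn("PC-C"): 0},
    "dc2": {sample_dn("PC-A"): sample_ft(2003, 12, 1),
            sample_dn("PC-B"): sample_ft(2004, 3, 10),
            sample_dn("PC-C"): 0, sample_dn("PC-D"): sample_ft(2004, 1, 5)},
}

if __name__ == "__main__":
    print(NEVER_USED_FILTER, stale_filter(NOW), sep="\n")
    print("dc1 only:", stale_computers({"dc1": SAMPLE["dc1"]}, NOW))
    print("all DCs: ", stale_computers(SAMPLE, NOW))
```

In the sample, PC-B looks stale when only dc1 is queried but is active once dc2's value is merged in, which is why a single-DC report is not enough to decide what to disable.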
 
Cary Shultz [A.D. MVP]

I might suggest that you take a look at http://www.joeware.net as he has a
very nice tool there - called oldcmp. It is in the free C++ tools section.
It will allow you to first create a report - if you wish - so that you can
see how many computer account objects you have that are xxx days old
(as Johan so aptly explained). You can set the 'xxx' part - it defaults
to 90 days - with the "/age xxx days" switch. You can then go in and
disable the computer account objects that meet your requirements. Only
after you have first disabled the computer account objects in question can
you then delete them.

HTH,

Cary
 
Staffan

Hi Mehrab!

Check out the tool Active Directory Janitor. I believe you can
download a trial version directly from their site (www.adjanitor.com
if I recall it correctly).

I've used it myself. The trial version has some limitations but it
will show you the number of obsolete computer accounts in your AD.
Personally I've purchased the unlimited version and believe me, it was
50 bucks well spent!

Regards Kemal Frank
 
Jimmy Andersson [MVP]

You'll also find a non-GUI tool at www.joeware.net which is free and does
the job.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------


 
Cary Shultz [A.D. MVP]

Jimmy,

And a mighty fine job it does. I promote Joe's 'oldcmp' utility whenever I
can. I also looked at the adjanitor tool quickly and it looks nice. I
guess, as I wrote in another post, you need to decide if you want the free
tool from http://www.joeware.net and the command line as the interface or if
you want to pay the $50.00 at http://www.adjanitor.com and have the nice GUI
( as well as having to install .NET Framework 1.1 - which is no problem at
all ).

Cary

 
Jimmy Andersson [MVP]

Agreed! :)
It's just that I'm not a big fan of GUI tools (that cost money) that do the
exact same thing you can do with a bit of code/script.... but that's just my
personal 2 cents.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------


On Sat, 20 Mar 2004 21:11:40 -0800, "Mehrab"

Hi,

I need to delete a few hundred old computer accounts
from Active Directory on Windows 2000, SP4.

I don't want to perform this by scripting. I'm looking
for an LDAP query on Active Directory to find these old
computer accounts. Any help is much appreciated.

Thanks
Mehrab
 
Cary Shultz [A.D. MVP]

Jimmy,

Also agree with you 100%. I would not dream of spending $5.00 - let alone
$50.00 - for a GUI tool when I can use the command line. However, I think
that you will agree with me when I say that there are still a lot of people
who 'fear' the command line....

Hope that all is well in your neck of the woods!

Cary
 
Jimmy Andersson [MVP]

Cary,

Yep, too many are afraid of the command line, thus don't like scripting.
All is good in my woods :) and yours too I hope!

/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------
 
Cary Shultz [A.D. MVP]

Could not be better! Thank you,

Cary

 
