Scavenging Machine Accounts in AD



Does anyone know if there is an automatic way to scavenge and delete the
accounts of machines that have been taken permanently off-line but have not
been cleanly removed from the domain?

For example, a machine is built using RIS, which will automatically add that
client to AD. After that the user removes the machine from the network to
make it stand-alone, but does not inform me. I would like that machine's
account to be either deleted automatically from AD after a set period of
time of, say, 60 days or disabled somehow.

Is this possible, and can anyone help?


Cary Shultz [A.D. MVP]


A large part of the problem apparently is that the domain user account
object is a member of the computer's local Administrators group. I suggest
this as the only way that this action ( to rename a computer or to join it
to a domain/workgroup ) is available is if the domain user account object is
a member of the local Administrators group ( or that the domain user account
object being used to do this is a member of the Domain Admins or other 'top
level' special groups ).

A 'regular' domain user account object *should* not be a member of any of
these groups. This problem very quickly goes away if this basic security
policy is maintained and enforced ( as the ability to do this is not
available ).

There is also the behavioral problem ( which, again, would not be possible
were basic security policies in place - but I do understand that this is
not always possible politically. Which is always a horrible horrible
horrible reason). Management and HR might need to be involved and your user
base needs to be made aware that they are not to be messing with the
computer account objects in any way, shape or form. However, this requires
HR and Management to be in agreement with the IT Department's stance on
this. This is not always the case ( as mentioned above ) so......

Now, while this is not an 'automagic' approach, you can go to Joe Richard's
website at and look at his free utilities section.
There is something called oldcmp that will do what you need. However, you
do need to manually run this ( or set up something so that it runs on a
schedule ). Be advised that you must first disable any computer account
objects before you can delete them. This is just one of the several
safeguards that Joe wisely built into this awesome utility.




There are two ways to answer this question: one is to upgrade to W2K3 and
use the DS** commands;

the other is to use a Joeware tool that does a similar sort of thing.
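The same disable-first, delete-later policy that oldcmp enforces and that the DS** commands can be scripted to follow, written as an added example in modern PowerShell; this is not code from the thread or from Joeware. It assumes the RSAT ActiveDirectory module, uses the 60-day threshold from the question, and assumes a 30-day grace period and a Description tag (both chosen here) so that it only ever deletes accounts it disabled itself.

```powershell
# Added example: two-phase cleanup of stale computer accounts (disable, then delete).
# Assumes the ActiveDirectory module (RSAT). Run with -WhatIf first to see what it would touch.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$StaleDays = 60,   # from the question: untouched for about 60 days
    [int]$GraceDays = 30,   # assumed: disabled accounts are kept this long before deletion
    [string]$SearchBase = (Get-ADDomain).DistinguishedName
)
Import-Module ActiveDirectory

$tag = 'StaleCleanup'      # assumed marker written to Description; only tagged accounts are deleted
$staleCutoff = (Get-Date).AddDays(-$StaleDays)

# Phase 1: disable machines whose password and last logon are both older than the cutoff.
# A joined machine rotates its password every 30 days by default, so an old PasswordLastSet
# is the strongest sign it is gone; LastLogonDate is replicated lazily, so check it too.
$stale = Get-ADComputer -SearchBase $SearchBase -Filter { Enabled -eq $true } `
    -Properties PasswordLastSet, LastLogonDate, Description |
    Where-Object {
        $_.PasswordLastSet -lt $staleCutoff -and
        (-not $_.LastLogonDate -or $_.LastLogonDate -lt $staleCutoff)
    }

foreach ($c in $stale) {
    if ($PSCmdlet.ShouldProcess($c.Name, "Disable stale computer account")) {
        # Disabling is reversible (Enable-ADAccount) if the machine turns out to be alive.
        Disable-ADAccount -Identity $c
        Set-ADComputer -Identity $c -Description (
            "{0} disabled {1:yyyy-MM-dd}; was: {2}" -f $tag, (Get-Date), $c.Description)
    }
}

# Phase 2: delete only accounts this script tagged, and only after the grace period.
$tagged = Get-ADComputer -SearchBase $SearchBase -Filter { Enabled -eq $false } -Properties Description |
    Where-Object { $_.Description -match "^$tag disabled \d{4}-\d{2}-\d{2}" }

foreach ($c in $tagged) {
    if ($c.Description -match "^$tag disabled (\d{4}-\d{2}-\d{2})") {
        $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
        if ($disabledOn -lt (Get-Date).AddDays(-$GraceDays) -and
            $PSCmdlet.ShouldProcess($c.Name, "Delete computer account disabled on $($disabledOn.ToShortDateString())")) {
            Remove-ADComputer -Identity $c -Confirm:$false
        }
    }
}
```

Schedule it as a task running under an account that has only the rights to disable and delete computer objects in the chosen OU, and keep the -WhatIf output from the first run as a record of what the thresholds would have caught.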

Thank you for your help

Joe Richards [MVP]

Let me correct that URL...

If you want, you can read about it in the current Windows IT Pro magazine. It is
one of the 5 Best Tools for AD (I have 2 other tools in that list as well).


Cary Shultz [A.D. MVP]

Yes, Thank you, Joe!

Yet another example of the fingers going too fast!

And you have O - N - L - Y three of the five? Hard to believe. I thought
it would have been all of them!

