Deleted old computer accounts in AD

  • Thread starter: txitalian

txitalian

I have been tasked to clean up the list of computer accounts within our
domain. I must determine which computer accounts are no longer required
and a process for how to delete them. So far, I've exported the list
from AD and it is well over 1000. Any pointers on what can be done to
accomplish this?
 
Look at the lastlogon attribute in AD (you may want to write a VB script to
export that information and convert the number to a readable date / time).
That should give you an indication of the last time the computers
authenticated with the domain. If you have multiple domain controllers you
must consolidate the data and get the "newest" logon time for each account
since that attribute is not replicated throughout the domain. If this is a
Windows 2003 AD there is another attribute called lastLogonTimestamp (or
something like that) which is replicated so you don't have to consolidate
the data.

BTW. The lastlogon attribute holds a large integer which is a filetime value
(number of 100ns intervals since 1/1/1600 or something). Check the AD schema
reference.


Arild
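
The consolidation step described in the reply above, as an added example that is not part of the original post: it converts the large-integer value to a UTC date, keeps the newest logon per computer across domain controllers, and lists accounts past a cutoff. The row layout, host names, 90-day threshold and sample values are constructed assumptions; the conversion uses the FILETIME epoch of 1601-01-01 UTC.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks from 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: (domain controller, computer, raw lastLogon) rows,
# as they might look after exporting the attribute from each DC separately.
SAMPLE_ROWS = [
    ("DC1", "PC-ALPHA", "133221024000000000"),    # 2023-03-01 as seen by DC1
    ("DC2", "pc-alpha", "133616736000000000"),    # 2024-06-01 as seen by DC2
    ("DC1", "PC-BRAVO", "133221024000000000"),    # 2023-03-01
    ("DC2", "PC-BRAVO", "0"),                     # never authenticated to DC2
    ("DC1", "PC-CHARLIE", "0"),
    ("DC2", "PC-CHARLIE", ""),                    # attribute not set
]

def filetime_to_datetime(value):
    """Convert an AD large-integer timestamp to UTC; 0 or empty means never."""
    ticks = int(value or 0)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def newest_logon(per_dc_rows):
    """Merge per-DC rows, keeping the newest logon time for each computer."""
    newest = {}
    for _dc, computer, raw in per_dc_rows:
        name = computer.upper()           # computer names are case-insensitive
        seen = filetime_to_datetime(raw)
        if name not in newest:
            newest[name] = seen
        elif seen and (newest[name] is None or seen > newest[name]):
            newest[name] = seen
    return newest

def stale_computers(per_dc_rows, now, max_age_days=90):
    """Return computers with no logon on any DC since the cutoff."""
    cutoff = now - timedelta(days=max_age_days)
    merged = newest_logon(per_dc_rows)
    return sorted(n for n, seen in merged.items() if seen is None or seen < cutoff)

if __name__ == "__main__":
    report_time = datetime(2024, 7, 1, tzinfo=timezone.utc)
    for name in stale_computers(SAMPLE_ROWS, report_time):
        print(name, newest_logon(SAMPLE_ROWS)[name])
```

The same conversion applies to lastLogonTimestamp, which is replicated but by default is only refreshed when the stored value is roughly 9 to 14 days old, so cutoffs shorter than that are unreliable with it.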
 
I'll definitely be looking into both methods, thanks in advance. One
thing I notice is that when I'm in Active Directory Users and
Computers, I can add the modified column and the ones that have not
been modified for 30+ days are in fact the ones that are old. Question
is what exactly has not been modified for 30+ days?
 
Before deleting the accounts, download a free tool called "pping" and then you
can create a list of hostnames to "ping" and to return a real report if the
machines exist in the network or not, I mean, if the machines (hostnames)
are still physically in your network.

To download the tool : http://www.intsoft.com/products/pping/download.php

I've used this method a couple of months ago and it worked fine.

Regards,
 