How to Remove Old Computer or User accounts from a Windows Domain

Any admin knows that there are always computer and user accounts in AD that become stale and unused. It’s good practice to remove these old accounts from AD.

Here’s how I do it.

From any Domain Controller, open a command prompt and try the following.

 
dsquery computer -inactive 8 -limit 3000 

Dsquery is an invaluable tool and can do much more than just this. We tell dsquery to look for computer accounts that are currently inactive for 8 weeks and to limit the display to 3000 entries. Setting the -limit to 0 would return all entries.

If you would simply like to count them:

dsquery computer -inactive 8 -limit 3000 | find /c "-" 

This example should also return inactive computer accounts, older than 8 weeks. In this case, we query for stale passwords on computer accounts instead. This should return the same results as the ‘inactive 8’ flag in the previous example.

dsquery computer DC=domain,DC=com -stalepwd 56 -limit 0 

Now that we know what computers need to be removed, lets disable them instead of deleting them. Just in case.
Just pipe the information to dsmod to modify their status:
dsquery computer DC=domain,DC=com, -stalepwd 56 -limit 1400 | dsmod computer -disabled yes

Now just sit and wait for maybe a week or two, if no-one calls to report problems, you’re OK to delete the accounts.
To remove the disabled accounts:

dsquery computer DC=fs31,DC=vwf,DC=vwfs-ad –disabled | dsrm 

And You’re done!

Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

No bots allowed * Time limit is exhausted. Please reload the CAPTCHA.