Any admin knows that there are always computer and user accounts in AD that become stale and unused. It’s good practice to remove these old accounts from AD.
Here’s how I do it.
From any Domain Controller, open a command prompt and try the following.
dsquery computer -inactive 8 -limit 3000
Dsquery is an invaluable tool and can do much more than just this. We tell dsquery to look for computer accounts that are currently inactive for 8 weeks and to limit the display to 3000 entries. Setting the -limit to 0 would return all entries.
If you would simply like to count them:
dsquery computer -inactive 8 -limit 3000 | find /c "CN="
This example should also return computer accounts that have been inactive for more than 8 weeks. In this case, we query for stale passwords on the computer accounts instead. The -stalepwd value is given in days, so 56 matches the 8 weeks used above. This should return the same results as the ‘inactive 8’ flag in the previous example.
dsquery computer DC=domain,DC=com -stalepwd 56 -limit 0
Now that we know which computers need to be removed, let’s disable them instead of deleting them. Just in case.
Just pipe the information to dsmod to modify their status:
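dsquery computer DC=domain,DC=com -stalepwd 56 -limit 1400 | dsmod computer -disabled yes
Now just sit and wait for maybe a week or two. If no one calls to report problems, you’re OK to delete the accounts.
To remove the disabled accounts (this matches every disabled computer account under the given base, not only the ones disabled above, and without -limit dsquery returns at most 100 entries per run):
dsquery computer DC=fs31,DC=vwf,DC=vwfs-ad -disabled | dsrm
And you’re done!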
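The last step can be narrowed so that only accounts from the batch you disabled, and that are still disabled after the waiting period, are passed to dsrm. The following PowerShell is an added example, not part of the original procedure; the function names, the batch.txt file name and the sample DNs are assumptions made for illustration.

```powershell
# Added example. Inputs are dsquery output lines: one double-quoted DN per line.

function ConvertFrom-DsqueryOutput {
    param([string[]]$Lines)
    # Strip the surrounding quotes; ignore blank or unquoted lines.
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t.Length -gt 2 -and $t.StartsWith('"') -and $t.EndsWith('"')) {
            $t.Substring(1, $t.Length - 2)
        }
    }
}

function Select-DeletionCandidate {
    param(
        [string[]]$DisabledBatch,      # list saved when the accounts were disabled
        [string[]]$CurrentlyDisabled   # fresh "dsquery computer ... -disabled" output
    )
    # DNs are compared case-insensitively.
    $still = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($dn in (ConvertFrom-DsqueryOutput $CurrentlyDisabled)) {
        [void]$still.Add($dn)
    }
    # Keep only batch members that are still disabled, re-quoted for dsrm.
    foreach ($dn in (ConvertFrom-DsqueryOutput $DisabledBatch)) {
        if ($still.Contains($dn)) { '"{0}"' -f $dn }
    }
}

# Constructed sample data (not real output).
$batch = @(
    '"CN=WS-0142,OU=Workstations,DC=domain,DC=com"',
    '"CN=LAB7,OU=Workstations,DC=domain,DC=com"',    # re-enabled during the wait
    '"CN=KIOSK3,CN=Computers,DC=domain,DC=com"'
)
$now = @(
    '"CN=ws-0142,OU=Workstations,DC=domain,DC=com"',
    '"CN=KIOSK3,CN=Computers,DC=domain,DC=com"',
    '"CN=OLDSRV,OU=Servers,DC=domain,DC=com"'        # disabled earlier, for another reason
)
Select-DeletionCandidate -DisabledBatch $batch -CurrentlyDisabled $now

# Real use: save the list before piping it to dsmod, then after the wait:
#   dsquery computer DC=domain,DC=com -stalepwd 56 -limit 0 > batch.txt
#   Select-DeletionCandidate (Get-Content batch.txt) (dsquery computer DC=domain,DC=com -disabled -limit 0) | dsrm
```

An account that was re-enabled after someone reported a problem drops out of the result, as does any account that was already disabled before this cleanup started.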