Old computer accounts

Is there anyway to see which computer objects in AD have not been connected
to the network in a certain amount of time. I only have 60 computers on my
network, but I have about 120 in AD. Is there a good way to clean this up?

"Sander" <noemail@noemail.com> wrote in message
news:noemail@noemail.com:
> Is there anyway to see which computer objects in AD have not been
> connected
> to the network in a certain amount of time. I only have 60 computers on my
> network, but I have about 120 in AD. Is there a good way to clean this
> up?

Hello Sander,

Computers which are connected are changing their passwords every 15 to
30 days. If you are at Windows Server 2003 domain mode you can use the
command "dsquery computer" with the "-inactive" switch.

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org

Thanks for the info, but I really meant, computers that have been inactive
for a year or so, computers that we not longer own. I would like to delete
those accounts.


"Ulf B. Simon-Weidner [MVP]" <nospam2-ulf@usw-consulting.com> wrote in
message news:u1LMeKABFHA.2880@TK2MSFTNGP14.phx.gbl...
> "Sander" <noemail@noemail.com> wrote in message
> news:noemail@noemail.com:
>> Is there anyway to see which computer objects in AD have not been
>> connected
>> to the network in a certain amount of time. I only have 60 computers on
>> my
>> network, but I have about 120 in AD. Is there a good way to clean this
>> up?
>
> Hello Sander,
>
> Computers which are connected are changing their passwords every 15 to
> 30 days. If you are at Windows Server 2003 domain mode you can use the
> command "dsquery computer" with the "-inactive" switch.
>
> --
> Gruesse - Sincerely,
>
> Ulf B. Simon-Weidner
>
> MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
> Weblog: http://msmvps.org/UlfBSimonWeidner
> WebSite: http://www.windowsserverfaq.org

Sander wrote:
> Thanks for the info, but I really meant, computers that have been inactive
> for a year or so, computers that we not longer own. I would like to delete
> those accounts.

According to Ulf information if computer will not connect to the domain
in specified periond of time (for example 30 days) and will not renew
it's password it is disconnected from the domain and from domain point
of view this is unused computer.
Of course this computer can be used without access to the domain
(locally loged on user can us it) but for your domain point of view this
is account which can be deleted.

If You want to know which computer is physially connected to network and
used by someone regardless it is using domain or not You will have to
get access to some network devices to gather logs (from switches ports
for example) and then veryify it's connectivity to the network.

I will sugesst You following procedure:
- identify unused accounts in the domain (Ulf gives You advice about
that), delete them or put them into some OU and disable them (or just
reset password).
- In the working hours or at specified interval in some period use some
script or tool to check all Your IP addresses ranges with ping or other
method to gather data which adresses are alive. Gather host names from
this addresses, check if this machines are working properll in the
domian (try to get access to them with domain user credentials for example)
- match alive computers names with your names in AD, do some cleanup.

At the end You will have in Your AD objects representing "living
workstations" and list of other workstations which are working in
network but don't belong to the domain. Of couse there can be a
situation in which a workstation will not be turned on during Your
"checking" period and You will delete this computers accounts.



--
Tomasz Onyszko [MVP]
T.Onyszko@w2k.pl
http://www.w2k.pl

Check out oldcmp on the free Windows tools pages of www.joeware.net

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Sander wrote:
> Is there anyway to see which computer objects in AD have not been connected
> to the network in a certain amount of time. I only have 60 computers on my
> network, but I have about 120 in AD. Is there a good way to clean this up?
>
>

Now, if you were to run the dsquery, what's the difference between these two
switches?
-inactive (followed by the # of weeks) and
-stalepwd (followed by the # of days?)

The commandline help explaantion doesn't give very much. Am I to assume that
they both use computer password to determine whether or not a computer is no
longer active?

"Joe Richards [MVP]" wrote:

> Check out oldcmp on the free Windows tools pages of www.joeware.net
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Sander wrote:
> > Is there anyway to see which computer objects in AD have not been connected
> > to the network in a certain amount of time. I only have 60 computers on my
> > network, but I have about 120 in AD. Is there a good way to clean this up?
> >
> >
>