Find and/or cleanup old computer accounts in AD

Find and/or cleanup old computer accounts in AD

Dsquery is a command-line tool that is built into Windows Server 2008. 
It is available if you have the Active Directory Domain Services (AD DS) server role installed. 
To use dsquery, you must run the dsquery command from an elevated command prompt. 
To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

To find inactive computer accounts (number is inactivity in weeks):
dsquery computer -inactive 2

To find computers with stale passwords (number is stale in days)
dsquery computer -stalepwd 45

There is also a combination to disable / delete the accounts:
combined with dsmod/dsrm

dsquery computer -inactive 4 | dsmod computer -disabled yes
dsquery computer -stalepwd 45 | dsrm computer

You can get additional info on both of these tools with dsquery computer /? ,dsmod computer /?, and dsrm computer /?

Leave a Reply