We have a moderately sized AD installation with approx 1000 employees and maybe 1800 valid computer accounts (servers, PCs, virtuals). Because we replace desktop hardware on a 3-4 yr cycle, cleaning up old computer accounts is a necessary task that usually gets put off. (We currently have 3200 accounts!) We have a robust process in place for identifying unused user accounts and disabling/deleting them, but nothing in place for computer accounts.
We know about tools like oldcomp, PowerShell, etc., and we even have a Windows batch script which uses dsquery and dsrm to handle this, but we've not actually production-alized anything.
My question is simple - What process do you use to clean up these accounts?
PowerShell + dsquery. Really. Very short pipeline, runs fast. Use DSQuery to generate a list of computer accounts that haven't logged in in $days, run it through whatever exception list we have going, then send the output through dsrm. Works a treat, and we can even create a log-file showing which machines got deleted when.
My first initial thought would be to not put disabling computer accounts on the back burner, if that then raises concerns later. Simply make it a procedure to disable computer accounts (and move them to an Unused Comps OU, for example).
Furthermore, we still do check AD, and apart from PowerShell we use ADtidy, a simple but very effective tool (http://www.cjwdev.co.uk/Software/ADTidy/Info.html). We run this manually, but we have a reminder in our shared calendar so that this task gets done on a regular basis (every 4 months is OK for us).
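The two answers combine naturally: the dsquery list and exception filter from the first, feeding the disable-and-move step from the second, with a log entry per machine. The sketch below is an added example, not either poster's script; the `example.com` DNs, the quarantine OU path, the exception patterns, the 13-week threshold and the log path are all assumptions, and the sample list is constructed so the script can be dry-run with `-WhatIf` before it is pointed at a real directory.

```powershell
# Added example, not the posters' script. Assumed: example.com DNs, quarantine OU, patterns, log path.
function Select-StaleComputer {
    param([string[]]$DNLines, [string[]]$Exceptions)
    foreach ($line in $DNLines) {
        $dn = $line.Trim().Trim('"')                  # dsquery wraps each DN in double quotes
        if ($dn -match '^CN=((?:\\.|[^,])+),') {      # blank or garbled lines are skipped
            $name = $Matches[1]
            $hit  = $Exceptions | Where-Object { $name -like $_ }
            if (-not $hit) { $dn }                    # emit only DNs not on the exception list
        }
    }
}

function Disable-StaleComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$DN, [string]$QuarantineOU, [string]$LogPath)
    foreach ($d in $DN) {
        # With -WhatIf this prints the planned action and touches nothing.
        if (-not $PSCmdlet.ShouldProcess($d, 'disable and move to quarantine OU')) { continue }
        dsmod computer $d -disabled yes | Out-Null
        if ($LASTEXITCODE -ne 0) {
            "$(Get-Date -Format s) FAILED dsmod $d" | Add-Content -Path $LogPath
            continue
        }
        dsmove $d -newparent $QuarantineOU | Out-Null
        $result = if ($LASTEXITCODE -eq 0) { 'DISABLED+MOVED' } else { 'DISABLED, move FAILED' }
        "$(Get-Date -Format s) $result $d" | Add-Content -Path $LogPath
    }
}

# Constructed sample standing in for the output of: dsquery computer -inactive 13 -limit 0
$sample = @(
    '"CN=PC-0142,OU=Desktops,DC=example,DC=com"',
    '"CN=SRV-SQL01,OU=Servers,DC=example,DC=com"',
    '"CN=KIOSK-LOBBY,OU=Desktops,DC=example,DC=com"'
)
$keep  = @('SRV-*', 'KIOSK-LOBBY')                    # exception list (wildcards allowed)
$stale = Select-StaleComputer -DNLines $sample -Exceptions $keep

# Dry run: only PC-0142 is reported. Drop -WhatIf to act on the list.
Disable-StaleComputer -DN $stale -QuarantineOU 'OU=Unused Comps,DC=example,DC=com' `
    -LogPath .\stale-computers.log -WhatIf
```

Note that `dsquery computer -inactive` takes weeks, not days, so a `$days` threshold has to be converted before it is passed in.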