I have inherited an AD environment that contains hundreds of long-dead computer accounts. I want to start clearing them out. If I use the dsquery computer -inactive command, it seems to ignore these computers and only return computers that have been active in recent months/weeks but not active in the given time period.
For example, if I run dsquery computer -inactive 4 I get one computer. If I run dsquery computer -inactive 3 I get about five. If I run dsquery computer -inactive 1 I get a large list. None of these lists show the very old computer accounts.
Am I misunderstanding what this command is supposed to do?
dsquery computer -inactive x uses the LastLogonTimeStamp attribute to decide if a computer is inactive or not. Two of the idiosyncrasies of LastLogonTimeStamp are that:
1) It's very loose, i.e. nowhere near real-time. This attribute is not updated every time a computer logs on to the domain, and even when it is updated it isn't always replicated to other domain controllers right away.
2) It can be null, in which case dsquery will most likely ignore it.
The -stalepwd switch can also be helpful to you in identifying inactive computer accounts. Computer accounts should be automatically updating their passwords every 30 days. But beware, it uses the pwdLastSet LDAP attribute, which can also be null. pwdLastSet comes as an annoying file time, but .Net/Powershell easily converts it to a human-friendly date:
The line of Powershell above will give you all computer accounts whose pwdLastSet attribute (Powershell converts this into the human-readable PasswordLastSet) is older than 180 days; the freshest accounts will be at the top. The oldest accounts and those with null pwdLastSets will be at the bottom.
(Of course you can disable password changes on a computer, but that's a relatively rare thing to do.)
For accounts that have null values, it usually means they have never logged on to the domain and/or never changed their password. I'm sure there might be other little strange use cases where this might happen, such as an administrator prestaging a computer account but then deciding to never actually join the machine to the domain, computer accounts from other child domains of the same forest, etc. You'll just have to investigate those.
Here's some more information about LastLogonTimeStamp from AskDS if you want to read it:
http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
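As an added example (not code from either answer above), the following PowerShell pulls both attributes the answer discusses, converts the raw file-time values to dates, and keeps null values visible instead of silently dropping them the way dsquery does. It assumes the ActiveDirectory RSAT module is available; the 180-day threshold is the one mentioned above, and the SearchBase OU is a placeholder.

```powershell
# Added example: report stale computer accounts using pwdLastSet AND
# lastLogonTimestamp, with explicit handling of null ("never set") values.
# Assumptions: ActiveDirectory module installed; OU below is a placeholder.
Import-Module ActiveDirectory

$StaleAfterDays = 180
$Cutoff         = (Get-Date).AddDays(-$StaleAfterDays)
$SearchBase     = 'OU=Workstations,DC=example,DC=com'   # placeholder OU

function ConvertFrom-FileTime {
    param([AllowNull()][object]$Value)
    # Both attributes are 64-bit Windows file times. A missing or zero value
    # means "never set"; return $null rather than the bogus date 1601-01-01.
    if ($null -eq $Value -or [int64]$Value -eq 0) { return $null }
    return [DateTime]::FromFileTime([int64]$Value)
}

$Report = Get-ADComputer -Filter * -SearchBase $SearchBase `
    -Properties pwdLastSet, lastLogonTimestamp, whenCreated |
    ForEach-Object {
        $pwd  = ConvertFrom-FileTime $_.pwdLastSet
        $llts = ConvertFrom-FileTime $_.lastLogonTimestamp

        # A null timestamp only counts as stale if the object itself is old,
        # so a freshly pre-staged account is not flagged by mistake.
        if ($pwd)  { $pwdStale  = $pwd  -lt $Cutoff } else { $pwdStale  = $_.whenCreated -lt $Cutoff }
        if ($llts) { $lltsStale = $llts -lt $Cutoff } else { $lltsStale = $_.whenCreated -lt $Cutoff }

        [PSCustomObject]@{
            Name               = $_.Name
            DistinguishedName  = $_.DistinguishedName
            Enabled            = $_.Enabled
            Created            = $_.whenCreated
            PasswordLastSet    = $pwd
            LastLogonTimestamp = $llts
            PasswordStale      = $pwdStale
            LogonStale         = $lltsStale
        }
    }

# Review candidates are stale on BOTH signals: lastLogonTimestamp alone is too
# coarse, and pwdLastSet alone misses machines with password changes disabled.
# Sorting descending puts the freshest at the top and nulls at the bottom.
$Candidates = $Report |
    Where-Object { $_.PasswordStale -and $_.LogonStale } |
    Sort-Object PasswordLastSet -Descending

$Candidates | Format-Table Name, Enabled, Created, PasswordLastSet, LastLogonTimestamp -AutoSize

# First pass: disable, do not delete, so a machine that only connects rarely
# can be re-enabled. Drop -WhatIf once the list has been reviewed.
# $Candidates | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Exporting `$Report` with Export-Csv before acting gives you a record of the null-valued accounts the answer says need manual investigation, and requiring both signals to agree avoids disabling a machine whose lastLogonTimestamp simply has not replicated yet.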
First, computers change their password every 30 days by default, though that can be changed. Looking for computers with anything less than 30 days as inactive is just asking for trouble, and don't forget about VPN users or others who may connect to the domain only every 6-12 months when they happen to be in the office.
That said, you may need to specify the OU the computers are in, or forestroot or domainroot:
My personal preference is a free joeware utility "oldcmp":
oldcmp also has options to delete anything you want, so proceed with caution if you go that way.