In large organizations the task of keeping Active Directory cleansed of inactive computer accounts can be daunting. Using the dsquery command we can easily find all of the computers in the directory that have not been logged into in a given time interval.
As an example, the following command will find all computers in Active Directory that have not been logged into during the past 8 weeks:
dsquery computer -inactive 8 -limit 0
After reviewing this list to make sure these computers no longer exist on your network you can use the following command to find and delete them:
dsquery computer -inactive 8 -limit 0 | dsrm
The DSQUERY utility comes with the Windows Server 2003 Support Tools package (Adminpak.msi) which can be installed directly from your Windows Server 2003 installation media or downloaded from the Microsoft website.
The standard disclaimer applies to this as to when you delete anything in Active Directory. You should always check the list of computers to be deleted twice before you perform that action. Just because your CEO hasn’t logged into his laptop in a couple of months doesn’t mean he won’t in the near future, and he may not be too happy to find he no longer has network access!
***
Chris Sanders is the network administrator for one of the largest public school systems in the state of Kentucky. Chris’s specialties include general network administration, windows server 2003, wireless networking, and security. You can view Chris’ personal website at www.chrissanders.org.
