none
Active Directory / Delete Computer Accounts RRS feed

  • Question

  • We have AD on Windows Server 2008 and have about over 2000 computers in various locations.
     I want to remove stale computers from my AD list, but want to know what the consequences would be if the computer is still active.
    In our list we have some computers that I cant ping or manage with SCCM. Since I cant ping or contact with other tools, I am thinking that the system is no longer online. So to clean up our AD and SCCM, I want to remove the computer account from AD. Although, we do have users that only come in at night or out of the the office for weeks, (We ask that they do not turn off their machines but we not enforced) so this why I ask about the consequences of removing them.

    Thanks,
    CardinalsTX
    Wednesday, August 12, 2009 7:44 PM

Answers

  • Computer accounts log on to the domain and increment the lastLogonTimestamp attribute.  You can query the value of this attribute across all computers in the domain to determine those which are no longer in use.  You can build your own query to do this, but there are tools available that can do this for you.  Have a look at Oldmp from www.joeware.net.

    Tony
    Wednesday, August 12, 2009 8:07 PM
  • Hi,

    As Tony explained, it’s suggested to use the lastLogonTimestamp attribute to determine unused computers. Here are some scripts to query AD computer, you may modify them based on your requirement.

    Computers
    http://www.microsoft.com/technet/scriptcenter/scripts/ad/default.mspx?mfr=true

    If you would like to further customize these scripts, I suggest that you initial a new post in The Official Scripting Guys Forum! to get further support there. They are the best resource for scripting related problems.

    For your convenience, I have list the link as followed.

    The Official Scripting Guys Forum!
    http://social.microsoft.com/Forums/en-US/ITCG/thread/34ed6cba-7698-4aa8-b13c-8693081296ef

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, August 13, 2009 7:56 AM
    Moderator

All replies

  • Computer accounts log on to the domain and increment the lastLogonTimestamp attribute.  You can query the value of this attribute across all computers in the domain to determine those which are no longer in use.  You can build your own query to do this, but there are tools available that can do this for you.  Have a look at Oldmp from www.joeware.net.

    Tony
    Wednesday, August 12, 2009 8:07 PM
  • Hi,

    As Tony explained, it’s suggested to use the lastLogonTimestamp attribute to determine unused computers. Here are some scripts to query AD computer, you may modify them based on your requirement.

    Computers
    http://www.microsoft.com/technet/scriptcenter/scripts/ad/default.mspx?mfr=true

    If you would like to further customize these scripts, I suggest that you initial a new post in The Official Scripting Guys Forum! to get further support there. They are the best resource for scripting related problems.

    For your convenience, I have list the link as followed.

    The Official Scripting Guys Forum!
    http://social.microsoft.com/Forums/en-US/ITCG/thread/34ed6cba-7698-4aa8-b13c-8693081296ef

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, August 13, 2009 7:56 AM
    Moderator
  • Thanks Tony & Mervyn. I have looked at Oldmp and will look further into it. I will also look at the scripts that Mervyn has suggested.
    I just created an OU for 'Bad' computers and then run your sggestions against only the computers in question to hopefully clean up AD and SCCM.

    Thanks again,
    CardinalsTX
    Thursday, August 13, 2009 5:39 PM