Inactive Computer Accounts

    Question

  • Hi

    I don't have Quest Active Directory plugins installed on Windows 2008 and have not really had a chance to look at PowerShell. Right, I have run the DSquery computer -inactive -limit 0 > c:\inactive.txt

    Also I have run DSquery computer -limit 0 > c:\active.txt. Well, when I search through active I find old machines that have not been active for a while. Hmmm, what attributes is this command targeting?

    Yes, I know it's most probably been asked and people will post scripts, but I am trying to understand why this command is not working as it should.

    Cheers in advance for the help

    Monday, January 21, 2013 3:00 PM

All replies

  • Try it.

    Dsquery computer -inactive 4 -limit 0 >c:\list.txt

    4 stands for 4 weeks.


    HTH
    Biswajit Biswas
    My Blogs |MCC |TNWiki Ninja

    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Monday, January 21, 2013 3:11 PM
  • Delete Stale or Inactive Computer Accounts from Active Directory
    http://portal.sivarajan.com/2010/03/delete-stale-or-inactive-computer.html

    dsquery computer forestroot -inactive <NumWeeks>
    dsquery computer -inactive 8 -limit 3000
    This command returns all stale computer accounts from the Active Directory domain that have not been 'seen' by the domain controllers for a period of 8 weeks.

    Joe Richards makes oldcmp, which is really great (works for users and computers): http://www.joeware.net/freetools/tools/oldcmp/

    Other good methods are using ADTidy (free GUI tool):
    http://www.cjwdev.co.uk/Software/ADTidy/Info.html


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, January 21, 2013 3:20 PM
  • Hi, sorry, I have been using -inactive 12 (also tried 8 and 4); the command was just a typo. My apologies. The DS I am looking at has not been cleaned up in a while and I think we have computer accounts that may have been created in Windows 2000 DS, but I am guessing.

    So the question I have is what attributes does the above command target.

    Monday, January 21, 2013 3:47 PM
  • With PowerShell this can be done easily as well.  Windows 2008 R2 domain controllers support their own PowerShell cmdlets, and you can update 2003 and 2008 to support the same with this: http://www.microsoft.com/en-us/download/details.aspx?id=2852.  The cmdlet which supports this type of search is Search-ADAccount -inactive.

    If you don't want to mess with updating <2008 R2 domain controllers, you can also use the free Quest (now Dell) PS snap-ins.  In this case, the cmdlet would be similar: Get-QADComputer -inactive.

    I suggest ditching dsquery and learning PowerShell.  It's very easy to learn and has been Microsoft's recommended scripting language for over 5 years now.



    Mike Crowley | MVP
    My Blog -- Planet Technologies

    Monday, January 21, 2013 3:53 PM
  • Scripting for Computer Accounts and Last Logon
    http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/eeb2ad35-7e89-4354-9e8c-7cc7d62c0f0b/

    “The LastLogonTimeStamp Attribute” – “What it was designed for and how it works”
    http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, January 21, 2013 4:00 PM
  • The -inactive parameter of dsquery computer is based on the lastLogonTimeStamp attribute. It is only supported if the domain functional level is Windows Server 2003 or above (so the lastLogonTimeStamp attribute is available). The -stalepwd parameter is based on the pwdLastSet attribute.

    I recommend using Joe Richards' free oldcmp utility:

    http://www.joeware.net/freetools/tools/oldcmp/index.htm


    Richard Mueller - MVP Directory Services

    Monday, January 21, 2013 5:04 PM
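
The two attributes named in the reply above (lastLogonTimeStamp for -inactive, pwdLastSet for -stalepwd) can be queried directly over LDAP without the AD module or the Quest snap-ins. The following is an added example, not code from any poster in this thread; the thresholds and the output path C:\inactive-computers.csv are assumptions. It also lists accounts that have no lastLogonTimeStamp value at all, which a simple "older than N weeks" comparison cannot match.

```powershell
# Added example: report-only listing of stale computer accounts (no changes made).
$InactiveWeeks = 12   # assumed threshold, same idea as dsquery -inactive
$StalePwdDays  = 45   # assumed threshold, same idea as dsquery -stalepwd

# lastLogonTimestamp and pwdLastSet are FILETIME values (100 ns ticks since 1601 UTC).
$logonCutoff = (Get-Date).AddDays(-7 * $InactiveWeeks).ToFileTimeUtc()
$pwdCutoff   = (Get-Date).ToUniversalTime().AddDays(-$StalePwdDays)

# Match computers whose lastLogonTimestamp is old OR absent. A "<=" test alone
# never matches objects that lack the attribute.
$filter = "(&(objectCategory=computer)" +
          "(|(lastLogonTimestamp<=$logonCutoff)(!(lastLogonTimestamp=*))))"

$searcher = New-Object System.DirectoryServices.DirectorySearcher   # current domain
$searcher.Filter   = $filter
$searcher.PageSize = 1000   # page the results instead of stopping at the server limit
foreach ($p in 'name', 'lastLogonTimestamp', 'pwdLastSet', 'whenCreated') {
    [void]$searcher.PropertiesToLoad.Add($p)
}

function ConvertFrom-FileTimeValue($values) {
    # Returns $null when the attribute is absent or 0 (never set).
    if (-not $values) { return $null }
    $ticks = [int64]$values[0]
    if ($ticks -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($ticks)
}

$report = foreach ($r in $searcher.FindAll()) {
    $logon  = ConvertFrom-FileTimeValue ($r.Properties['lastlogontimestamp'])
    $pwdSet = ConvertFrom-FileTimeValue ($r.Properties['pwdlastset'])
    New-Object PSObject -Property @{
        Name               = [string]$r.Properties['name'][0]
        LastLogonTimestamp = $logon      # empty = attribute never written
        PwdLastSet         = $pwdSet
        WhenCreated        = $r.Properties['whencreated'][0]
        # True when the machine password is also older than the second threshold.
        StalePassword      = (-not $pwdSet) -or ($pwdSet -lt $pwdCutoff)
    }
}

$report | Sort-Object Name |
    Select-Object Name, LastLogonTimestamp, PwdLastSet, WhenCreated, StalePassword |
    Export-Csv C:\inactive-computers.csv -NoTypeInformation
```

With default settings lastLogonTimeStamp is only refreshed when the stored value is roughly 9 to 14 days old, so thresholds shorter than about two weeks are not meaningful. Accounts where both the logon and the password signal are stale are the stronger candidates for review.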
  • Hi, thanks for all the help. Yes, I do need to get my head round PowerShell; it's just so like programming and I hated that at college. Mike, any resources you recommend to get me off and running?

    Also found a script that could help me a lot, I just cannot figure out how it works. The person who posted it said that it was lacking being able to output to a CSV file. But if I run this in PowerShell I do get an error, so I think I am either doing something wrong or there is a fault with the script. I think I am doing something wrong, if honest. (I miss DOS) lol

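    $strCategory = "computer"
     
    # Bind to the current domain and search it for computer objects.
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry
     
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.Filter = ("(objectCategory=$strCategory)")
    $objSearcher.PageSize = 1000   # without paging, FindAll() stops at the server limit (1000 by default)
     
    $colProplist = "name"
    foreach ($i in $colPropList){[void]$objSearcher.PropertiesToLoad.Add($i)}
     
    $colResults = $objSearcher.FindAll()
     
    # Print each computer name (this does not write C:\Myscripts\Computers.txt).
    foreach ($objResult in $colResults)
        {$objComputer = $objResult.Properties; $objComputer.name}
     
    # Keep only the names listed in Computers.txt that answer a ping.
    gc C:\Myscripts\Computers.txt |?{ (gwmi Win32_PingStatus -Filter "Address='$_'").StatusCode -eq 0 } | out-file C:\Myscripts\Pingable2.txt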
     
    $erroractionpreference = "SilentlyContinue"
     
    $a = New-Object -comobject Excel.Application
    $a.visible = $True
     
    $b = $a.Workbooks.Add()
    $c = $b.Worksheets.Item(1)
     
    $c.Cells.Item(1,1) = "Organization"
    $c.Cells.Item(1,2) = "Server Name"
    $c.Cells.Item(1,3) = "Operating System"
    #$c.Cells.Item(1,4) = "IP Address"
    $c.Cells.Item(1,4) = "Service Packs"
    $c.Cells.Item(1,5) = "System Type"
    $c.Cells.Item(1,6) = "Install Date"
    $c.Cells.Item(1,7) = "Manufacturer"
    $c.Cells.Item(1,8) = "Model"
    $c.Cells.Item(1,9) = "Service Tag"
    $c.Cells.Item(1,10) = "Serial Number"
    $c.Cells.Item(1,11) = "Number of Processors"
    $c.Cells.Item(1,12) = "Total Phsyical Memory (GB)"
    $c.Cells.Item(1,13) = "Last Reboot Time"
    $c.Cells.Item(1,14) = "Report Time Stamp"
     
    $d = $c.UsedRange
    $d.Interior.ColorIndex = 19
    $d.Font.ColorIndex = 11
    $d.Font.Bold = $True
     
    $intRow = 2
     
    $colComputers = get-content C:\MyScripts\pingable2.txt
    foreach ($strComputer in $colComputers)
    {
    $OS = get-wmiobject Win32_OperatingSystem -computername $strComputer
    $Computer = get-wmiobject Win32_computerSystem -computername $strComputer
    $Bios =get-wmiobject win32_bios -computername $strComputer
     
    $c.Cells.Item($intRow,1) = $OS.Organization
    $c.Cells.Item($intRow,2) = $strComputer.Toupper()
    $c.Cells.Item($intRow,3) = $OS.Caption
    #$c.Cells.Item($intRow,4) = $IP.IPaddress[0]
    $c.Cells.Item($intRow,4) = $OS.CSDVersion
    $c.Cells.Item($intRow,5) = $Computer.SystemType
    $c.Cells.Item($intRow,6) = [System.Management.ManagementDateTimeconverter]::ToDateTime($OS.InstallDate)
    $c.Cells.Item($intRow,7) = $Computer.Manufacturer
    $c.Cells.Item($intRow,8) = $Computer.Model
    $c.Cells.Item($intRow,9) = $Bios.serialnumber
    $c.Cells.Item($intRow,10) = $OS.SerialNumber
    $c.Cells.Item($intRow,11) = $Computer.NumberOfProcessors
    $c.Cells.Item($intRow,12) = "{0:N0}" -f ($computer.TotalPhysicalMemory/1GB)
    $c.Cells.Item($intRow,13) = [System.Management.ManagementDateTimeconverter]::ToDateTime($OS.LastBootUpTime)
     
     
     
    $c.Cells.Item($intRow,14) = Get-date
     
    $intRow = $intRow + 1
    }
    $d.EntireColumn.AutoFit()

    Tuesday, January 22, 2013 9:19 AM
  • I flunked programming in school too, but it wasn't the right time in my life.  I was much more interested in, uh, other things!  I think you'll find PowerShell very welcoming and easy to pick up.  It does most of the work for you, and is a higher level than even what you've just pasted here.  Microsoft is using PowerShell everywhere, and even 3rd parties (e.g. VMware) have support for it.  It's becoming an essential skill.

    To learn more, I'd start by understanding what commands (cmdlets) exist for a given topic.  Once you know what things like "get-process" or "get-adcomputer" do, you can then think of ways to string them together.  CBT Nuggets makes a nice PowerShell video series, which I found helpful as well.

    Tuesday, January 22, 2013 1:50 PM
  • I was alright with programming and I really enjoyed scripting in DOS. But this PowerShell is programming and I am finding it complicated to grasp. I have navigated to the directory and then ran the .PS1 file and it comes back with a cmdlet error. So I came across something that said to run it by putting .\ in front of it, so I have, and that seems to be moving on. But the file doesn't seem to do anything; I have run it and it sits there. I give in!!!!

    Tuesday, January 22, 2013 3:08 PM
  • Hi,

    Since some error occurred while running the script and PowerShell, I suggest we could ask in the script and PowerShell forum. We will get a better assistance there.

    The Official Scripting Guys Forum!

    http://social.technet.microsoft.com/Forums/en-US/ITCG/threads

    Windows PowerShell

    http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/threads

    Best Regards,

    Andy Qi


    Andy Qi
    TechNet Community Support

    Wednesday, January 23, 2013 7:13 AM
    Moderator
  • Hi,

    you can also try this tool:

    http://www.cjwdev.co.uk/Software/ADTidy/Info.html


    Kind regards,

    Tim
    MCITP, MCTS
    http://directoryadmin.blogspot.com

    This posting is provided 'AS IS' with no warranties or guarantees and confers no rights.

    "If this thread answered your question, please click on "Mark as Answer"

    Wednesday, January 23, 2013 7:48 AM
  • As Richard mentioned, have you looked at the freeware tool from Joe Richards called oldcmp.exe?  I use this all the time and so do thousands of others.  This is the perfect tool for you and you can set it to just show you without doing anything, or there are all kinds of options, such as move but don't disable, disable, delete, only delete the first 25, etc...

    I strongly recommend you consider using this tool.

    -- 
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, January 23, 2013 1:07 PM
    Moderator
  • Can see good responses for inactive computers. Richard put great input. Also, I have mentioned a VBS which will update the "description" field with the last logged on user. You can push it via GPO (user settings).

    If you query the "description" field update date, you will get the computer's last online date & time.

    On Error Resume Next
     
    Set objWSHShell = CreateObject("Wscript.Shell")
     Set objADSysInfo = CreateObject("ADSystemInfo")
     
    StruserPath = "LDAP://" & objADSysInfo.UserName
     set objuser = GetObject (StruserPath)
     strDisplayname = objuser.CN
     
    'To determine the OU could be more complex. If the client
      'is W2k or XP, use ADSystemInfo to get both user and
      'computer DistinguishedName, which includes the OU
      'information.
      
      Dim sDNSDomain, oTrans, sNetBiosDomain, sAdsPath, sComputer, oUser
      Dim WshNetwork : Set WshNetwork = WScript.CreateObject("WScript.Network")
      
      ' Determine DNS domain name from RootDSE object.
      Dim oRoot : Set oRoot = GetObject("LDAP://RootDSE")
      sDNSDomain = oRoot.Get("DefaultNamingContext")
      ' Use the NameTranslate object to find the NetBIOS
      ' domain name from the DNS domain name.
      Set oTrans = CreateObject("NameTranslate")
      oTrans.Init 3, sDNSDomain
      oTrans.Set 1, sDNSDomain
      sNetBIOSDomain = oTrans.Get(3)
      
      ' Use NameTranslate to convert the NT user name to the
      ' DistinguishedName required for the LDAP provider.
      sNTName = WshNetwork.UserName ' logged-on user's NT name (was never assigned)
      oTrans.Init 1, Left(sNetBIOSDomain, _
        Len(sNetBIOSDomain) - 1)
      oTrans.Set 3, sNetBIOSDomain & sNTName
      sAdsPath = oTrans.Get(1)
      
      ' Bind to the user object in AD with the LDAP provider.
      Set oUser = GetObject("LDAP://" & sAdsPath)
      
      ' Use NameTranslate to convert the NT name of the computer
      ' to the DistinguishedName required by LDAP.
      ' Computer names must end with "$".
      'sComputer = InputBox("Please enter ComputerName, hit enter if Local PC.","Enter PC Name", "Local")'
      'If ucase(sComputer) = "LOCAL" then
          sComputer = WshNetwork.ComputerName
      'ElseIf IsEmpty(sComputer) Then
      '    Msgbox "Cancel Clicked, Quitting Script"
      '    wscript.Quit
      'End If
      
      oTrans.Set 3, sNetBIOSDomain & sComputer & "$"
      sAdsPath = oTrans.Get(1)
      
      ' Bind to the computer object in AD with the LDAP provider.
      Set oComputer = GetObject("LDAP://" & sAdsPath) 
      'Should be able to add objComputer.DeleteObject (0) here to delete the PC.
     
    Set objComputer = GetObject _ 
        ("LDAP://" & sAdsPath)
     
    objComputer.Put "Description" , strdisplayName
     objComputer.SetInfo

    You can use the command below to find the "description" field update date. You can also use a for loop for multiple computers.
    C:\>repadmin /showobjmeta KOL-LDS01 "CN=KOL-LDS01,OU=Domain Controllers,DC=contoso,DC=com"


    HTH
    Biswajit Biswas
    My Blogs |MCC |TNWiki Ninja

    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin




    • Edited by bshwjt Sunday, January 27, 2013 1:57 AM
    Thursday, January 24, 2013 4:09 AM
  • Use the following command:

    dsquery computer -stalepwd 45

    You know each computer must update its own computer account every 30 days. This command shows you which computer accounts did not try to change the password in the last 45 days; that means they must be inactive.

    Saturday, June 18, 2016 7:51 AM