Pruning Old Computer Accounts in AD

In large organizations, keeping Active Directory clear of inactive computer accounts can be a daunting task. With the dsquery command we can easily find every computer in the directory that has not logged on within a given interval. The -inactive switch takes its value in weeks, so the following command finds all computers in Active Directory that have not logged on during the past 8 weeks:

dsquery computer -inactive 8 -limit 0

After reviewing this list to make sure these computers no longer exist on your network, you can use the following command to find and delete them:

dsquery computer -inactive 8 -limit 0 | dsrm -noprompt

The DSQUERY utility comes with the Windows Server 2003 Support Tools package Adminpak.msi, which can be installed directly from your Windows Server 2003 installation media or downloaded from the Microsoft website. The standard caution applies here, as it does whenever you delete anything in Active Directory: always check the list of computers to be deleted twice before you perform that action. Just because your CEO hasn’t logged into his laptop in a couple of months doesn’t mean he won’t in the near future, and he may not be too happy to find he no longer has network access!
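One way to build that review step into the procedure, as an added example that is not part of the original post: the query result is saved to a file, the accounts in the reviewed file are disabled first (reversible), and the delete later acts on that same file rather than on a fresh query. The script name prune.cmd, the file name inactive-computers.txt and the use of dsmod are assumptions of this example.

```bat
@echo off
rem Staged cleanup of inactive computer accounts (added example).
rem Usage: prune.cmd list ^| disable ^| delete
rem WEEKS and LIST are assumptions; change them to suit your environment.
setlocal
set WEEKS=8
set LIST=inactive-computers.txt

if /i "%~1"=="list"    goto :list
if /i "%~1"=="disable" goto :disable
if /i "%~1"=="delete"  goto :delete
echo Usage: %~nx0 list ^| disable ^| delete
exit /b 1

:list
rem Write the candidate DNs (one quoted DN per line) to a file for review.
dsquery computer -inactive %WEEKS% -limit 0 > "%LIST%"
echo Wrote candidates to %LIST%. Remove every line for a machine that must be kept.
exit /b 0

:disable
rem Reversible step: disable exactly the accounts left in the reviewed file.
rem dsmod reads the target DNs from standard input; -c continues past errors.
if not exist "%LIST%" (echo Run "%~nx0 list" first. & exit /b 1)
type "%LIST%" | dsmod computer -disabled yes -c
exit /b %errorlevel%

:delete
rem Final step: delete the same reviewed list, not a new query result,
rem so nothing is removed that was not in the file you checked.
if not exist "%LIST%" (echo Run "%~nx0 list" first. & exit /b 1)
type "%LIST%" | dsrm -noprompt -c
exit /b %errorlevel%
```

Leaving a waiting period between the disable and delete runs gives the owner of a wrongly listed machine time to report the problem, and the account can be restored with dsmod computer -disabled no.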

This appears to work out of the box on Server 2008 R2.

via Pruning Old Computer Accounts in AD.
Updated by NetGuy.org
