
We have a moderately sized AD installation with approx 1000 employees and maybe 1800 valid computer accounts (servers, PCs, virtuals). Because we replace desktop hardware on a 3-4 yr cycle, cleaning up old computer accounts is a necessary task that usually gets put off. We currently have 3200 accounts! We have a robust process in place for identifying unused user accounts and disabling/deleting them, but nothing in place for computer accounts.

We know about tools like oldcomp, powershell, etc and we even have a windows batch script which uses dsquery and dsrm to handle this, but we've not actually production-alized anything.

My question is simple - What process do you use to clean up these accounts?

uSlackr

2 Answers


PowerShell + dsquery. Really. Very short pipeline, runs fast. Use DSQuery to generate a list of computer accounts that haven't logged in in $days, run it through whatever exception list we have going, then send the output through dsrm. Works a treat, and we can even create a log-file showing which machines got deleted when.

sysadmin1138
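The dsquery -> exception list -> dsrm pipeline this answer describes, written out as a PowerShell script. This is an added example, not the answerer's own script; the inactivity threshold, the exception-list and log paths, and the dry-run switch are assumptions.

```powershell
# Added example of the dsquery/dsrm cleanup pipeline described in the answer above.
# Assumptions (not from the original post): threshold, file paths and the $WhatIf
# dry-run switch are placeholders you set for your own environment.

$InactiveWeeks = 12                               # dsquery -inactive counts in weeks
$ExceptionFile = 'C:\ADCleanup\exceptions.txt'    # assumed path: one computer DN per line
$LogFile       = 'C:\ADCleanup\deleted.log'       # assumed path
$WhatIf        = $true                            # set to $false to really delete

function Write-CleanupLog([string]$Message) {
    $line = "{0} {1}" -f (Get-Date).ToString('s'), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Exception list: DNs that must never be deleted (cluster CNOs, appliances, etc.).
# Quotes are stripped so entries pasted straight from dsquery output still match.
$exceptions = @()
if (Test-Path $ExceptionFile) {
    $exceptions = Get-Content $ExceptionFile |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ }
}

# dsquery prints quoted DNs, one per line; -limit 0 lifts the default 100-row cap.
# -inactive is evaluated from lastLogonTimestamp, which replicates lazily (see note).
$stale = dsquery computer -inactive $InactiveWeeks -limit 0 |
    ForEach-Object { $_.Trim().Trim('"') } |
    Where-Object { $_ -and ($exceptions -notcontains $_) }   # -notcontains is case-insensitive

Write-CleanupLog ("Found {0} computer accounts inactive for {1}+ weeks" -f @($stale).Count, $InactiveWeeks)

foreach ($dn in $stale) {
    if ($WhatIf) {
        Write-CleanupLog "WOULD DELETE $dn"
        continue
    }
    # -noprompt suppresses dsrm's interactive confirmation so the job can be scheduled.
    dsrm "$dn" -noprompt | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-CleanupLog "DELETED $dn"
    } else {
        Write-CleanupLog "FAILED (exit $LASTEXITCODE) $dn"
    }
}
```

Run it with `$WhatIf = $true` first and read the log: `-inactive` keys off lastLogonTimestamp, which a DC only rewrites when the stored value is more than about 14 days old, so a machine can appear up to two weeks "older" than it really is and a threshold of a few weeks is too tight. Cluster name objects and appliances that authenticate rarely belong on the exception list before the first real run.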

My initial thought would be to not put disabling computer accounts on the back burner, if that then raises concerns later. Simply make it a procedure to disable computer accounts (and move them to an Unused Comps OU, for example).

Furthermore, we still do check AD, and apart from PowerShell we use ADtidy, a simple but very effective tool (http://www.cjwdev.co.uk/Software/ADTidy/Info.html). We run this manually, but we have a reminder in our shared calendar so that this task gets done on a regular basis (every 4 months is OK for us).

redknight
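The disable-and-move procedure this answer recommends, as an added example using the ActiveDirectory PowerShell module rather than ADtidy. It is not the answerer's script; the holding OU's DN and the 120-day threshold (roughly the "every 4 months" cadence) are assumptions, and it adds a pwdLastSet cross-check that the answer itself does not mention.

```powershell
# Added example: disable stale computer accounts and park them in a holding OU.
# Assumptions (not from the original post): the OU DN, the 120-day threshold and
# the $WhatIf dry-run switch are placeholders for your own environment.
Import-Module ActiveDirectory

$Threshold = New-TimeSpan -Days 120
$HoldingOU = 'OU=Unused Comps,DC=example,DC=com'   # assumed DN; create the OU first
$WhatIf    = $true                                 # set to $false to apply changes

# Search-ADAccount evaluates lastLogonTimestamp, which replicates with up to ~14 days
# of lag, so "inactive" here really means "no logon stamped in the last 120+ days".
$stale = Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan $Threshold |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$HoldingOU" }

foreach ($c in $stale) {
    $acct = Get-ADComputer -Identity $c.DistinguishedName -Properties Description, PasswordLastSet

    # Cross-check: a domain-joined machine rotates its password every 30 days by default.
    # A recent PasswordLastSet means the box is alive even if no logon was stamped.
    if ($acct.PasswordLastSet -and $acct.PasswordLastSet -gt (Get-Date).Subtract($Threshold)) {
        Write-Host "SKIP $($acct.Name): password changed $($acct.PasswordLastSet), still in use"
        continue
    }

    # Record why and when it was disabled in the object itself, so the reason
    # survives in AD even if the cleanup log is lost.
    $note = "Disabled {0} by stale-account cleanup (inactive > {1} days)" -f `
        (Get-Date -Format 'yyyy-MM-dd'), $Threshold.Days

    if ($WhatIf) {
        Write-Host "WOULD disable and move $($acct.DistinguishedName)"
        continue
    }
    Set-ADComputer  -Identity $acct -Description $note
    Disable-ADAccount -Identity $acct
    Move-ADObject   -Identity $acct -TargetPath $HoldingOU   # DN changes after this call
    Write-Host "Disabled and moved $($acct.Name)"
}
```

Disabling first and deleting later from the holding OU keeps the SID and the object intact, so a machine that turns out to be alive (a laptop that was off the network for a term, a rarely booted lab box) can simply be re-enabled and moved back instead of re-joined. Run with `$WhatIf = $true` until the skip and move lists look right.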