1 26th July 13:02
mutsa
External User
 
Posts: 1
Default Auto Delete from AD



Does anyone know if there is an automatic way to scavenge and delete the
accounts of machines that have been taken permanently off-line but have not
been cleanly removed from the domain?

For example, a machine is built using RIS, which will automatically add that
client to AD. After that the user removes the machine from the network to
make it stand-alone, but does not inform me. I would like that machine's
account to be either deleted automatically from AD after a set period of
time of say 60 days or disabled somehow.

Is this possible, and can anyone help?

MMMSD
2 26th July 13:02
mark gamache
External User
 
Posts: 1
Default Auto Delete from AD



Try

dsquery computer forestroot -o dn -scope subtree

It will let you find inactive machine accounts based on time inactive. You
can use it to pipe to a batch script or the like and use NET COMPUTER
\\computername /DEL to make them go away.

Dsquery
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/dsquery.asp

Cheers,

Mark Gamache
3 26th July 13:02
mutsa
External User
 
Posts: 1
Default Auto Delete from AD


There are two ways to answer this question. One is to upgrade to W2K3 and
use the DS** commands

Or

Use a joeware tool that does a similar sort of thing.

Thank you for your help
4 3rd August 11:38
zunquan wang [msft]
External User
 
Posts: 1
Default Auto Delete from AD


What you can do is to have some sort of script that scans AD regularly for
such computer accounts by leveraging the pwdLastSet attribute. It basically
identifies stale computer accounts based on the number of days since the
computer account has logged on to the domain. Or you can use the lastLogon
attribute. Because the lastLogon attribute is not replicated, every Domain
Controller in the domain must be queried to find the latest lastLogon date
for each computer.

I would recommend simply disabling the identified accounts for a period of
time prior to deletion. This would give you a pre-determined window of time
for improperly identified machines to be re-enabled.

Zunquan Wang [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
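The two-stage clean-up described in the reply above (judge staleness from pwdLastSet or the newest lastLogon seen on any domain controller, disable first, delete only after a grace window), as an added example that is not code from any poster in this thread. It works on attribute values already exported from each DC; the 30-day grace window, the record layout and the machine names are assumptions.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
STALE = timedelta(days=60)   # threshold from the original question
GRACE = timedelta(days=30)   # assumed disable-before-delete window

def filetime_to_dt(ft):
    """AD stores pwdLastSet/lastLogon as 100-ns ticks since 1601-01-01 UTC; 0 means never."""
    return EPOCH_1601 + timedelta(microseconds=int(ft) // 10) if ft else None

def last_activity(per_dc):
    """pwdLastSet replicates, lastLogon does not: take the newest value reported by any DC."""
    stamps = [filetime_to_dt(rec.get(attr, 0))
              for rec in per_dc for attr in ("pwdLastSet", "lastLogon")]
    return max((s for s in stamps if s), default=None)

def plan(computers, now):
    """Map each computer name to keep, review, disable, wait or delete."""
    actions = {}
    for name, info in computers.items():
        seen = last_activity(info["per_dc"])
        if seen is None:
            actions[name] = "review"    # no timestamps at all (e.g. pre-staged): human decides
        elif now - seen < STALE:
            actions[name] = "keep"
        elif info.get("disabled_on") is None:
            actions[name] = "disable"   # stage 1, reversible
        elif now - info["disabled_on"] >= GRACE:
            actions[name] = "delete"    # stage 2, only after the grace window
        else:
            actions[name] = "wait"      # disabled, grace window still open
    return actions

NOW = datetime(2006, 8, 3, tzinfo=timezone.utc)
def ago(days):  # FILETIME value for "days" before NOW, used to build the sample
    return (NOW - timedelta(days=days) - EPOCH_1601) // timedelta(microseconds=1) * 10

# Constructed sample: one attribute record per domain controller for each account.
SAMPLE = {
    "WS-ROAMING": {"per_dc": [{"pwdLastSet": ago(90), "lastLogon": ago(200)},
                              {"pwdLastSet": ago(90), "lastLogon": ago(5)}]},
    "WS-GONE":    {"per_dc": [{"pwdLastSet": ago(120), "lastLogon": ago(118)}]},
    "WS-PARKED":  {"per_dc": [{"pwdLastSet": ago(150)}], "disabled_on": NOW - timedelta(days=45)},
    "WS-RECENT":  {"per_dc": [{"pwdLastSet": ago(100)}], "disabled_on": NOW - timedelta(days=10)},
    "WS-STAGED":  {"per_dc": [{"pwdLastSet": 0, "lastLogon": 0}]},
}

if __name__ == "__main__":
    for name, action in plan(SAMPLE, NOW).items():
        print(f"{name:12} {action}")
```

WS-ROAMING is kept only because the second DC's lastLogon is consulted; with the first DC's record alone it would be queued for disabling.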
5 3rd August 11:39
joe richards [mvp]
External User
 
Posts: 1
Default Auto Delete from AD


http://www.joeware.net/win/free/tools/oldcmp.htm

--
Joe Richards Microsoft MVP Windows Server Directory Services
http://www.joeware.net
Copyright © 2006 SmartyDevil.com