Weeding out old computers from AD using the 'modified' date

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I'm trying to get rid of old computer objects from my OU. I have approx 100+
machines that no longer exist but don't have a list of which ones to delete.
I want to use the 'modified' field but I first need to know what it takes
for this field to be updated, so I dont disable any active machines.
13 answers Last reply
More about weeding computers modified date
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    One way to go about this is to see when the machines last had their secure
    channel password changed. By default the secure channel password is changed
    every 7 days. As a rule of thumb, if the password has not changed in over 60
    days, then you have a pretty good idea that the machines no longer exist.

    You can use a free utility called netpwage - here is a link that explains it..
    http://www.jsifaq.com/SUBH/tip3900/rh3988.htm

    Hope this helps.

    Jason Silva


    "spr" wrote:

    > I'm trying to get rid of old computer objects from my OU. I have approx 100+
    > machines that no longer exist but don't have a list of which ones to delete.
    > I want to use the 'modified' field but I first need to know what it takes
    > for this field to be updated, so I dont disable any active machines.
    >
    >
    >
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    easy.

    dsquery computer -inactive x ( x= number of weeks the computer has been
    inactive )

    or, if you like the password change methode or want day granularity, use;

    dsquery computer -stalepwd y (y=number of days since the computer password
    has been changed )

    Since you want to 'prune the deadwood', do it all in one shot and 'disable'
    the computers so they appear in ADU&C with a red X by;

    dsquery computer -stalepwd 60 | dsmod computer -disabled yes

    Then in ADU&C you can delete all the red X computers.

    There is a way to directly delete the computer accounts using dsrm, but I'd
    suggest getting more familiar with the other DSxx tools before using that
    one.

    --
    /kj
    "spr" <jaybruce (take out big space) @hotmail.com> wrote in message
    news:zHCMe.42184$Vk3.38080@fe08.news.easynews.com...
    > I'm trying to get rid of old computer objects from my OU. I have approx
    > 100+ machines that no longer exist but don't have a list of which ones to
    > delete. I want to use the 'modified' field but I first need to know what
    > it takes for this field to be updated, so I dont disable any active
    > machines.
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    That is correct using DSQUERY.

    However, they will only work on a 2000 DC.


    "kj" wrote:

    > easy.
    >
    > dsquery computer -inactive x ( x= number of weeks the computer has been
    > inactive )
    >
    > or, if you like the password change methode or want day granularity, use;
    >
    > dsquery computer -stalepwd y (y=number of days since the computer password
    > has been changed )
    >
    > Since you want to 'prune the deadwood', do it all in one shot and 'disable'
    > the computers so they appear in ADU&C with a red X by;
    >
    > dsquery computer -stalepwd 60 | dsmod computer -disabled yes
    >
    > Then in ADU&C you can delete all the red X computers.
    >
    > There is a way to directly delete the computer accounts using dsrm, but I'd
    > suggest getting more familiar with the other DSxx tools before using that
    > one.
    >
    > --
    > /kj
    > "spr" <jaybruce (take out big space) @hotmail.com> wrote in message
    > news:zHCMe.42184$Vk3.38080@fe08.news.easynews.com...
    > > I'm trying to get rid of old computer objects from my OU. I have approx
    > > 100+ machines that no longer exist but don't have a list of which ones to
    > > delete. I want to use the 'modified' field but I first need to know what
    > > it takes for this field to be updated, so I dont disable any active
    > > machines.
    >
    >
    >
  4. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    oops i had a typo...

    They will only work on 2003 DC's and will not work on 2000 DC's

    "JSilva" wrote:

    > That is correct using DSQUERY.
    >
    > However, they will only work on a 2000 DC.
    >
    >
    > "kj" wrote:
    >
    > > easy.
    > >
    > > dsquery computer -inactive x ( x= number of weeks the computer has been
    > > inactive )
    > >
    > > or, if you like the password change methode or want day granularity, use;
    > >
    > > dsquery computer -stalepwd y (y=number of days since the computer password
    > > has been changed )
    > >
    > > Since you want to 'prune the deadwood', do it all in one shot and 'disable'
    > > the computers so they appear in ADU&C with a red X by;
    > >
    > > dsquery computer -stalepwd 60 | dsmod computer -disabled yes
    > >
    > > Then in ADU&C you can delete all the red X computers.
    > >
    > > There is a way to directly delete the computer accounts using dsrm, but I'd
    > > suggest getting more familiar with the other DSxx tools before using that
    > > one.
    > >
    > > --
    > > /kj
    > > "spr" <jaybruce (take out big space) @hotmail.com> wrote in message
    > > news:zHCMe.42184$Vk3.38080@fe08.news.easynews.com...
    > > > I'm trying to get rid of old computer objects from my OU. I have approx
    > > > 100+ machines that no longer exist but don't have a list of which ones to
    > > > delete. I want to use the 'modified' field but I first need to know what
    > > > it takes for this field to be updated, so I dont disable any active
    > > > machines.
    > >
    > >
    > >
  5. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    2000 DC's with Sp3 or higher as I recall, or 2003 DC's as well. Should have
    added that as a disclaimer though it is a win2000 newsgroup.

    --
    /kj
    "JSilva" <JSilva@discussions.microsoft.com> wrote in message
    news:833D25F2-338E-41FA-88E7-E9D1DE4F54A1@microsoft.com...
    > That is correct using DSQUERY.
    >
    > However, they will only work on a 2000 DC.
    >
    >
    > "kj" wrote:
    >
    >> easy.
    >>
    >> dsquery computer -inactive x ( x= number of weeks the computer has been
    >> inactive )
    >>
    >> or, if you like the password change methode or want day granularity, use;
    >>
    >> dsquery computer -stalepwd y (y=number of days since the computer
    >> password
    >> has been changed )
    >>
    >> Since you want to 'prune the deadwood', do it all in one shot and
    >> 'disable'
    >> the computers so they appear in ADU&C with a red X by;
    >>
    >> dsquery computer -stalepwd 60 | dsmod computer -disabled yes
    >>
    >> Then in ADU&C you can delete all the red X computers.
    >>
    >> There is a way to directly delete the computer accounts using dsrm, but
    >> I'd
    >> suggest getting more familiar with the other DSxx tools before using that
    >> one.
    >>
    >> --
    >> /kj
    >> "spr" <jaybruce (take out big space) @hotmail.com> wrote in message
    >> news:zHCMe.42184$Vk3.38080@fe08.news.easynews.com...
    >> > I'm trying to get rid of old computer objects from my OU. I have approx
    >> > 100+ machines that no longer exist but don't have a list of which ones
    >> > to
    >> > delete. I want to use the 'modified' field but I first need to know
    >> > what
    >> > it takes for this field to be updated, so I dont disable any active
    >> > machines.
    >>
    >>
    >>
  6. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    2000 SP3 or later Dc's

    http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;325465


    --
    /kj
    "JSilva" <JSilva@discussions.microsoft.com> wrote in message
    news:D5C6FEDB-D143-48C7-8DE6-31BCAC8AD1BF@microsoft.com...
    > oops i had a typo...
    >
    > They will only work on 2003 DC's and will not work on 2000 DC's
    >
    > "JSilva" wrote:
    >
    >> That is correct using DSQUERY.
    >>
    >> However, they will only work on a 2000 DC.
    >>
    >>
    >> "kj" wrote:
    >>
    >> > easy.
    >> >
    >> > dsquery computer -inactive x ( x= number of weeks the computer has
    >> > been
    >> > inactive )
    >> >
    >> > or, if you like the password change methode or want day granularity,
    >> > use;
    >> >
    >> > dsquery computer -stalepwd y (y=number of days since the computer
    >> > password
    >> > has been changed )
    >> >
    >> > Since you want to 'prune the deadwood', do it all in one shot and
    >> > 'disable'
    >> > the computers so they appear in ADU&C with a red X by;
    >> >
    >> > dsquery computer -stalepwd 60 | dsmod computer -disabled yes
    >> >
    >> > Then in ADU&C you can delete all the red X computers.
    >> >
    >> > There is a way to directly delete the computer accounts using dsrm, but
    >> > I'd
    >> > suggest getting more familiar with the other DSxx tools before using
    >> > that
    >> > one.
    >> >
    >> > --
    >> > /kj
    >> > "spr" <jaybruce (take out big space) @hotmail.com> wrote in message
    >> > news:zHCMe.42184$Vk3.38080@fe08.news.easynews.com...
    >> > > I'm trying to get rid of old computer objects from my OU. I have
    >> > > approx
    >> > > 100+ machines that no longer exist but don't have a list of which
    >> > > ones to
    >> > > delete. I want to use the 'modified' field but I first need to know
    >> > > what
    >> > > it takes for this field to be updated, so I dont disable any active
    >> > > machines.
    >> >
    >> >
    >> >
  7. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    oh, and licensing compliance requires purchase of at least one 2003 server
    license to use the dsxx tools and other win2003 admin tools. I'm not sure if
    web edition qualifies or not - I'd guess no.

    --
    /kj
    "kj" <kj@nowhere.com> wrote in message
    news:%23ydctt1oFHA.2152@TK2MSFTNGP14.phx.gbl...
    > 2000 SP3 or later Dc's
    >
    > http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;325465
    >
    >
    > --
    > /kj
    > "JSilva" <JSilva@discussions.microsoft.com> wrote in message
    > news:D5C6FEDB-D143-48C7-8DE6-31BCAC8AD1BF@microsoft.com...
    >> oops i had a typo...
    >>
    >> They will only work on 2003 DC's and will not work on 2000 DC's
    >>
    >> "JSilva" wrote:
    >>
    >>> That is correct using DSQUERY.
    >>>
    >>> However, they will only work on a 2000 DC.
    >>>
    >>>
    >>> "kj" wrote:
    >>>
    >>> > easy.
    >>> >
    >>> > dsquery computer -inactive x ( x= number of weeks the computer has
    >>> > been
    >>> > inactive )
    >>> >
    >>> > or, if you like the password change methode or want day granularity,
    >>> > use;
    >>> >
    >>> > dsquery computer -stalepwd y (y=number of days since the computer
    >>> > password
    >>> > has been changed )
    >>> >
    >>> > Since you want to 'prune the deadwood', do it all in one shot and
    >>> > 'disable'
    >>> > the computers so they appear in ADU&C with a red X by;
    >>> >
    >>> > dsquery computer -stalepwd 60 | dsmod computer -disabled yes
    >>> >
    >>> > Then in ADU&C you can delete all the red X computers.
    >>> >
    >>> > There is a way to directly delete the computer accounts using dsrm,
    >>> > but I'd
    >>> > suggest getting more familiar with the other DSxx tools before using
    >>> > that
    >>> > one.
    >>> >
    >>> > --
    >>> > /kj
    >>> > "spr" <jaybruce (take out big space) @hotmail.com> wrote in message
    >>> > news:zHCMe.42184$Vk3.38080@fe08.news.easynews.com...
    >>> > > I'm trying to get rid of old computer objects from my OU. I have
    >>> > > approx
    >>> > > 100+ machines that no longer exist but don't have a list of which
    >>> > > ones to
    >>> > > delete. I want to use the 'modified' field but I first need to know
    >>> > > what
    >>> > > it takes for this field to be updated, so I dont disable any active
    >>> > > machines.
    >>> >
    >>> >
    >>> >
    >
    >
  8. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    SPR,

    There is a much, much, much easier way. It is to use an awesome tool called
    'oldcmp' which you can find at http://www.joeware.net. Simply go to his
    Windows Free Tools section and you will find several tools in there - one of
    which is oldcmp. This tool will create an dhtml page that will list all of
    the machines that, by default, have not changed their 'secret' password in
    the last 90 days. You can change that it you like to 35 days, or 105 days -
    or whatever! And there is a lot of security built in to oldcmp. For
    example, you can not delete a computer account object until it has been
    disabled. Thus, there are two different, distinct actions that must be
    taken. This makes it very very difficult to 'accidentally do something
    stupid!

    And in Windows 2000 the default time is 30 days, not seven days. It was
    seven days in WINNT 4.0, however.

    --
    Cary W. Shultz
    Roanoke, VA 24012
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "spr" <jaybruce (take out big space) @hotmail.com> wrote in message
    news:zHCMe.42184$Vk3.38080@fe08.news.easynews.com...
    > I'm trying to get rid of old computer objects from my OU. I have approx
    > 100+ machines that no longer exist but don't have a list of which ones to
    > delete. I want to use the 'modified' field but I first need to know what
    > it takes for this field to be updated, so I dont disable any active
    > machines.
    >
  9. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "JSilva" <JSilva@discussions.microsoft.com> wrote in message
    news:69418FB6-12CB-4149-B11A-8FAE9ED85D6C@microsoft.com...
    > One way to go about this is to see when the machines last had their secure
    > channel password changed. By default the secure channel password is
    > changed
    > every 7 days. As a rule of thumb, if the password has not changed in over
    > 60
    > days, then you have a pretty good idea that the machines no longer exist.
    >
    > You can use a free utility called netpwage - here is a link that explains
    > it..
    > http://www.jsifaq.com/SUBH/tip3900/rh3988.htm
    >
    > Hope this helps.
    >
    > Jason Silva
    >
    Thanks, I tried the program but I can't figure out how to syntax it to only
    scan my OU (a few hundred) instead of my entire forest (thousands+) which I
    will surely hear about if I do a complete scan of.

    >
    > "spr" wrote:
    >
    >> I'm trying to get rid of old computer objects from my OU. I have approx
    >> 100+
    >> machines that no longer exist but don't have a list of which ones to
    >> delete.
    >> I want to use the 'modified' field but I first need to know what it takes
    >> for this field to be updated, so I dont disable any active machines.
    >>
    >>
    >>
  10. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    If you can,

    dump the contents of the ou into a text file.
    run a script using netpwage against the computers in the text file.

    This way, you are only querying against the contents of the OU.

    "spr" wrote:

    >
    > "JSilva" <JSilva@discussions.microsoft.com> wrote in message
    > news:69418FB6-12CB-4149-B11A-8FAE9ED85D6C@microsoft.com...
    > > One way to go about this is to see when the machines last had their secure
    > > channel password changed. By default the secure channel password is
    > > changed
    > > every 7 days. As a rule of thumb, if the password has not changed in over
    > > 60
    > > days, then you have a pretty good idea that the machines no longer exist.
    > >
    > > You can use a free utility called netpwage - here is a link that explains
    > > it..
    > > http://www.jsifaq.com/SUBH/tip3900/rh3988.htm
    > >
    > > Hope this helps.
    > >
    > > Jason Silva
    > >
    > Thanks, I tried the program but I can't figure out how to syntax it to only
    > scan my OU (a few hundred) instead of my entire forest (thousands+) which I
    > will surely hear about if I do a complete scan of.
    >
    > >
    > > "spr" wrote:
    > >
    > >> I'm trying to get rid of old computer objects from my OU. I have approx
    > >> 100+
    > >> machines that no longer exist but don't have a list of which ones to
    > >> delete.
    > >> I want to use the 'modified' field but I first need to know what it takes
    > >> for this field to be updated, so I dont disable any active machines.
    > >>
    > >>
    > >>
    >
    >
    >
  11. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "kj" <kj@nowhere.com> wrote in message
    news:O3$OBL1oFHA.2472@tk2msftngp13.phx.gbl...
    > easy.
    >
    > dsquery computer -inactive x ( x= number of weeks the computer has been
    > inactive )
    >
    > or, if you like the password change methode or want day granularity, use;
    >
    > dsquery computer -stalepwd y (y=number of days since the computer password
    > has been changed )
    >
    > Since you want to 'prune the deadwood', do it all in one shot and
    > 'disable' the computers so they appear in ADU&C with a red X by;
    >
    > dsquery computer -stalepwd 60 | dsmod computer -disabled yes
    >
    > Then in ADU&C you can delete all the red X computers.
    >
    > There is a way to directly delete the computer accounts using dsrm, but
    > I'd suggest getting more familiar with the other DSxx tools before using
    > that one.
    >
    This is working GREAT!! I'm finding what I need using:
    example ou layout
    domain=world
    ou structure=/northamerica/usa/texas/dallas

    dsquery computer -name *elmstreet -stalepwd 60 works
    dsquery computer -name *pinestreet -stalepwd 60 works

    but
    dsquery computer ou=dallas,dc=world -name *elmstreet -stalepwd 60 fails
    gives me: "dsquery failed:A referral was returned from the server."


    I love this but would like to figure out the syntax I'm messing up, so I can
    query my whole ou instead of indivual wildcard 'streets'

    Thanks again to all for pointing me to these tools, and special thanks to
    JSilva for the dsxxxx tools.
  12. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    So if I understand correctly that you are trying to search only the "dallas"
    ou for stale paswword computers and
    that your ou structure is ou=dallas,
    ou=texas,ou=northamerica,dc=world,dc=com ???

    You just need to specify the complete DN of the start of your search. Use
    the output of the dsquery that works as guidance for the ou DN to use in a
    more selective search.

    --
    /kj
    "spr" <jaybruce (take out big space) @hotmail.com> wrote in message
    news:bh_Me.64626$Vk3.13413@fe08.news.easynews.com...
    >
    > "kj" <kj@nowhere.com> wrote in message
    > news:O3$OBL1oFHA.2472@tk2msftngp13.phx.gbl...
    >> easy.
    >>
    >> dsquery computer -inactive x ( x= number of weeks the computer has been
    >> inactive )
    >>
    >> or, if you like the password change methode or want day granularity, use;
    >>
    >> dsquery computer -stalepwd y (y=number of days since the computer
    >> password has been changed )
    >>
    >> Since you want to 'prune the deadwood', do it all in one shot and
    >> 'disable' the computers so they appear in ADU&C with a red X by;
    >>
    >> dsquery computer -stalepwd 60 | dsmod computer -disabled yes
    >>
    >> Then in ADU&C you can delete all the red X computers.
    >>
    >> There is a way to directly delete the computer accounts using dsrm, but
    >> I'd suggest getting more familiar with the other DSxx tools before using
    >> that one.
    >>
    > This is working GREAT!! I'm finding what I need using:
    > example ou layout
    > domain=world
    > ou structure=/northamerica/usa/texas/dallas
    >
    > dsquery computer -name *elmstreet -stalepwd 60 works
    > dsquery computer -name *pinestreet -stalepwd 60 works
    >
    > but
    > dsquery computer ou=dallas,dc=world -name *elmstreet -stalepwd 60
    > fails
    > gives me: "dsquery failed:A referral was returned from the server."
    >
    >
    > I love this but would like to figure out the syntax I'm messing up, so I
    > can query my whole ou instead of indivual wildcard 'streets'
    >
    > Thanks again to all for pointing me to these tools, and special thanks to
    > JSilva for the dsxxxx tools.
    >
  13. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "spr" <jaybruce (take out big space) @hotmail.com> wrote in message
    news:bh_Me.64626$Vk3.13413@fe08.news.easynews.com...
    >
    > "kj" <kj@nowhere.com> wrote in message
    > news:O3$OBL1oFHA.2472@tk2msftngp13.phx.gbl...
    >> easy.
    >>
    >> dsquery computer -inactive x ( x= number of weeks the computer has been
    >> inactive )
    >>
    >> or, if you like the password change methode or want day granularity, use;
    >>
    >> dsquery computer -stalepwd y (y=number of days since the computer
    >> password has been changed )
    >>
    >> Since you want to 'prune the deadwood', do it all in one shot and
    >> 'disable' the computers so they appear in ADU&C with a red X by;
    >>
    >> dsquery computer -stalepwd 60 | dsmod computer -disabled yes
    >>
    >> Then in ADU&C you can delete all the red X computers.
    >>
    >> There is a way to directly delete the computer accounts using dsrm, but
    >> I'd suggest getting more familiar with the other DSxx tools before using
    >> that one.
    >>
    > This is working GREAT!! I'm finding what I need using:
    > example ou layout
    > domain=world
    > ou structure=/northamerica/usa/texas/dallas
    >
    > dsquery computer -name *elmstreet -stalepwd 60 works
    > dsquery computer -name *pinestreet -stalepwd 60 works
    >
    > but
    > dsquery computer ou=dallas,dc=world -name *elmstreet -stalepwd 60
    > fails
    > gives me: "dsquery failed:A referral was returned from the server."
    >
    >
    > I love this but would like to figure out the syntax I'm messing up, so I
    > can query my whole ou instead of indivual wildcard 'streets'
    >
    > Thanks again to all for pointing me to these tools, and special thanks to
    > JSilva for the dsxxxx tools.
    oops, I ment kj but again, thanks to all.
    >
Ask a new question

Read More

Computers Microsoft Active Directory Windows