Weeding out old computers from AD using the 'modified' date

Last response: in Windows 2000/NT
August 17, 2005 12:37:52 PM

Archived from groups: microsoft.public.win2000.active_directory

I'm trying to get rid of old computer objects from my OU. I have approx 100+
machines that no longer exist but don't have a list of which ones to delete.
I want to use the 'modified' field but I first need to know what it takes
for this field to be updated, so I don't disable any active machines.
Anonymous
August 17, 2005 12:37:53 PM

Archived from groups: microsoft.public.win2000.active_directory

One way to go about this is to see when the machines last had their secure
channel password changed. By default the secure channel password is changed
every 7 days. As a rule of thumb, if the password has not changed in over 60
days, then you have a pretty good idea that the machines no longer exist.

You can use a free utility called netpwage - here is a link that explains it.
http://www.jsifaq.com/SUBH/tip3900/rh3988.htm

Hope this helps.

Jason Silva


"spr" wrote:

> I'm trying to get rid of old computer objects from my OU. I have approx 100+
> machines that no longer exist but don't have a list of which ones to delete.
> I want to use the 'modified' field but I first need to know what it takes
> for this field to be updated, so I dont disable any active machines.
>
>
>
August 17, 2005 2:40:21 PM

Archived from groups: microsoft.public.win2000.active_directory

easy.

dsquery computer -inactive x ( x= number of weeks the computer has been
inactive )

or, if you like the password change method or want day granularity, use;

dsquery computer -stalepwd y (y=number of days since the computer password
has been changed )

Since you want to 'prune the deadwood', do it all in one shot and 'disable'
the computers so they appear in ADU&C with a red X by;

dsquery computer -stalepwd 60 | dsmod computer -disabled yes

Then in ADU&C you can delete all the red X computers.

There is a way to directly delete the computer accounts using dsrm, but I'd
suggest getting more familiar with the other DSxx tools before using that
one.

--
/kj
"spr" <jaybruce (take out big space) @hotmail.com> wrote in message
news:zHCMe.42184$Vk3.38080@fe08.news.easynews.com...
> I'm trying to get rid of old computer objects from my OU. I have approx
> 100+ machines that no longer exist but don't have a list of which ones to
> delete. I want to use the 'modified' field but I first need to know what
> it takes for this field to be updated, so I dont disable any active
> machines.
Anonymous
August 17, 2005 3:32:16 PM

Archived from groups: microsoft.public.win2000.active_directory

That is correct using DSQUERY.

However, they will only work on a 2000 DC.


"kj" wrote:

> easy.
>
> dsquery computer -inactive x ( x= number of weeks the computer has been
> inactive )
>
> or, if you like the password change methode or want day granularity, use;
>
> dsquery computer -stalepwd y (y=number of days since the computer password
> has been changed )
>
> Since you want to 'prune the deadwood', do it all in one shot and 'disable'
> the computers so they appear in ADU&C with a red X by;
>
> dsquery computer -stalepwd 60 | dsmod computer -disabled yes
>
> Then in ADU&C you can delete all the red X computers.
>
> There is a way to directly delete the computer accounts using dsrm, but I'd
> suggest getting more familiar with the other DSxx tools before using that
> one.
>
> --
> /kj
> "spr" <jaybruce (take out big space) @hotmail.com> wrote in message
> news:zHCMe.42184$Vk3.38080@fe08.news.easynews.com...
> > I'm trying to get rid of old computer objects from my OU. I have approx
> > 100+ machines that no longer exist but don't have a list of which ones to
> > delete. I want to use the 'modified' field but I first need to know what
> > it takes for this field to be updated, so I dont disable any active
> > machines.
>
>
>
Anonymous
August 17, 2005 3:34:05 PM

Archived from groups: microsoft.public.win2000.active_directory

Oops, I had a typo...

They will only work on 2003 DC's and will not work on 2000 DC's

"JSilva" wrote:

> That is correct using DSQUERY.
>
> However, they will only work on a 2000 DC.
>
>
> "kj" wrote:
>
> > easy.
> >
> > dsquery computer -inactive x ( x= number of weeks the computer has been
> > inactive )
> >
> > or, if you like the password change methode or want day granularity, use;
> >
> > dsquery computer -stalepwd y (y=number of days since the computer password
> > has been changed )
> >
> > Since you want to 'prune the deadwood', do it all in one shot and 'disable'
> > the computers so they appear in ADU&C with a red X by;
> >
> > dsquery computer -stalepwd 60 | dsmod computer -disabled yes
> >
> > Then in ADU&C you can delete all the red X computers.
> >
> > There is a way to directly delete the computer accounts using dsrm, but I'd
> > suggest getting more familiar with the other DSxx tools before using that
> > one.
> >
> > --
> > /kj
> > "spr" <jaybruce (take out big space) @hotmail.com> wrote in message
> > news:zHCMe.42184$Vk3.38080@fe08.news.easynews.com...
> > > I'm trying to get rid of old computer objects from my OU. I have approx
> > > 100+ machines that no longer exist but don't have a list of which ones to
> > > delete. I want to use the 'modified' field but I first need to know what
> > > it takes for this field to be updated, so I dont disable any active
> > > machines.
> >
> >
> >
August 17, 2005 3:40:15 PM

Archived from groups: microsoft.public.win2000.active_directory

2000 DC's with Sp3 or higher as I recall, or 2003 DC's as well. Should have
added that as a disclaimer though it is a win2000 newsgroup.

--
/kj
"JSilva" <JSilva@discussions.microsoft.com> wrote in message
news:833D25F2-338E-41FA-88E7-E9D1DE4F54A1@microsoft.com...
> That is correct using DSQUERY.
>
> However, they will only work on a 2000 DC.
>
>
> "kj" wrote:
>
>> easy.
>>
>> dsquery computer -inactive x ( x= number of weeks the computer has been
>> inactive )
>>
>> or, if you like the password change methode or want day granularity, use;
>>
>> dsquery computer -stalepwd y (y=number of days since the computer
>> password
>> has been changed )
>>
>> Since you want to 'prune the deadwood', do it all in one shot and
>> 'disable'
>> the computers so they appear in ADU&C with a red X by;
>>
>> dsquery computer -stalepwd 60 | dsmod computer -disabled yes
>>
>> Then in ADU&C you can delete all the red X computers.
>>
>> There is a way to directly delete the computer accounts using dsrm, but
>> I'd
>> suggest getting more familiar with the other DSxx tools before using that
>> one.
>>
>> --
>> /kj
>> "spr" <jaybruce (take out big space) @hotmail.com> wrote in message
>> news:zHCMe.42184$Vk3.38080@fe08.news.easynews.com...
>> > I'm trying to get rid of old computer objects from my OU. I have approx
>> > 100+ machines that no longer exist but don't have a list of which ones
>> > to
>> > delete. I want to use the 'modified' field but I first need to know
>> > what
>> > it takes for this field to be updated, so I dont disable any active
>> > machines.
>>
>>
>>
August 17, 2005 3:42:28 PM

Archived from groups: microsoft.public.win2000.active_directory

2000 SP3 or later DCs

http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;325465


--
/kj
"JSilva" <JSilva@discussions.microsoft.com> wrote in message
news:D5C6FEDB-D143-48C7-8DE6-31BCAC8AD1BF@microsoft.com...
> oops i had a typo...
>
> They will only work on 2003 DC's and will not work on 2000 DC's
>
> "JSilva" wrote:
>
>> That is correct using DSQUERY.
>>
>> However, they will only work on a 2000 DC.
>>
>>
>> "kj" wrote:
>>
>> > easy.
>> >
>> > dsquery computer -inactive x ( x= number of weeks the computer has
>> > been
>> > inactive )
>> >
>> > or, if you like the password change methode or want day granularity,
>> > use;
>> >
>> > dsquery computer -stalepwd y (y=number of days since the computer
>> > password
>> > has been changed )
>> >
>> > Since you want to 'prune the deadwood', do it all in one shot and
>> > 'disable'
>> > the computers so they appear in ADU&C with a red X by;
>> >
>> > dsquery computer -stalepwd 60 | dsmod computer -disabled yes
>> >
>> > Then in ADU&C you can delete all the red X computers.
>> >
>> > There is a way to directly delete the computer accounts using dsrm, but
>> > I'd
>> > suggest getting more familiar with the other DSxx tools before using
>> > that
>> > one.
>> >
>> > --
>> > /kj
>> > "spr" <jaybruce (take out big space) @hotmail.com> wrote in message
>> > news:zHCMe.42184$Vk3.38080@fe08.news.easynews.com...
>> > > I'm trying to get rid of old computer objects from my OU. I have
>> > > approx
>> > > 100+ machines that no longer exist but don't have a list of which
>> > > ones to
>> > > delete. I want to use the 'modified' field but I first need to know
>> > > what
>> > > it takes for this field to be updated, so I dont disable any active
>> > > machines.
>> >
>> >
>> >
August 17, 2005 3:54:24 PM

Archived from groups: microsoft.public.win2000.active_directory

oh, and licensing compliance requires purchase of at least one 2003 server
license to use the dsxx tools and other win2003 admin tools. I'm not sure if
web edition qualifies or not - I'd guess no.

--
/kj
"kj" <kj@nowhere.com> wrote in message
news:%23ydctt1oFHA.2152@TK2MSFTNGP14.phx.gbl...
> 2000 SP3 or later Dc's
>
> http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;325465
>
>
> --
> /kj
> "JSilva" <JSilva@discussions.microsoft.com> wrote in message
> news:D5C6FEDB-D143-48C7-8DE6-31BCAC8AD1BF@microsoft.com...
>> oops i had a typo...
>>
>> They will only work on 2003 DC's and will not work on 2000 DC's
>>
>> "JSilva" wrote:
>>
>>> That is correct using DSQUERY.
>>>
>>> However, they will only work on a 2000 DC.
>>>
>>>
>>> "kj" wrote:
>>>
>>> > easy.
>>> >
>>> > dsquery computer -inactive x ( x= number of weeks the computer has
>>> > been
>>> > inactive )
>>> >
>>> > or, if you like the password change methode or want day granularity,
>>> > use;
>>> >
>>> > dsquery computer -stalepwd y (y=number of days since the computer
>>> > password
>>> > has been changed )
>>> >
>>> > Since you want to 'prune the deadwood', do it all in one shot and
>>> > 'disable'
>>> > the computers so they appear in ADU&C with a red X by;
>>> >
>>> > dsquery computer -stalepwd 60 | dsmod computer -disabled yes
>>> >
>>> > Then in ADU&C you can delete all the red X computers.
>>> >
>>> > There is a way to directly delete the computer accounts using dsrm,
>>> > but I'd
>>> > suggest getting more familiar with the other DSxx tools before using
>>> > that
>>> > one.
>>> >
>>> > --
>>> > /kj
>>> > "spr" <jaybruce (take out big space) @hotmail.com> wrote in message
>>> > news:zHCMe.42184$Vk3.38080@fe08.news.easynews.com...
>>> > > I'm trying to get rid of old computer objects from my OU. I have
>>> > > approx
>>> > > 100+ machines that no longer exist but don't have a list of which
>>> > > ones to
>>> > > delete. I want to use the 'modified' field but I first need to know
>>> > > what
>>> > > it takes for this field to be updated, so I dont disable any active
>>> > > machines.
>>> >
>>> >
>>> >
>
>
Anonymous
August 17, 2005 5:34:37 PM

Archived from groups: microsoft.public.win2000.active_directory

SPR,

There is a much, much, much easier way. It is to use an awesome tool called
'oldcmp' which you can find at http://www.joeware.net. Simply go to his
Windows Free Tools section and you will find several tools in there - one of
which is oldcmp. This tool will create a DHTML page that will list all of
the machines that, by default, have not changed their 'secret' password in
the last 90 days. You can change that if you like to 35 days, or 105 days -
or whatever! And there is a lot of security built in to oldcmp. For
example, you cannot delete a computer account object until it has been
disabled. Thus, there are two different, distinct actions that must be
taken. This makes it very, very difficult to 'accidentally do something
stupid'!

And in Windows 2000 the default time is 30 days, not seven days. It was
seven days in WINNT 4.0, however.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"spr" <jaybruce (take out big space) @hotmail.com> wrote in message
news:zHCMe.42184$Vk3.38080@fe08.news.easynews.com...
> I'm trying to get rid of old computer objects from my OU. I have approx
> 100+ machines that no longer exist but don't have a list of which ones to
> delete. I want to use the 'modified' field but I first need to know what
> it takes for this field to be updated, so I dont disable any active
> machines.
>
August 17, 2005 7:06:22 PM

Archived from groups: microsoft.public.win2000.active_directory

"JSilva" <JSilva@discussions.microsoft.com> wrote in message
news:69418FB6-12CB-4149-B11A-8FAE9ED85D6C@microsoft.com...
> One way to go about this is to see when the machines last had their secure
> channel password changed. By default the secure channel password is
> changed
> every 7 days. As a rule of thumb, if the password has not changed in over
> 60
> days, then you have a pretty good idea that the machines no longer exist.
>
> You can use a free utility called netpwage - here is a link that explains
> it..
> http://www.jsifaq.com/SUBH/tip3900/rh3988.htm
>
> Hope this helps.
>
> Jason Silva
>
Thanks, I tried the program but I can't figure out how to syntax it to only
scan my OU (a few hundred) instead of my entire forest (thousands+) which I
will surely hear about if I do a complete scan of.

>
> "spr" wrote:
>
>> I'm trying to get rid of old computer objects from my OU. I have approx
>> 100+
>> machines that no longer exist but don't have a list of which ones to
>> delete.
>> I want to use the 'modified' field but I first need to know what it takes
>> for this field to be updated, so I dont disable any active machines.
>>
>>
>>
Anonymous
August 17, 2005 7:06:23 PM

Archived from groups: microsoft.public.win2000.active_directory

If you can,

dump the contents of the ou into a text file.
run a script using netpwage against the computers in the text file.

This way, you are only querying against the contents of the OU.

"spr" wrote:

>
> "JSilva" <JSilva@discussions.microsoft.com> wrote in message
> news:69418FB6-12CB-4149-B11A-8FAE9ED85D6C@microsoft.com...
> > One way to go about this is to see when the machines last had their secure
> > channel password changed. By default the secure channel password is
> > changed
> > every 7 days. As a rule of thumb, if the password has not changed in over
> > 60
> > days, then you have a pretty good idea that the machines no longer exist.
> >
> > You can use a free utility called netpwage - here is a link that explains
> > it..
> > http://www.jsifaq.com/SUBH/tip3900/rh3988.htm
> >
> > Hope this helps.
> >
> > Jason Silva
> >
> Thanks, I tried the program but I can't figure out how to syntax it to only
> scan my OU (a few hundred) instead of my entire forest (thousands+) which I
> will surely hear about if I do a complete scan of.
>
> >
> > "spr" wrote:
> >
> >> I'm trying to get rid of old computer objects from my OU. I have approx
> >> 100+
> >> machines that no longer exist but don't have a list of which ones to
> >> delete.
> >> I want to use the 'modified' field but I first need to know what it takes
> >> for this field to be updated, so I dont disable any active machines.
> >>
> >>
> >>
>
>
>
August 18, 2005 3:28:08 PM

Archived from groups: microsoft.public.win2000.active_directory

"kj" <kj@nowhere.com> wrote in message
news:o3$OBL1oFHA.2472@tk2msftngp13.phx.gbl...
> easy.
>
> dsquery computer -inactive x ( x= number of weeks the computer has been
> inactive )
>
> or, if you like the password change methode or want day granularity, use;
>
> dsquery computer -stalepwd y (y=number of days since the computer password
> has been changed )
>
> Since you want to 'prune the deadwood', do it all in one shot and
> 'disable' the computers so they appear in ADU&C with a red X by;
>
> dsquery computer -stalepwd 60 | dsmod computer -disabled yes
>
> Then in ADU&C you can delete all the red X computers.
>
> There is a way to directly delete the computer accounts using dsrm, but
> I'd suggest getting more familiar with the other DSxx tools before using
> that one.
>
This is working GREAT!! I'm finding what I need using:
example ou layout
domain=world
ou structure=/northamerica/usa/texas/dallas

dsquery computer -name *elmstreet -stalepwd 60 works
dsquery computer -name *pinestreet -stalepwd 60 works

but
dsquery computer ou=dallas,dc=world -name *elmstreet -stalepwd 60 fails
gives me: "dsquery failed:A referral was returned from the server."


I love this but would like to figure out the syntax I'm messing up, so I can
query my whole OU instead of individual wildcard 'streets'

Thanks again to all for pointing me to these tools, and special thanks to
JSilva for the dsxxxx tools.
August 18, 2005 3:28:09 PM

Archived from groups: microsoft.public.win2000.active_directory

So if I understand correctly that you are trying to search only the "dallas"
ou for stale password computers and that your ou structure is
ou=dallas,ou=texas,ou=northamerica,dc=world,dc=com ???

You just need to specify the complete DN of the start of your search. Use
the output of the dsquery that works as guidance for the ou DN to use in a
more selective search.

--
/kj
"spr" <jaybruce (take out big space) @hotmail.com> wrote in message
news:bh_Me.64626$Vk3.13413@fe08.news.easynews.com...
>
> "kj" <kj@nowhere.com> wrote in message
> news:o3$OBL1oFHA.2472@tk2msftngp13.phx.gbl...
>> easy.
>>
>> dsquery computer -inactive x ( x= number of weeks the computer has been
>> inactive )
>>
>> or, if you like the password change methode or want day granularity, use;
>>
>> dsquery computer -stalepwd y (y=number of days since the computer
>> password has been changed )
>>
>> Since you want to 'prune the deadwood', do it all in one shot and
>> 'disable' the computers so they appear in ADU&C with a red X by;
>>
>> dsquery computer -stalepwd 60 | dsmod computer -disabled yes
>>
>> Then in ADU&C you can delete all the red X computers.
>>
>> There is a way to directly delete the computer accounts using dsrm, but
>> I'd suggest getting more familiar with the other DSxx tools before using
>> that one.
>>
> This is working GREAT!! I'm finding what I need using:
> example ou layout
> domain=world
> ou structure=/northamerica/usa/texas/dallas
>
> dsquery computer -name *elmstreet -stalepwd 60 works
> dsquery computer -name *pinestreet -stalepwd 60 works
>
> but
> dsquery computer ou=dallas,dc=world -name *elmstreet -stalepwd 60
> fails
> gives me: "dsquery failed:A referral was returned from the server."
>
>
> I love this but would like to figure out the syntax I'm messing up, so I
> can query my whole ou instead of indivual wildcard 'streets'
>
> Thanks again to all for pointing me to these tools, and special thanks to
> JSilva for the dsxxxx tools.
>
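
The OU-scoped, report-then-disable procedure discussed in this thread, as an added example that is not part of any poster's message. The base DN, the 60-day threshold, the report path and the script name `prune.cmd` are constructed placeholders; substitute the complete DN that a working dsquery run prints for your OU.

```batch
@echo off
rem Added example, not from the thread: report first, disable only on request.
setlocal

rem BASE is a constructed placeholder. Use the complete DN of your OU, ending in
rem every DC= component of the domain, exactly as a working dsquery prints it.
set "BASE=OU=Dallas,OU=Texas,OU=USA,OU=NorthAmerica,DC=world,DC=example"
set "DAYS=60"
set "REPORT=%TEMP%\stale-computers.txt"

rem Step 1: list computers under BASE whose password is at least DAYS days old.
rem -scope subtree includes child OUs; -limit 0 removes the default 100-object cap.
dsquery computer "%BASE%" -scope subtree -stalepwd %DAYS% -limit 0 > "%REPORT%"

rem An empty report means nothing matched or the query failed.
for %%F in ("%REPORT%") do if %%~zF EQU 0 (
  echo No stale computers reported under %BASE%.
  exit /b 0
)

rem Step 2: show the candidates so they can be reviewed before anything changes.
type "%REPORT%"

rem Step 3: disable only when run as:  prune.cmd disable
if /i not "%~1"=="disable" (
  echo Report only. Re-run with the argument "disable" to disable these accounts.
  exit /b 0
)

rem dsmod reads the DNs from standard input; -c continues past individual failures.
type "%REPORT%" | dsmod computer -disabled yes -c
```

Deletion stays a separate, manual step in ADU&C, so a machine that turns out to be active only needs its account re-enabled.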
August 18, 2005 3:33:42 PM

Archived from groups: microsoft.public.win2000.active_directory

"spr" <jaybruce (take out big space) @hotmail.com> wrote in message
news:bh_Me.64626$Vk3.13413@fe08.news.easynews.com...
>
> "kj" <kj@nowhere.com> wrote in message
> news:o3$OBL1oFHA.2472@tk2msftngp13.phx.gbl...
>> easy.
>>
>> dsquery computer -inactive x ( x= number of weeks the computer has been
>> inactive )
>>
>> or, if you like the password change methode or want day granularity, use;
>>
>> dsquery computer -stalepwd y (y=number of days since the computer
>> password has been changed )
>>
>> Since you want to 'prune the deadwood', do it all in one shot and
>> 'disable' the computers so they appear in ADU&C with a red X by;
>>
>> dsquery computer -stalepwd 60 | dsmod computer -disabled yes
>>
>> Then in ADU&C you can delete all the red X computers.
>>
>> There is a way to directly delete the computer accounts using dsrm, but
>> I'd suggest getting more familiar with the other DSxx tools before using
>> that one.
>>
> This is working GREAT!! I'm finding what I need using:
> example ou layout
> domain=world
> ou structure=/northamerica/usa/texas/dallas
>
> dsquery computer -name *elmstreet -stalepwd 60 works
> dsquery computer -name *pinestreet -stalepwd 60 works
>
> but
> dsquery computer ou=dallas,dc=world -name *elmstreet -stalepwd 60
> fails
> gives me: "dsquery failed:A referral was returned from the server."
>
>
> I love this but would like to figure out the syntax I'm messing up, so I
> can query my whole ou instead of indivual wildcard 'streets'
>
> Thanks again to all for pointing me to these tools, and special thanks to
> JSilva for the dsxxxx tools.
oops, I meant kj but again, thanks to all.
>