Active Directory Computer Cleaning

I’m sure many of you have run into this while checking AD: you find multiple computer accounts that are no longer needed, and that’s why you need to do Active Directory Computer Cleaning. This happens for several reasons: a user leaves the company and the new owner gets the computer with a fresh install of Windows while the system administrator hasn’t yet deleted the old name, computers were decommissioned but never removed from the domain, and so on. The fact is that somebody, someday, will have to clean that AD environment when it no longer resembles the company’s standards. In case that will be you, I strongly recommend scanning AD using one of these two methods, which I find by far the best so far:

The first method is OldCmp, a command-line Active Directory query tool that is mostly used to find and clean up old computer accounts that haven’t been active, but it can also be used to clean up user accounts when the proper filter is specified. The other method is Dsquery, another command-line tool, this one built into Windows Server 2003 and 2008.

Further on, I will explain a little about each one and give you a few examples, but I strongly recommend the first tool, OldCmp, which has some security measures embedded; that makes the second method, Dsquery, a bit risky by comparison.

OldCmp works with Windows 2000 AD as well as with Windows 2003 AD, and you can output nice reports with it, which will help you get a more current and updated picture of your company’s AD environment.

After you download it (find it on the web with a search), navigate with the command prompt to its location and first try this command to see the syntax and the guide for whatever you want to do with it: oldcmp.exe /?

[Screenshot: OldCmp help output]

The help is longer, but I’ve only included part of it so you can see what to expect.

Now, let’s say you want to check your AD environment for computers that have not contacted your domain for more than 120 days. You would use this command:

[Screenshot: OldCmp report command, CSV format]

Keep in mind that if you don’t use the -age option, you will only get those computers that have been inactive for longer than 90 days, which is the default for this tool.

You can select a different output format depending on what you need by checking the help of the tool. I mostly prefer .csv because you can edit the files nicely with Excel and create detailed reports which you can easily update.

I also don’t recommend using the tool’s built-in options for disabling and deleting computers, even though they are more than tested. If you don’t have an insane number of computers to manage, do it manually: it’s safer and nothing bad can happen, plus you get to think twice, and most of the time you will find that you saved some computers that shouldn’t have been deleted anyway.

If you want to add a filter for your domain too, use the command like this:

oldcmp -report -format csv -age 120 -b ou=OU_NAME,dc=my,dc=domain,dc=com

There are multiple ways to get the report you need; in the end you only have to adjust the tool’s options as you see fit. You can also ask questions here if you don’t find the way by yourself. With Excel’s formatting options (like text to columns, which helps you split the raw data you get in some cases, for example splitting big domains by comma) you will get good, detailed reports. I will also show some tips and tricks for Excel reports in a later post on this blog; maybe they will help you format the data so the problems in your AD environment are easier to see.

DSQUERY is a command-line tool built into Windows Server 2003 and 2008. You can use it if you have the Active Directory Domain Services (AD DS) server role installed. The syntax is shown below, and you can also run “dsquery /?” (without the quotes) at a command prompt for help.

dsquery computer [{<StartNode> | forestroot | domainroot}] 
[-o {dn | rdn | samid}] [-scope {subtree | 
onelevel | base}] [-name <Name>] [-desc <Description>] 
[-samid <SAMName>] [-inactive <NumberOfWeeks>] 
[-stalepwd <NumberOfDays>] [-disabled] 
[{-s <Server> | -d <Domain>}] 
[-u <UserName>] [-p {<Password> | 
*}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] 
[{-uc | -uco | -uci}]

Note that all the above 7 lines are actually a command on one line, imagine the syntax on one line…
This would be the basic useful command for a dsquery scan for inactive computers:

dsquery computer ou=WORKSTATIONS,dc=my,dc=company,dc=com -inactive <NumWeeks>

The only odd thing about this tool compared to others is that the period to check for inactive computers has to be given in weeks. For example, if you want to see the list of computers inactive for 10 weeks, you would put 10 for NumWeeks.

If you want to export the result to a file, you can use the Windows command prompt’s basic output redirection operator (>) followed by the path:

dsquery computer ou=RO,dc=ad-01,dc=ent-01,dc=adgroup -inactive 16 > c:\comps.csv

This command would output the report to a .csv file on your C drive. You can have it write the file in another format if you want, for example .txt: just change the .csv to .txt.
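The file written by the redirect above holds one quoted distinguished name per line rather than separate columns. As an added example (not from the original post), this PowerShell script splits each DN into name, OU path and domain for the manual review recommended earlier; the function name, the output file name and the sample DNs are assumptions constructed for illustration.

```powershell
# Added example, not part of the original post.
function ConvertFrom-DsqueryLine {
    param([string]$Line)

    # dsquery wraps each DN in double quotes; strip them.
    $dn = $Line.Trim().Trim('"')

    # Split only on commas NOT preceded by a backslash: a name that contains
    # a comma is written as "\," inside a DN, and a plain comma split
    # (such as Excel's text-to-columns) would cut that name in two.
    # Simplification: a value ending in an escaped backslash is not handled.
    $parts = @($dn -split '(?<!\\),')

    $ous = @($parts | Where-Object { $_ -match '^OU=' } | ForEach-Object { $_.Substring(3) })
    [array]::Reverse($ous)      # a DN lists the deepest OU first; show it top-down
    $dcs = @($parts | Where-Object { $_ -match '^DC=' } | ForEach-Object { $_.Substring(3) })

    [pscustomobject]@{
        Name     = ($parts[0] -replace '^[^=]+=', '') -replace '\\(.)', '$1'
        OUPath   = $ous -join '/'
        Domain   = $dcs -join '.'
        DN       = $dn
        Decision = ''           # keep / disable / delete, filled in by hand
    }
}

# Constructed sample of the lines that
#   dsquery computer ou=RO,dc=ad-01,dc=ent-01,dc=adgroup -inactive 16 > c:\comps.csv
# writes. For a real run use: $lines = Get-Content C:\comps.csv
$lines = @(
    '"CN=PC-0142,OU=RO,DC=ad-01,DC=ent-01,DC=adgroup"'
    '"CN=KIOSK\,LOBBY,OU=Kiosks,OU=RO,DC=ad-01,DC=ent-01,DC=adgroup"'
)

$rows = $lines | Where-Object { $_.Trim() } | ForEach-Object { ConvertFrom-DsqueryLine $_ }

# Show the result and save a sheet that opens in Excel with real columns.
$rows | Format-Table Name, OUPath, Domain
$rows | Export-Csv -Path .\stale-computers-review.csv -NoTypeInformation
```

dsquery stops at 100 results by default; the -limit parameter shown in the syntax above raises the cap (-limit 0 removes it), so compare the row count with what you expect before treating the report as complete.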

I would strongly advise you to build your own commands starting from these examples and the examples in the help, keeping in mind what you need in your report. We also welcome your questions if you need more details or want to ask about anything explained here.

