Purge Inactive Computers Active Directory
Active Directory administrators are well aware of the security risk posed by inactive computer and user accounts. When AD accounts go unused for long periods, they should be disabled and eventually deleted. Most organizations have a well-defined policy for dealing with such obsolete accounts.
Depending on the organization's circumstances, one can decide on the maximum inactivity period allowed for AD accounts. After that period, computer and user accounts can be considered inactive. It is recommended that you first identify all the inactive accounts. Such accounts can then be moved to a single OU and disabled. After a further retention period, they can be deleted for good.
For this purpose, you can use either the Command Prompt or a professional Active Directory cleanup solution.
Finding inactive accounts and disabling or deleting them can be done from the Command Prompt with the following command-line tools:
• Dsquery
The dsquery command-line tool searches for AD objects that match the specified criteria. It can be used to find inactive users and computers in Active Directory, and its results can be piped to the dsmod and dsrm commands for disabling and deleting.
The general syntax of the dsquery command is:
dsquery computer [-inactive <NumWeeks>] [-limit <NumObjects>]
or
dsquery user [-inactive <NumWeeks>] [-limit <NumObjects>]
• ‘Dsmod’ and ‘dsrm’
The dsmod command modifies the attributes of the specified AD objects; it can be used to disable the queried AD computers and users. The dsrm command deletes the specified AD objects; it can be used to delete the queried AD computers and users.
Note: the Active Directory Domain Services (AD DS) server role must be installed.
Step 1: Open Command Prompt
Open the Start menu, right-click Command Prompt, and click Run as administrator.
Step 2: Find computers/users that are inactive
To find the computers/users that have been inactive for seven weeks, run:
dsquery computer -inactive 7 -limit 200
or
dsquery user -inactive 7 -limit 200
Step 3: Disable inactive computers/users
To disable the inactive computers/users, run:
dsquery computer -inactive 7 | dsmod computer -disabled yes
or
dsquery user -inactive 7 | dsmod user -disabled yes
Step 4: Find disabled computers/users and delete them
To find the disabled computers/users and to delete them, run:
dsquery computer -disabled | dsrm -noprompt
or
dsquery user -disabled | dsrm -noprompt
Note: with -noprompt, no confirmation is requested before deletion.
Step 5: Delete Inactive Users/Computer account
Instead of disabling the inactive computers/users first, one can delete them directly by running:
dsquery computer -inactive 7 | dsrm -noprompt
or
dsquery user -inactive 7 | dsrm -noprompt
With a few simple command-line tools, administrators can find inactive computer and user accounts in Active Directory. Such accounts can be disabled and later deleted as organizational policy dictates, or deleted directly. Alternatively, one can rely on a professional Active Directory cleanup solution to deal with inactive computer and user accounts.
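The two-stage policy described above (quarantine inactive accounts in a single OU and disable them, then delete them after a retention period) as an added PowerShell example using the ActiveDirectory module; this is not part of the original how-to. The quarantine OU path and the two week counts are assumptions to adjust to your own policy; run the script with -WhatIf first to see what it would touch.

```powershell
# Added example: same two stages as the dsquery/dsmod/dsrm steps, but the stale
# computers are also moved into a quarantine OU before being disabled.
# Assumed values: $QuarantineOU and both thresholds.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveWeeks   = 7,   # same threshold as "dsquery computer -inactive 7"
    [int]$RetentionWeeks  = 4,   # how long a disabled computer stays in quarantine
    [string]$QuarantineOU = 'OU=Inactive Computers,DC=corp,DC=example'  # assumption
)

# Stage 1: computers whose lastLogonTimestamp is older than the threshold.
# lastLogonTimestamp is only replicated when it is more than ~9-14 days out of
# date, so thresholds shorter than a few weeks produce false positives.
$stale = Search-ADAccount -AccountInactive -ComputersOnly `
             -TimeSpan (New-TimeSpan -Days ($InactiveWeeks * 7)) |
         Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$QuarantineOU" }

foreach ($c in $stale) {
    if ($PSCmdlet.ShouldProcess($c.Name, "Disable and move to $QuarantineOU")) {
        # Stamp the description so stage 2 knows when quarantine began.
        Set-ADComputer -Identity $c.DistinguishedName -Enabled $false `
            -Description ("Disabled (inactive) " + (Get-Date -Format 'yyyy-MM-dd'))
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $QuarantineOU
    }
}

# Stage 2: delete quarantined computers whose stamp is older than the retention period.
$cutoff = (Get-Date).AddDays(-7 * $RetentionWeeks)
Get-ADComputer -SearchBase $QuarantineOU -Filter 'Enabled -eq $false' -Properties Description |
    Where-Object {
        $_.Description -match 'Disabled \(inactive\) (\d{4}-\d{2}-\d{2})' -and
        [datetime]$Matches[1] -lt $cutoff
    } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Delete quarantined computer')) {
            # Computer objects can have child objects (e.g. BitLocker recovery
            # information); Remove-ADObject -Recursive removes those as well.
            Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false
        }
    }
```

Accounts that were deliberately parked (for example, spare machines in storage) should be excluded by keeping them out of the inactivity search scope, since the script treats every enabled, stale computer as a candidate.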
6 Comments
- ianmacdonald3 (Datil) Jan 17, 2016 at 08:09am
Microsoft servers are designed by default to force users to keep on changing their password every 42 days, which is a hellish nuisance and has only doubtful security benefits. Possibly negative benefits since it forces users to write passwords down.
At the same time, they have no default policy for locking inactive accounts, and if you go into any small site without a full-time admin managing things, you will find numerous stale accounts. Very possibly the accounts will have VPN access too.
There does seem to be a disconnect of logic here.
- tdg2 (Serrano) Jan 20, 2016 at 06:09am
'Microsoft servers are designed by default to force users to keep on changing their password every 42 days..At the same time, they have no default policy for locking inactive accounts'
Wouldn't that mean that the password would need changing after 42 days so no longer accessible [automatically]?
OR
if it was changed by someone unauthorized, then the account would not be inactive any longer?
- Travis0729 (Jalapeno) May 10, 2016 at 06:14pm
tdg2 - that is true for any user trying to access the network who didn't know the password for the account they are trying to log in as, but say an employee has left your workplace and you don't realize that you forgot to disable their account. That person can now log in as themselves and sabotage files (if they connect through VPN).
I say this because we have users that log in to our network through VPN and Remote Desktop connections, and I can honestly say my manager and I have forgotten to disable accounts; in that time these users could have attempted to get on our network because we didn't disable their account. Therefore, just letting their password expire wouldn't resolve the issue in this case.
- Vicious942 (Anaheim) Aug 23, 2016 at 01:43am
I love this one tool called AD Tidy. At http://www.cjwdev.co.uk/index.html
Sure, it costs for the full version, but it's great at finding the dead accounts.
- ommegang (Jalapeno) Nov 14, 2016 at 05:15pm
Solarwinds has a Free Active Directory Admin Bundle that makes this all pretty easy.
Here's a video of the free Solarwind tool in action: https://www.youtube.com/watch?time_continue=92&v=-RFS1Fsf420
Bundle can be downloaded here:
http://www.solarwinds.com/free-tools/active-directory-admin-tools-bundle
- Anton (Softerra) (Serrano) Sep 6, 2017 at 07:10am
Performing AD cleanup manually makes no sense. It should be an automated procedure that goes regularly on its own.
There are multiple ways you can do that. Either you can go with a PowerShell solution and schedule the script: http://www.adaxes.com/blog/cleanup-active-directory-with-powershell.html
Or you can go with third-party solutions that provide more advanced options like condition-based rules or approvals: http://www.adaxes.com/blog/how-to-keep-your-active-directory-clean.html