You can actually use two attributes for cleaning up computer accounts. The most accurate one is pwdLastSet. Passwords on W2K+ machines, unless defaults have been tweaked, are changed every 30 days. If I recall, they can change the password for up to 30 days after the last one has gone bad, so basically any machine accounts up to 60 days should be considered valid. Outside of 60 days I *think* you will need to reset the account in order to use it anyway.
 
Note that this doesn't apply to people playing with SAMBA or TAS or other SMB emulators. Definitely take note of things like EMC's Celerra, which currently NEVER changes its password if joined in the AD way instead of the NT4 way, though that is a request the company I consult for has in. I would expect other systems trying to fake being Windows servers, like NetApp and others, could have the same issue.
 
The other attribute you can look at is the whenChanged attribute; however, any change to the machine account will update that value, so some accounts could be kept alive by people making random changes.
 
Overall, if just dealing with Windows machines, you should be able to remove them if the pwdLastSet attribute is 60 days or older; you may want to standardize on 90 or even 120 days, though.
 
Note that there is a free tool called secdata on the free win32 tools page of www.joeware.net that will dump computer (or alternatively user) objects for you, if you want, in CSV format, and will decode the pwdLastSet date so you can sort it in Excel or whatever. It gives several pieces of security info for a given DC for the given objects. The values dumped are:
 
sAMAccountName
cn
distinguishedName
badPasswordTime  (not replicated)
badPwdCount  (not replicated)
lastLogon  (not replicated)
logonCount  (not replicated)
pwdLastSet
PwdAge
lockoutTime
accountExpires
createTimeStamp
ObjAg
modifyTimeStamp
ModAge
userAccountControl (this is decoded, not a bit flag)
 
 
   joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, December 22, 2003 11:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] inactive computers question

I know that dsquery and dsrm are good for AD2003 environments to find and remove inactive computer accounts in AD, as is Robbie's script. Someone on the SMS list has AD 2000 though; dsquery doesn't work, and Robbie's script is returning nothing. Even if the info is not easily convertible to a date, it seems like you should be able to sort by a column in a csvde export and see the same information, i.e. sort by pwdLastSet? Any ideas? It looked like lastLogonTimestamp might be a good one... but alas, that's new with 2003, so that's no good for him. The main source of my confusion is that dsquery and a sort by pwdLastSet do not show the same computers as being inactive the longest.

 

Thanks

Rich

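An added example, not part of either message above and not joeware's secdata: it does the csvde-and-sort approach Rich asks about, applying the 60/90-day pwdLastSet rule from joe's reply, on a Windows 2000 domain where dsquery is unavailable. pwdLastSet in a csvde export is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), which is why sorting the raw column works but reading it as a date does not. The csvde command line in the docstring is assumed, the hostnames and values in SAMPLE_CSVDE are invented, and the reference date is pinned to 2003-12-22 so the ages are reproducible.

```python
"""Flag stale computer accounts from a csvde export by decoding pwdLastSet.

Assumed export command (attribute list is the only part that matters here):
  csvde -f computers.csv -r "(objectCategory=computer)"
        -l "sAMAccountName,pwdLastSet,userAccountControl"
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# pwdLastSet (like lastLogon, badPasswordTime, accountExpires) is a FILETIME:
# 100-nanosecond ticks since 1601-01-01 00:00 UTC. 0 means "never set / must change".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Subset of userAccountControl bit flags (values as defined in the Windows SDK).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# Constructed sample in the shape of a csvde export (invented names and values,
# not a real directory dump). Relative to NOW: WS01 changed its password 10 days
# ago, WS02 75, SRV-OLD 200 (and is disabled), CELERRA01 400, NEWPC never.
SAMPLE_CSVDE = """DN,sAMAccountName,pwdLastSet,userAccountControl
"CN=WS01,CN=Computers,DC=example,DC=local",WS01$,127156608000000000,4096
"CN=WS02,CN=Computers,DC=example,DC=local",WS02$,127100448000000000,4096
"CN=SRV-OLD,CN=Computers,DC=example,DC=local",SRV-OLD$,126992448000000000,4098
"CN=CELERRA01,CN=Computers,DC=example,DC=local",CELERRA01$,126819648000000000,4096
"CN=NEWPC,CN=Computers,DC=example,DC=local",NEWPC$,0,4096
"""
NOW = datetime(2003, 12, 22, tzinfo=timezone.utc)  # pinned for reproducible ages


def filetime_to_datetime(value):
    """Decode a FILETIME string/int to an aware UTC datetime; None when 0/unset."""
    ticks = int(value)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_uac(value):
    """Return the names of the known userAccountControl bits set in value."""
    bits = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if bits & bit]


def stale_computers(csv_text, now=NOW, max_age_days=60):
    """Return (sAMAccountName, password_age_days, uac_flags) for accounts whose
    machine password is at least max_age_days old, oldest first. Accounts with
    pwdLastSet=0 are appended last with age None so they get looked at by hand
    rather than silently deleted."""
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["sAMAccountName"]
        flags = decode_uac(row["userAccountControl"])
        pwd_set = filetime_to_datetime(row["pwdLastSet"])
        if pwd_set is None:
            stale.append((name, None, flags))
            continue
        age_days = (now - pwd_set).days
        if age_days >= max_age_days:
            stale.append((name, age_days, flags))
    stale.sort(key=lambda r: (r[1] is None, -(r[1] or 0)))
    return stale


if __name__ == "__main__":
    for threshold in (60, 90):
        print(f"--- pwdLastSet older than {threshold} days ---")
        for name, age, flags in stale_computers(SAMPLE_CSVDE, NOW, threshold):
            print(f"{name:12} {str(age):>5}  {' '.join(flags)}")
```

Two things the output makes visible that a raw sort does not: a box like CELERRA01 that never rotates its machine password will always float to the top of the stale list, so treat the list as a review queue and exclude known SMB emulators before running any dsrm or deletion script; and an account already carrying ACCOUNTDISABLE (SRV-OLD here) is usually a candidate that someone has already triaged, which is worth keeping separate from freshly stale ones.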
