Clear accounts and computers that have expired ad

the company's domain has been running for more than three years. During the use process, the company constantly adds user accounts and computer accounts to the domain, and the computer system often breaks down in the middle, the most terrible thing about reinstalling the system is that computer naming rules should be performed several times. Therefore, in the computer container, the same computer may have more than one record (both old naming rules and new naming rules have records). Of course, only one record is valid. A user account is equally troublesome, after a person leaves the company, his login account may be transferred to new colleagues, or the account may be discarded and not used by anyone. these unused computers and user accounts are junk. If they are put there, they will certainly have no impact on the normal use of users. However, every time you see them, you will always feel powerless: manually clean them up, the workload is too heavy. Now I am busy with other things every day, so I don't have time to do it. Just ignore it and I feel like I have failed.
after some searches and trials, I think the software Active Directory janitor is good and meets my needs. I will "break all unused computer accounts and user accounts ", so that our domain and ou architecture can better reflect the current staff situation of the company, but also reduce the load on the server (involving group policies ). because each computer and user object has its own SID number and will not be used for new objects after deletion, the best solution is to create two ou in AD, they are named "disabled computer accounts" and "disabled user accounts" respectively. Then, the computer accounts and user accounts that are not currently in use are deprecated and put in these two ou, in this way, the existing staff of each department will be clear and achieve our goal. in fact, the software ad janitor can easily help us find, stop, and move.
now, let's talk about technology. first, let's get to know the shortcut interface. The picture is as follows:

First, we need to clear the expired computer account and select scan computers. The page turns into asking us to clear the computer account range. Generally, you can use ou. the related image is as follows: Next, let's select the attribute values to be scanned. Here we will select the attribute values as needed. We recommend that you use Ping/last logon/disabled for filtering. the image is as follows: Press scan to enter the scan interface. Note that the start scanning button in the upper left corner must be clicked. Otherwise, it will not work. select the computer objects whose Ping results are not in DNS, and then disable and move them to the OU. Then, the computers object is cleared. as for how to clean the computer records that are not in the DNS records, it is because the computer in the domain will register its a records on the DNS server every time it starts, if the record is not updated after a certain number of days, the DNS server will automatically delete the record and synchronize it between DNS servers in all regions. therefore, basically, not in DNS means that the computer has not started up for a long time. The biggest possibility is that the computer named by this name does not exist. the related image is as follows: the cleaning of users accounts is similar to the cleaning of computers accounts above. After they are disabled, move them to the OU "disabled user accounts, this is not detailed here. note: The cleanup is based on last longon, which is determined based on the last logon time of the user account. If the logon time is blank, the user has never logged on. the related images are as follows: