How to automatically purge expired computers from the Computers container. Computers are often not removed from the domain in the normal way, so the AD Computers container ends up holding many outdated computer accounts, and there is no way to have it clean itself up automatically.
For network administrators, managing user accounts and computer accounts is the most time-consuming and most difficult job. Frequent system reinstallation and re-joining of the domain leave behind a large number of invalid computer accounts, and cleaning up these invalid accounts becomes a problem.
Q:
How to find and delete redundant computer accounts in a domain.
A:
If the domain is a Windows 2003 domain, we can use the -inactive parameter of the dsquery command to find computers that have not been active for some time.
The attachment contains two CMD files, whose contents are as follows:
Disablecomputer.cmd
dsquery computer -inactive 10 -stalepwd 70 | dsmod computer -disabled yes
Finds machines that have not logged on for 10 weeks and have not changed their domain computer password for 70 days (both values are specified explicitly) and then sets them to disabled.
Note: -inactive is the time since the machine last logged on, and -stalepwd is the time since the machine password was last changed. Machines running Windows 2000 and later change it every 30 days by default, so we can combine the two to see which machines are not active. If you want to use the -inactive parameter, the domain must be in 2003 native mode. If you use -stalepwd alone, you can run in mixed mode.
dsquery is more accurate for computers that have been inactive for longer periods of time. This is because Active Directory decides whether a computer is active based on whether it has authenticated. A computer that has not been booted for a month is, of course, inactive, but a computer that is powered on and left unattended for a month will also be judged inactive, and the second case is more common on servers (such as a file-sharing server). So we cannot delete a computer account immediately on the strength of the dsquery result; some verification work is needed first (such as querying the IP of the computer name).
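The verification step described above (querying the IP of each computer name before acting on the dsquery result) can be scripted. The following PowerShell script is an added example, not one of the two CMD files from the attachment; the output file names are assumptions, and it only writes lists without disabling or deleting anything.

```powershell
# Added example: triage dsquery's stale-computer list before anything is disabled.
# The thresholds (10 weeks, 70 days) are the page's; both file names are assumptions.
$reviewFile    = 'stale-needs-review.txt'   # name still resolves: check by hand
$candidateFile = 'stale-candidates.txt'     # no address found: candidates to disable

# dsquery prints one quoted DN per line; -limit 0 lifts its default cap of 100 results.
$staleDns = @(dsquery computer -inactive 10 -stalepwd 70 -limit 0)

$review = @()
$candidates = @()
foreach ($line in $staleDns) {
    $dn = $line.Trim().Trim('"')
    # The computer name is the first RDN, e.g. CN=PC01,CN=Computers,DC=...
    if ($dn -notmatch '^CN=([^,]+),') { continue }
    $name = $Matches[1]

    # Resolve the name through this machine's resolver; a failure throws.
    $ips = @()
    try {
        $ips = @([System.Net.Dns]::GetHostAddresses($name) |
                 ForEach-Object { $_.IPAddressToString })
    } catch {
        # no address for this name
    }

    if ($ips.Count -gt 0) {
        # A resolving name may be a live but unattended server, or a stale DNS record.
        $answers = Test-Connection -ComputerName $name -Count 1 -Quiet
        $review += ('{0}  ip={1}  ping={2}' -f $line, ($ips -join ','), $answers)
    } else {
        # Keep the quoted DN exactly as dsquery printed it.
        $candidates += $line
    }
}

Set-Content -Path $reviewFile -Value $review
Set-Content -Path $candidateFile -Value $candidates
'{0} accounts need review, {1} are candidates' -f $review.Count, $candidates.Count
```

Once stale-candidates.txt has been checked, its lines can be piped to dsmod computer -disabled yes in place of the raw dsquery output.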
Deletecomputer.cmd
dsquery computer -disabled | dsrm -noprompt
Finds the computer accounts that are disabled, whether or not Disablecomputer.cmd disabled them, and removes them.
Note: It is recommended that you use Deletecomputer.cmd to remove redundant computer accounts in a domain only after Disablecomputer.cmd has been in use for two weeks without any user reporting an error.