
Find Stale computer accounts in Active Directory


It's inevitable that if you run Active Directory long enough, you will have "stale" accounts. Stale accounts are accounts that no one is using anymore, whether because the user is no longer employed, it was a shared account that no one uses anymore, or people just forgot the account is there. Yes, you should have good practices in place to prevent this kind of account stagnation, but it happens.

The easiest way to find stale user accounts is to use DSQuery:

dsquery user domainroot -name * -inactive 18

This displays the distinguished names of all users, in the current domain only, who have been inactive for 120 days (17+ weeks, rounded to 18 weeks) or more.


But what about computer accounts?

dsquery computer -inactive 8 -limit 0

This searches for computers that have been inactive (stale) for the number of weeks you specify (8 weeks in this case). With -limit 0 it displays all entries instead of stopping at the default of 100.

But what if you want pretty output?

Joeware has a nice little utility that does the hard part for you and can display the results in a DHTML table that is easily sortable:

http://www.joeware.net/freetools/tools/oldcmp/index.htm
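
For sortable output without a third-party tool, the same 8-week check can be done in PowerShell. This is an added example, not part of the original post or the Joeware tool; it assumes the ActiveDirectory module (RSAT) is installed, and the output file name is a placeholder. It reads the replicated lastLogonTimestamp attribute, which by default can lag the real last logon by up to about 14 days, so treat results near the threshold with care.

```powershell
# Added example: list computer accounts inactive for N weeks, sortable and exportable.
Import-Module ActiveDirectory

$Weeks  = 8                                    # same threshold as the dsquery example
$Cutoff = (Get-Date).AddDays(-7 * $Weeks)
$CutoffFileTime = $Cutoff.ToFileTimeUtc()      # lastLogonTimestamp is stored as a FILETIME

# Match accounts whose last logon is older than the cutoff, or that never logged on.
$filter = "(|(lastLogonTimestamp<=$CutoffFileTime)(!(lastLogonTimestamp=*)))"

$stale = Get-ADComputer -LDAPFilter $filter `
        -Properties lastLogonTimestamp, pwdLastSet, whenCreated, operatingSystem |
    # Skip machines joined after the cutoff; they have not had time to go stale.
    Where-Object { $_.whenCreated -lt $Cutoff } |
    ForEach-Object {
        [pscustomobject]@{
            Name              = $_.Name
            Enabled           = $_.Enabled
            OperatingSystem   = $_.operatingSystem
            LastLogon         = if ($_.lastLogonTimestamp) {
                                    [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp)
                                } else { $null }
            PasswordLastSet   = if ($_.pwdLastSet) {
                                    [DateTime]::FromFileTimeUtc($_.pwdLastSet)
                                } else { $null }
            DistinguishedName = $_.DistinguishedName
        }
    }

# Oldest first on screen, plus a CSV that can be sorted and filtered in a spreadsheet.
$stale | Sort-Object LastLogon | Format-Table Name, Enabled, LastLogon, PasswordLastSet -AutoSize
$stale | Export-Csv -Path .\stale-computers.csv -NoTypeInformation
```

A computer that is still alive normally changes its machine password on a schedule, so an old PasswordLastSet alongside an old LastLogon is stronger evidence that the account is really abandoned.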
