Clean up Active Directory

Question

Does anybody know of any useful Tools for cleaning out Active Directory on a Server 2003 domain? I want to clean up old computers, etc, and prefer a free tool.

I have a lot of devices that I know don't exist and I want to clean them prior to building up a new DC.

Izzy · Accepted Answer · 2009-10-06T19:47:24.100

23

You have all the tools you need on your domain controller already. The main command you want to use is DSQUERY. To find objects that have been inactive for 52 weeks, open a CMD window and type :

DSQUERY computer -inactive 52
DSQUERY user -inactive 52

You can also search for stale passwords using the -stalepwd <num of days> switch instead of -inactive. You could also search for disabled accounts by using the -disabled switch

If you want to take it to the next level, you can have it automatically move the objects into an OU of your choice (where you can then analyse what's there before you take any further action) by piping the results to the DSMOVE command like so:

DSQUERY computer -inactive 52 | DSMOVE -newparent <distinguished name of target OU>

Edit:

Here are all the builtin DS commands to experiment with:

dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.

edited Oct 06 '09 at 19:47

answered Oct 06 '09 at 04:41

Izzy

8,214
2
30
35

4

No point looking for anything more complex or trying to reinvent the wheel. – John Gardeniers Oct 06 '09 at 10:31
1

Exactly. And as an AD administrator, people must really learn how to do all the *GUI* tasks the manual way too. – Izzy Oct 06 '09 at 13:45
1

Man... you just got rid of a 18 line VBscript – breadly Oct 06 '09 at 13:58
Edit: Added the rest of the DS commands for reference – Izzy Oct 06 '09 at 14:53
1

Awesome, exactly what we needed +1 all around :D – Matt Rogish Oct 06 '09 at 20:41

score 5 · Answer 2 · answered Oct 06 '09 at 08:27

5

OldCmp by JoeWare gets used a lot, simple command line tool that creates web reports of Users and Computers that haven't authenticated in on the network in a while. Can also delete them out of AD for you.

answered Oct 06 '09 at 08:27

SteveBurkett

990
4
6

score 2 · Answer 3 · answered Oct 06 '09 at 10:37

In my previous position, a global network with about 15,000 users, we would run a batch file each month using the dsmove command, as Izzy described, to move all inactive user and machine accounts into a holding area. An operator would periodically manually check those accounts against a list of users known to be on extended leave and would delete any that weren't on that list. What had previously been a time consuming manual operation became a simple semi-automatic task, taking just a couple of minutes each month.

Clean up Active Directory

3 Answers3

Linked