"dsquery computer -inactive x" ignores very old obviously inactive computers
dsquery computer -inactive x uses the LastLogonTimeStamp attribute to decide if a computer is inactive or not. Two of the idiosyncrasies of LastLogonTimeStamp are that:
1) it's very loose, i.e. nowhere near real-time. This attribute is not updated every time a computer logs on to the domain, and even when it is updated it isn't always replicated to other domain controllers right away.
2) It can be null, in which case, dsquery will most likely ignore it.
The -stalepwd switch can also be helpful to you in identifying inactive computer accounts. Computer accounts should be automatically updating their passwords every 30 days. But beware, it uses the pwdLastSet LDAP attribute, which can also be null. pwdLastSet comes as an annoying file time, but .NET/PowerShell easily converts it to a human-friendly date:
Get-ADComputer -Filter * -Properties PasswordLastSet,LastLogonTimeStamp |
    # PasswordLastSet is pwdLastSet already converted to a DateTime by the AD module
    Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-180) } |
    Select-Object Name,PasswordLastSet,LastLogonTimeStamp |
    Sort-Object PasswordLastSet -Descending
The line of PowerShell above will give you all computer accounts whose pwdLastSet attribute (PowerShell converts this into the human-readable PasswordLastSet) is older than 180 days; the freshest accounts will be at the top. The oldest accounts and those with a null pwdLastSet will be at the bottom.
(Of course you can disable password changes on a computer, but that's a relatively rare thing to do.)
For accounts that have null values, it usually means they have never logged on to the domain and/or never changed their password. I'm sure there might be other little strange use cases where this might happen, such as an administrator prestaging a computer account but then deciding to never actually join the machine to the domain, computer accounts from other child domains of the same forest, etc. You'll just have to investigate those.
Here's some more information about LastLogonTimeStamp from AskDS if you want to read it:
http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
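As an added example (not code from the answer above), the following PowerShell takes the raw pwdLastSet and lastLogonTimestamp file times, converts them explicitly, and reports null or zero values as "never set" instead of letting $null quietly sort as "older than anything". The function and parameter names, the sample computer names, the OU path in the comment and the thresholds (90 days for the password, three missed 30-day rotations; 180 days for the logon stamp, since it is only updated coarsely) are all assumptions, not values from the answer.

```powershell
# Added example, not from the original answer. Thresholds and names are assumptions.

function ConvertFrom-AdFileTime {
    param($FileTime)
    # AD stores both attributes as Windows FILETIME (100ns ticks since 1601).
    # A missing attribute comes back as $null; a never-set pwdLastSet can be 0.
    if ($null -eq $FileTime -or [Int64]$FileTime -eq 0) { return $null }
    return [DateTime]::FromFileTime([Int64]$FileTime)
}

function Get-StaleComputerReport {
    param(
        [Parameter(ValueFromPipeline = $true)] $Computer,
        [int]$PasswordAgeDays = 90,    # assumption: three missed 30-day rotations
        [int]$LogonAgeDays    = 180    # assumption: generous, LastLogonTimeStamp is coarse
    )
    begin { $now = Get-Date }
    process {
        $pwdSet    = ConvertFrom-AdFileTime $Computer.pwdLastSet
        $lastLogon = ConvertFrom-AdFileTime $Computer.lastLogonTimestamp
        $reasons   = @()

        if ($null -eq $pwdSet) {
            $reasons += 'pwdLastSet never set'
        } elseif (($now - $pwdSet).TotalDays -gt $PasswordAgeDays) {
            $reasons += "password $([int]($now - $pwdSet).TotalDays) days old"
        }

        if ($null -eq $lastLogon) {
            $reasons += 'lastLogonTimestamp null (never logged on, or prestaged)'
        } elseif (($now - $lastLogon).TotalDays -gt $LogonAgeDays) {
            $reasons += "last logon roughly $([int]($now - $lastLogon).TotalDays) days ago"
        }

        # Both attributes null means the account never did anything; investigate, don't just delete.
        $status = if ($null -eq $pwdSet -and $null -eq $lastLogon) { 'NeverUsed' }
                  elseif ($reasons.Count -gt 0) { 'Stale' }
                  else { 'Active' }

        [pscustomobject]@{
            Name            = $Computer.Name
            PasswordLastSet = $pwdSet
            LastLogon       = $lastLogon
            Status          = $status
            Reasons         = $reasons -join '; '
        }
    }
}

# Constructed sample input so the function can be exercised without a domain.
$sample = @(
    [pscustomobject]@{ Name = 'WS-ACTIVE';    pwdLastSet = (Get-Date).AddDays(-12).ToFileTime();  lastLogonTimestamp = (Get-Date).AddDays(-20).ToFileTime() }
    [pscustomobject]@{ Name = 'WS-OLD';       pwdLastSet = (Get-Date).AddDays(-400).ToFileTime(); lastLogonTimestamp = (Get-Date).AddDays(-390).ToFileTime() }
    [pscustomobject]@{ Name = 'WS-PRESTAGED'; pwdLastSet = 0;                                      lastLogonTimestamp = $null }
)
$sample | Get-StaleComputerReport | Format-Table -AutoSize

# Against a real domain, asking for the raw attributes (scope with -SearchBase if needed):
# Get-ADComputer -Filter * -SearchBase 'OU=Workstations,DC=example,DC=com' -Properties pwdLastSet,lastLogonTimestamp |
#     Get-StaleComputerReport | Where-Object Status -ne 'Active' | Sort-Object PasswordLastSet
```

Requesting pwdLastSet and lastLogonTimestamp by their LDAP names returns the Int64 file times, so the same function runs unchanged against the constructed objects and against real Get-ADComputer output; the Status column separates accounts that are merely old from ones that never set either attribute, which are the prestaged and cross-domain cases worth a manual look.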
First, computers change their password every 30 days by default, though that can be changed. Looking for computers with anything less than 30 days as inactive is just asking for trouble, and don't forget about VPN users or others who may connect to the domain only every 6-12 months when they happen to be in the office.
That said, you may need to specify the OU the computers are in, or forestroot or domainroot:
dsquery computer forestroot -inactive 4
dsquery computer domainroot -inactive 4
dsquery computer ou=Foo,dc=bar,dc=baz,dc=com -inactive 4
My personal preference is a free joeware utility "oldcmp":
oldcmp -age [days] -report
oldcmp also has options to delete anything you want, so proceed with caution if you go that way.