"dsquery computer -inactive x" ignores very old obviously inactive computers

active-directory windows-server-2008-r2

dsquery computer -inactive x uses the LastLogonTimeStamp attribute to decide if a computer is inactive or not. Two of the idiosyncrasies of LastLogonTimeStamp are that:

1) it's very loose, i.e. nowhere near real-time. This attribute is not updated every time a computer logs on to the domain, and even when it is updated it isn't always replicated to other domain controllers right away.

2) It can be null, in which case, dsquery will most likely ignore it.

The -stalepwd switch can also be helpful to you in identifying inactive computer accounts. Computer accounts should be automatically updating their passwords every 30 days. But beware, it uses the pwdLastSet LDAP attribute which can also be null. pwdLastSet comes as an annoying file time, but .Net/Powershell easily converts it to a human-friendly date:

PS C:\Users\ryan> Get-ADComputer -Filter * -Properties PasswordLastSet,LastLogonTimeStamp | ? { $_.PasswordLastSet -LT $(Get-Date).AddDays(-180) } | Select Name,PasswordLastSet,LastLogonTimeStamp | Sort-Object PasswordLastSet -Descending

The line of Powershell above will give you all computer accounts who's pwdLastSet attribute (Powershell converts this into the human readable PasswordLastSet) is older than 180 days, freshest accounts will be at the top. Oldest accounts and those with null pwdLastSets will be at the bottom.

(Of course you can disable password changes on a computer, but that's a relatively rare thing to do.)

These accounts that have null values, it usually means they have never logged on to the domain and/or never changed their password. I'm sure there might be other little strange use cases where this might happen, such as an administrator prestaging a computer account but then deciding to never actually join the machine to the domain, computer accounts from other child domains of the same forest, etc. You'll just have to investigate those.

Here's some more information about LastLogonTimeStamp from AskDS if you want to read it:

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx


First, computers change their password every 30 days by default, though that can be changed. Looking for computers with anything less than 30 days as inactive is just asking for trouble, and don't forget about VPN users or others who may connect to the domain only every 6-12 months when they happen to be in the office.

That said, you may need to specify the ou the computers are in, or forestroot or domainroot:

dsquery computer forestroot -inactive 4
dsquery computer domainroot -inactive 4
dsquery computer ou=Foo,dc=bar,dc=baz,dc=com -inactive 4

My personal preference is a free joeware utility "oldcmp":

oldcmp -age [days] -report

oldcmp also has options to delete anything you want, so proceed with caution if you go that way.

Related

How do you use ELB's support for PROXY protocol version 1 securely?
How to Configure Secure Connectivity between Multiple Subnets
How to make exception in password locking via pam_tally2 for specific user?
AOT - Angular 6 - Directive SomeComponent, Expected 0 arguments, but got 1. for self made Component
Reasons not to build your own bug tracking system [closed]
Python socket receive - incoming packets always have a different size
Java: Enumeration from Set<String>
Insert variable values in the middle of a string
Cannot resolve method 'getSupportFragmentManager ( )' inside Fragment
ZSH Agnoster Theme showing machine name
Why some iphone apps won't finish ssl handshake with Charles Proxy?
How to set image to fit width of the page using jsPDF?