Urgent Need: Inactive Computer account cleanup in Windows 2000 Native Mode via pwdlastset attribute
Posted on 2006-03-22
Hi, I am looking to build a process and application that will go and find "inactive" computer accounts in our Windows 2000 Native Mode AD Domain and be able to delete them. I was hoping to target solely the pwdlastset property of the computer object and delete computer accounts in which it hasn't been reset in 365 days. Is this a good idea?
We have the following clients: XP, Win2k, Win98. There is no NT4 anymore.
We have the following Windows servers: Win2k, Windows 2003
There seems to be some concern among our domain management group that we will somehow miss something and end up deleting machines that we should based on the pwdlastset info. I am not sure what their specific reasons are.
1. My question is "are we missing anything"? What if people don't log into the domain or only log in locally to their clients? I would suppose the machine account would never synchronize, so maybe that is a problem. What if people shadow into resources?
2. Also, does anyone know the differences of using this pwdlastset attribute in a Windows 2000 AD versus a Windows 2003 AD? Are the default sync times the same? I thought the 2000 domain was every 7 days and the 2003 was every 30 days. When would an account be locked off the domain? 60 days?
3. Finally, does anyone have any C# code that will query for that value and convert it? I know there are some cool utilities with Windows 2003 but we are not quite there yet.
Thanks a bunch for any help,
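Added example (not the poster's code, and not from any of the replies) covering question 3: a C# console program built on System.DirectoryServices that queries every computer object whose pwdLastSet is older than a threshold (365 days by default) and converts the raw value to a date. pwdLastSet is stored as a Windows FILETIME, a 64-bit count of 100-nanosecond intervals since 1601-01-01 UTC, so DateTime.FromFileTimeUtc does the conversion and DateTime.ToFileTimeUtc produces a cutoff you can put straight into the LDAP filter. The program only reports; nothing is deleted, which is the safe first stage for the review the domain management group is asking for. The LDAP path "LDAP://DC=example,DC=com" is a placeholder you must replace with your own domain DN.

```csharp
using System;
using System.DirectoryServices;

// Report-only listing of computer accounts whose machine password (pwdLastSet)
// has not changed within the last N days. Example code; nothing is modified.
class StaleComputerReport
{
    static void Main(string[] args)
    {
        int days = args.Length > 0 ? int.Parse(args[0]) : 365;

        // pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC), so the
        // cutoff must be expressed in the same unit to be usable in an LDAP filter.
        long cutoff = DateTime.UtcNow.AddDays(-days).ToFileTimeUtc();

        // Placeholder domain root: replace with the DN of your own domain.
        using (DirectoryEntry root = new DirectoryEntry("LDAP://DC=example,DC=com"))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            // Computer objects with pwdLastSet at or below the cutoff. A value of 0
            // ("never set") also matches and is labelled separately below.
            searcher.Filter = "(&(objectCategory=computer)(pwdLastSet<=" + cutoff + "))";
            searcher.PageSize = 500; // paged search so large domains return every result
            searcher.PropertiesToLoad.Add("name");
            searcher.PropertiesToLoad.Add("pwdLastSet");
            searcher.PropertiesToLoad.Add("userAccountControl");
            searcher.PropertiesToLoad.Add("operatingSystem");

            using (SearchResultCollection results = searcher.FindAll())
            {
                Console.WriteLine("{0,-20} {1,-28} {2,-22} {3}", "Name", "OS", "pwdLastSet (UTC)", "State");
                foreach (SearchResult r in results)
                {
                    string name = (string)r.Properties["name"][0];
                    long pwdLastSet = (long)r.Properties["pwdLastSet"][0];
                    int uac = (int)r.Properties["userAccountControl"][0];
                    string os = r.Properties.Contains("operatingSystem")
                        ? (string)r.Properties["operatingSystem"][0]
                        : "(unknown)";

                    // userAccountControl 0x2000 = SERVER_TRUST_ACCOUNT (domain controller).
                    // DCs are never candidates for cleanup, whatever pwdLastSet says.
                    if ((uac & 0x2000) != 0)
                        continue;

                    // 0x0002 = ACCOUNTDISABLE; already-disabled accounts are reported
                    // so the reviewer can see what an earlier pass already handled.
                    string state = (uac & 0x0002) != 0 ? "DISABLED" : "enabled";

                    string when = pwdLastSet == 0
                        ? "never set"
                        : DateTime.FromFileTimeUtc(pwdLastSet).ToString("u");

                    Console.WriteLine("{0,-20} {1,-28} {2,-22} {3}", name, os, when, state);
                }
            }
        }
    }
}
```

Compile with a reference to System.DirectoryServices.dll and run it as a user with read access to the domain; pass a different day count as the first argument to change the threshold. The two things worth reading off the report before any deletion are the "never set" rows (accounts pre-created but never joined, or created by a join that never completed) and the operatingSystem column, since a Windows 2000 DC or server with a stale password is a very different case from a workstation. Windows 98 clients never get a computer object at all, so they will not appear here in either direction.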