Urgent Need:  Inactive Computer account cleanup in Windows 2000 Native Mode via pwdlastset attribute

sbdunn asked
Medium Priority
Last Modified: 2012-06-21
Hi, I am looking to build a process and application that will go and find "inactive" computer accounts in our Windows 2000 Native Mode AD Domain and be able to delete them.  I was hoping to target solely the pwdlastset property of the computer object and delete computer accounts whose password hasn't been reset in 365 days.  Is this a good idea?

We have the following clients: XP, Win2k, Win98.  There is no NT4 anymore.
We have the following Windows servers: Win2k, Windows 2003

There seems to be some concern among our domain management group that we will somehow miss something and end up deleting machines that we should based on the pwdlastset info.  I am not sure what their specific reasons are.

1.  My question is "are we missing anything"?  What if people don't log into the domain or only log in locally to their clients?  I would suppose the machine account would never synchronize, so maybe that is a problem.  What if people shadow into resources?

2. Also, does anyone know the differences of using this pwdlastset attribute in a Windows 2000 AD versus a Windows 2003 AD?  Are the default sync times the same?  I thought the 2000 domain was every 7 days and the 2003 was every 30 days.   When would an account be locked off the domain?  60 days?

3. Finally does anyone have any C# code that will query for that value and convert it?  I know there are some cool utilities with Windows 2003 but we are not quite there yet.

Thanks a bunch for any help,

PowerShell Developer
Top Expert 2010

Hi TS,

I haven't anything in C#, but I do have a VbScript that looks at PwdLastSet. For us it just writes a report and moves the accounts to a specific OU so our desktop teams can deal with their own. It also writes the PwdLastSet date and the original location of the account to the adminDescription attribute in case the change needs to be reversed.

I forget what the interval is for 2000, but you're right in thinking 2003 is every 30 days. With that in mind you can be pretty sure a PC isn't in use anymore if it hasn't been changed for a year.


' ADS_SCOPE_SUBTREE is only predefined in VBA; VBScript needs the constant declared
Const ADS_SCOPE_SUBTREE = 2

Dim objConnection, objCommand, objRecordSet, objComputer, objPwdLastSet, objOU
Dim objRootDSE
Dim objFileSystem, objFile
Dim strComputerName
Dim strDescription
Dim lngHigh, lngLow, lngDate
Dim datDate

Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objFile = objFileSystem.OpenTextFile("out.txt", 2, True, 0)

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

Set objRootDSE = GetObject("LDAP://RootDSE")

objCommand.CommandText = "SELECT name, aDSPath " &_
      "FROM 'LDAP://" & objRootDSE.Get("defaultNamingContext") & "' WHERE objectClass='computer'"

Set objRootDSE = Nothing

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

Set objRecordSet = objCommand.Execute

' Two columns are written per row: the name and the date the password was due to change
objFile.WriteLine "Name,Date Password Last Required to Change"

Set objOU = GetObject("LDAP://<Destination OU>")

While Not objRecordSet.EOF

      Set objComputer = GetObject(objRecordSet.Fields("aDSPath"))

      ' pwdLastSet comes back as an IADsLargeInteger: a 64-bit FILETIME,
      ' i.e. 100-nanosecond ticks since 1/1/1601 UTC
      Set objPwdLastSet = objComputer.Get("pwdLastSet")

      ' Check that it's not in the Member Servers OU

      If InStr(1, objRecordSet.Fields("aDSPath"), "Servers", VbTextCompare) = 0 Then

            lngHigh = objPwdLastSet.HighPart
            lngLow = objPwdLastSet.LowPart

            ' LowPart is a signed 32-bit value. When it is negative, bumping
            ' HighPart makes High * 2^32 + Low come out to the right number
            If lngLow < 0 Then
                  lngHigh = lngHigh + 1
            End If

            ' ticks / 600,000,000 = minutes; / 1440 = days since 1/1/1601
            lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
                  + lngLow) / 600000000) / 1440
            datDate = CDate(lngDate)

            If (datDate + 50) < Date() Then
                  objFile.WriteLine objComputer.Get("name") & "," & datDate + 50
                  On Error Resume Next
                  ' Record the date and the original location so the move can be reversed
                  strDescription = CStr(datDate + 50) & "::" & objRecordSet.Fields("aDSPath")
                  objComputer.Put "adminDescription", strDescription
                  ' Put only updates the local property cache; SetInfo writes it back to AD
                  objComputer.SetInfo
                  objOU.MoveHere objComputer.ADSPath, VbNullString
                  On Error Goto 0
            End If
      End If

      objRecordSet.MoveNext
Wend

objFile.Close

Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing

Set objFile = Nothing
Set objFileSystem = Nothing
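The following PowerShell is an added example, not code from the question or the answer above, showing the same approach (query pwdLastSet, convert the FILETIME, report, then stage the accounts rather than delete them) without the ADSI/ADO plumbing of the VBScript. It uses System.DirectoryServices, so it runs without the ActiveDirectory module and against Windows 2000/2003 domain controllers. The "OU=Servers" exclusion pattern, the 365-day cutoff and the report path are placeholder assumptions to adjust. Two points the question raises are worth keeping in mind while reading it: the machine account password is rotated by the Netlogon service on the client whenever it can reach a domain controller, independent of whether a user logs on, so a powered-on domain member keeps pwdLastSet current even with only local logons; and the default rotation interval has been 30 days since Windows 2000 (Windows NT 4.0 used 7 days). A machine that has not contacted a DC in a year, such as a laptop that has stayed off the corporate network, is therefore flagged even though it may still be in use, which is why the example disables and annotates rather than deletes.

```powershell
# Added example (not from the original post). Finds computer accounts whose
# pwdLastSet is older than -DaysInactive, writes a CSV report, and with
# -Disable sets ACCOUNTDISABLE and records why in adminDescription so the
# change can be reversed. Deletion is deliberately left as a later step.
# Assumptions: run as a user with read (and, for -Disable, write) rights on the
# computer objects; member servers live under an OU matching $ExcludeOuPattern.
param(
    [int]$DaysInactive = 365,
    [string]$ExcludeOuPattern = 'OU=Servers',          # assumption: adjust to your OU layout
    [string]$ReportPath = '.\stale-computers.csv',
    [switch]$Disable
)

# pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC. Express the
# cutoff in the same units so the domain controller filters server-side.
$nowUtc     = (Get-Date).ToUniversalTime()
$cutoffTick = $nowUtc.AddDays(-$DaysInactive).ToFileTimeUtc()

$rootDse = [ADSI]'LDAP://RootDSE'
$domain  = [ADSI]('LDAP://' + $rootDse.defaultNamingContext)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
# objectCategory=computer is indexed; pwdLastSet=0 ("never set") also matches.
$searcher.Filter   = "(&(objectCategory=computer)(pwdLastSet<=$cutoffTick))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(
    @('name', 'distinguishedName', 'pwdLastSet', 'operatingSystem', 'userAccountControl'))

$results = foreach ($r in $searcher.FindAll()) {
    $dn = [string]$r.Properties['distinguishedname'][0]
    if ($dn -match $ExcludeOuPattern) { continue }    # skip member servers

    $raw = [int64]$r.Properties['pwdlastset'][0]
    if ($raw -eq 0) {
        $lastSet = $null                               # password never set
        $days    = $null
    } else {
        $lastSet = [DateTime]::FromFileTimeUtc($raw)   # same conversion as the VBScript, done by .NET
        $days    = [int]($nowUtc - $lastSet).TotalDays
    }
    $uac = [int]$r.Properties['useraccountcontrol'][0]

    [pscustomobject]@{
        Name              = [string]$r.Properties['name'][0]
        DistinguishedName = $dn
        PwdLastSetUtc     = $lastSet
        DaysSinceSet      = $days
        OperatingSystem   = [string]$r.Properties['operatingsystem'][0]
        AlreadyDisabled   = [bool]($uac -band 0x2)     # ACCOUNTDISABLE flag
    }
}

if ($results) {
    $results | Sort-Object DaysSinceSet -Descending |
        Export-Csv -Path $ReportPath -NoTypeInformation
}
'{0} stale computer account(s) written to {1}' -f @($results).Count, $ReportPath

if ($Disable) {
    foreach ($c in @($results) | Where-Object { -not $_.AlreadyDisabled }) {
        $obj = [ADSI]('LDAP://' + $c.DistinguishedName)
        $note = 'Disabled {0:yyyy-MM-dd} by stale-computer cleanup; pwdLastSet={1:yyyy-MM-dd}' -f $nowUtc, $c.PwdLastSetUtc
        $obj.Put('adminDescription', $note)
        $uac = [int]$obj.Properties['userAccountControl'].Value
        $obj.Put('userAccountControl', ($uac -bor 0x2))
        $obj.SetInfo()                                 # commit both attributes in one write
        'Disabled {0}' -f $c.Name
    }
}
```

Run it once without -Disable and review the CSV with the desktop teams (the "Servers" pattern and the OperatingSystem column make it easy to spot anything unexpected), then run it with -Disable; a disabled machine that turns out to be live can be re-enabled from the adminDescription note, whereas a deleted one has to be rejoined. Because pwdLastSet is a replicated attribute, any domain controller gives the same answer, which is not true of lastLogon.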
