Urgent Need: Inactive Computer account cleanup in Windows 2000 Native Mode via pwdlastset attribute

Posted on 2006-03-22
Last Modified: 2012-06-21
Hi, I am looking to build a process and application that will go and find "inactive" computer accounts in our Windows 2000 Native Mode AD Domain and be able to delete them.  I was hoping to target solely the pwdlastset property of the computer object and delete the computer accounts where it hasn't been reset in 365 days.  Is this a good idea?

We have the following clients: XP, Win2k, Win98.  There is no NT4 anymore.
We have the following Windows servers: Win2k, Windows 2003

There seem to be some concerns among our domain management group that we will somehow miss something and end up deleting machines that we should based on the pwdlastset info.  I am not sure what their specific reasons are.

1.  My question is "are we missing anything"?  What if people don't log into the domain or only log in locally to their clients?  I would suppose the machine account would never synchronize, thus maybe that is a problem.  What if people shadow into resources?

2. Also, does anyone know the differences of using this pwdlastset attribute in a Windows 2000 AD versus Windows 2003 AD?  Are the default sync times the same?  I thought the 2000 domain was every 7 days and the 2003 was every 30 days.   When would an account be locked off the domain?  60 days?

3. Finally does anyone have any C# code that will query for that value and convert it?  I know there are some cool utilities with Windows 2003 but we are not quite there yet.

Thanks a bunch for any help,
Question by: sbdunn

    Accepted Solution

    Hi TS,

    I haven't anything in C#, but I do have a VbScript that looks at PwdLastSet. For us it just writes a report and moves the accounts to a specific OU so our desktop teams can deal with their own. It also writes the PwdLastSet date and the original location of the account to the adminDescription attribute in case the change needs to be reversed.

    I forget what the interval is for 2000, but you're right in thinking 2003 is every 30 days. With that in mind you can be pretty sure a PC isn't in use anymore if it hasn't been changed for a year.


    ' ADSI search-scope constant; VBScript does not predefine it, so declare it
    Const ADS_SCOPE_SUBTREE = 2

    Dim objConnection, objCommand, objRecordSet, objComputer, objPwdLastSet, objOU
    Dim objRootDSE
    Dim objFileSystem, objFile
    Dim strDescription
    Dim lngHigh, lngLow, lngDate
    Dim datDate

    Set objFileSystem = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFileSystem.OpenTextFile("out.txt", 2, True, 0)

    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"

    Set objCommand = CreateObject("ADODB.Command")
    objCommand.ActiveConnection = objConnection

    ' Search the whole domain (default naming context) for computer objects
    Set objRootDSE = GetObject("LDAP://RootDSE")
    objCommand.CommandText = "SELECT name, aDSPath " & _
        "FROM 'LDAP://" & objRootDSE.Get("defaultNamingContext") & "' WHERE objectClass='computer'"
    Set objRootDSE = Nothing

    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Timeout") = 600
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
    objCommand.Properties("Cache Results") = False

    Set objRecordSet = objCommand.Execute

    objFile.WriteLine "Name,Date Password Last Required to Change"

    ' OU that stale accounts are moved to; replace the placeholder with its distinguished name
    Set objOU = GetObject("LDAP://<Destination OU>")

    While Not objRecordSet.EOF
        Set objComputer = GetObject(objRecordSet.Fields("aDSPath"))

        ' pwdLastSet is a 64-bit FILETIME (100-nanosecond ticks since 1/1/1601),
        ' returned to scripts as an IADsLargeInteger with HighPart/LowPart
        Set objPwdLastSet = objComputer.Get("pwdLastSet")

        ' Check that it's not in the Member Servers OU
        If InStr(1, objRecordSet.Fields("aDSPath"), "Servers", VbTextCompare) = 0 Then
            lngHigh = objPwdLastSet.HighPart
            lngLow = objPwdLastSet.LowPart

            ' LowPart comes back as a signed 32-bit value; when it is negative the true
            ' unsigned value is LowPart + 2^32, which is the same as adding 1 to HighPart
            If lngLow < 0 Then
                lngHigh = lngHigh + 1
            End If

            ' 600,000,000 ticks = one minute, 1440 minutes = one day
            lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
                + lngLow) / 600000000) / 1440
            datDate = CDate(lngDate)

            ' A pwdLastSet of 0 (never set) converts to 1/1/1601 and so counts as stale.
            ' 50 days here is the 30-day change interval plus slack; use 365 for a year.
            If (datDate + 50) < Date() Then
                objFile.WriteLine objComputer.Get("name") & "," & datDate + 50
                On Error Resume Next
                ' Record the date and the original location so the move can be reversed
                strDescription = CStr(datDate + 50) & "::" & objRecordSet.Fields("aDSPath")
                objComputer.Put "adminDescription", strDescription
                ' Commit the attribute before the move; Put alone only changes the local cache
                objComputer.SetInfo
                objOU.MoveHere objComputer.ADSPath, VbNullString
                On Error Goto 0
            End If
        End If

        objRecordSet.MoveNext
    Wend

    objRecordSet.Close
    Set objRecordSet = Nothing
    Set objCommand = Nothing
    Set objConnection = Nothing

    objFile.Close
    Set objFile = Nothing
    Set objFileSystem = Nothing
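The conversion and age check the question asks for, as an added example in Python rather than the C# the questioner wanted, not code from the original post: it converts pwdLastSet both ways, rebuilds the value from the signed HighPart/LowPart pair that the VBScript above has to correct for, and builds an LDAP filter so the domain controller returns only computers past the cutoff instead of the script fetching every computer object. The names, OUs and ages in the sample records are constructed; a pwdLastSet of 0 (never set) is reported separately rather than silently treated as a 1601 date.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def filetime_to_datetime(ticks):
    """UTC datetime for a pwdLastSet value, or None when it is 0 (password never set)."""
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(when):
    """Inverse conversion, used to build the server-side LDAP cutoff."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10

def large_integer_to_int(high_part, low_part):
    """Rebuild the 64-bit value from IADsLargeInteger HighPart/LowPart. ADSI hands LowPart to
    scripts as a signed 32-bit number; masking it to unsigned is what 'HighPart + 1' does in VBScript."""
    return (high_part << 32) + (low_part & 0xFFFFFFFF)

def stale_computer_filter(max_age_days, now):
    """LDAP filter that makes the DC return only computers past the cutoff (pwdLastSet=0 excluded)."""
    cutoff = datetime_to_filetime(now - timedelta(days=max_age_days))
    return "(&(objectCategory=computer)(pwdLastSet>=1)(pwdLastSet<=%d))" % cutoff

def classify(computers, max_age_days, now, skip_dn_containing="Servers"):
    """Split {'name','dn','pwdLastSet'} records into (stale, never_set), skipping the server OU like the VBScript."""
    cutoff = now - timedelta(days=max_age_days)
    stale, never_set = [], []
    for c in computers:
        if skip_dn_containing.lower() in c["dn"].lower():
            continue
        last = filetime_to_datetime(c["pwdLastSet"])
        if last is None:
            never_set.append(c["name"])  # review by hand; not a candidate for bulk deletion
        elif last < cutoff:
            stale.append((c["name"], last.date().isoformat()))
    return stale, never_set

# Constructed sample records (names, OUs and ages are made up); "today" is the post date.
NOW = datetime(2006, 3, 22, tzinfo=timezone.utc)
def _rec(name, ou, age_days):
    ticks = datetime_to_filetime(NOW - timedelta(days=age_days)) if age_days is not None else 0
    return {"name": name, "dn": "CN=%s,OU=%s,DC=example,DC=local" % (name, ou), "pwdLastSet": ticks}
SAMPLE = [_rec("PC-OLD", "Workstations", 400), _rec("PC-NEW", "Workstations", 10),
          _rec("PC-NEVER", "Workstations", None), _rec("SRV-OLD", "Member Servers", 400)]
```

The machine password change is started by the client's own Netlogon service on its schedule (30 days by default on Windows 2000 and later) whether or not a user ever logs on, and a domain controller never expires or locks a computer account for password age, so pwdLastSet records the last time the machine reached a DC to roll its password. Windows 98 clients have no computer account at all, so they never appear in this search.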
