
Urgent Need: Inactive Computer account cleanup in Windows 2000 Native Mode via pwdlastset attribute

Hi, I am looking to build a process and application that will go and find "inactive" computer accounts in our Windows 2000 Native Mode AD Domain and be able to delete them.  I was hoping to target solely the pwdlastset property of the computer object and delete computer accounts whose password hasn't been reset in 365 days.  Is this a good idea?

We have the following clients: XP, Win2k, Win98.  There is no NT4 anymore.
We have the following Windows servers: Win2k, Windows 2003

There seem to be some concerns among our domain management group that we will somehow miss something and end up deleting machines that we shouldn't, based on the pwdlastset info.  I am not sure what their specific reasons are.

1.  My question is "are we missing anything"?  What if people don't log into the domain or only log in locally to their clients?  I would suppose the machine account would never synchronize, so maybe that is a problem.  What if people shadow into resources?

2. Also, does anyone know the differences of using this pwdlastset attribute in a Windows 2000 AD versus a Windows 2003 AD?  Are the default sync times the same?  I thought the 2000 domain was every 7 days and the 2003 was every 30 days.   When would an account be locked off the domain?  60 days?

3. Finally, does anyone have any C# code that will query for that value and convert it?  I know there are some cool utilities with Windows 2003 but we are not quite there yet.

Thanks a bunch for any help,
1 Solution

Chris Dent (PowerShell Developer) commented:

Hi TS,

I haven't anything in C#, but I do have a VBScript that looks at pwdLastSet. For us it just writes a report and moves the accounts to a specific OU so our desktop teams can deal with their own. It also writes the pwdLastSet date and the original location of the account to the adminDescription attribute in case the change needs to be reversed.

I forget what the interval is for 2000, but you're right in thinking 2003 is every 30 days. With that in mind you can be pretty sure a PC isn't in use anymore if it hasn't been changed for a year.


' ADS_SCOPE_SUBTREE is not predefined in VBScript; without this constant the
' Searchscope assignment below silently sets an Empty value.
Const ADS_SCOPE_SUBTREE = 2

Dim objConnection, objCommand, objRecordSet, objComputer, objPwdLastSet, objOU
Dim objRootDSE
Dim objFileSystem, objFile
Dim strComputerName
Dim strDescription
Dim lngHigh, lngLow, lngDate
Dim datDate

' Report file: ForWriting (2), create if missing, ASCII
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objFile = objFileSystem.OpenTextFile("out.txt", 2, True, 0)

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' Search the whole domain from its default naming context
Set objRootDSE = GetObject("LDAP://RootDSE")

objCommand.CommandText = "SELECT name, aDSPath " &_
      "FROM 'LDAP://" & objRootDSE.Get("defaultNamingContext") & "' WHERE objectClass='computer'"

Set objRootDSE = Nothing

' Paged search so domains with more than 1000 computers are fully enumerated
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

Set objRecordSet = objCommand.Execute

objFile.WriteLine "Name,Date Password Last Required to Change"

' Holding OU for stale accounts; replace the placeholder with its distinguished name
Set objOU = GetObject("LDAP://<Destination OU>")

While Not objRecordSet.EOF

      Set objComputer = GetObject(objRecordSet.Fields("aDSPath"))

      ' pwdLastSet is a 64-bit FILETIME (100-nanosecond ticks since 1 Jan 1601 UTC),
      ' returned by ADSI as an IADsLargeInteger with separate High/Low parts.
      Set objPwdLastSet = objComputer.Get("pwdLastSet")

      ' Check that it's not in the Member Servers OU

      If InStr(1, objRecordSet.Fields("aDSPath"), "Servers", VbTextCompare) = 0 Then

            lngHigh = objPwdLastSet.HighPart
            lngLow = objPwdLastSet.LowPart

            ' LowPart is a signed 32-bit value; a negative LowPart means the
            ' high half must be bumped by one before the two are recombined.
            If lngLow < 0 Then
                  lngHigh = lngHigh + 1
            End If

            ' ticks / 600,000,000 = minutes, / 1440 = days, added to the FILETIME epoch
            lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
                  + lngLow) / 600000000) / 1440
            datDate = CDate(lngDate)

            ' 50-day grace period on top of the last password reset
            If (datDate + 50) < Date() Then
                  objFile.WriteLine objComputer.Get("name") & "," & datDate + 50
                  On Error Resume Next
                  ' Record the date and original location so the move can be reversed
                  strDescription = CStr(datDate + 50) & "::" & objRecordSet.Fields("aDSPath")
                  objComputer.Put "adminDescription", strDescription
                  ' Put only stages the change; SetInfo commits it to the directory
                  objComputer.SetInfo
                  objOU.MoveHere objComputer.ADSPath, VbNullString
                  On Error Goto 0
            End If
      End If

      objRecordSet.MoveNext
Wend

objFile.Close

Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing

Set objFile = Nothing
Set objFileSystem = Nothing
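The question asks for code that queries pwdLastSet and converts it, and the script above shows the report-and-move approach. The following PowerShell is an added example that is not from the question or from Chris Dent's script; it does the same query and FILETIME conversion through System.DirectoryServices (so it runs against Windows 2000/2003 domain controllers without the ActiveDirectory module), cross-checks lastLogonTimestamp where the domain has it, skips accounts that were never joined (pwdLastSet of 0) instead of treating them as stale, and only moves and disables when explicitly asked. The OU distinguished names, the "OU=Servers" exclusion substring and the report path are placeholders chosen for the example.

```powershell
# Added example (not the question's or Chris Dent's code). Finds computer accounts
# whose machine password has not been reset in $StaleDays, writes a CSV report and,
# with -Move, stamps adminDescription, disables the account and moves it to $HoldingOU.
# $HoldingOU, $ExcludeDN and $ReportPath are assumed placeholder values.
param(
    [int]    $StaleDays  = 365,
    [string] $HoldingOU  = 'OU=Stale Computers,DC=example,DC=com',
    [string] $ExcludeDN  = 'OU=Servers',
    [string] $ReportPath = 'stale-computers.csv',
    [switch] $Move
)

# pwdLastSet and lastLogonTimestamp are 64-bit FILETIMEs: 100 ns ticks since 1 Jan 1601 UTC.
# DirectorySearcher already hands them back as Int64, so no High/Low recombination is needed.
function ConvertFrom-FileTime([long] $Value) {
    if ($Value -le 0) { return $null }          # 0 = never set (account pre-created, never joined)
    return [DateTime]::FromFileTimeUtc($Value)
}

# Return the first value of an attribute from a SearchResult, or $null if it is absent.
function Get-ResultValue($Result, [string] $Name) {
    if ($Result.Properties.Contains($Name)) { return $Result.Properties[$Name][0] }
    return $null
}

$root     = [ADSI] 'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI] ('LDAP://' + $root.defaultNamingContext)
$searcher.PageSize   = 1000          # paged search, like the VBScript's Page Size
# objectCategory=computer is indexed (objectClass=computer is not); the bitwise rule
# 1.2.840.113556.1.4.803 on userAccountControl excludes accounts that are already disabled.
$searcher.Filter = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
'distinguishedName', 'name', 'pwdLastSet', 'lastLogonTimestamp', 'operatingSystem' |
    ForEach-Object { [void] $searcher.PropertiesToLoad.Add($_) }

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)

$stale = foreach ($r in $searcher.FindAll()) {
    $dn = [string] (Get-ResultValue $r 'distinguishedname')
    if ($dn -like "*$ExcludeDN*") { continue }   # same idea as the script's "Servers" check

    $pwd = ConvertFrom-FileTime ([long] (Get-ResultValue $r 'pwdlastset'))
    # lastLogonTimestamp exists only once the domain is at Windows Server 2003 functional level;
    # on a 2000-mode domain it is absent and we fall back to pwdLastSet alone.
    $logonRaw = Get-ResultValue $r 'lastlogontimestamp'
    $logon    = if ($null -ne $logonRaw) { ConvertFrom-FileTime ([long] $logonRaw) } else { $null }

    # A never-set password is not "stale"; it is a different bucket to review by hand.
    if ($null -eq $pwd) { continue }
    $pwdStale   = $pwd -lt $cutoff
    $logonStale = ($null -eq $logon) -or ($logon -lt $cutoff)

    if ($pwdStale -and $logonStale) {
        [pscustomobject] @{
            Name               = [string] (Get-ResultValue $r 'name')
            DN                 = $dn
            PwdLastSetUtc      = $pwd
            LastLogonTimestamp = $logon
            OperatingSystem    = [string] (Get-ResultValue $r 'operatingsystem')
        }
    }
}

$stale | Export-Csv -NoTypeInformation -Path $ReportPath
'{0} stale computer account(s) written to {1}' -f @($stale).Count, $ReportPath

if ($Move) {
    $target = [ADSI] "LDAP://$HoldingOU"
    foreach ($c in $stale) {
        $obj = [ADSI] "LDAP://$($c.DN)"
        # Record the date and original location so the change can be reversed.
        $obj.psbase.Properties['adminDescription'].Value = '{0:u}::{1}' -f $c.PwdLastSetUtc, $c.DN
        # Disable rather than delete: the SID and any ACL entries survive, and the
        # account can be re-enabled if a machine turns out to be in use after all.
        $uac = [int] $obj.psbase.Properties['userAccountControl'].Value
        $obj.psbase.Properties['userAccountControl'].Value = $uac -bor 2
        $obj.psbase.CommitChanges()
        $obj.psbase.MoveTo($target)
    }
}
```

Run it once without -Move and read the CSV before doing anything destructive. Machines that only ever log on locally still change their machine password on the normal schedule as long as they can reach a domain controller, so a year-old pwdLastSet genuinely means no DC contact for a year; the cases this catches that the VBScript does not are accounts that were pre-created but never joined (pwdLastSet of 0, which the FILETIME conversion would otherwise turn into 1601 and flag as stale) and accounts already disabled by someone else.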