

Urgent Need:  Inactive Computer account cleanup in Windows 2000 Native Mode via pwdlastset attribute

Posted on 2006-03-22
Medium Priority
Last Modified: 2012-06-21
Hi, I am looking to build a process and application that will go and find "inactive" computer accounts in our Windows 2000 Native Mode AD Domain and be able to delete them. I was hoping to target solely the pwdlastset property of the computer object and delete computer accounts in which it hasn't been reset in 365 days. Is this a good idea?

We have the following clients: XP, Win2k, Win98.  There is no NT4 anymore.
We have the following Windows servers: Win2k, Windows 2003

There seem to be some concerns among our domain management group that we will somehow miss something and end up deleting machines that we should based on the pwdlastset info. I am not sure what their specific reasons are.

1. My question is "are we missing anything"? What if people don't log into the domain or only log in local to their clients? I would suppose the machine account would never synchronize, thus maybe that is a problem. What if people shadow into resources?

2. Also, does anyone know the differences of using this pwdlastset attribute in a Windows 2000 AD versus Windows 2003 AD? Are the default sync times the same? I thought the 2000 domain was every 7 days and the 2003 was every 30 days. When would an account be locked off the domain? 60 days?

3. Finally, does anyone have any C# code that will query for that value and convert it? I know there are some cool utilities with Windows 2003 but we are not quite there yet.

Thanks a bunch for any help,
Question by:sbdunn
1 Comment
LVL 71

Accepted Solution

Chris Dent earned 2000 total points
ID: 16267659

Hi TS,

I haven't anything in C#, but I do have a VbScript that looks at PwdLastSet. For us it just writes a report and moves the accounts to a specific OU so our desktop teams can deal with their own. It also writes the PwdLastSet date and the original location of the account to the adminDescription attribute in case the change needs to be reversed.

I forget what the interval is for 2000, but you're right in thinking 2003 is every 30 days. With that in mind you can be pretty sure a PC isn't in use anymore if it hasn't been changed for a year.


Dim objConnection, objCommand, objRecordSet, objComputer, objPwdLastSet, objOU
Dim objRootDSE
Dim objFileSystem, objFile
Dim strComputerName
Dim strDescription
Dim lngHigh, lngLow, lngDate
Dim datDate

' ADSI search scope value; VBScript does not predefine this constant
Const ADS_SCOPE_SUBTREE = 2

Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objFile = objFileSystem.OpenTextFile("out.txt", 2, True, 0)

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

Set objRootDSE = GetObject("LDAP://RootDSE")

objCommand.CommandText = "SELECT name, aDSPath " &_
      "FROM 'LDAP://" & objRootDSE.Get("defaultNamingContext") & "' WHERE objectClass='computer'"

Set objRootDSE = Nothing

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

Set objRecordSet = objCommand.Execute

objFile.WriteLine "Name,Date Password Last Required to Change,Office"

Set objOU = GetObject("LDAP://<Destination OU>")

While Not objRecordSet.EOF

      Set objComputer = GetObject(objRecordSet.Fields("aDSPath"))

      Set objPwdLastSet = objComputer.Get("pwdLastSet")

      ' Check that it's not in the Member Servers OU

      If InStr(1, objRecordSet.Fields("aDSPath"), "Servers", VbTextCompare) = 0 Then

            lngHigh = objPwdLastSet.HighPart
            lngLow = objPwdLastSet.LowPart

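            ' LowPart is read as a signed 32-bit value; compensate when it is negative
            If lngLow < 0 Then
                  lngHigh = lngHigh + 1
            End If

            ' pwdLastSet counts 100-nanosecond intervals since 1 January 1601:
            ' 600000000 intervals per minute, 1440 minutes per day
            lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
                  + lngLow) / 600000000) / 1440
            datDate = CDate(lngDate)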

            If (datDate + 50) < Date() Then
                  objFile.WriteLine objComputer.Get("name") & "," & datDate + 50
                  On Error Resume Next
                  strDescription = CStr(datDate + 50) & "::" & objRecordSet.Fields("aDSPath")
                  objComputer.Put "adminDescription", strDescription
                  objOU.MoveHere objComputer.ADSPath, VbNullString
                  On Error Goto 0
            End If
      End If

      ' Advance to the next computer account
      objRecordSet.MoveNext
Wend

Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing

Set objFile = Nothing
Set objFileSystem = Nothing
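
For the C# asked about in question 3, an added example (not part of the original thread or the answerer's script) that queries computer accounts by pwdLastSet and converts the value to a date. The LDAP path is a placeholder and the class and method names are hypothetical; it only writes a report, so nothing is moved or deleted until someone has reviewed the list.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices; // add a reference to System.DirectoryServices.dll

static class StaleComputerReport // hypothetical name, for illustration only
{
    // pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
    // 0 means no password-set time is recorded; treat that as "unknown", not "old".
    public static DateTime? ToUtc(long pwdLastSet)
    {
        if (pwdLastSet <= 0) return null;
        return DateTime.FromFileTimeUtc(pwdLastSet);
    }

    public static IEnumerable<string> Find(string ldapPath, int maxAgeDays)
    {
        long cutoff = DateTime.UtcNow.AddDays(-maxAgeDays).ToFileTimeUtc();
        // Let the domain controller filter: pwdLastSet is set and older than the cutoff.
        string filter = "(&(objectCategory=computer)(pwdLastSet>=1)(pwdLastSet<=" + cutoff + "))";

        using (DirectoryEntry root = new DirectoryEntry(ldapPath))
        using (DirectorySearcher searcher = new DirectorySearcher(root, filter,
                   new[] { "name", "pwdLastSet", "distinguishedName" }, SearchScope.Subtree))
        {
            searcher.PageSize = 1000; // paged search; otherwise the result set is capped
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    // DirectorySearcher returns large-integer attributes as Int64,
                    // so no HighPart/LowPart arithmetic is needed here.
                    DateTime? set = ToUtc((long)r.Properties["pwdLastSet"][0]);
                    if (set == null) continue;
                    yield return string.Format("{0},{1:yyyy-MM-dd},\"{2}\"",
                        r.Properties["name"][0], set.Value, r.Properties["distinguishedName"][0]);
                }
            }
        }
    }

    static void Main()
    {
        // Report only: review the output before disabling, moving or deleting anything.
        Console.WriteLine("Name,PwdLastSetUtc,DistinguishedName");
        foreach (string line in Find("LDAP://DC=example,DC=com", 365)) // placeholder domain
            Console.WriteLine(line);
    }
}
```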
