Urgent Need: Inactive Computer account cleanup in Windows 2000 Native Mode via pwdlastset attribute

Hi, I am looking to build a process and application that will go and find "inactive" computer accounts in our Windows 2000 Native Mode AD Domain and be able to delete them.  I was hoping to target solely the pwdlastset property of the computer object and delete computer accounts in which it hasn't been reset in 365 days.  Is this a good idea?

We have the following clients: XP, Win2k, Win98.  There is no NT4 anymore.
We have the following Windows servers: Win2k, Windows 2003

There seems to be some concern among our domain management group that we will somehow miss something and end up deleting machines that we should based on the pwdlastset info.  I am not sure what their specific reasons are.

1.  My question is "are we missing anything"?  What if people don't log into the domain or only log in locally to their clients?  I would suppose the machine account would never synchronize, thus maybe that is a problem.  What if people shadow into resources?

2. Also, does anyone know the differences of using this pwdlastset attribute in a Windows 2000 AD versus Windows 2003 AD?  Are the default sync times the same?  I thought the 2000 domain was every 7 days and the 2003 was every 30 days.   When would an account be locked off the domain?  60 days?

3. Finally, does anyone have any C# code that will query for that value and convert it?  I know there are some cool utilities with Windows 2003 but we are not quite there yet.

Thanks a bunch for any help,

Chris Dent (PowerShell Developer) commented:

Hi TS,

I haven't anything in C#, but I do have a VbScript that looks at PwdLastSet. For us it just writes a report and moves the accounts to a specific OU so our desktop teams can deal with their own. It also writes the PwdLastSet date and the original location of the account to the adminDescription attribute in case the change needs to be reversed.

I forget what the interval is for 2000, but you're right in thinking 2003 is every 30 days. With that in mind you can be pretty sure a PC isn't in use anymore if it hasn't been changed for a year.


Const ADS_SCOPE_SUBTREE = 2

Dim objConnection, objCommand, objRecordSet, objComputer, objPwdLastSet, objOU
Dim objRootDSE
Dim objFileSystem, objFile
Dim strDescription
Dim lngHigh, lngLow, lngDate
Dim datDate

' Report file: 2 = ForWriting, True = create it if it does not exist
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objFile = objFileSystem.OpenTextFile("out.txt", 2, True, 0)

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' Search the whole domain, starting at its default naming context
Set objRootDSE = GetObject("LDAP://RootDSE")

objCommand.CommandText = "SELECT name, aDSPath " & _
      "FROM 'LDAP://" & objRootDSE.Get("defaultNamingContext") & "' WHERE objectClass='computer'"

Set objRootDSE = Nothing

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

Set objRecordSet = objCommand.Execute

objFile.WriteLine "Name,Date Password Last Required to Change"

' OU that stale accounts are moved to (replace the placeholder with your own DN)
Set objOU = GetObject("LDAP://<Destination OU>")

While Not objRecordSet.EOF

      Set objComputer = GetObject(objRecordSet.Fields("aDSPath"))

      ' pwdLastSet is an IADsLargeInteger: a 64-bit FILETIME split into two 32-bit halves
      Set objPwdLastSet = objComputer.Get("pwdLastSet")

      ' Check that it's not in the Member Servers OU

      If InStr(1, objRecordSet.Fields("aDSPath"), "Servers", VbTextCompare) = 0 Then

            lngHigh = objPwdLastSet.HighPart
            lngLow = objPwdLastSet.LowPart

            ' LowPart is signed; a negative value means the unsigned low half wrapped
            If lngLow < 0 Then
                  lngHigh = lngHigh + 1
            End If

            ' FILETIME counts 100-nanosecond ticks since 1601-01-01:
            ' / 600000000 gives minutes, / 1440 gives days to add to the epoch
            lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
                  + lngLow) / 600000000) / 1440
            datDate = CDate(lngDate)

            If (datDate + 50) < Date() Then
                  objFile.WriteLine objComputer.Get("name") & "," & (datDate + 50)
                  On Error Resume Next
                  ' Record the due date and original location so the move can be reversed
                  strDescription = CStr(datDate + 50) & "::" & objRecordSet.Fields("aDSPath")
                  objComputer.Put "adminDescription", strDescription
                  objComputer.SetInfo
                  objOU.MoveHere objComputer.ADSPath, VbNullString
                  On Error Goto 0
            End If
      End If

      objRecordSet.MoveNext
Wend

objFile.Close

Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing

Set objFile = Nothing
Set objFileSystem = Nothing
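Since the question asks for C#, here is an added example (not code from the original post or its author) that does the same pwdLastSet query and FILETIME conversion with System.DirectoryServices. It is a report-only tool: it lists candidates and leaves deletion or moving to a separate, reviewed step. pwdLastSet records the machine's own secure-channel password change, which Netlogon performs whenever the computer is on the network and can reach a DC, independent of whether anyone logs on to the domain; a machine that is offline for the whole window will not update it, and a value of 0 means the password was never set, so the filter excludes those rather than treating them as 1601-01-01. The search root, the 365-day threshold and the output columns are placeholders chosen for illustration.

```csharp
// Added example for this thread, not code from the original post.
// Reference System.DirectoryServices.dll. Search root and threshold are placeholders.
using System;
using System.Collections.Generic;
using System.DirectoryServices;

public static class StaleComputerReport
{
    // pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
    // 0 means "never set / reset pending" and is reported as null, not as 1601-01-01.
    public static DateTime? PwdLastSetToUtc(long pwdLastSet)
    {
        if (pwdLastSet <= 0) return null;
        return DateTime.FromFileTimeUtc(pwdLastSet);
    }

    // Build the LDAP filter so the domain controller applies the age test itself
    // instead of the client pulling every computer object and comparing locally.
    public static string BuildStaleFilter(DateTime nowUtc, int inactiveDays)
    {
        long cutoff = nowUtc.AddDays(-inactiveDays).ToFileTimeUtc();
        return "(&(objectCategory=computer)(pwdLastSet<=" + cutoff + ")(!(pwdLastSet=0)))";
    }

    public sealed class StaleComputer
    {
        public string Name;
        public string DistinguishedName;
        public DateTime? PasswordLastSetUtc;
    }

    // searchRoot is an ADsPath such as "LDAP://DC=example,DC=local" (placeholder).
    public static List<StaleComputer> Find(string searchRoot, int inactiveDays)
    {
        var found = new List<StaleComputer>();
        using (var root = new DirectoryEntry(searchRoot))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = BuildStaleFilter(DateTime.UtcNow, inactiveDays);
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PageSize = 1000; // paged results, as in the VBScript above
            searcher.PropertiesToLoad.Add("name");
            searcher.PropertiesToLoad.Add("distinguishedName");
            searcher.PropertiesToLoad.Add("pwdLastSet");

            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    // DirectorySearcher returns the large integer as Int64; only
                    // DirectoryEntry.Properties hands back the HighPart/LowPart COM object.
                    long raw = r.Properties.Contains("pwdLastSet")
                        ? (long)r.Properties["pwdLastSet"][0]
                        : 0;
                    found.Add(new StaleComputer
                    {
                        Name = (string)r.Properties["name"][0],
                        DistinguishedName = (string)r.Properties["distinguishedName"][0],
                        PasswordLastSetUtc = PwdLastSetToUtc(raw)
                    });
                }
            }
        }
        return found;
    }

    public static void Main(string[] args)
    {
        // Placeholder defaults: pass your own search root and threshold on the command line.
        string searchRoot = args.Length > 0 ? args[0] : "LDAP://DC=example,DC=local";
        int inactiveDays = args.Length > 1 ? int.Parse(args[1]) : 365;

        Console.WriteLine("Name,PasswordLastSetUtc,DistinguishedName");
        foreach (StaleComputer c in Find(searchRoot, inactiveDays))
        {
            string when = c.PasswordLastSetUtc.HasValue
                ? c.PasswordLastSetUtc.Value.ToString("yyyy-MM-dd")
                : "never";
            Console.WriteLine(c.Name + "," + when + "," + c.DistinguishedName);
        }
    }
}
```

Run it as `StaleComputerReport.exe "LDAP://DC=yourdomain,DC=local" 365` and review the CSV before acting on it; keeping the age comparison inside the LDAP filter means a 1000-entry page size is enough even for large domains, and the separate Find method can be reused by a second tool that moves or disables the listed accounts once someone has signed off on the list.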
