• Status: Solved

script Required

I want to disable computer names that have not connected to the domain for more than 90 days.

I need one script to find computers that have not connected to the domain for more than 90 days and disable the same.

Help will be appreciated.
1 Solution
Combined a few scripts from the Microsoft Scripting Guys into the script below that should take care of what you need.  Unable to test as I don't have access to an AD anymore.
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2
' Cutoff date: 90 days before today
dtmLogoffDate = DateAdd("d", -90, Date())
' Read the local time zone bias (in minutes) so the cutoff can be converted to UTC
Set objShell = CreateObject("Wscript.Shell")
lngTimeZoneBias = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
  & "TimeZoneInformation\ActiveTimeBias")
If UCase(TypeName(lngTimeZoneBias)) = "LONG" Then
  lngFinalBias = lngTimeZoneBias
ElseIf UCase(TypeName(lngTimeZoneBias)) = "VARIANT()" Then
  lngFinalBias = 0
  For k = 0 To UBound(lngTimeZoneBias)
    lngFinalBias = lngFinalBias + (lngTimeZoneBias(k) * 256^k)
  Next
End If
' Convert the cutoff to 100-nanosecond intervals since 1/1/1601 (AD Integer8 format)
dtmNewDate = DateAdd("n", lngFinalBias, dtmLogoffDate)
lngSeconds = DateDiff("s", #1/1/1601#, dtmNewDate)
strModifiedLogoffDate = CStr(lngSeconds) & "0000000"
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
'Replace the dc=fabrikam,dc=com in the command below with the proper info for your domain.
objCommand.CommandText = _
    "SELECT Name, adspath FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectClass='computer' " & _
        "AND lastLogoff<='" & strModifiedLogoffDate & "'"
Set objRecordSet = objCommand.Execute
Set comp = Nothing
Do Until objRecordSet.EOF
    ' Bind to each computer account returned by the query
    Set comp = GetObject(objRecordSet("adspath").Value)
    If Not comp Is Nothing Then
        comp.AccountDisabled = True
        comp.SetInfo ' write the change back to the directory
    Else
        MsgBox "Computer DN """ & objRecordSet("adspath").Value & """ could not be found"
    End If
    Set comp = Nothing
    objRecordSet.MoveNext
Loop


Actually you don't need to script it. The built-in dsquery and dsmod commands will do it.
dsquery computer -inactive 13 | dsmod computer -disabled yes
The above command will find any computers inactive for 13 weeks or more (91 days) and disable them.
gokulakrishnanns (Author) Commented:
Hi dan_neal,

Thanks for the script. I need some modifications for the same.

1. I have created a "Disabled Computers" OU, so when the script executes, the disabled accounts will move to this "Disabled Computers" OU.
2. I need a detailed output for the same.
Appreciate your help.

I would highly recommend checking out the script repository on the Microsoft Scripting Guys site, for a large majority of these types of scripts have already been written there.
gokulakrishnanns (Author) Commented:
Hi bluntTony,
Unable to get the details with dsquery:

C:\>dsquery computer -inactive 13
dsquery failed:The parameter is incorrect.:Windows could not run this query be
use you are connected to a domain that does not support this query.
type dsquery /? for help.
gokulakrishnanns (Author) Commented:
Hi bluntTony,
The dsquery commands are not working. Could you please check for any syntax error?

The syntax is OK, but your domain needs to be running at Windows Server 2003 functional level.
You can only raise the functional level to this if you have no pre-2003 servers on the network (i.e. 2000/NT4). To raise the level, go to AD Users and Computers, right click the domain, 'Raise Domain Functional Level'.
Before you have raised the functional level, I don't think the attribute it queries is being written to, and in addition, I don't think the script posted by dan neal will work either. The attribute lastLogoff is not written to, and is also not replicated to other domain controllers, so you would have to run it on all DCs. You would have to query the pwdLastSet attribute. By default computer passwords are reset every 30 days, so usually searching for dates older than 90 days is a good way to do this.
Simplest thing for you to do: download this utility: http://www.joeware.net/freetools/tools/oldcmp/index.htm. Copy it into %systemroot%\system32 and call it from the command line. It does what you need and more. It's a very good utility.
gokulakrishnanns (Author) Commented:
Hi bluntTony,

Thanks for the reply. I have tested with oldcmp on a test server, which shows only 2 accounts are old, but when I used dan_neal's script it disabled more than 2 accounts. I have two doubts:

1. After dan_neal's script execution I could see 5 - 6 accounts disabled. After that I generated a report with the help of oldcmp, and it is not showing all 5 - 6 accounts.

2. My purpose is:
         - Get the list of computers not logging on for more than 90 days
         - Disable and move them to one OU
Using oldcmp it is possible, but before implementing into production I want to ensure that the reports generated by oldcmp are correct, since I got the above difference on the test server.
I can pretty much assure you that oldcmp works. The difference is that the script above is testing on the attribute lastLogOff for the computer account and oldcmp uses pwdLastSet. The lastLogOff attribute isn't actually written to by AD. The field isn't used.

You can prove this by using ADSIEdit (from the support tools on the W2K3 CD). Browse to a computer account and view the properties. Scroll down to the lastLogOff attribute and the value will most likely be 0.

Furthermore, the lastLogOff attribute is not replicated, so you would have to perform the search by connecting to each domain controller. There is a lastLogOn attribute which is written to, but this is also not replicated. Each individual domain controller holds a record of when the machine last logged on with it.

By default, a machine will automatically reset its password every 30 days with a DC. So, if its password has not been reset for 90 days, it can't have logged on for 90 days.

In answer to your first question - being disabled is different to the last logon. They are two different attributes, so just because you have disabled a computer account, it's still going to show as having logged on the same time, hence the reason why they didn't immediately appear on the oldcmp report. If you want to search for disabled computer accounts, use 'dsquery computer -disabled'
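The difference described above between filtering on lastLogoff and on pwdLastSet, as an added example that is not part of the original thread: it converts a 90-day cutoff to the directory's 1601-based timestamp format, as the VBScript does, and applies both tests to sample records. The computer names, timestamps and the separate handling of pwdLastSet = 0 are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """Aware datetime -> 100-ns intervals since 1601-01-01 UTC (AD Integer8)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def stale_filter(attribute, cutoff):
    """LDAP filter for computers whose timestamp attribute is at or before cutoff."""
    return f"(&(objectCategory=computer)({attribute}<={to_filetime(cutoff)}))"

def matches(record, attribute, cutoff):
    """Apply the <= test; a record without the attribute never matches."""
    value = record.get(attribute)
    return value is not None and value <= to_filetime(cutoff)

def compare(records, now, days=90):
    """Return (hits on lastLogoff, hits on pwdLastSet, accounts to review by hand)."""
    cutoff = now - timedelta(days=days)
    by_logoff = [r["name"] for r in records if matches(r, "lastLogoff", cutoff)]
    # Assumption: pwdLastSet == 0 is not a real timestamp, so list it separately.
    review = [r["name"] for r in records if r.get("pwdLastSet") == 0]
    by_pwd = [r["name"] for r in records
              if matches(r, "pwdLastSet", cutoff) and r["name"] not in review]
    return by_logoff, by_pwd, review

# Constructed sample data: names and timestamps are invented for illustration.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def _age(days):
    return to_filetime(NOW - timedelta(days=days))

RECORDS = [
    {"name": "WS-ACTIVE", "pwdLastSet": _age(10), "lastLogoff": 0},
    {"name": "WS-RECENT", "pwdLastSet": _age(45), "lastLogoff": 0},
    {"name": "WS-STALE1", "pwdLastSet": _age(120), "lastLogoff": 0},
    {"name": "WS-STALE2", "pwdLastSet": _age(400), "lastLogoff": 0},
    {"name": "WS-PRESTAGED", "pwdLastSet": 0},  # no lastLogoff attribute at all
]

if __name__ == "__main__":
    by_logoff, by_pwd, review = compare(RECORDS, NOW)
    print(stale_filter("pwdLastSet", NOW - timedelta(days=90)))
    print("lastLogoff filter :", by_logoff)
    print("pwdLastSet filter :", by_pwd)
    print("review manually   :", review)
```

In this sample every record with lastLogoff = 0 passes the lastLogoff test regardless of how recently the machine changed its password, while the pwdLastSet test selects only the two accounts older than 90 days.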
gokulakrishnanns (Author) Commented:
Hi bluntTony,

I have to identify when the user is created in my domain.
In my child domain there are 1000 users in total. I need the user name and when it was created (DD/MM/yy) as output. Please let me know if any tool/script is there.
You can use AdFind for this : http://www.joeware.net/freetools/tools/adfind/index.htm

The command you want is:

adfind -f "(objectCategory=user)" sAMAccountName -tdcas createTimeStamp > results.txt

The tool will output the data to results.txt
gokulakrishnanns (Author) Commented:
Hi bluntTony,

Thanks for the prompt update. Actually, more than 1000 users exist in my domains. I want 400 users within that, which were created in different OUs according to their departments. So is it possible that I can input those 400 users and get the same?

I need to execute the same in 2 child domains also. Your help will be much appreciated.
Hope running this tool in the production environment will not make any impact.
I'm not sure what you mean. Wasn't your original question about disabling old computer accounts? You now are asking to search for users. I think this is a different question.
