Automated removal of expired machines in Active Directory

I'm looking for a way to automate the removal of expired machines (not logged in > 90 days) to help with asset management.
Al CaholicAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
If your domain is at the 2003 functional level or higher then you can find inactive computers using the command
dsquery computer -inactive <number of weeks>

Run this from a 2003 server or an XP machine with the adminpak installed.

You could pipe the output of this command to dsrm to delete the accounts, but do so with extreme caution.
Mike KlineCommented:
I really like old computer by MVP Joe Richards for this
Very nice reports that managment likes too.  
start with
oldcmp -report

I've written vbscripts to query the last logon date of a computer's object (depending on the forest and domain operational level, you might have to query each domain controller or if you are running at 2003 native then you can query AD directly) and then based on the results you can delete the objects that are old - or move them to an expired OU and then delete them once they are really old. It's up to you.

The code for getting last logon is somewhat complex, but I will attach it shortly in a subsequent post.

Deleting the object from AD via vbscript is pretty easy:

strComputer = "atl-pro-040"
set objComputer = GetObject("LDAP://CN=" & strComputer & ",CN=Computers,DC=fabrikam,DC=com")
objComputer.DeleteObject (0)

Open in new window

Here's a script that will poll each DC in the domain and determine the most recent last logon date of the computer and output that and whether the computer is enabed or disabled. It expects you to enter the computer name as a command line argument when running the script. You can use pieces of this script and the other small snippet I posted for deleting objects to create one that does the job you want.

On Error Resume Next
strPath = left(wscript.ScriptFullName, len(wscript.ScriptFullName) - len(wscript.ScriptName))
strDom = "fabrikam"
'Find DN
strNTName = strDOM & "\" & wscript.arguments(0) & "$"
Const ADS_NAME_TYPE_1779 = 1
Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_GC, ""
objTrans.Set ADS_NAME_TYPE_NT4, strNTName
' Use the Get method to retrieve the RPC 1779 Distinguished Name.
strPCDN = objTrans.Get(ADS_NAME_TYPE_1779)
strPCDN = Replace(strPCDN, "/", "\/")
wscript.echo strPCDN
LastLog = #1/1/1601#
'Get TimeZone offsets
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colTimeZones = objWMIService.ExecQuery("Select * From Win32_TimeZone")
For Each objTimeZone in colTimeZones
intTimeZoneBias = objTimeZone.Bias
intDaylightBias = objTimeZone.DaylightBias
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
objCommand.CommandText = _
"SELECT ADsPath FROM 'LDAP://" & strConfigurationNC & "' WHERE objectClass='nTDSDSA'" 
Set objRecordSet = objCommand.Execute
'Get lastlogon from each DC and find newest
Do Until objRecordSet.EOF
Set objParent = GetObject(GetObject(objRecordset.Fields("ADsPath")).Parent)
strDCName = objParent.dnsHostName
Set objUser = GetObject _
("LDAP://" & strDCName & "/" & strPCDN)
Set objLastLogon = objUser.Get("lastLogon")
Set objLastLogonTS = objUser.Get("lastLogonTimestamp")
intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart 
intLastLogonTime = intLastLogonTime / (60 * 10000000)
intLastLogonTime = intLastLogonTime / 1440
dtmLastLogon = intLastLogonTime + #1/1/1601#
dtmLastLogon = DateAdd("n", intTimeZoneBias, dtmLastLogon)
dtmLastLogon = DateAdd("n", intDaylightBias, dtmLastLogon)
intLastLogonTimeTS = objLastLogonTS.HighPart * (2^32) + objLastLogonTS.LowPart 
intLastLogonTimeTS = intLastLogonTimeTS / (60 * 10000000)
intLastLogonTimeTS = intLastLogonTimeTS / 1440
dtmLastLogonTS = intLastLogonTimeTS + #1/1/1601#
dtmLastLogonTS = DateAdd("n", intTimeZoneBias, dtmLastLogonTS)
dtmLastLogonTS = DateAdd("n", intDaylightBias, dtmLastLogonTS)
wscript.echo " " & strDCName & " reports " & dtmLastLogon & " as last logon"
wscript.echo " " & strDCName & " reports " & dtmLastLogonTS & " as last logonTimeStamp"
If dtmLastLogonTS > dtmLastLogon Then dtmLastLogon = dtmLastLogonTS
If dtmLastLogon > LastLog Then
LastLog = dtmLastLogon
End If
wscript.echo "Final choice = " & LastLog
If Instr(LastLog, " ") > 0 Then
LLArray=Split(LastLog, " ")
End If
AccountStatus = "disabled"
AccountStatus = "enabled"
End If
wscript.echo wscript.arguments(0) & ";" & strPCDN & ";" & LastLog & ";" & AccountStatus
Function IsAccountDisabled( strDomain, strAccount )
Dim objUser
Set objUser = GetObject("WinNT://" & strDomain & "/" & strAccount & ",user")
IsAccountDisabled = objUser.AccountDisabled
End Function 

Open in new window

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.