Any server administrator that works with Windows Server and Active Directory can tell you that it’s not uncommon for Active Directory to be littered with old and stale data, including old computer accounts.
It doesn’t matter whether your organization is a small business running a single server or a large corporate customer with numerous sites and more domain controllers than you can remember the names of off the top of your head.
Old and stale data in Active Directory includes old computer accounts, unused global groups, stale DNS entries, unnecessary group policy objects, old user accounts, and a plethora of other worthless and outdated information, all of which should be cleaned up over time. Today, we are going to focus on finding and removing old computer accounts in your Active Directory domain, a good housekeeping practice that all server administrators should perform on a semi-regular basis.
It’s easy enough to join new computers to the domain as part of your routine procedure when setting up a new computer for a user, but it’s also just as easy to forget the important steps involved in retiring or removing their old computer. One of those steps should be to remove the old computer from the domain. When this procedure is skipped, Active Directory can eventually become filled with hundreds of useless computer accounts that will eventually need to be removed.
Windows operating systems such as Windows 10, Windows 8, Windows 7, all the way back to Windows NT, automatically change their computer account password every 30 days (yes, computer accounts have passwords, just like user accounts have passwords). The computer account passwords get changed automatically and synchronize between the desktop machine and a domain controller. There is never a need for user intervention to make this automated process happen, other than for a user to actually power the machine on.
If you have computer accounts with passwords older than 75 days, chances are those computers have not even been turned on and connected to the domain for at least 45 days (the 75-day threshold minus the 30-day rotation interval). In those cases, it’s likely the computers themselves no longer exist and are safe to delete from Active Directory. Keep in mind, if you mistakenly delete a computer account, you can very easily just re-join that machine to the domain.
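The rotation described above can be verified on any domain-joined machine. The following Windows PowerShell snippet is an added example, not part of the original article; it assumes an elevated session on a domain member with the ActiveDirectory module (RSAT) installed. It reads the Netlogon settings that Group Policy writes for machine account password changes, then compares them with what Active Directory has recorded for this computer's account. It also surfaces the one case where a live machine legitimately shows an old password: the "Disable machine account password changes" policy.

```powershell
# Added example: confirm machine account password rotation on this domain member.
# Assumes an elevated Windows PowerShell session with the ActiveDirectory module available.
Import-Module ActiveDirectory

$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$p = Get-ItemProperty -Path $netlogon

# Group Policy "Domain member: Maximum machine account password age" writes MaximumPasswordAge here.
# When the value is absent, Netlogon uses its built-in default of 30 days.
$maxAge = if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }

# "Domain member: Disable machine account password changes" sets DisablePasswordChange to 1.
# A machine with this enabled will look stale in AD even though it is online every day.
$changesDisabled = ($p.DisablePasswordChange -eq 1)

# What Active Directory currently records for this computer's own account.
$me  = Get-ADComputer -Filter "Name -eq '$env:COMPUTERNAME'" -Properties PasswordLastSet
$age = (New-TimeSpan -Start $me.PasswordLastSet -End (Get-Date)).Days

[pscustomobject]@{
    Computer                = $env:COMPUTERNAME
    MaxPasswordAgeDays      = $maxAge
    PasswordChangesDisabled = $changesDisabled
    PasswordLastSet         = $me.PasswordLastSet
    PasswordAgeDays         = $age
    # A healthy member should have PasswordAgeDays <= MaxPasswordAgeDays (unless changes are disabled)
    # and an intact secure channel to a domain controller.
    SecureChannelOk         = Test-ComputerSecureChannel
}
```

If PasswordAgeDays exceeds MaxPasswordAgeDays on a machine that is clearly online, check PasswordChangesDisabled first; that policy is the usual reason a live computer ends up on a stale-password report.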
Ways you can search for old computer accounts in your Active Directory domain
The first method uses the built-in command line tool DSQUERY. With DSQUERY, you can generate a list of computer accounts with stale passwords. Here’s the process for doing so:
Open a Windows command prompt on your domain controller, and type the following:
C:\Windows\system32\dsquery computer -stalepwd 75 -limit 500 > c:\temp\old-computers.txt
This will output a list of computer accounts in your domain that have passwords older than 75 days to an “old-computers.txt” text file in your c:\temp directory. Use the -limit parameter if you anticipate having over 100 computer accounts with aging passwords, since DSQUERY returns only the first 100 results by default. You can open the output file in either Notepad or Excel to view and organize the data appropriately (sorting by Computer Name or by Organizational Unit) to make it easier for you to locate and delete those computers.
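The same search can be done with the ActiveDirectory PowerShell module, which makes it easier to add the checks a careful administrator wants before deleting anything. The script below is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module is installed, keeps the article's 75-day threshold and C:\temp output location, and writes a sortable CSV instead of a text file. It goes a little beyond the DSQUERY one-liner by flagging domain controllers, cluster name objects, and accounts with a recent logon, which should not be deleted on the strength of password age alone.

```powershell
# Added example: PowerShell counterpart of "dsquery computer -stalepwd 75".
# Assumes the ActiveDirectory module (RSAT) is available and you have rights to read and delete computer objects.
#Requires -Modules ActiveDirectory
param(
    [int]$StaleDays   = 75,                                # same threshold as the article
    [string]$ReportPath = 'C:\temp\old-computers.csv'      # CSV version of the article's old-computers.txt
)

Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$StaleDays)

# Server-side filter equivalent to -stalepwd: enabled computer accounts whose password predates the cutoff.
$stale = Get-ADComputer -Filter { PasswordLastSet -lt $cutoff -and Enabled -eq $true } `
    -Properties PasswordLastSet, LastLogonDate, OperatingSystem, servicePrincipalName, PrimaryGroupID

$candidates = foreach ($c in $stale) {
    # Checks before deletion:
    # - Domain controllers (primary group RID 516) and read-only DCs (521) never belong on this list.
    # - Cluster name objects carry the MSClusterVirtualServer SPN and handle their passwords differently.
    # - LastLogonDate (the replicated lastLogonTimestamp, accurate to roughly 14 days) is a second opinion.
    $isDc        = $c.PrimaryGroupID -in 516, 521
    $isCluster   = @($c.servicePrincipalName | Where-Object { $_ -like 'MSClusterVirtualServer/*' }).Count -gt 0
    $recentLogon = $c.LastLogonDate -and ($c.LastLogonDate -gt $cutoff)

    [pscustomobject]@{
        Name              = $c.Name
        OperatingSystem   = $c.OperatingSystem
        PasswordLastSet   = $c.PasswordLastSet
        LastLogonDate     = $c.LastLogonDate
        # Parent OU, obtained by dropping the leading CN= component of the DN (simple split; fine for a report).
        OU                = ($c.DistinguishedName -split ',', 2)[1]
        Skip              = if ($isDc) { 'domain controller' }
                            elseif ($isCluster) { 'cluster object' }
                            elseif ($recentLogon) { 'recent logon' }
                            else { '' }
        DistinguishedName = $c.DistinguishedName
    }
}

# Sortable report you can open in Excel, grouped by OU then name as the article suggests.
$candidates | Sort-Object OU, Name | Export-Csv -Path $ReportPath -NoTypeInformation

$toRemove = @($candidates | Where-Object { -not $_.Skip })
$flagged  = @($candidates | Where-Object { $_.Skip })
Write-Host ("{0} stale computer accounts found, {1} flagged for review, {2} eligible for removal. Report: {3}" -f `
    @($candidates).Count, $flagged.Count, $toRemove.Count, $ReportPath)

# Dry run first; remove -WhatIf only after you have reviewed the CSV.
# Remove-ADComputer refuses objects that have child objects (for example BitLocker recovery
# information or printer queues); Remove-ADObject -Recursive handles those cases.
$toRemove | ForEach-Object {
    Remove-ADComputer -Identity $_.DistinguishedName -Confirm:$false -WhatIf
}
```

Run it once as written to produce the CSV and the -WhatIf listing, review the Skip column, and only then take out -WhatIf. Disabling the accounts for a few weeks before deleting them is a common middle step if you want a cheap rollback beyond re-joining the machine.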
Using Hyena from System Tools
The second method uses a GUI-based tool called Hyena from System Tools that allows for quick analysis and viewing of the password age for all computer accounts in your domain. Hyena has been an award-winning Active Directory management tool for at least 12+ years now and has a plethora of capabilities beyond this small function. I’ve used it at many different customers over the years and it always seems to make the job of a server administrator much easier. In this particular case, you can make use of the Free 30 Day Trial available to get the information you need to clean up old computer accounts.
Once Hyena is set up, all you need to do is right-click on the Computer container in the left-hand column, select Query Active Directory, then select Computer (Detailed), and you will end up with a list of results like this:
You can even sort by the Pwd Last Set column, then select all the applicable stale computer accounts, right-click and choose Remove from Domain.
There you go! Now that you’ve cleaned up old computer accounts in your domain, you can move on to cleaning up other aging data too like old user accounts, old group policy objects, stale DNS entries, unnecessary global groups, etc. Have fun!