Over time, a lot of old and unnecessary information accumulates in Active Directory, which periodically needs to be deleted.
The task arose: to clear a specific OU in Active Directory from PC accounts that have not been used for more than 120 days.
As a utility for conducting mass operations with AD, I prefer to use dsquery, and as a parameter that determines the time during which the account was not used – the time since the last password change of the computer in the domain.
How to find all inactive accounts
To sample all inactive (at least 120 days) PCs in a specific OU, I use the following command:
dsquery computer “ou = Computers, ou = Moskow, dc = corp, dc = winitpro, dc = en” -stalepwd 120 -limit 10000> c: \ 12.txt
Parameters: —stalepwd 120 is the time since the last password change of the PC in the domain,
limit 10000 – limit the number of PC records to display. 10,000
c: \ 12.txt – redirect the output of the command to the file c: \ 12.txt
And to remove the found PC accounts, you need to use the dsrm command:
dsquery computer “ou = Computers, ou = Moskow, dc = corp, dc = winitpro, dc = en” -stalepwd 120 -limit 10000 | dsrm
PS: dsquery utility is part of the Windows Server 2003 Support Tools package (Adminpak.msi)