
How to find all inactive accounts in a specific OU in AD

Over time, Active Directory accumulates a lot of old and unnecessary objects, which periodically need to be deleted.

The task at hand: remove from a specific OU in Active Directory the computer accounts that have not been used for more than 120 days.

For bulk operations in AD I prefer to use dsquery, and as the measure of how long an account has been unused I take the time since the computer last changed its password in the domain.

How to find all inactive accounts

To list all PCs in a specific OU that have been inactive for at least 120 days, I use the following command:

dsquery computer "ou=Computers,ou=Moskow,dc=corp,dc=winitpro,dc=en" -stalepwd 120 -limit 10000 > c:\12.txt

Parameters:

-stalepwd 120 – the number of days since the PC last changed its password in the domain

-limit 10000 – the maximum number of PC records to return (10,000)

> c:\12.txt – redirects the output of the command to the file c:\12.txt

And to remove the found PC accounts, you need to use the dsrm command:

dsquery computer "ou=Computers,ou=Moskow,dc=corp,dc=winitpro,dc=en" -stalepwd 120 -limit 10000 | dsrm

PS: The dsquery utility is part of the Windows Server 2003 Support Tools package (Adminpak.msi).
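The same selection written in PowerShell, as an added example that is not part of the original article: it applies the 120-day password-age test to the same OU, cross-checks the last logon date, writes a report for review, and only simulates the deletion. It assumes the RSAT ActiveDirectory module is installed; the report path and the logon-date cross-check are assumptions added here, not something the article uses.

```powershell
# Added example, not from the original article. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$SearchBase = 'ou=Computers,ou=Moskow,dc=corp,dc=winitpro,dc=en'  # OU from the article
$StaleDays  = 120                        # same threshold as -stalepwd 120
$ReportPath = 'C:\stale-computers.csv'   # hypothetical report path (assumption)
$Cutoff     = (Get-Date).AddDays(-$StaleDays)

# PasswordLastSet is the DateTime form of the pwdLastSet attribute.
# LastLogonDate (derived from lastLogonTimestamp) is fetched as a second signal.
$stale = Get-ADComputer -SearchBase $SearchBase -SearchScope Subtree `
    -Filter 'PasswordLastSet -lt $Cutoff' `
    -Properties PasswordLastSet, LastLogonDate, OperatingSystem

# Confirmed: last logon is also older than the cutoff, or was never recorded.
# Conflict: old password but a recent logon; set aside for a manual look.
$confirmed = @($stale | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff })
$conflict  = @($stale | Where-Object { $_.LastLogonDate -ge $Cutoff })

# Report that a person reviews before anything is deleted.
$confirmed |
    Select-Object Name, DistinguishedName, Enabled, OperatingSystem, PasswordLastSet, LastLogonDate |
    Sort-Object PasswordLastSet |
    Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

$summary = '{0} stale by password age, {1} confirmed by logon date, {2} set aside for review'
Write-Host ($summary -f @($stale).Count, $confirmed.Count, $conflict.Count)
$conflict | Format-Table Name, PasswordLastSet, LastLogonDate -AutoSize

# Dry run: -WhatIf prints what would be deleted and changes nothing.
# Remove -WhatIf only after the CSV has been reviewed.
$confirmed | Remove-ADComputer -WhatIf
```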

 

 
