8.8. Finding Inactive or Unused Computers


You want to find inactive computer accounts in a domain.



These solutions only apply to Windows-based machines. Other types of machines (e.g., Unix) that have accounts in Active Directory may not update their login timestamps or passwords, which are used to determine inactivity.

Using a command-line interface

The following query will locate all inactive computers in the current forest:

> dsquery computer forestroot -inactive <NumWeeks>

You can also use domainroot in combination with the -d option to query a specific domain:

> dsquery computer domainroot -d <DomainName> -inactive <NumWeeks>

or you can target your query at a specific container:

> dsquery computer ou=MyComputers,dc=rallencorp,dc=com -inactive <NumWeeks>


This can only be run against a Windows Server 2003 domain functional level or higher domain.

Using Perl

#!perl #----------------------- # Script Configuration #----------------------- # Domain and container/OU to check for inactive computer accounts my $domain = 'amer.rallencorp.com'; # set to empty string to query entire domain my $computer_cont = 'cn=Computers,'; # Number of weeks used to find inactive computers my $weeks_ago = 30; #----------------------- # End Configuration #----------------------- use strict; use Win32::OLE; $Win32::OLE::Warn = 3; use Math::BigInt; # Must convert the number of seconds since $weeks_ago # to a large integer for comparison against lastLogonTimestamp my $sixmonth_secs = time ...

Get Active Directory Cookbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.