“dsquery computer -inactive x” ignores very old obviously inactive computers

active-directory, windows-server-2008-r2

I have inherited an AD environment that contains hundreds of long-dead computer accounts. I want to start clearing them out. If I use the dsquery computer -inactive command it seems to ignore these computers and only return computers that have been active in recent months/weeks but not active in the given time period.

For example, if I run dsquery computer -inactive 4 I get one computer. If I run dsquery computer -inactive 3 I get about five. If I run dsquery computer -inactive 1 I get a large list. None of these lists show the very old computer accounts.

Am I misunderstanding what this command is supposed to do?

Best Answer

dsquery computer -inactive x uses the LastLogonTimeStamp attribute to decide if a computer is inactive or not. Two of the idiosyncrasies of LastLogonTimeStamp are that:

1) It's very loose, i.e. nowhere near real-time. This attribute is not updated every time a computer logs on to the domain, and even when it is updated it isn't always replicated to other domain controllers right away.

2) It can be null, in which case, dsquery will most likely ignore it.

The -stalepwd switch can also be helpful to you in identifying inactive computer accounts. Computer accounts should be automatically updating their passwords every 30 days. But beware, it uses the pwdLastSet LDAP attribute which can also be null. pwdLastSet comes as an annoying file time, but .Net/Powershell easily converts it to a human-friendly date:

PS C:\Users\ryan> Get-ADComputer -Filter * -Properties PasswordLastSet,LastLogonTimeStamp | ? { $_.PasswordLastSet -LT $(Get-Date).AddDays(-180) } | Select Name,PasswordLastSet,LastLogonTimeStamp | Sort-Object PasswordLastSet -Descending

The line of Powershell above will give you all computer accounts whose pwdLastSet attribute (Powershell converts this into the human-readable PasswordLastSet) is older than 180 days; the freshest accounts will be at the top. The oldest accounts and those with null pwdLastSet values will be at the bottom.

(Of course you can disable password changes on a computer, but that's a relatively rare thing to do.)

For accounts that have null values, it usually means they have never logged on to the domain and/or never changed their password. I'm sure there might be other little strange use cases where this might happen, such as an administrator prestaging a computer account but then deciding to never actually join the machine to the domain, computer accounts from other child domains of the same forest, etc. You'll just have to investigate those.

Here's some more information about LastLogonTimeStamp from AskDS if you want to read it:

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
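The answer above points out that both pwdLastSet and lastLogonTimestamp can be null and that lastLogonTimestamp is stored as a Windows file time. The following script is an added example, not part of the original answer; it combines the two attributes into a single stale-account report and keeps the null case visible instead of letting it disappear as dsquery does. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, uses a 180-day threshold and an output path of .\stale-computers.csv, both of which are arbitrary choices for this example.

```powershell
# Added example (not from the original answer): report computer accounts whose
# pwdLastSet and lastLogonTimestamp are both older than $Days, or both null.
# Assumes the ActiveDirectory module is available; $Days and the CSV path are
# placeholder values chosen for this example.
Import-Module ActiveDirectory

$Days      = 180
$Threshold = (Get-Date).AddDays(-$Days)

# Request the raw LDAP attribute for lastLogonTimestamp so a null value stays
# null; PasswordLastSet is the module's DateTime conversion of pwdLastSet.
Get-ADComputer -Filter * -Properties lastLogonTimestamp, PasswordLastSet, Enabled |
    ForEach-Object {
        # lastLogonTimestamp is a file time (100 ns ticks since 1601-01-01).
        # A missing or zero attribute is reported as $null rather than as 1601.
        $lastLogon = if ($_.lastLogonTimestamp) {
            [DateTime]::FromFileTime($_.lastLogonTimestamp)
        } else {
            $null
        }

        $pwdStale   = (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $Threshold)
        $logonStale = (-not $lastLogon) -or ($lastLogon -lt $Threshold)

        $reason = if (-not $_.PasswordLastSet -and -not $lastLogon) {
            'never set password / never logged on (both attributes null)'
        } elseif ($pwdStale -and $logonStale) {
            "both attributes older than $Days days"
        } else {
            $null   # at least one attribute is recent: not stale
        }

        [PSCustomObject]@{
            Name               = $_.Name
            Enabled            = $_.Enabled
            PasswordLastSet    = $_.PasswordLastSet
            LastLogonTimestamp = $lastLogon
            Reason             = $reason
        }
    } |
    Where-Object { $_.Reason } |
    Sort-Object PasswordLastSet |
    Export-Csv -Path .\stale-computers.csv -NoTypeInformation
```

The script only produces a report; review the CSV (prestaged accounts, machines from other child domains, and computers with password changes disabled will all show up here) before disabling or deleting anything, and disable first rather than delete so a false positive can be reversed.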