Active Directory administrators are very aware of the security threats posed by inactive computer and user accounts. When AD accounts are not used for long periods of time, they must be disabled and then deleted. Most organizations have a well-defined policy for dealing with these obsolete accounts.
Depending on the situation in the organization, a decision can be made about the maximum period of inactivity that can be allowed for AD accounts. After this period, computer and user accounts can be considered inactive. It is recommended that all inactive accounts be investigated first. These accounts can be disabled after moving them all to a single OU. After a certain period of time, they can be permanently deleted.
Finding inactive accounts and disabling or deleting them can be done from the command prompt with the dsquery tool.
The dsquery command-line tool searches for AD objects that match the specified criteria. It can be used to find inactive user and computer accounts in Active Directory. Its results can be piped into the dsmod and dsrm command-line tools to disable and delete those accounts. The commands below target computer accounts; replace computer with user to perform the same operations on user accounts.
Open the command prompt
Open the Start menu, right-click Command Prompt, and then click Run as administrator.
Find computers/users that are inactive
To find computers/users that have been inactive for 12 weeks and limit the results to 100, type:
dsquery computer -inactive 12 -limit 100
Disable inactive computers/users
To disable inactive computers/users, run:
dsquery computer -inactive 12 | dsmod computer -disabled yes
Find and remove disabled computers/users
To find disabled computers/users and remove them, run:
dsquery computer -disabled | dsrm -noprompt
Note: when using -noprompt, you will not be asked for confirmation before deleting.
Delete computers/users
Instead of disabling inactive computers/users first, you can delete them directly by running:
dsquery computer -inactive 12 | dsrm -noprompt
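As an added example that is not part of the original page, the review-first workflow described above (investigate, move to a single OU, disable, delete later) written in PowerShell with the ActiveDirectory module instead of dsquery. The quarantine OU distinguished name, the CSV path and the 12-week threshold are assumptions; every change is run with -WhatIf so nothing is modified until it is removed.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory module
# is installed and the account running it can modify computer objects.
Import-Module ActiveDirectory

$InactiveWeeks = 12                                              # assumed policy threshold
$QuarantineOU  = 'OU=Inactive,OU=Computers,DC=example,DC=com'    # placeholder DN
$Cutoff        = (Get-Date).AddDays(-7 * $InactiveWeeks)

# Like dsquery -inactive, Search-ADAccount -AccountInactive evaluates lastLogonTimestamp,
# which replicates with up to 14 days of lag, so "inactive" is approximate: review first.
$stale = Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan (New-TimeSpan -Days (7 * $InactiveWeeks)) |
    Where-Object { $_.Enabled } |
    Get-ADComputer -Properties LastLogonDate, whenCreated, OperatingSystem, Description |
    # Skip objects created after the cutoff that have simply never logged on yet
    Where-Object { $_.whenCreated -lt $Cutoff }

# 1. Investigate: export the candidate list for review before anything is changed.
$stale | Select-Object Name, LastLogonDate, whenCreated, OperatingSystem, DistinguishedName |
    Export-Csv -Path '.\inactive-computers.csv' -NoTypeInformation    # assumed output path

# 2. Record why, disable, and park in the quarantine OU (-WhatIf only reports the action).
foreach ($c in $stale) {
    Set-ADComputer -Identity $c -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $InactiveWeeks weeks" -WhatIf
    Disable-ADAccount -Identity $c -WhatIf
    Move-ADObject -Identity $c -TargetPath $QuarantineOU -WhatIf
}

# 3. After the retention period (30 days assumed), delete what has sat disabled in the OU.
# Moving an object updates whenChanged, so it approximates the time spent in quarantine.
Get-ADComputer -SearchBase $QuarantineOU -Filter 'Enabled -eq $false' -Properties whenChanged |
    Where-Object { $_.whenChanged -lt (Get-Date).AddDays(-30) } |
    Remove-ADObject -Recursive -WhatIf
```

Remove the -WhatIf switches only after the exported CSV has been reviewed; the Description stamp gives a later reviewer the date and reason each account was disabled.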
With this tool, one can easily find inactive computers as well as user accounts in the Active Directory. These accounts can be disabled and deleted according to the organization’s policy. They can also be deleted directly.