LDAP Query - Identify Machines Of A Certain Age

  • LDAP Query - Identify Machines Of A Certain Age

    Hi All,

    Couldn't really think of a suitable title... the situation is slightly different to what I put.

    Basically, our Active Directory has never been managed... at ALL.

    We have A LOT (I'd say well over 2,000) redundant computer objects that are still in Active Directory but no longer used on the domain.

    Is it possible to run an LDAP Query that will identify all computer objects that have NOT connected to the domain for say... 3 months?

    A colleague of mine was originally investigating this, but has since gone on paternity leave and I am picking it up.

    If you know of such a Query, or a resource that provides all the different switches for it, then that would be great!

    Thank you.
    Last edited by rsnooks; 23rd November 2009, 11:22.

  • #2
    Re: LDAP Query - Identify Machines Of A Certain Age

    You should be able to accomplish this with the dsquery command line utility.

    dsquery computer -stalepwd 90

    would show you all of the computers that have not changed the password on their computer account in 90 days.

    If it were me, I would run it using 120 days. Anything it picked up I would disable and move to a stale accounts OU. If after a few weeks nothing came back to bite me in the ass, then I'd clear out the stale accounts OU.
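
The same stale-password check expressed as an LDAP filter, followed by the disable-and-park step described in the reply above. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module is available, and the OU distinguished name and CSV file name are placeholders.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$Days    = 120                                      # threshold suggested in the reply above
$StaleOU = 'OU=Stale Computers,DC=example,DC=com'   # assumed DN, replace with your own

# pwdLastSet is stored as a Windows FILETIME (100 ns intervals since 1601-01-01 UTC),
# so the cutoff date must be converted before it can be compared in an LDAP filter.
# Domain members change their machine account password every 30 days by default,
# so a value older than the cutoff suggests the machine has not been on the domain.
$Cutoff = (Get-Date).AddDays(-$Days).ToFileTimeUtc()
$Filter = "(&(objectCategory=computer)(pwdLastSet<=$Cutoff))"

$Stale = Get-ADComputer -LDAPFilter $Filter `
    -Properties pwdLastSet, lastLogonTimestamp, operatingSystem

# Step 1: write a review list. It also records each object's original location,
# which is needed if a machine has to be moved back later.
$Stale |
    Select-Object Name, operatingSystem, Enabled,
        @{ n = 'PasswordLastSet'; e = { [DateTime]::FromFileTimeUtc($_.pwdLastSet) } },
        @{ n = 'LastLogonTimestamp'; e = {
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) }
        } },
        DistinguishedName |
    Sort-Object PasswordLastSet |
    Export-Csv -Path .\stale-computers.csv -NoTypeInformation

# Step 2: disable and move to the holding OU. -WhatIf only prints what would happen;
# remove it once the CSV has been reviewed.
foreach ($Computer in $Stale) {
    # Skip objects already parked in the holding OU on an earlier run.
    if ($Computer.DistinguishedName -like "*,$StaleOU") { continue }

    Disable-ADAccount -Identity $Computer -WhatIf
    Move-ADObject -Identity $Computer.DistinguishedName -TargetPath $StaleOU -WhatIf
}
```

The filter string in `$Filter` can also be pasted into any other LDAP query tool once the FILETIME value has been computed.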


    • #3
      Re: LDAP Query - Identify Machines Of A Certain Age

      This will work as well, and formats it nicely for you as well:

      Michael Armstrong
      MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

      ** Remember to give credit where credit is due and leave reputation points where appropriate **