
Purging Inactive Computer Accounts January 14, 2010

Posted by General Zod in Microsoft, Storytime, Tech.

Here’s a story from one of my former jobs.

One day, my supervisor (Rudy) had received word from one of our nosier junior administrators (Brad) that… “Active Directory was loaded down with tons of useless computer accounts!”  I hadn’t been told this directly, but Brad sat in the cube right next to mine… and he mumbles what he’s typing to himself.  (Usually that’s a rather annoying trait, but I’d found it useful on this day.)

I wasn’t 100% sure of where he was looking to go with it, but knowing Brad as I did… I suspected that he was looking to make points with our supervisor at my expense.  I got the immediate impression that he wanted to demonstrate how he was more efficient and paid more attention to detail than I did.  This was a foolish act on Brad’s part.

It wasn’t foolish because he was “going up against me”… after all, we’re not in high school anymore.  It was foolish because he knew that I had Rudy’s ear… the two of us chatted casually about lots of things.  Had Brad brought the issue to me, then we could have fixed it together… and then I would have praised Brad’s “attention to detail” to Rudy.  Instead, Brad wanted to get out the rulers and have a measuring contest.

Now I’ll admit that I had not been keeping up with purging old computer accounts out of AD at that time.  It isn’t exactly the type of thing that keeps me busy… nor does not doing it keep me up at night.  At the time, that was one of those tasks that I “got around to” whenever the mood struck me.  However, in all honesty, it did need to get done, so now was as good a time as any.

The biggest problem with simply deleting old, inactive computer accounts is laptops.  They tend to migrate from place to place as folks travel… and you cause a lot of drama for them (and your Help Desk) if you start deleting them just because they haven’t been touched in a few weeks.  So I’d made a practice of leaving computer accounts in place until approximately 2 months of inactivity.  (This wide period would give those laptop folks plenty of time to… return from long business trips… get back from personal vacations… get bored of working at home and make an appearance at the office… and other such things.)

Now… take a few minutes to introduce yourself to the DSQUERY command.  This powerful little utility has more uses to it than I’ve yet thought of, so educating yourself on its use is one of the better things to spend your time on.

So let’s start by reviewing a list of all computer accounts that have been inactive for the last 2 months.  (Truthfully, the following DSQUERY COMPUTER command wants to pull information in terms of weeks, not months.  Since 1 month is an average of 4.348 weeks, I usually just round up and call it 9 weeks.)  I use the following command to dump those inactive computer accounts to a CSV file…

dsquery computer -inactive 9 -limit 0 -o rdn > c:\computers.csv

… and the output looks something akin to:

WORKSTATION4432
WORKSTATION2401
LAPTOP2058
LAPTOP9523
WORKSTATION1220
SERVER207
LAPTOP4482
etc…

Anyway, after sorting and reviewing the contents of the file, it was easily decided that all of these computer accounts could be erased without fear of creating problems.

Now, I’m pretty paranoid about the possibility of accidentally creating problems… so when it comes to erasing things, I usually prefer to do it by-hand.  By doing it slowly, it gives me time for confirmation… that way there’s never the sudden realization that… “I shouldn’t have done that!”

However, if you’re in a hurry… then you can quickly purge all of the accounts found by the above command with this command…

dsquery computer -inactive 9 -limit 0 | dsrm -noprompt
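
The review-then-delete workflow above, as an added PowerShell example (not from the original post): it assumes the ActiveDirectory module from RSAT is installed, and the function names and CSV path are hypothetical. Unlike the piped one-liner, which re-runs the query at delete time, the delete step here works only from the file you reviewed and re-checks each account before removing it.

```powershell
# Added example; needs the ActiveDirectory module (RSAT).
# Function names and the CSV path are hypothetical.
Import-Module ActiveDirectory

function Export-InactiveComputers {
    param(
        [int]$Weeks = 9,                              # threshold used in the post
        [string]$Path = 'C:\inactive-computers.csv'
    )
    $span = New-TimeSpan -Days ($Weeks * 7)
    Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan $span |
        Sort-Object Name |
        Select-Object Name, LastLogonDate, Enabled, DistinguishedName |
        Export-Csv -Path $Path -NoTypeInformation
}

function Remove-ReviewedComputers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$Weeks = 9,
        [string]$Path = 'C:\inactive-computers.csv'
    )
    $cutoff = (Get-Date).AddDays(-7 * $Weeks)
    foreach ($row in Import-Csv -Path $Path) {
        try {
            # Re-read the account: it may be gone, or a laptop may have returned.
            $pc = Get-ADComputer -Identity $row.DistinguishedName `
                -Properties LastLogonDate -ErrorAction Stop
        } catch {
            Write-Warning "Skipping $($row.Name): $_"
            continue
        }
        if ($pc.LastLogonDate -and $pc.LastLogonDate -gt $cutoff) {
            Write-Warning "Skipping $($pc.Name): logged on $($pc.LastLogonDate)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($pc.DistinguishedName, 'Remove computer account')) {
            Remove-ADComputer -Identity $pc -Confirm:$false
        }
    }
}

# 1. Export, then open the CSV and delete the rows for machines to keep.
Export-InactiveComputers
# 2. Dry run first; drop -WhatIf once the output matches the reviewed list.
Remove-ReviewedComputers -WhatIf
```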

Then, after purging about 300 useless accounts out of AD, I looked at the clock and noted that it was already 6pm… so I went home.

The following morning, the systems and network administrators gathered in Rudy’s office for our traditional morning meeting.  During the meeting, Rudy mentioned that Brad had brought the inactive computer accounts issue to his attention and wanted to discuss a course of action.  The conversation went as follows:

Rudy: So how old are some of these computer accounts?

Brad: Some of them are as much as 6 months old.

Zod <feigning ignorance>: When did you gather this information?

Brad: It took me a few days to gather up all of the computer names.  It took me half the week to do it.

Zod: Well… I’m afraid your information is out-of-date.

Rudy: What do you mean?

Zod: Actually, by sheer coincidence, I cleaned up the list of computer accounts just yesterday.

Brad: That’s impossible…

Zod: No, it’s not.

Brad: How long did it take you?

Zod: Actually, it only took about 20 minutes.

Rudy: I’d like us to make a practice out of purging inactive accounts at least once a month.

Zod: That sounds like a decent best practice.  How about we let Brad manage that?

Rudy: Sounds good.

Zod: Brad.  Why don’t you put some time aside this afternoon to come visit me, and I’ll school you on what you’ll need to know.

Well… Brad wasn’t too pleased that he didn’t get his chance to shine in front of Rudy that day; however, I did get him to quickly change his tune.

Instead of being an a$$ about it, I decided to continue the illusion that I was ignorant of his previous actions… and I praised Brad for his forward thinking.  And then I “rewarded” him by assigning him even more administrative responsibilities.  This made Brad happy because he felt like he was playing an important role (and, in truth, he was)… and it freed me up to give my attention to even cooler projects.

I called it a win-win.

Comments»

1. WRJ - May 3, 2010

If some additional documentation is needed, Oldcmp from Joeware.net can generate some HTML pages for the deletion – http://joeware.net/freetools/tools/oldcmp/index.htm

