Purging Inactive Computer Accounts
January 14, 2010. Posted by General Zod in Microsoft, Storytime, Tech.
Here’s a story from one of my former jobs.
One day, my supervisor (Rudy) had received word from one of our nosier junior administrators (Brad) that… “Active Directory was loaded down with tons of useless computer accounts!” I hadn’t been told this directly, but Brad sat in the cube right next to mine… and he mumbles what he’s typing to himself. (Usually that’s a rather annoying trait, but I’d found it useful on this day.)
I wasn’t 100% sure of where he was looking to go with it, but knowing Brad as I did… I suspected that he was looking to make points with our supervisor at my expense. I got the immediate impression that he wanted to demonstrate how he was more efficient and paid more attention to detail than I did. This was a foolish act on Brad’s part.
It wasn’t foolish because he was “going up against me”… after all, we’re not in high school anymore. It was foolish because he knew that I had Rudy’s ear… the two of us chatted casually about lots of things. Had Brad brought the issue to me, then we could have fixed it together… and then I would have praised Brad’s “attention to detail” to Rudy. Instead, Brad wanted to get out the rulers and have a measuring contest.
Now I’ll admit that I had not been keeping up with purging old computer accounts out of AD at that time. It isn’t exactly the type of thing that keeps me busy… nor does not doing it keep me up at night. At the time, that was one of those tasks that I “got around to” whenever the mood struck me. However, in all honesty, it did need to get done, so now was as good a time as any.
The biggest problem with simply deleting old, inactive computer accounts is laptops. They tend to migrate from place to place as folks travel… and you cause a lot of drama for them (and your Help Desk) if you start deleting them just because they haven’t been touched in a few weeks. So I’d made a practice of leaving computer accounts in place until approximately 2 months of inactivity. (This wide period would give those laptop folks plenty of time to… return from long business trips… get back from personal vacations… get bored of working at home and make an appearance at the office… and other such things.)
Now… take a few minutes to introduce yourself to the DSQUERY command. This powerful little utility has more uses than I’ve yet thought of, so educating yourself on its use is one of the better things to spend your time on.
So let’s start by reviewing a list of all computer accounts that have been inactive for the last 2 months. (Truthfully, the following DSQUERY COMPUTER command wants to pull information in terms of weeks, not months. Since 1 month is an average of 4.348 weeks, I usually just round up and call it 9 weeks.) I use the following command to dump those inactive computer accounts to a CSV file…
dsquery computer -inactive 9 -limit 0 -o rdn > c:\computers.csv
… and the output looks something akin to:
Anyway, after sorting and reviewing the contents of the file, it was easily decided that all of these computer accounts could be erased without fear of creating problems.
Now, I’m pretty paranoid about the possibility of accidentally creating problems… so when it comes to erasing things, I usually prefer to do it by hand. Doing it slowly gives me time for confirmation… that way there’s never the sudden realization that… “I shouldn’t have done that!”
However, if you’re in a hurry… then you can quickly purge all of the accounts found by the above command with this command…
dsquery computer -inactive 9 -limit 0 | dsrm -noprompt
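The same list-then-purge procedure, written out in PowerShell as an added example (this is not the author’s script and not the dsquery output the post refers to). It assumes the RSAT ActiveDirectory module is installed; the 9-week window and the C:\computers.csv path are taken from the post, while the extra columns, the disable-before-delete step and the -WhatIf guard are my own choices.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$InactiveWeeks = 9                    # ~2 months, same rounding the post uses
$ReviewFile    = 'C:\computers.csv'   # same path as the post's dsquery redirect
$Cutoff        = (Get-Date).AddDays(-7 * $InactiveWeeks)

# dsquery -inactive reads lastLogonTimestamp. That attribute is replicated but is
# only refreshed when the stored value is more than ~14 days old, so a machine can
# look up to two weeks "more inactive" than it really is. That slack is one more
# reason a 9-week window is comfortable and a 2-week window is not.
# Accounts that never logged on have no lastLogonTimestamp and will not match -lt.
$Stale = Get-ADComputer -Filter { LastLogonTimeStamp -lt $Cutoff -and Enabled -eq $true } `
            -Properties LastLogonTimeStamp, OperatingSystem, Description |
         Select-Object Name, DistinguishedName, OperatingSystem, Description,
             @{ Name = 'LastLogon'; Expression = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }

# Step 1: the same list dsquery gives, plus columns that make the manual review easier.
$Stale | Sort-Object LastLogon | Export-Csv -Path $ReviewFile -NoTypeInformation
"$($Stale.Count) computer accounts inactive for $InactiveWeeks+ weeks written to $ReviewFile"

# Step 2: review the CSV by hand (delete the rows you want to keep), then read it
# back and act only on what survived the review. Disabling first is reversible:
# a laptop returning from a long trip is re-enabled instead of re-joined.
$Approved = Import-Csv -Path $ReviewFile
$Approved | ForEach-Object {
    Disable-ADAccount -Identity $_.DistinguishedName -WhatIf   # drop -WhatIf to apply
}

# Step 3, only after the disabled accounts have sat for a while with no complaints:
# $Approved | ForEach-Object { Remove-ADComputer -Identity $_.DistinguishedName -Confirm:$true }
```

Two caveats a practitioner will run into: the -inactive switch (and lastLogonTimestamp itself) needs the domain at Windows Server 2003 functional level or higher, and a computer object that has child objects (BitLocker recovery information, for instance) is refused by both dsrm without -subtree and Remove-ADComputer, so those cases need a deliberate Remove-ADObject -Recursive rather than a blanket purge.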
Then, after purging about 300 useless accounts out of AD, I looked at the clock and noted that it was already 6pm… so I went home.
The following morning, the systems and network administrators gathered in Rudy’s office for our traditional morning meeting. During the meeting, Rudy mentioned that Brad had brought the inactive computer accounts issue to his attention and wanted to discuss a course of action. The conversation went as follows:
Rudy: So how old are some of these computer accounts?
Brad: Some of them are as much as 6 months old.
Zod <feigning ignorance>: When did you gather this information?
Brad: It took me a few days to gather up all of the computer names. It took me half the week to do it.
Zod: Well… I’m afraid your information is out-of-date.
Rudy: What do you mean?
Zod: Actually, by sheer coincidence, I cleaned up the list of computer accounts just yesterday.
Brad: That’s impossible…
Zod: No, it’s not.
Brad: How long did it take you?
Zod: Actually, it only took about 20 minutes.
Rudy: I’d like us to make a practice out of purging inactive accounts at least once a month.
Zod: That sounds like a decent best practice. How about we let Brad manage that?
Rudy: Sounds good.
Zod: Brad. Why don’t you put some time aside this afternoon to come visit me, and I’ll school you on what you’ll need to know.
Well… Brad wasn’t too pleased that he didn’t get his chance to shine in front of Rudy that day; however, I did get him to quickly change his tune.
Instead of being an a$$ about it, I decided to continue the illusion that I was ignorant of his previous actions… and I praised Brad for his forward thinking. And then I “rewarded” him by assigning him even more administrative responsibilities. This made Brad happy because he felt like he was playing an important role (and, in truth, he was)… and it freed me up to give my attention to even cooler projects.
I called it a win-win.