Active Directory is the heart of computer and user administration in Microsoft networks. As a rule, administrators are required to keep Active Directory up to date with all the necessary information. Anyone who administers an AD structure knows how difficult this often is.
Computers and users change so quickly in domains with several hundred or a thousand users that "corpses" can arise: AD objects that should no longer be there are still in AD and should be cleaned up.
Find inactive computer accounts
For this reason, we would like to show you today how you can find "outdated" computers or users in Active Directory with very simple means and then work through them one after the other. The command to list outdated computers is:
dsquery computer -inactive <NUMBER OF WEEKS>
Replace the placeholder <NUMBER OF WEEKS> with a number. With 30, for example, only the computer objects that have not been used for more than 30 weeks are shown. The output then looks similar to the following.
"CN=MUCPC001,OU=Server,OU=MUC,OU=_Location,DC=WINDOWS-FAQ,DC=de"
"CN=MUCPC009,OU=Server,OU=MUC,OU=Citrix,DC=WINDOWS-FAQ,DC=de"
"CN=MUCPC012,OU=Clients,OU=MUC,OU=_Locations,DC=WINDOWS-FAQ,DC=de"
"CN=MUCPC022,OU=Clients,OU=MUC,OU=_Locations,DC=WINDOWS-FAQ,DC=de"
"CN=MUCSVR01,OU=Clients,OU=MUC,OU=_Location,DC=WINDOWS-FAQ,DC=de"
"CN=MUCSVR06,OU=Clients,OU=MUC,OU=_Locations,DC=WINDOWS-FAQ,DC=de"
"CN=MUCSW07,OU=Clients,OU=FRA,OU=_Locations,DC=WINDOWS-FAQ,DC=de"
With the redirection "> filename.txt" you can write the results to a text file and then process them using Notepad or Excel.
Find inactive users in AD
You can list inactive users in Active Directory in the same way as inactive computer accounts. The appropriate command is:
dsquery user -inactive <NUMBER OF WEEKS>
The result list of this command looks similar to that of the inactive computer accounts.
If you want to execute these two commands on your clients, then it is a prerequisite that you have installed the RSAT tools (Remote Server Administration Tools) for your respective Windows version. If this is not the case, then you only have the option of executing directly on a domain controller.
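Both commands return the same quoted DN list, so one parser covers computers and users. The following PowerShell is an added example, not part of the original article: it splits each DN into name, container path and domain, writes a CSV for Excel and counts the stale objects per container. The function name ConvertFrom-DsqueryDn, the file name inactive-objects.csv and the "Doe, Jane" entry are assumptions made for illustration.

```powershell
function ConvertFrom-DsqueryDn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    process {
        # dsquery wraps each DN in double quotes; skip blank lines.
        $dn = $Line.Trim().Trim('"')
        if (-not $dn) { return }

        # Split on commas that are not backslash-escaped (e.g. "CN=Doe\, Jane").
        $rdns = @([regex]::Split($dn, '(?<!\\),') | ForEach-Object { $_.Trim() })

        # Everything between the object itself and the DC= parts is its container
        # (OU=... or a default container such as CN=Computers).
        $path = @($rdns | Select-Object -Skip 1 | Where-Object { $_ -notlike 'DC=*' } |
            ForEach-Object { ($_ -split '=', 2)[1] })
        [array]::Reverse($path)   # top-level container first
        $dcs = @($rdns | Where-Object { $_ -like 'DC=*' } | ForEach-Object { ($_ -split '=', 2)[1] })

        [pscustomobject]@{
            Name      = (($rdns[0] -split '=', 2)[1]) -replace '\\,', ','
            Container = $path -join '/'
            Domain    = $dcs -join '.'
            DN        = $dn
        }
    }
}

# Constructed sample input in the article's output format. In practice pipe in
#   dsquery computer -inactive 30 -limit 0
# (-limit 0 lifts dsquery's default cap of 100 results) or Get-Content of the saved file.
$sample = @(
    '"CN=MUCPC001,OU=Server,OU=MUC,OU=_Location,DC=WINDOWS-FAQ,DC=de"'
    '"CN=MUCPC012,OU=Clients,OU=MUC,OU=_Locations,DC=WINDOWS-FAQ,DC=de"'
    '"CN=MUCSW07,OU=Clients,OU=FRA,OU=_Locations,DC=WINDOWS-FAQ,DC=de"'
    '"CN=Doe\, Jane,OU=Users,OU=MUC,OU=_Locations,DC=WINDOWS-FAQ,DC=de"'  # constructed user entry
)

$rows = $sample | ConvertFrom-DsqueryDn
# One CSV row per object for Excel, plus a per-container count to plan the review.
$rows | Sort-Object Container, Name |
    Export-Csv -Path .\inactive-objects.csv -NoTypeInformation -Encoding UTF8
$rows | Group-Object Container | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```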
With the "dsquery" command you can do a lot more. You can query the AD groups and export them to a text file, or query which Active Directory (AD) groups a user belongs to.