Finding Inactive or Unused Computers

Not always a computer is removed from Active Directory when it is decommissioned. The result is that after a while of time, the contents of Active Directory is no longer aligned with the state of company. To find inactive computers that are still present in Active Directory, you can use different techniques.

If the Active Directory functional level is set to Windows 2003 or higher, then you can use the command dsquery.exe This command is present on all Domain Controllers, or on all Windows 7 workstations.

The following query will locate all inactive computers in the current forest:

dsquery computer forestroot -inactive <NumWeeks>

Where <NumWeeks> indicates the number of weeks of inactivity (i.e 84 days = 12 weeks, 175 days = 25 weeks).

You can also use domainroot in combination with the -d option to query a specific domain:

dsquery computer domainroot -d <DomainName> -inactive <NumWeeks>

for example:

dsquery computer domainroot -d homeworks.it -inactive 25

You can target your query at a specific container (i.e. ou=MyComputers,dc=homeworks,dc=it):

dsquery computer ou=MyComputers,dc=homeworks,dc=it -inactive <NumWeeks>

All commands dsquery.exe cited, should be executed by Command Prompt of a workstation that is part of Active Directory domain. The user running the command must be part, at least, of the Domain Users group in Active Directory.

If the domain functional level of Active Directory is not set to Windows 2003 or higher, you can use the command OldCmp.exe written by Joeware. By default, the command OldCmp.exe research workstations that are not connected to an Active Directory domain for more than 90 days.

To get the list of workstations that do not connect to the domain for more than 90 days in HTML format, just run the command (the list is sorted by Computer Name):

oldcmp -report -sort cn

To get the same list in CSV format, you should run the command:

oldcmp -report -format csv -sort cn

To get list of workstations that do not connect to a domain for more than 180 days, just run the command:

oldcmp -report -age 180 -sort cn

All commands OldCmp.exe cited, should be executed  by Command Prompt of a station that is part of Active Directory domain. The user running the command must be part, at least, of the Domain Users group in Active Directory.

In Active Directory domains whose functional level is set to Windows 2003 or later, the attribute lastLogonTimestamp of Active Directory, is used to know when was the last process of authenticating of a computer. lastLogonTimestamp attribute is replicated among all Domain Controllers. To see if the attribute lastLogonTimestamp is aligned on all Domain Controllers in the domain, you can run the command:

repadmin /showattr * <Distinguish_Name_of_Active_Directory_Domain>
 /subtree /filter:"((&(lastLogontimeStamp=*)(objectClass=computer)))"
 /attrs:lastLogontimeStamp > lastLogontimeStamp.txt

For example:

repadmin /showattr * dc=homeworks,dc=it /subtree
 /filter:"((&(lastLogontimeStamp=*)(objectClass=computer)))"
 /attrs:lastLogontimeStamp > lastLogontimeStamp.txt

By editing the file LastLogontimeStamp.txt, you can see if the attribute lastLogonTimestamp is aligned on all Domain Controllers. In the file LastLogontimeStamp.txt, are listed the attributes lastLogonTimestamp of each computer that is recorded on each Domain Controller.

For more information, please read the post of NedPyle called “The LastLogonTimeStamp Attribute” – What it was designed for and how it works

To learn how to raise the functional level of an Active Directory domain, you can see the Microsoft Knowledge Base KB322692.

Advertisements