Summary

Command-line Active Directory query tool. Primarily used to find and clean up old computer accounts that haven't been used. It can also be used to clean up user accounts when the proper filter is specified.

Warranty

Platforms

Current Version

Version 1.5.0 - December 28, 2004

Modification(s) from previous version

Security Requirements

There are no local security requirements for running OldCmp. The information returned from Active Directory depends on the security configured for the directory. Generally a normal Active Directory user can successfully run the report options. Disabling, moving, and deleting obviously require modify rights to the appropriate attributes.

Language

Source Code Availability

Story

OldCmp was built because there was no decent way to find, report on, or delete old computers in Active Directory. You can use dsget combined with dsrm, but you are really taking your life in your hands. OldCmp has all sorts of safeties built in to try to prevent you from shooting your own foot. Note that you can still shoot yourself in the foot; it just takes more work. This appeals to the paranoid, scared admin in me.

The tool will work with a Windows 2000 AD as well as a Windows 2003 AD. It can key off the pwdLastSet attribute or, in a domain at the Windows 2003 domain functional level, off lastLogonTimestamp. This means you are going after IDs that have not had their password reset in x days, or accounts that haven't logged on in x days, where x is 90 days by default. I chose 90 days because computers should change their password at least every 30 days unless their registries have been modified to prevent that password change. There are exceptions, such as when a mobile user goes away and doesn't log into the network for a long time, or some poorly written SAN/NAS solutions that don't change the password on their machine accounts on a regular basis. Generally, however, if the password on a computer account is between 90 and 120 days old, you can safely remove it.

OldCmp is also flexible enough to let you add your own components to the filter. If you want to find only disabled computer accounts, or only computer accounts in the xx dept, or whatever, you can append any standard LDAP query to the base filter it generates.

As mentioned above, OldCmp has some safeties built in. The list is:

You can not delete a machine account that isn't already disabled.

You must specify a safety limit for how many machines it can manipulate at once if you want more than 10. By default it will affect at most 10 accounts. If you want to work on up to 50 machines, specify 50; if you want up to 100, specify 100.

You must specify the FORREAL option if you really want it to make changes; otherwise it will just report what it would try to do, i.e., it will be toothless.

It will not modify domain controller accounts at all. Period. Just too many dangers there.
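The following Python is an added illustration, not OldCmp's own code, of the two ideas described above: building the base LDAP filter from a pwdLastSet or lastLogonTimestamp age cutoff (with a caller-supplied filter term ANDed on, as in the "disabled computers only" case), and applying the four safeties from the list to a set of candidate computer accounts. The attribute names, the userAccountControl bit values, and the bitwise-AND matching-rule OID are real Active Directory values; the function names, the record layout, and the constructed sample accounts are assumptions made for this example. It does not talk to a directory; it only produces the filter string and the plan that a tool like this would act on.

```python
"""Added example (not OldCmp's code): age-based LDAP filter construction plus
OldCmp-style safeties, run against constructed sample computer records."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# pwdLastSet / lastLogonTimestamp are stored as FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl flag bits (documented AD values).
UF_ACCOUNTDISABLE = 0x0002
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000   # set on domain controller computer accounts

# LDAP bitwise-AND matching rule, used to test single userAccountControl bits.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed "current time" so the example is reproducible (assumption).
EXAMPLE_NOW = datetime(2004, 12, 28, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to a FILETIME integer using exact integer math."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_filter(days: int, attribute: str = "pwdLastSet",
                 extra: str = "", now: Optional[datetime] = None) -> str:
    """Base filter for computer accounts whose `attribute` is older than `days`.
    `extra` is an optional, fully parenthesised LDAP term ANDed onto the base."""
    if attribute not in ("pwdLastSet", "lastLogonTimestamp"):
        raise ValueError("attribute must be pwdLastSet or lastLogonTimestamp")
    now = now or datetime.now(timezone.utc)
    cutoff = to_filetime(now - timedelta(days=days))
    terms = f"(objectCategory=computer)({attribute}<={cutoff})"
    if extra:
        if not (extra.startswith("(") and extra.endswith(")")):
            raise ValueError("extra filter must be a parenthesised LDAP term")
        terms += extra
    return f"(&{terms})"


# Ready-made extra term: only accounts with the disabled bit set.
DISABLED_ONLY = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})"


def plan_changes(records: List[Dict], action: str, limit: int = 10,
                 forreal: bool = False) -> Dict:
    """Apply the safeties to candidate records and return the resulting plan.
    action is 'disable' or 'delete'. Nothing is applied unless forreal=True."""
    if action not in ("disable", "delete"):
        raise ValueError("action must be 'disable' or 'delete'")
    planned: List[str] = []
    skipped: Dict[str, str] = {}
    for rec in records:
        uac = rec["userAccountControl"]
        # Safety 4: domain controllers are never touched.
        if uac & UF_SERVER_TRUST_ACCOUNT:
            skipped[rec["name"]] = "domain controller: never modified"
            continue
        disabled = bool(uac & UF_ACCOUNTDISABLE)
        # Safety 1: only already-disabled accounts may be deleted.
        if action == "delete" and not disabled:
            skipped[rec["name"]] = "delete refused: account is not disabled"
            continue
        if action == "disable" and disabled:  # assumption: nothing to do here
            skipped[rec["name"]] = "already disabled"
            continue
        planned.append(rec["name"])
    # Safety 2: refuse to exceed the limit (default 10) unless it was raised explicitly.
    if len(planned) > limit:
        raise RuntimeError(f"{len(planned)} accounts exceed the safety limit of {limit}; "
                           "raise the limit explicitly to proceed")
    # Safety 3: without FORREAL this is a report only.
    return {"action": action, "planned": planned, "skipped": skipped, "applied": forreal}


# Constructed sample accounts (not real directory data).
SAMPLE_COMPUTERS = [
    {"name": "WS-OLD-01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE},
    {"name": "WS-OLD-02$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
    {"name": "DC-01$", "userAccountControl": UF_SERVER_TRUST_ACCOUNT},
]

if __name__ == "__main__":
    print(build_filter(90, now=EXAMPLE_NOW))
    print(build_filter(90, "lastLogonTimestamp", DISABLED_ONLY, now=EXAMPLE_NOW))
    print(plan_changes(SAMPLE_COMPUTERS, "delete"))
```

The plan returned without forreal=True is the "toothless" report: it lists what would be touched and why each skipped account was left alone, which is the output worth reviewing before re-running with the real flag and a limit chosen to match the number of accounts you actually expect.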

