VBScript program to identify inactive computer accounts. The program uses ADO to search Active
Directory for all computer objects and retrieve the pwdLastSet attribute. The program determines
the date that the system last set the computer account password. If the number
of days since the password was last set is larger than a designated number, the account is considered
inactive. The program moves inactive computer objects to a designated Organizational Unit and disables
the account. The program keeps a log of the inactive computer objects processed.
This program is similar to the "PasswordLastChanged" program found under "Free VBScript Code", "User Administration", except that this program searches for computer objects. Also, instead of displaying the password last changed date for every computer object, this program moves and disables those considered inactive.
The program uses the pwdLastSet attribute of the computer object to determine inactive accounts. This attribute is replicated to all Domain Controllers, so only one ADO query is required. That makes this program much more efficient than one using the lastLogon attribute, because the lastLogon attribute is not replicated. A program that determines the date the computer account last logged on must query every Domain Controller in the domain to find the largest value.
By default, the system resets the password for computer objects every 30 days. If a computer object has not had its password set in 150 days, then you know that the computer has not been on the network in at least 120 days. The following information is hard-coded in the program and should be modified to meet your needs: the log file name and path, the minimum number of days since the password was last set in order for a computer account to be considered inactive, and the target Organizational Unit where inactive accounts are to be moved.
The pwdLastSet attribute is stored in Active Directory as Integer8 (8 bytes). This means it is a 64-bit number, which cannot be handled directly by VBScript. However, the IADsLargeInteger interface provides HighPart and LowPart properties that break the number into two 32-bit components. The resulting value represents the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. The date represented by this number is in Coordinated Universal Time (UTC). It must be adjusted by the time zone bias in the local machine registry to convert to local time.
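The conversion and the inactivity test described above, as an added PowerShell example that is not the MoveOldComputers program itself and makes no changes to any account. The computer names, the 150-day threshold variable, the helper function names and the separate "NeverSet" status are assumptions of this example, and the sample records are constructed.

```powershell
# Added example. Sample records are constructed; real values come from an AD query.
$MinDays = 150                      # assumed threshold, the figure used in the text
$NowUtc  = [DateTime]::UtcNow

# Recombine the HighPart/LowPart halves into a UTC date. Both halves are signed
# 32-bit values, so a negative LowPart must be read as unsigned; otherwise the
# result is about 7 minutes (2^32 * 100 ns) too early.
function Convert-LargeInteger {
    param([int]$HighPart, [int]$LowPart)
    $low = [int64]$LowPart
    if ($low -lt 0) { $low += 4294967296 }
    $ticks = ([int64]$HighPart * 4294967296) + $low
    if ($ticks -le 0) { return $null }          # 0 = no password-set time recorded
    [DateTime]::FromFileTimeUtc($ticks)
}

# Hypothetical helper: builds a constructed record whose password age is known.
function New-SampleComputer {
    param([string]$Name, [int]$DaysAgo)
    # Little-endian byte order, as on Windows: bytes 0-3 are the low half.
    $bytes = [BitConverter]::GetBytes($NowUtc.AddDays(-$DaysAgo).ToFileTimeUtc())
    [pscustomobject]@{
        Name     = $Name
        HighPart = [BitConverter]::ToInt32($bytes, 4)
        LowPart  = [BitConverter]::ToInt32($bytes, 0)
    }
}
$samples = @(
    New-SampleComputer -Name 'WKS-001' -DaysAgo 12
    New-SampleComputer -Name 'WKS-002' -DaysAgo 200
    [pscustomobject]@{ Name = 'WKS-003'; HighPart = 0; LowPart = 0 }
)

$report = foreach ($c in $samples) {
    $set = Convert-LargeInteger -HighPart $c.HighPart -LowPart $c.LowPart
    if ($null -eq $set) {
        $status = 'NeverSet'; $age = $null      # report for review, do not auto-flag
    } else {
        $age    = [int][math]::Floor(($NowUtc - $set).TotalDays)
        $status = if ($age -gt $MinDays) { 'Inactive' } else { 'Active' }
    }
    [pscustomobject]@{ Name = $c.Name; PwdLastSetUtc = $set; AgeDays = $age; Status = $status }
}
$report | Format-Table -AutoSize
```

The age comparison is done entirely in UTC, so the time zone bias only matters when the date is displayed; `$set.ToLocalTime()` gives the local value for a log entry.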
Please note that although Windows 95/98/ME computers may have corresponding computer objects, they never log into the domain. If you manually create objects for computers with these operating systems, the object can be used in logon scripts to check computer group membership, perhaps to connect printers. However, the client computer never logs in with this account, and the password is never reset by the system. If you have computer objects for machines with these operating systems, you either should not use this program, or you should revise this program to ignore these computer objects.
MoveOldComputers.txt (view or download the program)
A similar PowerShell script has also been developed.
PSMoveOldComputers.txt (view or download the program)