VBScript program to identify inactive computer accounts. The program uses ADO to search Active Directory
for all computer objects and retrieve the pwdLastSet attribute. The program determines the date that the
system last set the computer account password. If the number of days since the password was last set is
larger than a designated number, the account is considered inactive. The program moves inactive computer
objects to a designated Organizational Unit and disables the account. The program keeps a log of the
inactive computer objects processed.
This program is similar to the "PasswordLastChanged" program found under
"Free VBScript Code", "User Administration", except that this program searches
for computer objects. Also, instead of displaying the password last changed date for every computer
object, this program moves and disables those considered inactive.
The program uses the pwdLastSet attribute of the computer object to determine inactive accounts. This
attribute is replicated to all Domain Controllers, so only one ADO query is required. That makes this
program much more efficient than one using the lastLogon attribute, because the lastLogon attribute is
not replicated. A program that determines the date the computer account last logged on must query every
Domain Controller in the domain to find the largest value.
By default, the system resets the password for computer objects every 30 days. If a computer object has
not had its password set in 150 days, then you know that the computer has not been on the network in at
least 120 days. The following information is hard-coded in the program and should be modified to meet
your needs: the log file name and path, the minimum number of days since the password was last set in
order for a computer account to be considered inactive, and the target Organizational Unit where
inactive accounts are to be moved.
The pwdLastSet attribute is stored in Active Directory as Integer8 (8 bytes). This means it is a
64-bit number, which cannot be handled directly by VBScript. However, the IADsLargeInteger interface
provides HighPart and LowPart properties that break the number into two 32-bit components. Recombined,
the value represents the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. The date
represented by this number is in Coordinated Universal Time (UTC). It must be adjusted by the time
zone bias in the local machine registry to convert to local time.
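
The conversion described above, written out as an added example (it is not the code from
MoveOldComputers.txt): it recombines HighPart and LowPart, applies the time zone bias, and compares
the result against the 150-day threshold. The function names and sample values are constructed for
illustration, and the ActiveTimeBias registry value is assumed to be the bias the text refers to.

```vbscript
' Added example: pwdLastSet (Integer8) to local date, then an inactivity check.
Option Explicit
Const MIN_DAYS = 150                      ' threshold used in the text above

' lngHigh/lngLow: values of IADsLargeInteger.HighPart/.LowPart.
' lngBias: minutes to subtract from UTC to get local time.
' A zero value would decode to the 1601 epoch; it is treated here as
' "not set" and returned as Empty.
Function Integer8ToLocalDate(ByVal lngHigh, ByVal lngLow, ByVal lngBias)
    Dim dblHigh, dblMinutes
    dblHigh = CDbl(lngHigh)
    ' LowPart is a signed 32-bit value. A negative value means its top bit
    ' is set, so add 2^32 back by carrying one into the high half.
    If lngLow < 0 Then dblHigh = dblHigh + 1
    If dblHigh = 0 And lngLow = 0 Then
        Integer8ToLocalDate = Empty
        Exit Function
    End If
    ' 600,000,000 intervals of 100 ns = 1 minute; 1,440 minutes = 1 day.
    dblMinutes = (dblHigh * 2 ^ 32 + lngLow) / 600000000 - lngBias
    Integer8ToLocalDate = CDate(#1/1/1601# + dblMinutes / 1440)
End Function

Function Classify(ByVal lngHigh, ByVal lngLow, ByVal lngBias)
    Dim dtmSet
    dtmSet = Integer8ToLocalDate(lngHigh, lngLow, lngBias)
    If IsEmpty(dtmSet) Then
        Classify = "never set (review manually)"
    ElseIf DateDiff("d", dtmSet, Now) > MIN_DAYS Then
        Classify = "inactive, password last set " & dtmSet
    Else
        Classify = "active, password last set " & dtmSet
    End If
End Function

Dim objShell, lngBias
Set objShell = CreateObject("WScript.Shell")
' Assumes ActiveTimeBias is a REG_DWORD, which RegRead returns as a number.
lngBias = CLng(objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
    & "TimeZoneInformation\ActiveTimeBias"))

' Constructed sample values, not taken from a real directory.
WScript.Echo Classify(30785590, 1761935360, lngBias)  ' 132223104000000000
WScript.Echo Classify(30785590, -1, lngBias)          ' LowPart top bit set
WScript.Echo Classify(0, 0, lngBias)                  ' pwdLastSet = 0
```

Save it as a .vbs file and run it with cscript.exe; it only reads the registry and prints, and does not touch Active Directory.
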
Please note that although Windows 95/98/ME computers may have corresponding computer objects, they
never log into the domain. If you manually create objects for computers with these operating systems,
the object can be used in logon scripts to check computer group membership, perhaps to connect printers.
However, the client computer never logs in with this account, and the password is never reset by the system.
If you have computer objects for machines with these operating systems, you either should not use this
program, or you should revise this program to ignore these computer objects.
MoveOldComputers.txt (the VBScript program)
A similar PowerShell script has also been developed.
PSMoveOldComputers.txt (the PowerShell script)