Active Directory: How to identify inactive computer accounts

Active Directory
Active Directory query
Microsoft Windows
Microsoft Windows Server 2003
Microsoft Windows XP
Systems administration
Windows client administration and maintenance
Hello, I have a lot of computers in my Active Directory that are inactive and/or obsolete. I am searching for a very safe and foolproof procedure which I can use to identify these computer accounts in Active Directory and move them to a separate OU. I will keep them in this OU temporarily and eventually delete them from the Active Directory completely.

Answer Wiki


Microsoft has good command shell tools for managing AD from the command line. You will need to install the Windows Server Administration Tools appropriate for your AD and OS on the server or workstation that you use to manage objects.

Use DSQUERY and DSMOVE to find and move computer objects to a new OU based on how stale the account is. This example uses 12 weeks.

dsquery computer CN=Computers,DC=Example,DC=Domain -inactive 12 -scope subtree -limit 60000|dsmove -newparent OU=NewOU,DC=Example,DC=Domain -domain DC=Example,DC=Domain

Change the weeks inactive and limit values as needed.

Note that containers can be CN or OU and you will need to check. DSQUERY is good for demystifying all that.

You can use dsmod to modify attributes, such as setting disabled/enabled.

I use DSQUERY to query the distinguished name of an object and pipe it to the second command as an easy method of grabbing distinguished names.

Wrapping it all up in a shell script with logging is suggested so you can review/audit what was done.


You can also use VBScript or PowerShell to perform similar query / move operations using WMI or .NET calls. However, I am a shell scripter and use it by preference.


Doing those things in your Active Directory is always possible for you as you are the owner of those computer systems. However, always think of data security and backup before doing any transfer or deletion of any important data from those directories.
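
The answer suggests wrapping the commands in a shell script with logging. One way to do that is sketched below as an added example (it is not the answerer's script): it saves the candidate list for review, and only when a switch is set does it disable each account with dsmod and then move it with dsmove. The DNs are the placeholders from the answer; the file names and the APPLY variable are assumptions.

```batch
@echo off
rem Added example: audit-first wrapper around dsquery / dsmod / dsmove.
rem DNs are the answer's placeholders; file names and APPLY are assumptions.
setlocal
set "SEARCHBASE=CN=Computers,DC=Example,DC=Domain"
set "QUARANTINE=OU=NewOU,DC=Example,DC=Domain"
set "WEEKS=12"
set "LIST=stale-computers.txt"
set "LOG=stale-computers.log"
rem APPLY=0 only reports candidates. Set APPLY=1 after reviewing the list file.
set "APPLY=0"

>>"%LOG%" echo ==== %DATE% %TIME% user=%USERNAME% weeks=%WEEKS% apply=%APPLY%

rem Step 1: write the candidate DNs to a file so the list can be reviewed and kept.
dsquery computer "%SEARCHBASE%" -inactive %WEEKS% -scope subtree -limit 60000 >"%LIST%"
if errorlevel 1 (
    >>"%LOG%" echo dsquery failed, nothing was changed
    exit /b 1
)

rem Step 2: disable first, move only if the disable succeeded, log every outcome.
rem dsquery prints each DN already wrapped in double quotes, so %%D is passed as is.
for /f "usebackq delims=" %%D in ("%LIST%") do (
    >>"%LOG%" echo candidate %%D
    if "%APPLY%"=="1" (
        dsmod computer %%D -disabled yes >>"%LOG%" 2>&1
        if errorlevel 1 (
            >>"%LOG%" echo FAILED to disable %%D, left in place
        ) else (
            dsmove %%D -newparent "%QUARANTINE%" >>"%LOG%" 2>&1
            if errorlevel 1 (>>"%LOG%" echo FAILED to move %%D)
        )
    )
)
>>"%LOG%" echo ==== done
endlocal
```

Run it once with APPLY=0 and check the list for machines that are merely powered off or rarely on the network before switching to APPLY=1. An account moved by mistake can be restored with `dsmod computer <DN> -disabled no` and a second dsmove.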

Discuss This Question: 3  Replies

  • Augusta82
    Thank you for the response. I have group policy in place that disables the Windows Firewall upon login since all of our clients sit behind the corporate firewall. Additionally, all of the clients share our corporate image, which doesn't include any third-party firewall (only antivirus). So I’m pretty confident that if the computer is "active" that it is talking with our Active Directory.
  • mshen
    Thanks Joe. Looks like a very useful app. Wish I knew about it before.
  • Chris128
    I've recently finished writing a completely free app that will identify unused user and computer accounts and perform one of the following actions on them: move, delete, disable, add to group, remove from group, remove from all groups, set description, export to CSV + more. I hope it's useful to anyone reading this, you can find more information and a free download (this is not a trial or limited version, it is just a completely free app) here:
