Retired computer accounts in Active Directory

Active Directory
Desktop management applications
Microsoft Systems Management Server
Programming Languages
I need a dependable script!!! After several domain migrations and adding a few new sites over the past two years, I have found that there are hundreds of computer accounts in Active Directory. We are a global company, so tracking computer names is impossible. Because we use several management applications (WSUS, SMS, etc.) that rely on the information that is in AD, it is imperative that I find all computer accounts that have not been active for a set amount of time.

I have been struggling to confidently retrieve information from Active Directory using VB, VBScript, Perl and ADSI. I have also used SMS Reporting, but I would find the information returned from all methods to be incorrect. I need a script that will hit AD and return a list of stale machines that have not been connected to AD or our LAN/WAN for a specified amount of time.

ALSO!!! Does anyone know how to query the network for all Windows-based machines that are waiting for a reboot due to Windows Updates???

Any help would be greatly appreciated. Thanks in advance!

Answer Wiki


We solve the problem of “what computers don’t exist” by looking at SMS, AD, and McAfee EPO.

We look at the time of last machine account password set in AD, time of last SMS heartbeat, and time the machine last did an EPO Agent update. It’s an SMS Report that queries AD and EPO tables replicated to SMS, so posting it won’t do you much good.

As far as the WindowsUpdate reboot – I think the only way to do that would be to have SMS HW Inventory collect the PendingFileRename key in the registry – most reboots would be setting that. If your updates came from SMS, you could also script a query to look at v_ClientAdvertisementStatus.LastStateName for all advertisements of interest and see if they are waiting for reboot. I don’t know if SUS would also have something similar. For all I know, maybe it has something built in to simply show you what systems want reboots.


Know it’s an old post, but below could be useful.

I use a FREE tool called “OldCmp” that provides reporting / disabling / deleting from Active Directory, so that our SMS/SCCM AD Discovery only finds current systems. It’s the easiest, cheapest, quickest solution I’ve found over many years for this sort of thing.

Then I also use a script to create spreadsheets to show me the gaps (AD -> SMS, SMS -> AD).
‘Compare_AD_SMS.vbs from

(this script works on SCCM also)

Re the reboot required question… there is another registry key to check. If it exists, system needs a reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired

There’s a great script at

– Shane
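
An added example, not part of the thread or of any tool named in it: the "time of last machine account password set" check from the first answer, written in PowerShell against the AD attributes `pwdLastSet` and `lastLogonTimestamp`. The function names, sample machine names and the 90-day threshold are assumptions, and the sample records are constructed so the block runs without a domain.

```powershell
# Added example (not from the thread). pwdLastSet and lastLogonTimestamp are AD
# attributes stored as FILETIME: 100-ns ticks since 1601-01-01 UTC, 0 = never set.
function ConvertFrom-AdFileTime {
    param([long]$Value)
    if ($Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

function Get-StaleComputer {
    param(
        [Parameter(Mandatory)] [object[]]$Computer,
        # Members change their machine password every 30 days by default and
        # lastLogonTimestamp can lag by up to about 14 days, so stay well above 45.
        [int]$MaxAgeDays = 90,
        [DateTime]$Now = [DateTime]::UtcNow
    )
    $cutoff = $Now.AddDays(-$MaxAgeDays)
    foreach ($c in $Computer) {
        $stamps = @(
            ConvertFrom-AdFileTime $c.pwdLastSet
            ConvertFrom-AdFileTime $c.lastLogonTimestamp
        ) | Where-Object { $null -ne $_ }
        # Newest sign of life across both attributes; $null if neither was ever set.
        $last = $stamps | Sort-Object -Descending | Select-Object -First 1
        if ($null -eq $last -or $last -lt $cutoff) {
            [pscustomobject]@{
                Name            = $c.Name
                LastActivityUtc = $last
                DaysIdle        = if ($last) { [int][math]::Floor(($Now - $last).TotalDays) } else { $null }
            }
        }
    }
}

# Constructed sample records shaped like Get-ADComputer output (hypothetical names).
$ref = [DateTime]::UtcNow
$sample = @(
    [pscustomobject]@{ Name = 'WS-ACTIVE';  pwdLastSet = $ref.AddDays(-12).ToFileTimeUtc();  lastLogonTimestamp = $ref.AddDays(-3).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS-RETIRED'; pwdLastSet = $ref.AddDays(-400).ToFileTimeUtc(); lastLogonTimestamp = $ref.AddDays(-380).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS-NEVER';   pwdLastSet = 0; lastLogonTimestamp = $null }
)
Get-StaleComputer -Computer $sample -MaxAgeDays 90 -Now $ref | Format-Table
# Against a live domain (ActiveDirectory module from RSAT):
#   Get-StaleComputer -Computer (Get-ADComputer -Filter * -Properties pwdLastSet,lastLogonTimestamp)
```

Review the resulting list and disable accounts for a period before deleting them, since a machine that is powered off or off-network for longer than the threshold looks the same as a retired one.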

Discuss This Question: 1  Reply

  • Buddyfarr
    Please check out User Management Resource Administrator by Advanced Toolware. I use it to create, delete, backup accounts. I also have a script that shows all user accounts that are locked out and why. I don't have a script to do exactly what you are asking, but I am sure that their techs can create one for you. They helped me create a script to access our Exchange server and back up an entire mailbox to .pst for users that leave the organization. I use it along with backing up their personal files and then deleting the account. It has a multitude of uses that I haven't even scratched into yet.
