
Disabled or Deleted computer accounts in AD

Status
Not open for further replies.

windowsfan

IS-IT--Management
Jan 26, 2007
US
In our network I came across many computer accounts with a red cross on them.
How can I figure out whether to delete those or not?

How can I find out that those computers are not part of the domain any more or have not logged in for a long time, and that this is the reason they have a red cross?

What's the best way to find out and delete them automatically?

I would also like to know what the default time is after which a computer account gets disabled if it has not contacted AD in a certain number of days.
 
The red X means that the administrator has disabled those accounts. They have either been disabled manually or by group policy.

My inclination would be to delete them, but the safest course is to leave them. If you leave them you can re-enable them in the future if needed. If you delete them you will need to rejoin them to the domain. Either way is not a big deal.

They are not part of the domain, because if they are disabled they are not connecting.

You can use "saved queries" to search for disabled accounts.

If you are new to this network I would suggest waiting a couple of months, and if you don't need to re-enable any of these accounts then delete them. However, I don't know anything about your organization or network, so it's your responsibility. Who disabled them? Why? Once you answer those questions you will know what to do with these accounts.

 
"I would also like to know what the default time is after which a computer account gets disabled if it has not contacted AD in a certain number of days."

I'm not aware of any such default. A user account will be disabled when you reach the failed login limit, but the computer accounts will hang around forever.
 
What I found out was that if an account is offline for more than 30 days it will not synch its password with the DC, and that computer will not be able to log on because the secure channel between the client and the DC is not there any more.

That's what I am trying to figure out: whether all the computers which are disabled were disabled manually or because they are offline. How and where can I figure that out?

Thanks for your help
 
An "offline" computer will still not be disabled. It has to be done manually.
 
From what I read, if it was offline for more than 30 days you will end up re-joining the domain.
 
You're confusing re-synching with re-joining. Yes, when a computer has not contacted its domain after 30 days, its password will be out of synch, but its account will not be disabled, so there will not be a red X. If and when that computer comes back online and attempts to connect to the domain, during bootup/network initialization, it will re-establish its password synchronization, and the user will be able to log in. If the computer account was actually disabled, this process would not happen.
 
So if a computer was out of synch it will still be able to log in without any problem, right? Maybe I was wrong in what I said, that once it's out of synch I have to re-join it to the domain.

Thanks everyone for your help
 
No, I think you are right: if the computer doesn't connect to the domain for 30 days the machine account password expires. Then the computer is reconnected and attempts to connect using the old password, until it reaches the account lockout threshold. In this case I think that the machine accounts would be automatically disabled.

Maybe this will help:

 
(but that doesn't mean you would have to rejoin - just enable the account)
 
I deploy hundreds of laptops annually that are joined to their respective corporate domains. Frequently, the users do not connect with these laptops for over 30 days, but I have never seen the computer account disabled as a result of this. In actuality, even though there is a default of 30 days for computer account password expiration, passwords can be changed at any time when both parties (pc and server) are in communication. However, failure to do this will not result in a disabled machine account.
 
Here is a VBScript I use to check computer account password info:

You will need to change your LDAP path below. Also create a log directory on your C: drive.

Code:
'The script checks the Computers container in Active Directory and writes
'each computer name, OS, and the last time its machine password was set to a log file.
'Edit the LDAP path below and create C:\log before running.

On Error Resume Next 'keep going if an object is missing an attribute

Set fso = CreateObject("Scripting.FileSystemObject")
Set ts = fso.OpenTextFile("C:\log\passwordreset.log", 8, True) 'Mode 8 appends to the log file (mode 2 would overwrite it)
Set objShell = WScript.CreateObject("WScript.Shell")

'Read the local time zone bias (minutes) from the registry so that pwdLastSet
'is reported in local time rather than UTC. Integer8Date needs this value.
lngTZBias = 0
lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\TimeZoneInformation\ActiveTimeBias")
If UCase(TypeName(lngBiasKey)) = "LONG" Then
    lngTZBias = lngBiasKey
ElseIf UCase(TypeName(lngBiasKey)) = "VARIANT()" Then
    For k = 0 To UBound(lngBiasKey)
        lngTZBias = lngTZBias + (lngBiasKey(k) * 256 ^ k)
    Next
End If

ts.WriteLine "Script started successfully on " & Now
ts.WriteBlankLines(2)

'Edit the LDAP path below. This checks the Computers container.
Set objOU = GetObject("LDAP://CN=Computers,DC=foo,DC=com")
objOU.Filter = Array("computer") 'Only enumerate computer objects
For Each objComputer In objOU 'Loops through each computer account in the Computers container
    Set objPwdLastSet = objComputer.pwdLastSet 'IADsLargeInteger (Integer8) value
    intPLS = Integer8Date(objPwdLastSet, lngTZBias) 'Convert to a local date/time
    strCN = objComputer.CN 'Retrieve Computer Name
    strOS = objComputer.operatingSystem 'Retrieve Operating System
    ts.WriteLine "Computer Name: " & strCN & " " & strOS & " " & intPLS
Next

ts.WriteLine "Script completed successfully on " & Now
ts.WriteBlankLines(2)
ts.Close

Function Integer8Date(objDate, lngBias)
' Function to convert an Integer8 (64-bit, 100-nanosecond ticks since
' 1 Jan 1601 UTC) value to a date, adjusted for the local time zone bias
' given in minutes.

  Dim lngAdjust, lngDate, lngHigh, lngLow
  lngAdjust = lngBias
  lngHigh = objDate.HighPart
  lngLow = objDate.LowPart
' Account for error in IADsLargeInteger property methods.
  If lngLow < 0 Then
    lngHigh = lngHigh + 1
  End If
' A value of zero means the password was never set; do not apply the bias.
  If (lngHigh = 0) And (lngLow = 0) Then
    lngAdjust = 0
  End If
' 600000000 ticks per minute, 1440 minutes per day.
  lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
    + lngLow) / 600000000 - lngAdjust) / 1440
' Trap error if lngDate is ridiculously huge.
  On Error Resume Next
  Integer8Date = CDate(lngDate)
  If Err.Number <> 0 Then
    On Error GoTo 0
    Integer8Date = #1/1/1601#
  End If
  On Error GoTo 0
End Function
 
Sorry, you might get an error above.

Comment out the second line, "last time password set",
like this: 'last time password set

Then comment out
//edit ldapb elow. this checks computers container

like this:
'edit ldap below. this checks computers container
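The two questions running through this thread, how to tell an account an administrator disabled (the red X) from one that has merely been out of contact for more than 30 days, and how to query for each, can be worked through in one place. The block below is an added example and is not code from this thread or from the poster's script: it converts pwdLastSet from AD's Integer8 format the same way the VBScript above does, builds the LDAP filter strings a saved query would use, and classifies a set of sample computer entries. The hostnames and timestamps are constructed; the 0x2 (account disabled) and 0x1000 (workstation trust account) userAccountControl bits and the 1.2.840.113556.1.4.803 bitwise-AND matching rule OID are real AD identifiers.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Real AD constants: the userAccountControl bit that ADUC renders as the red X,
# the workstation trust-account bit, and the LDAP_MATCHING_RULE_BIT_AND OID.
UF_ACCOUNTDISABLE = 0x0002
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Integer8 (100-ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'never set'."""
    if filetime <= 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime, used to build pwdLastSet comparisons in filters."""
    delta = when.astimezone(timezone.utc) - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def disabled_computers_filter() -> str:
    """Filter a saved query for disabled computers issues: bit 0x2 set in userAccountControl."""
    return f"(&(objectCategory=computer)(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:=2))"


def stale_computers_filter(now: datetime, max_age_days: int = 30) -> str:
    """Enabled computers whose machine password is older than max_age_days (no red X on these)."""
    cutoff = datetime_to_filetime(now - timedelta(days=max_age_days))
    return (f"(&(objectCategory=computer)"
            f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:=2))"
            f"(pwdLastSet<={cutoff}))")


def classify(entry: dict, now: datetime, max_age_days: int = 30) -> str:
    """Separate an administratively disabled account from one that is merely out of contact."""
    disabled = bool(entry.get("userAccountControl", 0) & UF_ACCOUNTDISABLE)
    pwd_set = filetime_to_datetime(entry.get("pwdLastSet", 0))
    stale = pwd_set is None or (now - pwd_set) > timedelta(days=max_age_days)
    if disabled:
        return "disabled"  # red X: an admin or a policy disabled it; password age is irrelevant
    if stale:
        return "stale"     # no red X: it just has not talked to a DC within max_age_days
    return "active"


def report(entries, now: datetime, max_age_days: int = 30) -> dict:
    """Map each computer's CN to its classification."""
    return {e["cn"]: classify(e, now, max_age_days) for e in entries}


# Constructed sample entries (hostnames and timestamps invented for this example).
NOW = datetime(2007, 1, 26, tzinfo=timezone.utc)
SAMPLE_COMPUTERS = [
    {"cn": "WS-ACTIVE", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=5))},
    {"cn": "WS-STALE", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=90))},
    {"cn": "WS-DISABLED", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=200))},
    {"cn": "WS-NEVER", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "pwdLastSet": 0},
]

if __name__ == "__main__":
    for cn, state in report(SAMPLE_COMPUTERS, NOW).items():
        print(f"{cn:12} {state}")
    print(disabled_computers_filter())
    print(stale_computers_filter(NOW))
```

The point the sample set makes is the one the thread arrives at: a stale password and a disabled account are independent conditions. WS-STALE and WS-NEVER have no red X even though their passwords are far older than 30 days, while WS-DISABLED carries the bit regardless of password age. Against a live directory the same two filter strings can be pasted into an ADUC saved query or passed to any LDAP client, and the stale list is the one to review before deciding anything, since a laptop that has simply been away will re-synch its password on its own once it reconnects.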
 