Active Directory admins are well aware of the security threat posed by inactive user and computer accounts. A stale account keeps its group memberships and its old password, and nobody is watching it, so an attacker who recovers or guesses that password can use the account for a long time without the owner noticing. When AD accounts have not been used for a long time they should be disabled and, after a grace period, deleted. Organizations with a structured approach have a written policy with timelines for disabling and then deleting such accounts.
We will use the commands below in this article to achieve this goal. All three accept distinguished names (DNs) on standard input, which is what lets the output of dsquery be piped into dsmod or dsrm:
Dsquery: This command queries AD for objects that match the switches given (object type, inactivity, disabled state) and prints their DNs.
Dsmod: This command modifies attributes of the objects whose DNs it receives.
Dsrm: This command removes the objects whose DNs it receives from AD.
Syntax of the dsquery command is:
dsquery <object type> -inactive <number of weeks> -limit <number of objects>
-inactive is measured in weeks and is evaluated against the lastLogonTimestamp attribute. That attribute is replicated between domain controllers but is only rewritten when the stored value is more than about 14 days old, so a threshold of one or two weeks is meaningless; 8 weeks is a common choice. -limit defaults to 100, so a query without it silently stops after the first 100 matches; use -limit 0 to return every match.
Example: dsquery computer -inactive 8 -limit 500
dsquery user -inactive 8 -limit 500
Syntax of the dsmod command is:
dsmod <object type> <object DN> -disabled yes|no
The DN can be given on the command line or, as in the steps below, read from standard input.
Syntax of the dsrm command is:
dsrm <object Distinguished name (DN)> [-noprompt]
Without -noprompt, dsrm asks for confirmation before each deletion.
Please find below the steps to perform the stale object search:
Note: Run these commands on a domain controller or on a computer with the RSAT AD DS tools installed. They run with the rights of the logged-on user, who must be allowed to disable and delete objects in the OUs concerned.
Step 1: Open a command prompt as administrator.
Step 2: Find stale users/computers using the commands below (use -limit 0 for the full list) and review the output before changing anything. Accounts that appear but must stay, such as service accounts or people on long leave, should be noted so they can be excluded in the next steps:
For users: dsquery user -inactive 8 -limit 100
For computers: dsquery computer -inactive 8 -limit 100
Step 3: Disable inactive users/computers:
To disable the inactive users/computers found in step 2, use the commands below. Without -limit 0 only the first 100 objects are piped into dsmod:
For users: dsquery user -inactive 8 -limit 0 | dsmod user -disabled yes
For computers: dsquery computer -inactive 8 -limit 0 | dsmod computer -disabled yes
Step 4: Delete inactive/disabled users/computers
Two query forms are possible. The first deletes everything that is inactive, whether or not it was disabled first. It skips the grace period between disabling and deletion that the policy described above depends on, so use it only where the policy allows immediate deletion:
For users: dsquery user -inactive 8 -limit 0 | dsrm -noprompt
For computers: dsquery computer -inactive 8 -limit 0 | dsrm -noprompt
The second deletes every disabled account. Note that -disabled matches accounts disabled for any reason, not only the ones disabled in step 3: built-in accounts such as Guest and krbtgt, and accounts disabled for leave or a legal hold, are returned as well. Run the dsquery part on its own first and check the list, and leave -noprompt off on a first run so each deletion is confirmed:
Dsquery user -disabled -limit 0 | dsrm -noprompt
Dsquery computer -disabled -limit 0 | dsrm -noprompt
If the Active Directory Recycle Bin is enabled in the forest, objects deleted by mistake can be restored with their attributes and group memberships intact for the deleted-object lifetime (180 days by default), so enable it before the first bulk deletion.
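The same four steps (find, review, disable, delete after a grace period) can be done in a way that keeps the disable and delete phases apart, so that the delete phase can never reach an account that was disabled for some other reason. The script below is an added example written for this article, not code from the original page: it uses the ActiveDirectory PowerShell module from RSAT and assumes a holding OU named OU=Stale,DC=corp,DC=example and an exemption group named Stale-Exempt, both hypothetical names that must be changed to match your domain.

```powershell
<#
  Added example, not code from the original article: the same four steps
  (find, review, disable, delete after a grace period) with the ActiveDirectory
  module from RSAT. Hypothetical names: holding OU OU=Stale,DC=corp,DC=example
  and exemption group Stale-Exempt; change both to match your domain.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('Report', 'Disable', 'Delete')]
    [string]$Mode = 'Report',
    [int]$InactiveWeeks   = 8,     # same threshold as dsquery ... -inactive 8
    [int]$DeleteAfterDays = 30,    # grace period between disable and delete
    [string]$HoldingOU    = 'OU=Stale,DC=corp,DC=example',   # assumed to exist
    [string]$ExemptGroup  = 'Stale-Exempt',                  # assumed to exist
    [string]$ReportPath   = ".\stale-accounts-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

# Marker written into the description at disable time, so the delete phase
# only ever touches objects this script disabled, never other disabled accounts.
$tag = 'StaleCleanup'

# Members of the exemption group (service, break-glass, shared accounts) are never touched.
$exempt = @{}
Get-ADGroupMember -Identity $ExemptGroup -Recursive |
    ForEach-Object { $exempt[$_.DistinguishedName] = $true }

# LastLogonDate is the replicated lastLogonTimestamp, the same attribute
# dsquery -inactive evaluates; it can lag a real logon by up to 14 days.
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days (7 * $InactiveWeeks)) |
    Where-Object {
        $_.ObjectClass -in @('user', 'computer') -and
        $_.Enabled -and                                           # disabled ones belong to the delete phase
        -not $exempt.ContainsKey($_.DistinguishedName) -and
        $_.DistinguishedName -notlike '*,OU=Domain Controllers,*'
    }

switch ($Mode) {

    'Report' {
        # Step 2: produce a list to review before anything is changed.
        $stale |
            Select-Object Name, ObjectClass, SamAccountName, Enabled, LastLogonDate, DistinguishedName |
            Export-Csv -Path $ReportPath -NoTypeInformation
        Write-Host "$(@($stale).Count) stale account(s) written to $ReportPath"
    }

    'Disable' {
        # Step 3: disable, stamp, then move. Move last, because moving changes the DN.
        foreach ($a in $stale) {
            if (-not $a.LastLogonDate) {
                Write-Warning "$($a.SamAccountName) has never logged on; review manually (may be newly created)"
                continue
            }
            if ($PSCmdlet.ShouldProcess($a.DistinguishedName, 'disable and move to holding OU')) {
                Disable-ADAccount -Identity $a.DistinguishedName
                Set-ADObject -Identity $a.DistinguishedName `
                    -Description "$tag $(Get-Date -Format yyyy-MM-dd) lastlogon=$($a.LastLogonDate)"
                Move-ADObject -Identity $a.DistinguishedName -TargetPath $HoldingOU
            }
        }
    }

    'Delete' {
        # Step 4: delete only stamped objects in the holding OU whose grace period has expired.
        # objectClass=user also matches computer objects, which are a subclass of user.
        $cutoff = (Get-Date).AddDays(-$DeleteAfterDays)
        Get-ADObject -SearchBase $HoldingOU -SearchScope OneLevel `
                     -LDAPFilter "(&(objectClass=user)(description=$tag *))" `
                     -Properties description, ProtectedFromAccidentalDeletion |
            ForEach-Object {
                # Description looks like "StaleCleanup 2024-03-01 lastlogon=..."; field 2 is the disable date.
                $disabledOn = [datetime]::ParseExact(($_.description -split ' ')[1], 'yyyy-MM-dd',
                                                     [System.Globalization.CultureInfo]::InvariantCulture)
                if ($disabledOn -gt $cutoff) { return }   # still inside the grace period
                if ($PSCmdlet.ShouldProcess($_.DistinguishedName, "delete (disabled on $($disabledOn.ToString('yyyy-MM-dd')))")) {
                    if ($_.ProtectedFromAccidentalDeletion) {
                        Set-ADObject -Identity $_ -ProtectedFromAccidentalDeletion $false
                    }
                    # -Recursive also removes child objects a computer account may own
                    # (for example BitLocker recovery information).
                    Remove-ADObject -Identity $_ -Recursive -Confirm:$false
                }
            }
    }
}
```

Run it as .\Stale-Cleanup.ps1 first (report only), then .\Stale-Cleanup.ps1 -Mode Disable -WhatIf to see what would be disabled, and only then without -WhatIf; run -Mode Delete on a schedule after the grace period. Accounts that have never logged on are skipped with a warning rather than disabled, because a freshly created account looks identical to one that was never used. The stamp in the description is what ties the two phases together: an account that was disabled by hand, or a built-in account such as Guest, never carries the stamp and is never selected for deletion.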
By following the commands above you will be able to clean the stale objects out of AD, which removes the attack surface those objects represent. The same result can be achieved with PowerShell scripts (the ActiveDirectory module's Search-ADAccount, Disable-ADAccount and Remove-ADObject cmdlets) and with 3rd-party tools.