
Procedures for Deleting Expired


IFAS-implemented Solution (using scripts)

The script to delete computer accounts with old passwords will be enabled May 1, 2006. The script has been modified slightly to account for concerns raised during the March ICC meeting. When a computer account's password reaches 83 days old, the computer will be listed in the report "Computers with passwords older then 83 days". When a computer account's password reaches 90 days old, the computer account will be disabled, but not deleted.

The computer will also be left in its original OU. At 120 days old, the computer account will be deleted. It is recommended that all OU Admins subscribe to the report so they will get e-mail notice of problem machines. The 7-day grace period should provide enough time to investigate prior to any automatic disabling.
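
The staging described above (report at 83 days, disable at 90, delete at 120), as an added PowerShell example that only classifies accounts and never changes them; it is not the IFAS script. The function name Get-PasswordAgeStage and the sample machines are constructed for illustration, and the commented live query assumes the ActiveDirectory module's Get-ADComputer cmdlet.

```powershell
# Added example (not the IFAS script). Thresholds come from the policy text.
$ReportAge  = 83    # listed in the report
$DisableAge = 90    # account disabled, left in its original OU
$DeleteAge  = 120   # account deleted

function Get-PasswordAgeStage {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Computer,
        [datetime] $Now = (Get-Date)
    )
    foreach ($c in $Computer) {
        if ($null -eq $c.PasswordLastSet) {
            # No password date recorded: flag for a human, never auto-stage.
            $age = $null
            $stage = 'Review'
        } else {
            $age = [int][math]::Floor(($Now - $c.PasswordLastSet).TotalDays)
            if     ($age -ge $DeleteAge)  { $stage = 'Delete' }
            elseif ($age -ge $DisableAge) { $stage = 'Disable' }
            elseif ($age -ge $ReportAge)  { $stage = 'Report' }
            else                          { $stage = 'OK' }
        }
        [pscustomobject]@{ Name = $c.Name; AgeDays = $age; Stage = $stage }
    }
}

# Constructed sample input so the example runs without a domain.
$now = [datetime]'2006-05-01'
$sample = @(
    [pscustomobject]@{ Name = 'LAB-PC01'; PasswordLastSet = $now.AddDays(-12) }
    [pscustomobject]@{ Name = 'LAB-PC02'; PasswordLastSet = $now.AddDays(-83) }
    [pscustomobject]@{ Name = 'LAB-PC03'; PasswordLastSet = $now.AddDays(-95) }
    [pscustomobject]@{ Name = 'LAB-PC04'; PasswordLastSet = $now.AddDays(-130) }
    [pscustomobject]@{ Name = 'LAB-PC05'; PasswordLastSet = $null }
)

Get-PasswordAgeStage -Computer $sample -Now $now |
    Where-Object { $_.Stage -ne 'OK' } |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize

# Against a live OU (assumes the ActiveDirectory module; replace the placeholder DN):
# $live = Get-ADComputer -Filter * -SearchBase '<OU distinguished name>' -Properties PasswordLastSet
# Get-PasswordAgeStage -Computer $live
```

Machines in the Report stage are the ones inside the 7-day grace period, so they are the ones to investigate before the disable threshold is reached.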

Do-it-yourself Solution (using free third party tool)

There is a very good (but potentially dangerous) tool by Joe Richards which will report on old computers (users). The tool is OldCmp.

Among other things, this tool can do the same reporting for you that the above listed reporting site can do. Example syntax (using the Entnem OU as an example) for viewing computer objects whose password age is older than 83 days would be:

oldcmp -report -age 83 -b "OU=ENTNEM,OU=IFAS,OU=Departments,ou=uf,DC=ad,DC=ufl,DC=edu"

The report output is a very nicely formatted HTML file. No special rights are needed to run the reports.

last edited 25 September 2007 by Steve Lasley