= How to detect and remove inactive machine accounts =

Article ID: 197478

Article Last Modified on 2/27/2007


APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows NT Server 3.5
 * Microsoft Windows NT Server 3.51
 * Microsoft Windows NT Server 4.0 Standard Edition

This article was previously published under Q197478



SUMMARY
This procedure uses batch files and resource kit utilities to create a list of machine accounts sorted by the last time each machine account's password was updated. An administrator then examines the list and removes every machine account that is still active, leaving only the old machine accounts. A second batch file reads the remaining list and deletes each listed machine account using Windows NT resource kit utilities.


 * 1) Create the following batch files from their listings below: Oldms.bat, Oldms2.bat, Oldms3.bat, Oldms4.bat, Deloldms.bat, and Bat2.bat.
 * 2) Run Oldms.bat from a command prompt while logged on as an administrator, using the following syntax:

OLDMS.BAT DomainName

 * 3) Open the Output.txt file in a text editor and REMOVE every line that contains a VALID machine account. The lines remaining in Output.txt should be only the machine accounts that are to be deleted. Leave the two header lines at the top of the file in place: Deloldms.bat skips them and reads the domain name from the first one.
 * 4) Run Deloldms.bat. It reads Output.txt and deletes each listed machine account by calling the Netdom.exe resource kit utility.

Contents of Oldms.bat:

@echo off
if "%1"=="" goto nodomain
set dom=%1
set deloldms=
rem Locate the PDC: netdom reports it on a line containing "Found PDC"; the third token is its name
netdom /d:%1 bdc | find "Found PDC" > temp4.txt
for /f "tokens=3" %%a in (temp4.txt) do set pdc=%%a
if exist ms2.txt del ms2.txt
if exist output.txt del output.txt
if exist out2.txt del out2.txt
if exist temp4.txt del temp4.txt
echo.
echo Generating Server List of Member Servers and Workstations
echo.
echo Please Wait...
netdom /d:%1 /noverbose member > MS.TXT
rem Strip the leading backslashes so only the machine name remains
for /F "delims=\\ tokens=1" %%a in (ms.txt) do echo %%a >> MS2.TXT
cls
echo.
echo Generating List of Member Servers and Workstations - Done
echo.
echo List Generated. Checking Password Ages.
echo.
echo Please Wait...
rem Oldms2.bat queries each account and appends "year/month/day time name" to output.txt
for /F "tokens=1" %%a in (ms2.txt) do call oldms2.bat %%a %dom% %pdc%
sort < output.txt > out2.txt
del output.txt
rem Two header lines: the domain name, then "ECHO is off." written by the bare echo.
rem Deloldms.bat skips both (SKIP=2) and reads the domain name from the first.
echo Machine account ages for domain: %dom% >> output.txt
echo >> output.txt
type out2.txt >> output.txt
if exist ms.txt del ms.txt
if exist out2.txt del out2.txt
if exist temp3.txt del temp3.txt
if exist ms2.txt del ms2.txt
if exist temp.txt del temp.txt
if exist temp4.txt del temp4.txt
if exist total.txt del total.txt
if exist working.txt del working.txt
rem Count the data lines (each contains a space). The FOR command must stay on one line.
FOR /F "SKIP=2 tokens=1,2,3" %%A IN (OUTPUT.TXT) DO echo %%A %%B %%C>>working.txt
type working.txt|find " " /c>total.txt
for /f "tokens=1" %%A in (total.txt) do set deloldms=%%A
echo.
Echo List Complete
echo.
Echo %deloldms% machine accounts found.
echo.
echo Now edit OUTPUT.TXT and remove all valid machine accounts.
echo Machine accounts remaining in OUTPUT.TXT will be deleted.
echo After OUTPUT.TXT has been modified, run DELOLDMS.BAT to
echo delete machine accounts.
echo.
if exist total.txt del total.txt
if exist working.txt del working.txt
goto end
:nodomain
echo Specify the target domain on the command line
echo EXAMPLE: oldms MyDomainName
:end

Contents of Oldms2.bat:

rem %1 = member server
rem %2 = domain
rem %3 = pdc
rem nltest prints a line such as "PasswordLastSet = 12/1/1998 10:22:13";
rem the text after "=" (date and time) is passed to Oldms3.bat with the machine name
nltest /server:%3 /user:%1$ | find "PasswordLastSet" > temp.txt
for /F "delims== tokens=2" %%a in (temp.txt) do call oldms3.bat %%a %1

Contents of Oldms3.bat:

rem %1 = date
rem %2 = time
rem %3 = member server
echo %1 > temp3.txt
rem Split the date on "/" into month, day and year. The FOR command must stay on one line.
for /F "delims=/ tokens=1,2,3" %%a in (temp3.txt) do call oldms4.bat %%a %%b %%c %2 %3

Contents of Oldms4.bat:

rem %1 = month
rem %2 = day
rem %3 = year
rem %4 = time
rem %5 = member server
rem Write year first so that sorting output.txt orders the entries by date
echo %3/%1/%2 %4 %5 >> output.txt

Contents of Deloldms.bat:

@echo off
set dom=
set deloldms=
if exist total.txt del total.txt
if exist working.txt del working.txt
rem Count the remaining data lines (each contains a space). The FOR command must stay on one line.
FOR /F "SKIP=2 tokens=1,2,3" %%A IN (OUTPUT.TXT) DO echo %%A %%B %%C>>working.txt
type working.txt|find " " /c>total.txt
for /f "tokens=1" %%A in (total.txt) do set deloldms=%%A
cls
echo.
Echo NOTICE: %deloldms% machine accounts found in OUTPUT.TXT, ready for deletion
Echo Press Ctrl + C to abort or..
echo.
pause
rem The domain name is the sixth token of the header line written by Oldms.bat
FOR /f "tokens=6" %%a in (output.txt) do set dom=%%a
if "%dom%"=="" goto nodomain
rem The third token of each data line is the machine name; Bat2.bat deletes it
FOR /F "SKIP=2 TOKENS=3" %%A IN (OUTPUT.TXT) DO CALL BAT2 %%A
if exist total.txt del total.txt
if exist working.txt del working.txt
goto end
:nodomain
Echo Domain Name Missing from OUTPUT.TXT
Echo Re-run OLDMS.BAT
:end

Contents of Bat2.bat:

rem %1 = machine account name passed by Deloldms.bat; %dom% is set by Deloldms.bat
NETDOM /d:%dom% MEMBER %1 /DELETE



MORE INFORMATION
As part of Windows NT security, machine account passwords are changed every seven days. The process described in this article relies on the age of the machine account password to determine whether an account is still in use. An administrator can disable automatic machine account password changes, either domain-wide or per system. If that has been done, the password age no longer indicates whether an account is valid, and you must cross-reference Output.txt against your internally documented list of valid machine accounts when editing it. If that documentation is not available, this technique should not be used.
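The Oldms2/Oldms3/Oldms4 parsing chain and the password-age reasoning above, restated as an added Python example (this code is not part of the article and calls no resource kit tool): it parses the PasswordLastSet line that nltest prints for each account, applies an age threshold against a reference date, and emits the same "year/month/day time name" records the batch files write. The nltest lines, machine names, reference date and 30-day threshold are all constructed for the example. It also zero-pads month and day and sorts on the parsed date: Oldms4.bat writes unpadded values, so the plain text sort in Oldms.bat places 1998/12/1 before 1998/2/14, and the oldest accounts are not necessarily at the top of Output.txt.

```python
# Added example, not from KB 197478: Python version of the Oldms2/3/4 parsing
# chain plus an explicit password-age check. All sample data below is constructed.
from datetime import datetime, timedelta

# Constructed (machine name, nltest output line) pairs: Oldms2.bat captures the
# "PasswordLastSet" line from "nltest /server:PDC /user:NAME$" for each account.
NLTEST_SAMPLE = [
    ("FILESRV01", "           PasswordLastSet = 12/1/1998 10:22:13"),
    ("WKS-BOB",   "           PasswordLastSet = 11/3/1998 8:05:41"),
    ("OLDPRINT",  "           PasswordLastSet = 2/14/1998 23:59:02"),
    ("BUILDBOX",  "           PasswordLastSet = 12/7/1998 0:00:00"),
]

REFERENCE_DATE = datetime(1998, 12, 8, 12, 0, 0)  # constructed stand-in for "now"
MAX_AGE_DAYS = 30  # assumed threshold; NT rotates machine passwords every 7 days


def parse_password_last_set(line):
    """Oldms2.bat: take the text after '='; Oldms3/4.bat: split the date on '/'.
    Returns a datetime, or None when the line is not a PasswordLastSet line."""
    if "PasswordLastSet" not in line:
        return None
    value = line.partition("=")[2].strip()            # "12/1/1998 10:22:13"
    date_part, _, time_part = value.partition(" ")
    month, day, year = (int(x) for x in date_part.split("/"))
    hour, minute, second = (int(x) for x in time_part.split(":"))
    return datetime(year, month, day, hour, minute, second)


def batch_style_line(name, when):
    """Exactly what Oldms4.bat echoes: unpadded year/month/day, the time as
    nltest printed it (hours unpadded in the sample), then the machine name."""
    return "%d/%d/%d %d:%02d:%02d %s" % (when.year, when.month, when.day,
                                         when.hour, when.minute, when.second, name)


def batch_sort_order(samples):
    """Machine names in the order Oldms.bat's plain text `sort` produces.
    With unpadded months, 1998/12/... sorts before 1998/2/..., so the oldest
    account can land at the bottom of Output.txt."""
    lines = [batch_style_line(name, parse_password_last_set(line))
             for name, line in samples]
    return [entry.split()[2] for entry in sorted(lines)]


def stale_machine_accounts(samples, reference=REFERENCE_DATE,
                           max_age_days=MAX_AGE_DAYS):
    """Accounts whose password is older than the threshold, oldest first and
    zero-padded so text order and chronological order agree. The administrator
    still reviews this list before anything is deleted."""
    rows = []
    for name, line in samples:
        when = parse_password_last_set(line)
        if when is None:
            continue
        if reference - when > timedelta(days=max_age_days):
            rows.append((when, name))
    rows.sort()
    return ["%s %s" % (when.strftime("%Y/%m/%d %H:%M:%S"), name)
            for when, name in rows]


if __name__ == "__main__":
    print("Order produced by the batch files:", batch_sort_order(NLTEST_SAMPLE))
    print("Machine account ages for domain: EXAMPLEDOM")  # header as Oldms.bat writes it
    for entry in stale_machine_accounts(NLTEST_SAMPLE):
        print(entry)
```

The threshold is deliberately a parameter: the article leaves the "how old is too old" decision to the administrator, and an account whose automatic password change has been disabled will look stale regardless of the value chosen, which is exactly the case the paragraph above warns about.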

NOTE: Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

