Command-line Active Directory query tool. Primarily used to find and clean up old computer accounts that haven't been used. Can also be used to clean up user accounts when the proper filter is specified.
Version 1.5.0 - December 28, 2004
Modification(s) from previous version
There are no local security requirements for running OldCmp. The information returned from Active Directory depends on the security configured for the directory. Generally a normal Active Directory user can successfully run the report options. Disabling, moving, and deleting obviously require modify rights to the appropriate attributes.
C++. Compiled with Borland Builder 6.0
Source Code Availability
OldCmp was built because there was no decent way to find/report on/delete old computers in Active Directory. You can use dsget combined with dsrm but you are really taking your life in your hands. OldCmp has all sorts of safeties built in to try and prevent you from shooting your own foot. Note that you can still shoot yourself in the foot, it just takes more work. This appeals to the paranoid, scared, admin in myself.
The tool works with a Windows 2000 AD as well as a Windows 2003 AD. It can key off the pwdLastSet attribute or, in a domain at the Windows 2003 domain functional level, off lastLogonTimestamp. This means you can go after IDs that have not had their password reset in x days, or after accounts that haven't logged on in x days, where by default x is 90 days. I chose 90 days because computers should change their password at least every 30 days unless they have had their registries modified to prevent that password change. There are exceptions, such as a mobile user who goes away and doesn't log into the network for a long time, or some poorly written SAN/NAS solutions that don't change the password on their machine accounts on a regular basis. Generally, however, if the password on a computer account is between 90 and 120 days old, you can safely remove it.
OldCmp is also flexible enough to let you add your own components to the filter, so if you want to find only disabled computer accounts, or computer accounts in the xx dept, or whatever, you can append any standard LDAP query to the generated base filter.
As mentioned above, OldCmp has some safeties built in. The list is:
- You cannot delete a machine account that isn't already disabled.
- You must specify a safety limit of how many machines it can manipulate at once if you want more than 10. By default it will only affect up to 10 accounts. If you want to work up to 50 machines you can say 50, if you want up to 100, specify 100.
- You must specify the FORREAL option if you really want it to make changes; otherwise it will just report what it would try to do, i.e. it will be toothless.
- It will not modify domain controller accounts at all. Period. Just too many dangers there.
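The age filter and the safeties described above, as an added Python sketch (not OldCmp's source; the exact filter OldCmp generates is not shown on this page). The function names `to_filetime`, `stale_filter` and `plan` are hypothetical, and the sample accounts are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UAC_DISABLED = 0x0002   # ACCOUNTDISABLE bit of userAccountControl
UAC_DC = 0x2000         # SERVER_TRUST_ACCOUNT: domain controller
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

def to_filetime(dt):
    """AD stores pwdLastSet/lastLogonTimestamp as 100-ns ticks since 1601 UTC."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def stale_filter(now, age_days=90, attr="pwdLastSet", extra=""):
    """Computers whose attr is older than age_days, never domain controllers.
    extra is an optional LDAP clause appended to the base filter."""
    cutoff = to_filetime(now - timedelta(days=age_days))
    return (f"(&(objectCategory=computer)({attr}<={cutoff})"
            f"(!(userAccountControl:{BIT_AND}:={UAC_DC})){extra})")

def plan(action, accounts, limit=10, forreal=False):
    """Apply the safeties to (name, userAccountControl) pairs.
    Returns (name, decision) pairs; nothing is APPLY unless forreal is set."""
    if len(accounts) > limit:
        raise ValueError(f"{len(accounts)} accounts exceed safety limit {limit}")
    decisions = []
    for name, uac in accounts:
        if uac & UAC_DC:
            decisions.append((name, "SKIP: domain controller"))
        elif action == "delete" and not (uac & UAC_DISABLED):
            decisions.append((name, "SKIP: not disabled"))
        else:
            decisions.append((name, "APPLY" if forreal else "REPORT ONLY"))
    return decisions

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # Append a clause so only already-disabled computers match.
    print(stale_filter(now, extra=f"(userAccountControl:{BIT_AND}:={UAC_DISABLED})"))
    # Constructed sample: disabled workstation, enabled workstation, DC.
    sample = [("PC1$", 4098), ("PC2$", 4096), ("DC1$", 532480)]
    for name, decision in plan("delete", sample):
        print(name, decision)
```

Running a query with the printed filter first, and reviewing the report-only plan before setting `forreal`, mirrors the report-then-act workflow the safeties are meant to enforce.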
The tool can create output in several formats based on the switches specified. By default the output will be standard HTML. However you can specify Dynamic HTML (dhtml) or CSV as well. The dhtml allows for dynamic sorting by clicking on column headers.
You do not have to supply the email address. I would like you to fill that in though so that I have an idea on how popular a tool really is. If I see 1000 downloads with 900 different email addresses I know it is more widespread than one that has 1000 downloads and 200 different email addresses because the same person needed to keep downloading it for some reason.
As seen in
Download and type OldCmp /?
See current usage screens