HOWTO: How to Detect and Remove Inactive Machine Accounts
ID: Q197478
The information in this article applies to:
- Microsoft Windows NT Server versions 3.5, 3.51, 4.0
SUMMARY
This procedure uses batch files and Windows NT Resource Kit utilities
(Netdom.exe and Nltest.exe) to build a list of machine accounts sorted by
the date on which each machine account's password was last changed. An
administrator must then review the list and remove the entries for all
machine accounts that are known to be active, so that only the stale
machine accounts remain. A second batch file reads the remaining list and
deletes each of those machine accounts with the Netdom.exe utility.
- Create the following batch files from their listings below: Oldms.bat,
Oldms2.bat, Oldms3.bat, Oldms4.bat, Deloldms.bat, and Bat2.bat.
- Run the Oldms.bat file from a command prompt while logged on as an
administrator. Use the following syntax:
OLDMS.BAT DomainName
- Open the Output.txt file in a text editor and REMOVE every line for a
machine account that is VALID. Leave the two header lines at the top of
the file in place (Deloldms.bat skips them). The remaining lines in
Output.txt must contain only the machine accounts that are to be deleted.
- Run the Deloldms.bat file. This file will read the Output.txt file, and
delete each machine account by calling the Netdom.exe resource kit
utility.
Contents of Oldms.bat:
@echo off
if "%1"=="" goto nodomain
set dom=%1
set deloldms=
netdom /d:%1 bdc | find "Found PDC" > temp4.txt
for /f "tokens=3" %%a in (temp4.txt) do set pdc=%%a
if exist ms2.txt del ms2.txt
if exist output.txt del output.txt
if exist out2.txt del out2.txt
if exist temp4.txt del temp4.txt
echo.
echo Generating Server List of Member Servers and Workstations
echo.
echo Please Wait...
netdom /d:%1 /noverbose member > MS.TXT
rem delims= must be the last option in the FOR /F option string; anything
rem after it (such as " tokens=1") is otherwise added to the delimiter set
for /F "tokens=1 delims=\" %%a in (ms.txt) do echo %%a >> MS2.TXT
cls
echo.
echo Generating List of Member Servers and Workstations - Done
echo.
echo List Generated. Checking Password Ages.
echo.
echo Please Wait...
rem the default delimiters (space and tab) strip the trailing space that
rem echo left after each machine name
for /F "tokens=1" %%a in (ms2.txt) do call oldms2.bat %%a %dom% %pdc%
sort < output.txt > out2.txt
del output.txt
echo Machine account ages for domain: %dom% >> output.txt
echo ------------------------------------------------ >> output.txt
type out2.txt >> output.txt
if exist ms.txt del ms.txt
if exist out2.txt del out2.txt
if exist temp3.txt del temp3.txt
if exist ms2.txt del ms2.txt
if exist temp.txt del temp.txt
if exist temp4.txt del temp4.txt
if exist total.txt del total.txt
if exist working.txt del working.txt
FOR /F "SKIP=2 tokens=1,2,3" %%A IN (OUTPUT.TXT) DO echo %%A %%B %%C>>working.txt
type working.txt|find " " /c>total.txt
for /f "tokens=1" %%A in (total.txt) do set deloldms=%%A
echo.
Echo List Complete
echo.
Echo %deloldms% machine accounts found.
echo.
echo Now edit OUTPUT.TXT and remove all valid machine accounts.
echo Machine accounts remaining in OUTPUT.TXT will be deleted.
echo After OUTPUT.TXT has been modified, run DELOLDMS.BAT to
echo delete machine accounts.
echo.
if exist total.txt del total.txt
if exist working.txt del working.txt
goto end
:nodomain
echo Specify the target domain on the command line
echo EXAMPLE: oldms MyDomainName
:end
Contents of Oldms2.bat:
rem %1 = member server
rem %2 = domain
rem %3 = pdc
nltest /server:%3 /user:%1$ | find "PasswordLastSet" > temp.txt
rem tokens= must precede delims=, or " tokens=2" joins the delimiter set;
rem CALL returns control here after Oldms3.bat finishes
for /F "tokens=2 delims==" %%a in (temp.txt) do call oldms3.bat %%a %1
Contents of Oldms3.bat:
rem %1 = date
rem %2 = time
rem %3 = member server
echo %1 > temp3.txt
for /F "tokens=1,2,3 delims=/" %%a in (temp3.txt) do call oldms4.bat %%a %%b %%c %2 %3
Contents of Oldms4.bat:
rem %1 = month
rem %2 = day
rem %3 = year
rem %4 = time
rem %5 = member server
echo %3/%1/%2 %4 %5 >> output.txt
Contents of Deloldms.bat:
@echo off
set dom=
set deloldms=
if exist total.txt del total.txt
if exist working.txt del working.txt
FOR /F "SKIP=2 tokens=1,2,3" %%A IN (OUTPUT.TXT) DO echo %%A %%B %%C>>working.txt
type working.txt|find " " /c>total.txt
for /f "tokens=1" %%A in (total.txt) do set deloldms=%%A
cls
echo.
Echo NOTICE: %deloldms% machine accounts found in OUTPUT.TXT, ready for deletion
Echo Press Ctrl+C to abort, or...
echo.
pause
FOR /f "tokens=6" %%a in (output.txt) do set dom=%%a
if "%dom%"=="" goto nodomain
FOR /F "SKIP=2 TOKENS=3" %%A IN (OUTPUT.TXT) DO CALL BAT2 %%A
if exist total.txt del total.txt
if exist working.txt del working.txt
goto end
:nodomain
Echo Domain Name Missing from OUTPUT.TXT
Echo Re-run OLDMS.BAT
:end
Contents of Bat2.bat:
NETDOM /d:%dom% MEMBER %1 /DELETE
MORE INFORMATION
As part of Windows NT security, each machine account's password is changed
automatically every seven days. The process described in this article
relies on the age of that password to decide whether an account is still in
use: an account whose password has not changed for many weeks belongs to a
computer that has not contacted the domain in that time. Two situations
break this assumption. First, an administrator can disable automatic
machine account password changes, either domain-wide or on individual
systems. Where this has been done, the password age says nothing about
whether the account is valid, and you must cross-reference Output.txt
against your internally documented list of valid machine accounts before
deleting anything. If that information is not available, do not use this
technique. Second, a computer that has simply been switched off or
disconnected (for example, a portable computer or a spare server) also
shows an old password while still being a valid domain member. Deleting
its machine account breaks its secure channel with the domain, and the
computer must be removed from the domain and rejoined before it can
participate in domain logons again.
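The following Python script is an added example; it is not part of this
article and is not one of the Resource Kit tools. It reads Output.txt in
the form that Oldms4.bat writes it (year/month/day time machine, after the
two header lines), computes the age of each machine account password
against a reference date, sorts the entries chronologically and flags the
ones older than a threshold, which is the review the administrator would
otherwise do by eye. The sample Output.txt lines, the reference date and the
30-day threshold are constructed for the example. It also shows why the
text sort in Oldms.bat is only an approximation: if Nltest.exe prints the
month and day without leading zeros, a character-by-character comparison
orders 1998/2/14 after 1998/12/20.

```python
"""Rank the Output.txt produced by Oldms.bat by machine account password age.

Added example, not part of KB Q197478. The sample lines, reference date and
30-day threshold are constructed; Windows NT rotates machine account
passwords every seven days by default, so the threshold is an assumption.
"""
from datetime import datetime, timedelta

# Constructed sample of Output.txt as Oldms.bat writes it: two header lines
# (which Deloldms.bat skips with SKIP=2) followed by one line per machine
# account in the form  yyyy/m/d h:mm:ss MACHINE
SAMPLE_OUTPUT = """\
Machine account ages for domain: CORPDOM
------------------------------------------------
1998/10/2 08:15:42 FILESRV1
1998/2/14 17:03:10 LAB-OLD
1998/12/20 09:40:05 WS-ACCT04
1998/9/30 23:59:59 PRINT02
"""

REFERENCE_DATE = datetime(1999, 1, 4)   # constructed "today" for the example
STALE_AFTER = timedelta(days=30)        # assumption, see module docstring


def parse_output(text):
    """Parse Output.txt into (password_last_set, machine) tuples.

    The first two lines are the header written by Oldms.bat; Deloldms.bat
    skips them with SKIP=2, and so does this parser. Blank lines are ignored.
    """
    entries = []
    for line in text.splitlines()[2:]:
        if not line.strip():
            continue
        date_s, time_s, machine = line.split()
        year, month, day = (int(x) for x in date_s.split("/"))
        hour, minute, second = (int(x) for x in time_s.split(":"))
        entries.append((datetime(year, month, day, hour, minute, second), machine))
    return entries


def rank_by_age(text, reference=REFERENCE_DATE, stale_after=STALE_AFTER):
    """Return [(machine, age_in_days, is_stale)] sorted oldest password first."""
    ranked = []
    for when, machine in sorted(parse_output(text)):
        age = reference - when
        ranked.append((machine, age.days, age > stale_after))
    return ranked


def stale_machines(text, reference=REFERENCE_DATE, stale_after=STALE_AFTER):
    """Names of machines whose password age exceeds the threshold."""
    return [m for m, _, stale in rank_by_age(text, reference, stale_after) if stale]


def text_sort_order(text):
    """Machine names in the order a plain string sort of the lines gives.

    This mirrors what 'sort < output.txt' does in Oldms.bat: with unpadded
    month fields, "1998/2/14" sorts after "1998/12/20" because "2" > "1".
    """
    lines = [line for line in text.splitlines()[2:] if line.strip()]
    return [line.split()[2] for line in sorted(lines)]


if __name__ == "__main__":
    for machine, days, stale in rank_by_age(SAMPLE_OUTPUT):
        print(f"{machine:<12} {days:>4} days {'STALE' if stale else ''}")
    print("text sort order:", text_sort_order(SAMPLE_OUTPUT))
```

Run it against a real Output.txt by replacing SAMPLE_OUTPUT with the file
contents and REFERENCE_DATE with the current date; the machines it reports
as stale are candidates for removal, not a final answer, for the reasons
given above about disabled password changes and machines that are merely
offline.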
REFERENCES
For additional information, please see the following article(s) in the
Microsoft Knowledge Base:
Q154501
How to Disable Automatic Machine Account Password Changes
Q158148
Domain Secure Channel Utility -- Nltest.exe
Additional query words:
Server Manager Clean Up Cleanup
Keywords : ntdomain
Version : WinNT:3.5,3.51,4.0
Platform : winnt
Issue type : kbhowto