Step-by-Step Guide: Automating Active Directory Cleanup with OldCmp
Stale computer and user accounts pose a significant security risk and clutter your Active Directory (AD) environment. Over time, decommissioned laptops, departed employees, and temporary servers leave behind digital debris. Leaving these accounts active expands your attack surface, complicates compliance audits, and slows down directory queries.
While manual cleanup is tedious and error-prone, Joe Richards’ command-line utility, OldCmp, remains a reliable, lightweight tool for identifying and purging these inactive accounts. This guide walks you through the step-by-step process of safely automating your AD cleanup using OldCmp.

Phase 1: Understanding OldCmp and LastLogonTimestamp
Before running any commands, it is crucial to understand how OldCmp determines if an account is “stale.”
By default, OldCmp relies on the lastLogonTimestamp attribute. Introduced in Windows Server 2003, this attribute replicates across domain controllers but is subject to a randomized delay (up to 14 days by default) to prevent replication traffic storms.
Because of this replication lag, never target accounts that have been inactive for fewer than 30 days. A safe, industry-standard baseline for automation is 90 days of inactivity.

Phase 2: Safe Testing (Report Mode)
OldCmp is incredibly safe to use because it operates in a multi-stage workflow. You should never jump straight to disabling or deleting accounts. Your first step is always generating a report.
Download OldCmp and place the executable into a dedicated management folder (e.g., C:\ADCleanup).
Open an elevated Command Prompt or PowerShell window as a Domain Administrator.
Run the following command to generate an HTML report of all computer accounts inactive for more than 90 days:
oldcmp -accounttype computer -age 90 -report -format html -file C:\ADCleanup\stale_computers.html

Key Parameters Explained:
-accounttype: Specifies whether you are targeting computer or user accounts.
-age: The threshold of inactivity in days.
-report: Instructs the tool to only gather data without modifying AD.
-format html: Generates an easy-to-read webpage listing the stale accounts.
Review the generated HTML report. Verify that critical production servers or specialized service accounts are not erroneously listed.

Phase 3: The Graduation Strategy (Disable, Move, Delete)
When you are ready to move past reporting, enforce a strict “graduation strategy.” Do not delete accounts immediately. Instead, disable them, move them to a staging Organizational Unit (OU), wait for a buffer period, and then delete them.

Step 1: Disable the Accounts
Disabling accounts is a reversible action. If an active machine was misidentified, a helpdesk technician can re-enable it instantly. Run this command to disable computers inactive for over 90 days:
oldcmp -accounttype computer -age 90 -disable

Step 2: Move to a Staging OU
Moving the disabled accounts out of their live production OUs makes tracking easier. Create an OU named _Stale_Objects in your AD root, then run:
oldcmp -accounttype computer -age 90 -move "OU=_Stale_Objects,DC=yourdomain,DC=com"

Step 3: The Final Purge
After the accounts have sat disabled and isolated in your staging OU for an additional 30 to 60 days without anyone complaining, it is safe to delete them. To delete accounts that have been inactive for 150 days (90 days initial + 60 days staging buffer), run:
oldcmp -accounttype computer -age 150 -delete

Phase 4: Automating the Script with Task Scheduler
To make this a hands-off, automated process, combine these stages into a simple batch script and schedule it to run monthly.

1. Create the Batch Script
Create a text file named ad_cleanup.bat in your C:\ADCleanup directory and paste the following logic:
@echo off
REM Step 1: Disable computer accounts older than 90 days
C:\ADCleanup\oldcmp.exe -accounttype computer -age 90 -disable -quiet
REM Step 2: Move those 90-day-old accounts to the Stale OU
C:\ADCleanup\oldcmp.exe -accounttype computer -age 90 -move "OU=_Stale_Objects,DC=yourdomain,DC=com" -quiet
REM Step 3: Permanently delete accounts older than 150 days
C:\ADCleanup\oldcmp.exe -accounttype computer -age 150 -delete -quiet
(Note: The -quiet switch suppresses interactive screen prompts, allowing the script to run seamlessly in the background.)

2. Configure Windows Task Scheduler
Open Task Scheduler on a management server or domain controller.
Click Create Task (not Basic Task).
On the General tab: name the task “Automated AD Computer Cleanup”, select Run whether user is logged on or not, and check Run with highest privileges.
Change the user account to a service account that holds Domain Admin or delegated object-management permissions.
On the Triggers tab, click New and set the task to run Monthly.
On the Actions tab, click New, select Start a program, and browse to your C:\ADCleanup\ad_cleanup.bat file.
Click OK and enter the credentials for the service account when prompted.

Best Practices and Safeguards
Exempt Critical OUs: If you have an OU containing mission-critical servers that rarely log on but must never be touched, use the -b (base DN) parameter to target only specific workstation OUs, rather than the domain root.
Keep Logs: OldCmp automatically generates log files in the directory it is run from. Review these logs periodically to ensure the tool is executing correctly.
Monitor the Stale OU: Keep an eye on the _Stale_Objects OU. If a computer pops up there and a user reports login issues, you caught a false positive early enough to fix it with a simple right-click and “Enable.”
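As an added example (not OldCmp and not part of the original guide), the same 90-day threshold, the 30-day replication floor, the critical-OU exemption and the disable-then-move step written with the RSAT ActiveDirectory PowerShell module, so you can cross-check what the OldCmp report and batch script will touch before they run. The OU names mirror the guide; the function names, the -ExcludeOU parameter and the -MaxChanges safety cap are assumptions of this example.

```powershell
# Added example (not OldCmp, not from the guide); needs the RSAT ActiveDirectory module.
#Requires -Modules ActiveDirectory
function Get-StaleComputer {
    [CmdletBinding()]
    param(
        [int]$DaysInactive = 90,
        [string]$SearchBase,          # like OldCmp -b: scope the query to a workstation OU
        [string[]]$ExcludeOU = @()    # DNs of OUs that must never be touched (assumed parameter)
    )
    # lastLogonTimestamp replicates with up to ~14 days of lag; enforce the guide's 30-day floor.
    if ($DaysInactive -lt 30) { throw 'DaysInactive must be at least 30 days.' }
    # lastLogonTimestamp is a FILETIME (Int64); machines that never logged on have none and will not match.
    $cutoff = (Get-Date).AddDays(-$DaysInactive).ToFileTimeUtc()
    $query = @{
        Filter     = { Enabled -eq $true -and lastLogonTimestamp -lt $cutoff }
        Properties = 'lastLogonTimestamp', 'OperatingSystem'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    Get-ADComputer @query |
        Where-Object { $dn = $_.DistinguishedName
                       -not ($ExcludeOU | Where-Object { $dn -like "*,$_" }) } |
        Select-Object Name, OperatingSystem, DistinguishedName,
            @{ n = 'LastLogon'; e = { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } }
}
function Invoke-StaleComputerGraduation {
    # Steps 1 and 2 of the guide: disable, then move to the staging OU (both reversible).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$StagingOU,
        [int]$DaysInactive = 90,
        [int]$MaxChanges = 25,        # assumed safety cap: refuse an unexpectedly large batch
        [string]$SearchBase,
        [string[]]$ExcludeOU = @()
    )
    $stale = @(Get-StaleComputer -DaysInactive $DaysInactive -SearchBase $SearchBase -ExcludeOU $ExcludeOU)
    if ($stale.Count -gt $MaxChanges) {
        throw "$($stale.Count) candidates exceed the cap of $MaxChanges; review the report first."
    }
    foreach ($c in $stale) {
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Disable and move to $StagingOU")) {
            Set-ADComputer -Identity $c.DistinguishedName -Enabled $false `
                -Description "Disabled $(Get-Date -Format s); last logon $($c.LastLogon)"
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $StagingOU
        }
    }
}
# Dry run of the 90-day graduation step, exempting a servers OU; drop -WhatIf to apply it.
Invoke-StaleComputerGraduation -StagingOU 'OU=_Stale_Objects,DC=yourdomain,DC=com' `
    -ExcludeOU 'OU=Servers,DC=yourdomain,DC=com' -WhatIf
```

Pipe Get-StaleComputer to Export-Csv to keep a dated record alongside the OldCmp HTML report; the two lists should agree, and any machine present in only one of them deserves a look before the disable step runs.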
By implementing this automated OldCmp workflow, you ensure your Active Directory environment remains lean, compliant, and secure with zero ongoing manual effort.