This is a How-To article on using Goverlan to detect and quarantine stale Active Directory computer records.
As your organization grows, your IT infrastructure follows. Over time, this growth can easily get out of control if no effort is put into maintaining a healthy set of Active Directory records. As organizations shift and change, new computers are put into operation, old computers are decommissioned, and existing computers are renamed; labs and training centers are built one day and retired another. Each of these events creates a disconnect between the physical machines on the network and their Active Directory counterparts, and eventually Active Directory becomes polluted with stale computer accounts that no longer correspond to a real computer. Those accounts are still valid security principals that can authenticate to the domain, so keeping the set of AD accounts current matters both for the attack surface and for passing security compliance audits.
This article explains one method which can be regularly used to detect and remove these stale computer records from Active Directory.
An Active Directory computer account has a password, just as a user account does. Although the process is invisible to us humans, computers also log in to the domain and change their own password on a regular schedule. By default, a domain member changes its machine account password every 30 days (see Microsoft's blog post on the machine account password process).
This is useful because it gives us a way to detect stale computer records: query the password age of every computer account and return the records whose age exceeds a pre-determined, reasonable threshold. For instance, if a computer account's password is older than 180 days, that account can be flagged as a stale record.
For large organizations, due diligence is needed before settling on that threshold. Not every computer is powered on and connected to the domain all the time: laptops, training and lab computers may be unable to reach a domain controller, and therefore unable to change their password, for extended periods. Note also that the password change is initiated by the client, not enforced by the domain controller, so a machine on which the "Domain member: Disable machine account password changes" policy is set will never rotate its password and will look stale no matter how active it is.
Nonetheless, the password age of a computer account is a solid criterion for a stale account clean-up procedure. So how do we query this attribute en masse?
To calculate the age of a computer's password, we need to query the Active Directory attribute named pwdLastSet. Because pwdLastSet is replicated, any domain controller returns the same value, and it can be read by a script via WMI, PowerShell or LDAP.
Sounds easy enough! Here is the official definition of this attribute as per Microsoft’s documentation:
Pwd-Last-Set Attribute The date and time that the password for this account was last changed. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). If this value is set to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon.
Hmmm… not as easy as we thought!
Thankfully, we do not need to query and convert this attribute by hand. The Goverlan Remote Administration Suite can report on any Active Directory attribute, and it also exposes a derived Password Age property (in days) for user and computer accounts, so the FILETIME conversion is done for us.
Generating a Stale Computer Records Report using Goverlan
Generating a report of computer accounts for which the password age is greater than a specified value is done easily using the Goverlan Scope Action feature.
Here is how it’s done:
Create a Scope Action object and define its scope to be the entire domain in your Active Directory (Note: You can also target a particular set of OUs).
Now that we have the scope defined, we need to specify the actions to perform on it. For now, we are simply going to report the computer name and its password age in days. Later on, I will explain how you can quarantine the account or even delete it as needed.
To generate a list of computer accounts whose password age is older than 6 months, we select to report on the computer account’s password age. Then we configure the condition that the password age must be greater than 180 days for the computer to be included in the report:
Once we have our Scope Action configured, we simply run it and get a nicely formatted report:
At this stage, the accuracy of the generated report can be fine-tuned by adding conditions to the result list. For instance, we can exclude any account whose Description field contains the key phrase 'do not delete', which gives administrators a simple way to protect accounts that are legitimately offline for long periods.
Taking actions upon detection
Once you are satisfied with the accuracy of the result set generated by the Scope Action, you can configure actions to be performed on the matching accounts. Goverlan can delete an account outright when it is flagged as stale, but I would strongly advise against doing so in a single step: deletion is irreversible, and a wrongly deleted computer has to be re-joined to the domain. Demote the accounts first and delete them later.
Let's configure Goverlan to move stale computer records into an existing Quarantine OU and then disable the computer account. Some records will still be incorrectly flagged as stale (laptops, training or lab computers), but a disabled account in a quarantine OU can simply be re-enabled and moved back, whereas a deleted record cannot.
We add the following Actions into the Action Module configuration:
- Set Action> Computer Property > Account Information > Account Disabled to TRUE
- Execute Action > Computer Action > Move Object to the Quarantine OU
Finalize the process by executing the Scope Action again. All computer records detected as stale are then automatically disabled and quarantined. After a reasonable grace period in which nobody has complained, you can delete the contents of the Quarantine OU to keep AD clean.
This concludes how Goverlan can be used to perform clean-up procedures on your Active Directory object set and maintain a healthy and compliant repository.
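The same workflow, as an added PowerShell example rather than Goverlan's own tooling: it reads pwdLastSet directly, converts the FILETIME value from Microsoft's definition quoted above into a date and an age in days, applies the 180-day threshold and the 'do not delete' Description exclusion from the report step, and then performs the same disable-then-move quarantine. It assumes the RSAT ActiveDirectory module is installed and that the target OU already exists; the distinguished name OU=Quarantine,DC=corp,DC=example is a placeholder to replace with your own. Both modifying cmdlets run with -WhatIf, so nothing changes until you remove that switch.

```powershell
# Added example (not Goverlan's tooling): detect and quarantine stale computer accounts.
# Assumptions: RSAT ActiveDirectory module installed; quarantine OU (placeholder DN) exists.
Import-Module ActiveDirectory

$ThresholdDays = 180
$QuarantineOU  = 'OU=Quarantine,DC=corp,DC=example'   # placeholder: substitute your OU
$NowUtc        = (Get-Date).ToUniversalTime()
$Cutoff        = $NowUtc.AddDays(-$ThresholdDays)

# pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC. A value of 0 means
# the password has never been set (e.g. a pre-staged account), not "set in 1601", so it is
# reported as never-set rather than as an absurd age.
$Candidates = Get-ADComputer -Filter 'Enabled -eq $true' `
                -Properties pwdLastSet, Description |
    ForEach-Object {
        $ticks   = [int64]$_.pwdLastSet
        $lastSet = $null
        $ageDays = $null
        if ($ticks -ne 0) {
            $lastSet = [DateTime]::FromFileTimeUtc($ticks)
            $ageDays = [int]($NowUtc - $lastSet).TotalDays
        }
        [PSCustomObject]@{
            Name              = $_.Name
            DistinguishedName = $_.DistinguishedName
            Description       = $_.Description
            PasswordLastSet   = $lastSet
            PasswordAgeDays   = $ageDays
        }
    } |
    Where-Object {
        # stale: never set, or set before the cutoff ...
        ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff) -and
        # ... not explicitly protected via the Description field ...
        ($_.Description -notmatch 'do not delete') -and
        # ... and not already sitting in the quarantine OU from an earlier run.
        ($_.DistinguishedName -notlike "*,$QuarantineOU")
    }

# Step 1: the report. Review it before taking any action.
$Candidates | Sort-Object PasswordAgeDays -Descending |
    Format-Table Name, PasswordLastSet, PasswordAgeDays, Description -AutoSize

# Step 2: reversible quarantine. Disable first (the DN is still valid), then move,
# because Move-ADObject changes the object's DN. Remove -WhatIf to apply the changes.
foreach ($c in $Candidates) {
    Disable-ADAccount -Identity $c.DistinguishedName -WhatIf
    Move-ADObject     -Identity $c.DistinguishedName -TargetPath $QuarantineOU -WhatIf
}
```

Filtering happens client-side here so the conversion is visible; in a large domain you can push the age test to the domain controller by passing the cutoff as a FILETIME in the filter (for example -Filter "pwdLastSet -lt $($Cutoff.ToFileTimeUtc())"), which returns only the candidate objects. To undo a false positive, run Enable-ADAccount on the object and move it back to its original OU; because the machine's password was never changed, its secure channel to the domain resumes working.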