DSQUERY - [WildPacket]
WILDPACKET
2006-01-26 13:36:03 UTC
When I run the following command to find inactive computers this is the error
I receive. Running Windows 2003 Server DC.

C:\>dsquery computer domainroot -inactive 2
dsquery failed:The parameter is incorrect.:Windows could not run this query because you are connected to a domain that does not support this query.

Does it have to do anything with Mixed or Native mode?

Advise please.

Thank you.
Paul Bergson
2006-01-26 13:54:27 UTC
The object -inactive isn't available on the domain you have run this on. You
are probably on a Windows 2000 domain.

Go to joeware.net and download oldcmp
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
WILDPACKET
2006-01-26 14:40:05 UTC
Paul thank you for your response.

I did download "oldcmp" and it shows only DISABLED COMPUTERS which are 47.
These 47 computers have RED X beside them.

My domain has over 300 computers which are gone/unplugged but they still
reside in my AD. Those are the inactive ones I want to get rid of.

Advise please.
Paul Bergson
2006-01-26 15:12:07 UTC
I have a script that reads AD and reports on users. I'm hoping to convert
and put machines in this but haven't gotten to it. If you want to look at
it you could change to machine accounts and grab machine info.

http://pbbergs.dynu.com/windows/windows.htm
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
Frederik De Muyter
2006-01-26 14:20:03 UTC
It is possible that it will work only in Windows 2003 mode.
Try the following:

dsquery computer domainroot -stalepwd 90 (now it is days, not weeks)
WILDPACKET
2006-01-26 14:44:03 UTC
Thank you Frederik for your response.

I ran this command on the DC:
DSQUERY COMPUTER DOMAINROOT -STALEPWD 90 -LIMIT 2000 > STALEPWD.TXT

and it showed me 690 computers. Does this mean these are the boxes I need to
remove? I will check these first and move them to a separate OU as you
suggested.

Advise please.
WILDPACKET
2006-01-26 14:48:02 UTC
Ran the same command to find 180 days old pwd and it came up with 485
computers??
Frederik De Muyter
2006-01-26 15:47:03 UTC
By default Windows 2000, XP and 2003 try to change their password every 30 days:

-stalepwd
Searches for all computers that have not changed their password for the
specified number of days.

So if you type 90 it will give you all computer accounts that have not
changed their password during the last 90 days.
Hope this helps.
WILDPACKET
2006-01-26 16:06:03 UTC
Thanks Frederik.

All clear.
Paul Williams [MVP]
2006-01-26 14:46:14 UTC
OLDCMP.EXE is the best way of doing this. You'll get decent html-based log
files and can easily schedule it.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
WILDPACKET
2006-01-26 15:07:01 UTC
Thank you Paul for your response.

I used it but it only finds 47 Disabled Computers and in my case that is not
right.
We have over 500 inactive computers which are long gone.
Paul Williams [MVP]
2006-01-26 17:21:12 UTC
Don't look for disabled accounts. Look for accounts that haven't changed
their passwords in more than, for example, 45 days.

Something like this:

oldcmp -age 45 -report -sh
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
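
Added example (not part of the original thread, and not oldcmp's or dsquery's own code): the check discussed above, password age on computer accounts rather than the disabled flag, sketched in Python over constructed sample records. It assumes the standard AD attributes pwdLastSet (a FILETIME value) and userAccountControl; the host names and dates are made up.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002           # userAccountControl bit: disabled (the "red X")
UF_WORKSTATION_TRUST = 0x1000        # userAccountControl bit: computer account

def to_filetime(dt):
    """UTC datetime -> FILETIME (100 ns ticks since 1601-01-01), as stored in pwdLastSet."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def stale_filter(days, now):
    """LDAP filter for computer accounts whose password is older than `days`.
    Note: it also matches pwdLastSet=0 (password never set)."""
    return f"(&(objectCategory=computer)(pwdLastSet<={to_filetime(now - timedelta(days=days))}))"

def classify(accounts, days, now):
    """Split (name, pwdLastSet, userAccountControl) records into report buckets."""
    cutoff = to_filetime(now - timedelta(days=days))
    report = {"stale": [], "disabled": [], "never_set": []}
    for name, pwd_last_set, uac in accounts:
        if uac & UF_ACCOUNTDISABLE:
            report["disabled"].append(name)      # disabled is independent of password age
        if pwd_last_set == 0:
            report["never_set"].append(name)     # pre-staged, never joined: review by hand
        elif pwd_last_set <= cutoff:
            report["stale"].append(name)
    return report

# Constructed sample data (hypothetical hosts), evaluated as of the thread's date.
NOW = datetime(2006, 1, 26, tzinfo=timezone.utc)
def _age(d): return to_filetime(NOW - timedelta(days=d))
SAMPLE = [
    ("WS-ACTIVE",    _age(10),  UF_WORKSTATION_TRUST),
    ("WS-GONE-120",  _age(120), UF_WORKSTATION_TRUST),
    ("WS-GONE-400",  _age(400), UF_WORKSTATION_TRUST),
    ("WS-DISABLED",  _age(5),   UF_WORKSTATION_TRUST | UF_ACCOUNTDISABLE),
    ("WS-PRESTAGED", 0,         UF_WORKSTATION_TRUST),
]

if __name__ == "__main__":
    print(stale_filter(90, NOW))
    for days in (90, 180):
        print(days, classify(SAMPLE, days, NOW))
```

A longer threshold always returns a subset of a shorter one, which is why the 180-day query in the thread listed fewer computers than the 90-day one.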
WILDPACKET
2006-01-26 20:01:03 UTC
ok.

Thanks.
WILDPACKET
2006-01-26 20:18:07 UTC
I am a bit confused.

When you say accounts do you mean user accounts, who have not changed
their pwds since X days?

I am looking for inactive computers and this command picks up computers which
are still active on our network?

Advise please.
Paul Bergson
2006-01-26 21:32:49 UTC
He is referring to computer accounts. Both users and computers authenticate
to the domain.
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
Cary Shultz
2006-01-29 04:07:52 UTC
And please note that it defaults to computer account objects. You can
easily change the filter used so that you can use it for user account
objects.

Once you learn this tool you will not go anywhere else. It is really quite
valuable.
--
Cary W. Shultz
Roanoke, VA 24012