OldCmp was designed to be a command line Active Directory query tool. It is primarily used to find and clean up old computer accounts that haven't been used. It can also be used to clean up user accounts when the proper filter is specified.

OldCmp was built because there was no decent way to find, report on, or delete old computers in Active Directory. You can use dsget combined with dsrm, but you are really taking your life in your hands. OldCmp has all sorts of safeties built in to try to prevent you from shooting your own foot. Note that you can still shoot yourself in the foot; it just takes more work. This appeals to the paranoid, scared admin in myself.

The tool will work with a Windows 2000 AD as well as a Windows 2003 AD. It can key off the pwdLastSet attribute or, in a domain at the Windows 2003 domain functional level, off lastLogonTimestamp. This means you are going after IDs that have not had their password reset in x days, or you can go after accounts that haven't logged on in x days, where by default x is 90 days.

I chose 90 days because computers should change their password at least every 30 days unless they have had their registries modified to prevent that password change. There are exceptions, like when a mobile user goes away and doesn't log into the network for a long time, or some poorly written SAN/NAS solutions that don't change the password on the machine accounts on a regular basis. Generally, however, if the password on a computer account is between 90-120 days old, you can safely remove it.

OldCmp, as mentioned above, has some safeties built in; the list is:

OldCmp is also flexible enough to add your own components to the filter, so if you want to find only disabled computer accounts, or computer accounts in the xx dept, or whatever, you have the ability to add any standard LDAP queries onto the base filter generated.
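The age test and the filter extension described above, as an added Python example. It is not OldCmp's code and not necessarily the filter OldCmp generates. The `objectCategory=computer` base clause, the function names and the reference date are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet and lastLogonTimestamp as FILETIME values:
# 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Bitwise-AND matching rule against the ACCOUNTDISABLE (0x2) flag.
DISABLED = "(userAccountControl:1.2.840.113556.1.4.803:=2)"

def to_filetime(dt):
    """Convert a timezone-aware datetime to an integer FILETIME."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def balanced(fragment):
    """Accept only extra filter text whose parentheses pair up."""
    depth = 0
    for ch in fragment:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and fragment.startswith("(") and fragment.endswith(")")

def stale_filter(now, days=90, attr="pwdLastSet", extra=""):
    """Build a filter for computers whose age attribute is older than `days`."""
    if attr not in ("pwdLastSet", "lastLogonTimestamp"):
        raise ValueError("unsupported age attribute")
    if extra and not balanced(extra):
        raise ValueError("extra filter is not a well-formed LDAP fragment")
    cutoff = to_filetime(now - timedelta(days=days))
    return f"(&(objectCategory=computer)({attr}<={cutoff}){extra})"

def is_stale(value, now, days=90):
    """Recheck one returned attribute value before acting on the account.
    A value of 0 is left for manual review instead of being called stale."""
    return 0 < int(value) <= to_filetime(now - timedelta(days=days))

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time
    print(stale_filter(now))
    print(stale_filter(now, attr="lastLogonTimestamp", extra=DISABLED))
```

Run the resulting filter as a report first and review the matches, including the mobile-user and SAN/NAS exceptions noted above, before removing anything.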