As most serious Windows administrators do, I run WSUS to manage testing and rollout of Microsoft hotfixes for all of the computers at work.
For the most part, WSUS runs great and provides us with a lot of features and manageability, but one thing has been bugging me for a while. There is no "native" way of removing stale computer accounts, or even of automatically removing computers that have been removed from Active Directory.
Until now, I've been unaware of the sample app called CleanStaleComputers, which comes with the Update Services 3.0 API Samples and Tools download.
The API Samples also include a few other code snippets and examples, but the most useful one is by far the CleanStaleComputers one.
Download and install it on the WSUS server and you'll find the tool located in %ProgramFiles%\Update Services 3.0 API Samples and Tools\CleanStaleComputers\.
Usage is pretty straightforward, but here is an example:
CleanStaleComputers.exe /DAYS:60 /DELETE:NO /PROMPT:NO
This command will move all computers that haven't contacted the WSUS server in the last 60 days into a "Stale Computers" computer group in WSUS. That makes the task of checking the list of stale computers much easier.
Of course, you can have the tool automatically delete the computers from WSUS as well, but I prefer to look over the list manually and double check the validity of the accounts before I delete them.
Erroneously deleting a computer account in WSUS isn't that big a deal really, as the computers auto-register themselves again the next time they sync anyway.
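The manual review of the "Stale Computers" group can be sped up with a read-only cross-check against Active Directory. The script below is an added example, not part of the API Samples download; it assumes it is run on the WSUS server itself, that the ActiveDirectory PowerShell module is installed, and that each computer's WSUS FullDomainName matches its DNSHostName in AD.

```powershell
# Added example: report on the members of the "Stale Computers" WSUS group
# and whether each one still exists (and is enabled) in Active Directory.
# Read-only: nothing is deleted from WSUS or AD.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
Import-Module ActiveDirectory

$wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Stale Computers' }
if (-not $group) {
    throw 'No "Stale Computers" group found; run CleanStaleComputers.exe first.'
}

$report = foreach ($target in $group.GetComputerTargets()) {
    # Escape single quotes so the name cannot break out of the AD filter string
    $fqdn = $target.FullDomainName.Replace("'", "''")
    $ad   = Get-ADComputer -Filter "DNSHostName -eq '$fqdn'" -Properties LastLogonDate

    $verdict = if (-not $ad) {
        'Not in AD'                       # candidate for deletion from WSUS
    } elseif (-not $ad.Enabled) {
        'Disabled in AD'                  # likely decommissioned
    } else {
        'Enabled in AD, not syncing'      # live machine that may be missing patches
    }

    New-Object PSObject -Property @{
        Computer     = $target.FullDomainName
        LastWsusSync = $target.LastSyncTime    # reported by WSUS in UTC
        LastAdLogon  = if ($ad) { $ad.LastLogonDate } else { $null }
        Verdict      = $verdict
    }
}

$report | Sort-Object Verdict, Computer |
    Format-Table Computer, LastWsusSync, LastAdLogon, Verdict -AutoSize
```

Machines reported as "Enabled in AD, not syncing" deserve a closer look before deletion, since they may be in use but no longer receiving updates.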