How to find and remove inactive computer accounts from Active Directory

While researching how to clean up Active Directory for a large client I came across the following instructions for removing inactive computer accounts from Active Directory.
First the Windows Server Administration Tools Pack (Adminpak.msi), which provides the dsquery and dsrm command-line tools used below, must be installed; the latest version can be found here:

You'll want it for other uses, such as diagnosing Active Directory problems, anyway, so it's good to have.

Now check for computers that haven't logged on for a period of time. The -inactive switch takes a number of weeks; the example below uses 8 weeks. From the command line enter:

dsquery computer -inactive 8 -limit 0

After reviewing this list to make sure these computers no longer exist on your network, you can use the following command to find and delete them in one step. Two caveats before you do. First, -inactive reads the lastLogonTimestamp attribute, which exists only at the Windows Server 2003 forest functional level and is, by design, only rewritten when the stored value is more than about 14 days out of date, so the cut-off is accurate to a fortnight rather than a day. Second, dsrm -noprompt deletes the objects immediately and there is no undo short of an authoritative restore, so for a long list it is safer to disable the accounts (or move them to a holding OU) first and delete only those nobody claims after a few weeks.

dsquery computer -inactive 8 -limit 0 | dsrm -noprompt
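The same clean-up done the safer way, as an added example that is not part of the original post: it reads lastLogonTimestamp through the ActiveDirectory PowerShell module (RSAT on Windows 7 / Server 2008 R2 or later, an assumption about your toolset), keeps a CSV of what it found, disables and tags the accounts instead of deleting them, and leaves deletion for a later pass over accounts that have already sat disabled. The 8-week window and the description text are the only choices made here; -WhatIf is left on so nothing changes until the list has been reviewed.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT) and a domain account allowed to modify computer objects.
Import-Module ActiveDirectory

$Weeks  = 8                                   # same window as dsquery -inactive 8
$Cutoff = (Get-Date).AddDays(-7 * $Weeks)

# lastLogonTimestamp is the attribute dsquery -inactive reads. It replicates
# between DCs, but is only rewritten when the stored value is older than
# msDS-LogonTimeSyncInterval (default 14 days), so treat it as accurate to about
# two weeks. Computers with no value at all are not matched by -lt and should
# be reviewed separately.
$Stale = Get-ADComputer -Filter { (Enabled -eq $true) -and (LastLogonTimeStamp -lt $Cutoff) } `
             -Properties LastLogonTimeStamp, PasswordLastSet, OperatingSystem, Description |
         Select-Object Name, OperatingSystem, DistinguishedName, PasswordLastSet, Description,
             @{ Name = 'LastLogon'; Expression = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }

# Keep a record before changing anything: dsrm and Remove-ADComputer have no undo.
$Stale | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\stale-computers.csv"
$Stale | Sort-Object LastLogon | Format-Table Name, OperatingSystem, LastLogon, PasswordLastSet -AutoSize

# Quarantine step: disable and tag rather than delete. A disabled account is
# re-enabled in seconds if the machine turns out to be a seldom-used laptop;
# a deleted one means rejoining the domain. Drop -WhatIf after reviewing the CSV.
foreach ($Computer in $Stale) {
    Set-ADComputer -Identity $Computer.DistinguishedName -Enabled $false `
        -Description ("Disabled {0:yyyy-MM-dd}: no logon in {1} weeks" -f (Get-Date), $Weeks) -WhatIf
}

# Deletion step, for a later run over accounts that were disabled by the step
# above and have stayed silent. Remove-ADComputer refuses to delete an object
# that has child objects (cluster or virtualisation hosts, for example); those
# need Remove-ADObject -Recursive, applied deliberately rather than by default.
Get-ADComputer -Filter { (Enabled -eq $false) -and (LastLogonTimeStamp -lt $Cutoff) } -Properties Description |
    Where-Object { $_.Description -like 'Disabled *' } |
    ForEach-Object { Remove-ADComputer -Identity $_.DistinguishedName -Confirm:$false -WhatIf }
```

Run it once with -WhatIf in place, read the CSV, then remove -WhatIf from the disable step only; the delete step is meant for a separate run a month or so later, once the disabled accounts have proven nobody needed them.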

Troubleshooting Event ID: 1202 SceCli

On a recent service call I found myself looking at an event log full of errors consisting of:

Event ID: 1202
Source: SceCli

Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on Query for “troubleshooting 1202 events”.

I was able to resolve this particular error by the following steps:

Run the following command from the command line (the log is rewritten at every policy refresh, so run gpupdate /force first if the 1202 events you are looking at are old):
Find /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

In my case this resulted in:

Cannot find Remote Desktop.
Cannot find Remote Desktop.
Cannot find Remote Desktop.

Go to Start, Run, and type "rsop.msc" to launch the "Resultant Set of Policy" MMC.

Notice a red X over either Computer Configuration or User Configuration.

Expand the folders under the appropriate category until you see a policy with a red X over it containing the user or group noted in the above error. For a "Cannot find <name>" entry this is usually under Windows Settings, Security Settings, in either Local Policies, User Rights Assignment or Restricted Groups. In a column on the right it will show which Group Policy object this is configured in. Most likely the policy is referencing a user or group that was deleted or renamed, or that only exists as a local group on the machine where the policy was authored, so the name no longer maps to a SID; that is exactly what 0x534 (ERROR_NONE_MAPPED) means. Adjusting the affected policy to remove the group, or replacing the name with one that resolves, corrects this issue. Since the event says the policy was applied "with warning", it is worth confirming afterwards that the rights and group memberships you expect on the machine are actually in place.
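The same hunt done from a prompt, as an added example that is not from the original post: it pulls the unresolved names out of winlogon.log, checks whether each one maps to a SID on this machine, and then searches every GPO's XML report for them. The search part assumes the GroupPolicy module (RSAT on Windows 7 / Server 2008 R2 or later) is available and that you have read access to the GPOs; the regular expression assumes the log lines look like the "Cannot find Remote Desktop." lines quoted above.

```powershell
# Added example, not from the original post. Run on the machine that logged
# the 1202 event, as an administrator.
$Log = Join-Path $env:SystemRoot 'Security\Logs\winlogon.log'

# The log is rewritten on every policy refresh, so refresh first and read fresh data.
gpupdate /target:computer /force | Out-Null

# Lines look like "Cannot find Remote Desktop." The event's 0x534 is
# ERROR_NONE_MAPPED: a name in User Rights Assignment or Restricted Groups that
# the security engine could not translate to a SID.
$Unresolved = Select-String -Path $Log -Pattern '^Cannot find (.+?)\.?\s*$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique

foreach ($Name in $Unresolved) {
    # Confirm the name really does not resolve here. It may well exist elsewhere,
    # e.g. a local group present on the policy author's PC but not on this one.
    try {
        $Sid = (New-Object System.Security.Principal.NTAccount($Name)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        "{0,-40} resolves to {1} (is the log current?)" -f $Name, $Sid
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        "{0,-40} does NOT resolve on this machine" -f $Name
    }
}

# Which GPO carries the bad reference? The RSoP console shows it with a red X;
# scripted, dump each GPO as XML and search it for the unresolved names.
Import-Module GroupPolicy
foreach ($Gpo in Get-GPO -All) {
    $Xml = Get-GPOReport -Guid $Gpo.Id -ReportType Xml
    foreach ($Name in $Unresolved) {
        if ($Xml -match [regex]::Escape($Name)) {
            "GPO '{0}' ({1}) references '{2}'" -f $Gpo.DisplayName, $Gpo.Id, $Name
        }
    }
}
```

The fix is then the one described above, made in the GPO the last loop names: remove the entry or replace it with a name that resolves on the computers the policy applies to, then run gpupdate /force and check that the 1202 events stop.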

Certificate Services Fails to Start

While troubleshooting an 802.1x wireless client on my network I came across an issue where Certificate Services on a Windows Server 2003 Active Directory server kept crashing with the following error:

Event ID: 7024
Source: Service Control Manager

The Certificate Services service terminated with service-specific error 2148204801 (0x800B0101)

Attempting to start Certificate Services from the Certification Authority console yielded:

A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)

Upon further research I discovered that this is caused by an expired CA certificate: 0x800B0101 is CERT_E_EXPIRED, and the service will not start while the certificate it signs with is outside its validity period. (Well before that point the CA starts issuing shorter-lived certificates, because it never issues a certificate that outlives its own, so 802.1x server certificates failing early is a warning sign.)

This Technet article gave the solution.

To renew a root certification authority

1. Log on to the system as a Certification Authority Administrator.
2. Open Certification Authority.
3. In the console tree, right-click the name of the CA (Certification Authority (Computer)/CA name), point to All Tasks, and then click Renew CA Certificate.
4. Click Yes when asked to stop Certificate Services while the certificate is renewed.
5. Choose whether to change the key pair:
• If you want to generate a new public and private key pair for the certification authority's certificate, click Yes.
• If you want to reuse the current public and private key pair for the certification authority's certificate, click No.

Note: To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

Reusing the key pair is the low-friction choice: certificates already issued keep chaining to the same key. Generating a new key pair is the right choice if the old key is suspected of compromise or is shorter than you would accept today. Either way the renewed CA certificate has a new thumbprint, so anything that trusts the root by thumbprint (a wireless profile's trusted root CA selection, for example) may need the new certificate distributed to it.
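Two checks that would have shortened this service call, as an added example that is not from the original post or the TechNet article: decoding the 7024 event's service-specific error into the same text the console shows, and listing every CA certificate in the machine stores with its remaining validity, so the expiry is noticed before the service refuses to start. It assumes you run it on the CA server; the 90-day warning window is an arbitrary choice.

```powershell
# Added example, not from the original post. Run on the CA server as an administrator.
$WarnDays = 90    # assumption: pick a window longer than your renewal change process

# 1. The 7024 event reports the HRESULT as an unsigned decimal (2148204801).
#    Reinterpret it as a signed Int32 and let Windows translate it.
$Code    = [uint32]2148204801
$HResult = [BitConverter]::ToInt32([BitConverter]::GetBytes($Code), 0)   # -2146762495 = 0x800B0101
"Service-specific error {0} = 0x{0:X8}: {1}" -f $Code,
    [System.Runtime.InteropServices.Marshal]::GetExceptionForHR($HResult).Message

# 2. A CA's own signing certificate lives in LocalMachine\My on the CA (with its
#    private key); the roots it and its clients trust live in LocalMachine\Root.
#    Report any CA certificate (Basic Constraints CA=TRUE) that is expired or close to it.
$Now = Get-Date
$Report = foreach ($Store in 'My', 'Root') {
    Get-ChildItem "Cert:\LocalMachine\$Store" | Where-Object {
        $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and $_.CertificateAuthority
        }
    } | ForEach-Object {
        $DaysLeft = [int]($_.NotAfter - $Now).TotalDays
        New-Object PSObject -Property @{
            Store         = $Store
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            DaysLeft      = $DaysLeft
            HasPrivateKey = $_.HasPrivateKey      # True in My = this is the CA's signing certificate
            Status        = if ($DaysLeft -lt 0) { 'EXPIRED' } elseif ($DaysLeft -lt $WarnDays) { 'EXPIRING' } else { 'OK' }
        }
    }
}
$Report | Sort-Object DaysLeft | Format-Table Status, Store, DaysLeft, NotAfter, HasPrivateKey, Thumbprint, Subject -AutoSize
```

Run the second half again after renewing: the new CA certificate appears in My with a new thumbprint and a fresh NotAfter, and that thumbprint is the one any wireless profile or other trust list that pins the root needs to carry. Scheduling this report to mail out monthly turns an outage into a calendar entry.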