
First off, I want to state I'm a long-time Orion, APM, and NetFlow user and love the products. I also use ETS.
Today I downloaded the new free tool that is supposed to allow one to locate unused computer accounts. It installed quickly and easily. I ran it against my AD and I found a large number of machine accounts that it wanted to remove. I changed the setting to detect machines that had NOT contacted the DC in more than a year. I then broke a cardinal IT rule: I made a fairly significant AD change right before I had to leave the office. Fortunately there are other cardinal IT rules that I didn't break: always have a backup and document your changes.
Before I removed the 48 machine accounts suggested by ICA, I exported the list to a CSV file. I then told it to remove the machines from my AD. One of the machines it was not able to remove and I'm not sure why. I do not think it is protected. I then left for a meeting.
About an hour later I got a call that one of my users could not log on to their PC. I knew immediately what had happened. I logged in remotely and looked at my export from ICA. Sure enough, that person's PC was on the list and I had been too stupid to check earlier. Fortunately I have AD item-level backup, so I was able to restore the account to the domain. Unfortunately I think the backup was too old, so the Kerberos ticket had expired, so I had to log on locally to the user's machine and manually re-add it to the domain using the local admin account.
I think the problem may be that the ICA is only checking if the machines have been authenticated against a specific DC and not the entire domain. That is my guess anyway. So please make sure before you run this you verify those machines are no longer on your LAN.
I think this is a great concept for a tool and I look forward to feedback regarding resolution of the issue.
Thanks for your feedback. We are looking into the issue and will get back to you on this forum.
--
Steve
Thanks Steve.
All,
We identified an issue in getting the most recent logon time in multi-DC domains. This has been addressed. The download has been updated with the fix. You can uninstall the old version and install the new version.
We apologize for the inconvenience.
--
Steve Daily
Program Manager for SolarWinds Free Tools
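The multi-DC problem discussed in this thread, as an added example that is not part of the thread and is not SolarWinds code: it flags a computer as inactive only when the newest logon value reported by any domain controller is older than the cutoff. It assumes the logon data comes from the `lastLogon` attribute, which each DC stores for itself and does not replicate (the thread does not name the attribute); the function name, host names and DC names are hypothetical.

```powershell
# Added example. Assumption: logon data comes from lastLogon, which is kept
# per domain controller and is not replicated between DCs.
function Get-InactiveComputer {
    param(
        [Parameter(Mandatory)] [object[]] $Record,   # one row per computer per DC
        [Parameter(Mandatory)] [datetime] $Cutoff
    )
    $Record | Group-Object -Property Name | ForEach-Object {
        # The newest value reported by any DC wins; 0 means that DC never saw a logon.
        $newest = $_.Group.LastLogon | Sort-Object | Select-Object -Last 1
        $last = if ($newest -gt 0) { [datetime]::FromFileTimeUtc($newest) } else { $null }
        if ($null -eq $last -or $last -lt $Cutoff) {
            [pscustomobject]@{ Name = $_.Name; LastLogonUtc = $last }
        }
    }
}

# On a live domain the rows could be gathered like this (ActiveDirectory module):
#   $rows = foreach ($dc in Get-ADDomainController -Filter *) {
#       Get-ADComputer -Filter * -Properties lastLogon -Server $dc.HostName |
#           Select-Object Name, @{n='DC';e={$dc.HostName}}, @{n='LastLogon';e={$_.lastLogon}}
#   }

# Constructed sample data (hypothetical host and DC names).
$now    = [datetime]::UtcNow
$old    = $now.AddDays(-500).ToFileTimeUtc()
$recent = $now.AddDays(-2).ToFileTimeUtc()
$rows = @(
    [pscustomobject]@{ Name = 'PC-ALICE';   DC = 'dc1.example.test'; LastLogon = $old }
    [pscustomobject]@{ Name = 'PC-ALICE';   DC = 'dc2.example.test'; LastLogon = $recent }
    [pscustomobject]@{ Name = 'PC-RETIRED'; DC = 'dc1.example.test'; LastLogon = $old }
    [pscustomobject]@{ Name = 'PC-RETIRED'; DC = 'dc2.example.test'; LastLogon = [long]0 }
)
$cutoff = $now.AddDays(-365)

# Looking at dc1 alone flags both machines, including one in daily use.
'Single-DC view (dc1 only):'
Get-InactiveComputer -Record ($rows | Where-Object DC -eq 'dc1.example.test') -Cutoff $cutoff

# Merging all DCs leaves only the machine that no DC has seen within the cutoff.
'All DCs merged:'
Get-InactiveComputer -Record $rows -Cutoff $cutoff
```

Exporting the merged result and reviewing it before any deletion keeps the change reversible, as the CSV export did in the first post.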
Thanks Steve. I'll give it a shot. Are you able to elaborate as to what the issue was? Just curious. Appeared to me that it was only querying the DC it was run against and not the entire domain.
Jason Ervin posted an update today (UPDATE: The AD Inactive Computer Removal and AD Inactive User Account Removal Tools multiple DC's bug) that might explain a little further.
DH
Hello guys,
Just trying this tool out and I wondered, could it be operated via command-line switches?
Great tool.
Thanks