We have 1200 machine objects in our AD. Only about 700 are still valid and in use. We need to implement a system that can be automated to clean up stale/old machine accounts by retiring them after a set # of days of password age and then delete the accounts after a certain # of days after being retired.
Here is what I have been told.
1. Machine accounts reset their passwords every 30 days.
2. If they have not reset their password in 60 days, AD "locks" the account out.
3. If a user attempts to connect on the network after 60 days, the machine will not be able to get on the network, even without the machine account being disabled.
This is often the case for VPN users. Whenever they connect from home, their machine account passwords do not get reset, but they can get on the network because of VPN pass through. If these users were to come into the office and attempt to connect, AD will refuse the connection, mimicking the effects of a disabled account.
4. We can automate any disabling/deleting processes whenever we determine how we would like to begin administering AD.

This sounds straightforward, but we have been unable to find any M$ data to back it up. We want to start doing this, but really need to have data to back it up. At this point, we think that accounts 180 days and older can be disabled.
Any thoughts?
I agree Computing.net does need an edit button.
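
The two-stage cleanup asked about above (disable on password age, delete some time after disabling), as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module; the 90-day delete window, the `RETIRED` description marker and the search base are placeholders chosen for illustration, and only the 180-day threshold comes from the post.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$RetireAfterDays = 180,   # password-age threshold proposed in the post
    [int]$DeleteAfterDays = 90,    # assumed value; the post does not give one
    [string]$SearchBase   = 'OU=Workstations,DC=example,DC=com'  # placeholder OU
)

$now       = Get-Date
$retireCut = $now.AddDays(-$RetireAfterDays)
$deleteCut = $now.AddDays(-$DeleteAfterDays)
$marker    = 'RETIRED '   # hypothetical stamp written when an account is disabled

# Stage 1: disable enabled accounts whose machine password is older than the cutoff.
# Accounts with no PasswordLastSet value are skipped rather than treated as stale.
Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $retireCut } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Disable and stamp as retired')) {
            Disable-ADAccount -Identity $_
            # Overwrites any existing description; the stamp records the retire date.
            Set-ADComputer -Identity $_ -Description ($marker + $now.ToString('yyyy-MM-dd'))
        }
    }

# Stage 2: delete only accounts this script retired, once the stamp is old enough.
# Accounts disabled by hand (no stamp) are never touched.
Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $false' `
        -Properties Description |
    ForEach-Object {
        if ($_.Description -match "^$marker(\d{4}-\d{2}-\d{2})$") {
            $retiredOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
            if ($retiredOn -lt $deleteCut -and
                $PSCmdlet.ShouldProcess($_.Name, 'Delete retired computer account')) {
                Remove-ADComputer -Identity $_ -Confirm:$false
            }
        }
    }
```

Running it with `-WhatIf` lists the accounts each stage would change without modifying anything.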
