Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

Professional Opinions
Ask a Question
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

troubleshooting Question

Windows AD Scripting - Excluding Machines

Avatar of nouses9
nouses9Flag for United States of America asked on
Operating Systems
4 Comments1 Solution831 ViewsLast Modified:
Hello all,

Hopefully this is in the right place.  I have a script that I found online that does exactly what I need to do except for one small thing (I don't do a lot of scripting so I thought I would turn to all of you for help).  Here is the script and what it is supposed to do:

'This script enumerates the AD and creates a record set of all machine accounts
'It then loops through the record set checking the machine accounts password age
'and comparing it to the age that was entered. Any machine account that has a
'password age older than that which is specified will be listed.
'Keep in mind that by default a machine will renew it's password after 30 days so
'if a password is 60 days old then it has not been powered on and attached to the
'network for at least 30 days.

'The second inputbox is to decide if you only wish to run this in list mode, which
'will only list the machines in a text file but will not take any other action.
'If you select Yes to run in delete mode, then it will still write to the text
'file but it will also prompt you with the machine account name and its password
'age for each machine account that is greater than the age specified and ask if
'you wish to delete it from AD or not.

'Don't forget to replace "yourdom.com" with your domain name.
DomainName = "yourdom.com"

limit = inputbox("Enter max age")
DeleteMode = Msgbox("Do you wish to run in delete mode?", vbYesNo)

'****************Setup Log file******************************************************

Set fso = CreateObject("Scripting.FileSystemObject")
'The 8 in this line will append to an existing file, replace with a 2 to override
set txtStream = fso.OpenTextFile("System.txt", 8, True)
txtStream.WriteLine "Ran on " & Date & " *******************************"

'****************Setup ADSI connection and populate ADSI Collection******************

Set objADOconnADSI = CreateObject("ADODB.Connection")
objADOconnADSI.Open "Provider=ADsDSOObject;"
Set objCommandADSI = CreateObject("ADODB.Command")
objCommandADSI.ActiveConnection = objADOconnADSI
'there is a 1000 object default if these next 2 lines are omited.
objCommandADSI.Properties("Size Limit")= 10000
objCommandADSI.Properties("Page Size")= 10000
objCommandADSI.Properties("Sort on") = "sAMAccountName"
objCommandADSI.CommandText = "<LDAP://" & DomainName & ">;(objectClass=computer);sAMAccountName,pwdLastSet,name,distinguishedname;subtree"
Set objRSADSI = objCommandADSI.Execute

'Loop through record set and compare password age*************************************

do while NOT objRSADSI.EOF
if not isnull(objRSADSI.Fields("distinguishedname")) and objRSADSI.Fields("distinguishedname") <> "" then
objDate = objRSADSI.Fields("PwdLastSet")
'Go to function to make sense of the PwdLastSet value from AD for the machine account.
dtmPwdLastSet = Integer8Date(objDate, lngBias)
'calculate the current age of the password.
DiffADate = DateDiff("d", dtmPwdLastSet, Now)
'Is the password older than the specified age.
if DiffADate > int(limit) then
'Are we running in delete mode or not.
if DeleteMode = vbYes then
'Ask if this machine account should be deleted from AD.
intReturn = Msgbox("Are you sure you want to delete this computer account?", vbYesNo, "Delete " & objRSADSI.Fields("name"))
'If yes then write info to log file and then delete it else just log it.
If intReturn = vbYes Then
Set objComputer = GetObject("LDAP://" & objRSADSI.Fields("distinguishedname"))
strComputer = objComputer.CN
txtStream.WriteLine objRSADSI.Fields("name") & "," & dtmPwdLastSet & "," & DiffADate & " -- Deleted"
objComputer.DeleteObject (0)
txtStream.WriteLine objRSADSI.Fields("name") & "," & dtmPwdLastSet & "," & DiffADate & " -- Not Deleted"
End If
'If running in list only mode then just write entry to log file and move on to next record.
txtStream.WriteLine objRSADSI.Fields("name") & "," & dtmPwdLastSet & "," & DiffADate & " -- List Only"
end if
end if
end if
wscript.echo "Done!"

'I found this function and it seems to work greate. I don't pretend to fully understand it though.
'I don't know who wrote it or I would give them credit.
Function Integer8Date(objDate, lngBias)
' Function to convert Integer8 (64-bit) value to a date, adjusted for
' local time zone bias.
Dim lngAdjust, lngDate, lngHigh, lngLow
lngAdjust = lngBias
lngHigh = objDate.HighPart
lngLow = objdate.LowPart
' Account for bug in IADslargeInteger property methods.
If lngLow < 0 Then
lngHigh = lngHigh + 1
End If
If (lngHigh = 0) And (lngLow = 0) Then
lngAdjust = 0
End If
lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
+ lngLow) / 600000000 - lngAdjust) / 1440
Integer8Date = CDate(lngDate)
End Function

The only thing is that when the record set of all machine accounts is created, I don't want it to include any machines whose name ends in LT (those are laptops and I don't need to know anything about them).  It doesn't sound like it should be to hard, but whne you don't do this often, you sometimes underestimte the challenges.  Any help would be appreciated...

Avatar of 1r2d2c3po

Our community of experts have been thoroughly vetted for their expertise and industry experience.

This problem has been solved!
Unlock 1 Answer and 4 Comments.
See Answers