Solved

Removing old computer accounts across several domains

Posted on 2013-12-05
Last Modified: 2013-12-23
Hello all,

I need to either find a tool (such as ADtidy or oldcomp) or write a powershell script that will allow me to identify and then delete (as required) computer accounts that have not logged into the domain over a given time period.  The real challenge is I need to be able to check across several domains.

I'm using the following powershell script as a basis but this only references one domain:
(Thanks Matt Vogt)

Import-Module ActiveDirectory
# Cutoff date, typed in at the prompt
$time = Read-Host
$time = Get-Date ($time)
$date = Get-Date ($time) -UFormat %d.%m.%y
# Computers whose LastLogonTimeStamp is older than the cutoff, exported as CSV
Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp |
    Select-Object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} | Export-Csv .all_old_computers_timestamps

My scripting skills are very rusty so need some help!

Good luck!
0
Question by:johnp3472
6 Comments
 
LVL 13

Accepted Solution

by:
Felix Leven earned 250 total points
ID: 39697848
I still prefer to do this with the Quest AD cmdlets:

Import the Module:
Add-PSSnapin Quest.ActiveRoles.ADManagement

The cmdlet Get-QADComputer can search for inactive or password not changed accounts.

Get-QADComputer -Inactive

and
Get-QADComputer -PasswordNotChangedFor

You can connect to different domains as well:

connect-QADService -Service 'server.domian.local:389'

0
 
LVL 40

Assisted Solution

by:footech
footech earned 250 total points
ID: 39698006
I'm assuming you mean all domains are in the same forest.  So really you just need to direct your queries to a DC in each domain using the -server parameter (depending on what you want to do, sometimes you can use a single global catalog instead).  You may also want to look at using the Search-ADAccount cmdlet as it has a -AccountInactive parameter.
$srvs = (Get-ADForest).domains | ForEach { (Get-ADDomain $_).PDCEmulator }
foreach ($srv in $srvs)
{
   #code here
}


0
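
One way to fill in the loop body from the answer above, as an added example that is not code from the thread: it reports inactive computer accounts from every domain in the forest and disables them only as a dry run. `$DaysInactive`, `$ReportPath` and the 90-day value are assumptions; the ActiveDirectory module is required.

```powershell
# Added example, not code from the thread. $DaysInactive and $ReportPath are
# assumed names/values; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$DaysInactive = 90      # assumption: keep well above 14 days, because
                        # lastLogonTimestamp replicates with up to ~14 days lag
$ReportPath   = '.\stale_computers.csv'   # assumed output file
$span         = New-TimeSpan -Days $DaysInactive

# One DC per domain in the forest, as in the answer above
$srvs = (Get-ADForest).Domains | ForEach-Object { (Get-ADDomain $_).PDCEmulator }

$stale = foreach ($srv in $srvs) {
    # -Server directs the query to that domain's DC
    Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan $span -Server $srv |
        Where-Object { $_.Enabled } |
        Select-Object Name, DistinguishedName, LastLogonDate,
            @{Name = 'Server'; Expression = { $srv }}
}

# Review the report before changing anything
$stale | Sort-Object Server, LastLogonDate |
    Export-Csv $ReportPath -NoTypeInformation

# Disable (not delete) as a reversible first step; -WhatIf only prints what
# would happen. Remove -WhatIf once the report has been checked.
foreach ($c in $stale) {
    Disable-ADAccount -Identity $c.DistinguishedName -Server $c.Server -WhatIf
}
```

If the account running the script lacks rights in another domain, the `-Credential` parameter of `Search-ADAccount` and `Disable-ADAccount` can supply them per domain.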
 

Author Comment

by:johnp3472
ID: 39698074
Thanks for the comments so far guys!  Yes footech, they are all in the same forest.
0

 
LVL 40

Expert Comment

by:footech
ID: 39701600
Did that give you the info you needed or are you still facing issues?
0
 

Author Comment

by:johnp3472
ID: 39706011
Footech,  I still need to set up a clone of one of our DCs.  Until I've done that, I won't be able to test the script.  Occurred to me though that I will need some way to authenticate across the domains!  I think I have the required commands.....  Thanks for checking back!  And now it seems my mobo does not support 64bit architecture.  Now waiting for a new 64bit desktop to arrive!
0
 

Author Comment

by:johnp3472
ID: 39735584
Got everything up and running.  Many thanks to you both MrGraves and Footech.  I am going to go split the points as both were helpful!  Have a great Christmas guys!
0

Question has a verified solution.