Solved

Complex AD script for stale computer accounts

Posted on 2014-01-25
3
674 Views
1 Endorsement
Last Modified: 2014-01-27
I am known as 'the PowerShell' guy at work, mainly because I have begun studying and know a little bit about PowerShell and nobody else does. Normally, I will research and write my own PS scripts, but I may be in over my head on this one and with a Monday deadline, I would appreciate any help I can get.

We have inherited a real Active Directory mess, and the stale computers in AD are really messing with our SCCM, licensing, and security reports.

The plan is for me to provide a script that will:

Disable and move workstation accounts that have not been online for 60 days to a Disabled Workstations OU for holding - then LOG at least the computer name
Delete those accounts in the Disabled Workstations OU after 30 days - then LOG at least the computer name
I'm not sure what they mean by log, but I imagine an Excel spreadsheet would do, at least in the short term. I can research in the future what other attributes can be added to entries in the log

MGMT wants a lot more added to the script in the future to make it more granular, and I imagine that it will be getting rather large over the next few weeks, but those 2 actions are required by Monday (or Maybe Tuesday if I grovel). I am really excited about the long-term project, this should be really informative.

The worst part about the timing of this is that I will be in a wedding party all day today, and won't have much free time this weekend...

----

I have a few lines of code:

$disacct = (Get-Date).AddDays(-60)

$delacct = (Get-Date).AddDays(-30)

 

 # For disabling the account:

Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $disacct} | Set-ADComputer -Enabled $false

#not sure about the correct syntax to add the move to different OU

--

# For deleting the account:

Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $delacct} | Remove-ADComputer

----

Once again, any assistance is sincerely appreciated. I know that I am asking a lot here.
1
Comment
Question by:Bruce Popovich
3 Comments
 
LVL 40

Accepted Solution

by:
Subsun earned 250 total points
Comment Utility
You may also use Search-ADAccount to searh for inactive accounts.. The following code should do your task.. As you may already know, you can use the commands with -WhatIf switch to test this..
#To move the inactive accounts
Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 60 | 
	Tee -FilePath C:\movelogs.txt | 
		Move-ADObject -TargetPath "OU=Inactive Computers,DC=Max,DC=Com"

#To Disable the account which are moved..
Get-ADComputer -Filter * -SearchBase "OU=Inactive Computers,DC=Max,DC=Com" | ?{$_.Enabled} | Disable-ADAccount

#To delete the moved accounts which are older than 30 days..
Get-ADComputer -Filter * -SearchBase "OU=Inactive Computers,DC=Max,DC=Com" -Properties whenChanged | 
	?{$_.whenChanged -le (Get-date).Adddays(-30)} |
	Tee -FilePath C:\Dellogs.txt | 
	Remove-ADComputer -Confirm:$False

Open in new window

0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
Comment Utility
By the way if you don't have time to test the powershell script by Monday there is also a nice 3rd party tool that can help   http://www.cjwdev.co.uk/Software/ADTidy/Info.html

looks like subsun has it for you but wanted to provide other options too.

Thanks

Mike
0
 

Author Closing Comment

by:Bruce Popovich
Comment Utility
THANKS! to both of you.  I owe you big time on this one...
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Do you have users whose passwords are expiring and they are constantly calling you?  Well I sure did and needed a way to put an end to this.  We have a lot of remote users which would not be notified that their passwords were expiring since they wer…
[b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now