Complex AD script for stale computer accounts

Posted on 2014-01-25
Last Modified: 2014-01-27
I am known as 'the PowerShell' guy at work, mainly because I have begun studying and know a little bit about PowerShell and nobody else does. Normally, I will research and write my own PS scripts, but I may be in over my head on this one and with a Monday deadline, I would appreciate any help I can get.

We have inherited a real Active Directory mess, and the stale computers in AD are really messing with our SCCM, licensing, and security reports.

The plan is for me to provide a script that will:

Disable and move workstation accounts that have not been online for 60 days to a Disabled Workstations OU for holding - then LOG at least the computer name
Delete those accounts in the Disabled Workstations OU after 30 days - then LOG at least the computer name
I'm not sure what they mean by log, but I imagine an Excel spreadsheet would do, at least in the short term. I can research in the future what other attributes can be added to entries in the log.

MGMT wants a lot more added to the script in the future to make it more granular, and I imagine that it will be getting rather large over the next few weeks, but those 2 actions are required by Monday (or Maybe Tuesday if I grovel). I am really excited about the long-term project, this should be really informative.

The worst part about the timing of this is that I will be in a wedding party all day today, and won't have much free time this weekend...


I have a few lines of code:

Import-Module ActiveDirectory

$disacct = (Get-Date).AddDays(-60)   # cutoff for disabling: no logon in the last 60 days
$delacct = (Get-Date).AddDays(-30)   # cutoff for deleting: 30 days

# For disabling the account:
Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $disacct} | Set-ADComputer -Enabled $false

# not sure about the correct syntax to add the move to a different OU

# For deleting the account:
# (as written, this is not yet scoped to the Disabled Workstations OU)
Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $delacct} | Remove-ADComputer


Once again, any assistance is sincerely appreciated. I know that I am asking a lot here.
Question by:Bruce Popovich

Accepted Solution

Subsun earned 1000 total points
ID: 39808859
You may also use Search-ADAccount to search for inactive accounts. The following code should do your task. As you may already know, you can use the commands with the -WhatIf switch to test this.
#To move the inactive accounts
Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 60 | 
	Tee -FilePath C:\movelogs.txt | 
		Move-ADObject -TargetPath "OU=Inactive Computers,DC=Max,DC=Com"

#To Disable the account which are moved..
Get-ADComputer -Filter * -SearchBase "OU=Inactive Computers,DC=Max,DC=Com" | ?{$_.Enabled} | Disable-ADAccount

#To delete the moved accounts which are older than 30 days..
Get-ADComputer -Filter * -SearchBase "OU=Inactive Computers,DC=Max,DC=Com" -Properties whenChanged | 
	?{$_.whenChanged -le (Get-date).Adddays(-30)} |
	Tee -FilePath C:\Dellogs.txt | 
	Remove-ADComputer -Confirm:$False

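The two requirements in the question (disable and move after 60 idle days, delete from the holding OU after a further 30 days, log both) and Subsun's answer above both describe the same procedure; the following is an added example of it as one script with -WhatIf support and a CSV log. It is not the asker's draft or Subsun's code. The holding OU DN, the log path, the description stamp format and the script file name are assumptions, not values from the page; the RSAT ActiveDirectory module on PowerShell 3.0 or later is required (for -notin). The one design difference from Subsun's answer is that the 30-day clock is kept in the object's own description rather than in whenChanged, because any later write to the object (a group membership change, for instance) resets whenChanged and would extend the holding period unnoticed.

```powershell
<#
  Added example (not the asker's or Subsun's code). Assumed values: the holding OU DN,
  the log path and the description stamp. Dry-run first:
      .\Invoke-StaleComputerCleanup.ps1 -WhatIf
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$HoldingOU        = 'OU=Disabled Workstations,DC=example,DC=com', # assumed DN
    [int]   $DisableAfterDays = 60,
    [int]   $DeleteAfterDays  = 30,
    [string]$LogPath          = 'C:\Logs\StaleComputers.csv'                  # assumed path
)

Import-Module ActiveDirectory -ErrorAction Stop
$null = Get-ADOrganizationalUnit -Identity $HoldingOU -ErrorAction Stop   # fail early on a bad DN

$stamp         = 'StaleCleanup:'                 # marker written into Description at disable time
$disableCutoff = (Get-Date).AddDays(-$DisableAfterDays)
$deleteCutoff  = (Get-Date).AddDays(-$DeleteAfterDays)
$dcDNs         = (Get-ADDomainController -Filter *).ComputerObjectDN

function Write-ActionLog {
    param([string]$Action, $Computer, [string]$Note = '')
    [pscustomobject]@{
        Timestamp     = (Get-Date).ToString('s')
        Action        = $Action
        Name          = $Computer.Name
        DN            = $Computer.DistinguishedName
        LastLogonDate = $Computer.LastLogonDate
        OS            = $Computer.OperatingSystem
        Note          = $Note
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

# ---- Step 1: disable and move workstations idle for $DisableAfterDays days ----
# LastLogonDate is the replicated lastLogonTimestamp, which can trail the real last
# logon by up to 14 days: fine for a 60-day threshold, unsuitable for short ones.
# Objects that never logged on have no timestamp and do not match the filter.
# Domain controllers and anything already in the holding OU are skipped explicitly.
$stale = Get-ADComputer -Filter { Enabled -eq $true -and LastLogonDate -lt $disableCutoff } `
             -Properties LastLogonDate, OperatingSystem, Description |
         Where-Object { $_.DistinguishedName -notin $dcDNs -and
                        $_.DistinguishedName -notlike "*,$HoldingOU" }

foreach ($c in $stale) {
    if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Disable and move to $HoldingOU")) {
        # Keep the disable date, original location and old description on the object
        # itself so step 2 has a clock that ordinary attribute writes cannot reset.
        Set-ADComputer -Identity $c -Description "$stamp $(Get-Date -Format yyyy-MM-dd) from $($c.DistinguishedName) | $($c.Description)"
        Disable-ADAccount -Identity $c
        Move-ADObject -Identity $c -TargetPath $HoldingOU
        Write-ActionLog -Action 'DisabledAndMoved' -Computer $c
    }
}

# ---- Step 2: delete accounts held in the OU for more than $DeleteAfterDays days ----
# Scoped to the holding OU and to disabled objects only, so a computer someone
# re-enabled or moved back into production is never deleted by this step.
$held = Get-ADComputer -SearchBase $HoldingOU -SearchScope OneLevel -Filter { Enabled -eq $false } `
            -Properties LastLogonDate, OperatingSystem, Description

foreach ($c in $held) {
    $isStamped = $c.Description -match "^$([regex]::Escape($stamp)) (\d{4}-\d{2}-\d{2})"
    if (-not $isStamped) {
        Write-ActionLog -Action 'SkippedNoStamp' -Computer $c -Note 'not disabled by this script'
        continue
    }
    $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
    if ($disabledOn -gt $deleteCutoff) { continue }        # still inside the holding period

    if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Delete (disabled $($Matches[1]))")) {
        try {
            # Remove-ADComputer refuses objects that have child entries (for example
            # BitLocker recovery information). Those are logged as failures rather than
            # force-deleted recursively, so the recovery keys can be reviewed first.
            Remove-ADComputer -Identity $c -Confirm:$false -ErrorAction Stop
            Write-ActionLog -Action 'Deleted' -Computer $c -Note "disabled on $($disabledOn.ToString('yyyy-MM-dd'))"
        } catch {
            Write-ActionLog -Action 'DeleteFailed' -Computer $c -Note $_.Exception.Message
        }
    }
}
```

Run it once with -WhatIf and read the "What if" lines before a real run; because both loops sit inside ShouldProcess, a dry run neither touches AD nor writes to the log. The CSV gives one row per action with the timestamp, DN and last logon date, which is the minimum the question asks for and is enough to answer "who disabled this machine and when" later.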


Assisted Solution

by:Mike Kline
Mike Kline earned 1000 total points
ID: 39809325
By the way, if you don't have time to test the PowerShell script by Monday, there is also a nice third-party tool that can help: http://www.cjwdev.co.uk/Software/ADTidy/Info.html

Looks like Subsun has it for you, but I wanted to provide other options too.



Author Closing Comment

by:Bruce Popovich
ID: 39812101
THANKS! to both of you.  I owe you big time on this one...
