Complex AD script for stale computer accounts

Posted on 2014-01-25
Last Modified: 2014-01-27
I am known as 'the PowerShell guy' at work, mainly because I have begun studying and know a little bit about PowerShell and nobody else does. Normally, I will research and write my own PS scripts, but I may be in over my head on this one, and with a Monday deadline I would appreciate any help I can get.

We have inherited a real Active Directory mess, and the stale computers in AD are really messing with our SCCM, licensing, and security reports.

The plan is for me to provide a script that will:

- Disable and move workstation accounts that have not been online for 60 days to a Disabled Workstations OU for holding, then LOG at least the computer name.
- Delete those accounts in the Disabled Workstations OU after 30 days, then LOG at least the computer name.

I'm not sure what they mean by log, but I imagine an Excel spreadsheet would do, at least in the short term. I can research in the future what other attributes can be added to entries in the log.

MGMT wants a lot more added to the script in the future to make it more granular, and I imagine that it will be getting rather large over the next few weeks, but those 2 actions are required by Monday (or maybe Tuesday if I grovel). I am really excited about the long-term project; this should be really informative.

The worst part about the timing of this is that I will be in a wedding party all day today, and won't have much free time this weekend...

----

I have a few lines of code:

Import-Module ActiveDirectory

$disacct = (Get-Date).AddDays(-60)
$delacct = (Get-Date).AddDays(-30)

# For disabling the account:
Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $disacct} | Set-ADComputer -Enabled $false

# not sure about the correct syntax to add the move to different OU

--

# For deleting the account (scoped to the holding OU so it cannot delete
# anything that was never disabled; the DN below is a placeholder):
$disabledOU = "OU=Disabled Workstations,DC=<your-domain>,DC=<tld>"
Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $delacct} -SearchBase $disabledOU | Remove-ADComputer

----

Once again, any assistance is sincerely appreciated. I know that I am asking a lot here.
Question by:Bruce Popovich
3 Comments
 
LVL 40

Accepted Solution

by:
Subsun earned 1000 total points
ID: 39808859
You may also use Search-ADAccount to search for inactive accounts. The following code should do your task. As you may already know, you can use the commands with the -WhatIf switch to test this.
#To move the inactive accounts
Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 60 | 
	Tee -FilePath C:\movelogs.txt | 
		Move-ADObject -TargetPath "OU=Inactive Computers,DC=Max,DC=Com"

#To Disable the account which are moved..
Get-ADComputer -Filter * -SearchBase "OU=Inactive Computers,DC=Max,DC=Com" | ?{$_.Enabled} | Disable-ADAccount

#To delete the moved accounts which are older than 30 days..
Get-ADComputer -Filter * -SearchBase "OU=Inactive Computers,DC=Max,DC=Com" -Properties whenChanged | 
	?{$_.whenChanged -le (Get-date).Adddays(-30)} |
	Tee -FilePath C:\Dellogs.txt | 
	Remove-ADComputer -Confirm:$False


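The question asks for a two-stage process (disable and move after 60 days, delete from the holding OU after 30 more, logging each step), and the accepted answer above implements it with Search-ADAccount, Tee for logging and whenChanged as the "time in OU" clock. The following script is an added example, not code from the question or from Subsun's answer. It assumes the RSAT ActiveDirectory module, and the holding OU DN and log path are placeholders. It swaps in Get-ADComputer with a LastLogonDate filter instead of Search-ADAccount, excludes servers by operating-system string so a workstation cleanup cannot retire a member server, writes a CSV log with more than the computer name, supports -WhatIf through SupportsShouldProcess, and stamps an explicit retirement date into the description attribute so the deletion stage does not depend on whenChanged, which is updated by any attribute write and is not replicated between domain controllers.

```powershell
# Added example (hypothetical script, not the question's or the accepted answer's code).
# Placeholders: the holding OU DN and the log path. Requires the RSAT ActiveDirectory module.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$HoldingOU  = 'OU=Disabled Workstations,DC=example,DC=com',  # placeholder DN
    [int]$InactiveDays  = 60,
    [int]$RetentionDays = 30,
    [string]$LogPath    = 'C:\Logs\StaleComputers.csv'                   # placeholder path
)

Import-Module ActiveDirectory

$now       = Get-Date
$staleDate = $now.AddDays(-$InactiveDays)
$purgeDate = $now.AddDays(-$RetentionDays)
$stampTag  = 'RETIRED:'   # prefix written into the description attribute at disable time

# Make sure the log directory exists before the first Export-Csv -Append.
$null = New-Item -ItemType Directory -Path (Split-Path -Parent $LogPath) -Force

function Write-CleanupLog {
    param([string]$Action, $Computer)
    [pscustomobject]@{
        Timestamp         = $now.ToString('s')
        Action            = $Action
        Name              = $Computer.Name
        DistinguishedName = $Computer.DistinguishedName
        LastLogonDate     = $Computer.LastLogonDate
        OperatingSystem   = $Computer.OperatingSystem
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

# Stage 1: enabled workstations that have not logged on for $InactiveDays.
# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to
# 14 days of slack, so the cutoff is approximate. Servers are excluded by OS string,
# and anything already inside the holding OU is skipped.
$stale = Get-ADComputer -Filter { Enabled -eq $true -and LastLogonDate -lt $staleDate } `
            -Properties LastLogonDate, OperatingSystem, Description |
         Where-Object { $_.OperatingSystem -notlike '*Server*' -and
                        $_.DistinguishedName -notlike "*$HoldingOU" }

foreach ($c in $stale) {
    if ($PSCmdlet.ShouldProcess($c.Name, "Disable, stamp and move to $HoldingOU")) {
        Set-ADComputer -Identity $c -Enabled $false `
            -Description ('{0}{1} {2}' -f $stampTag, $now.ToString('yyyy-MM-dd'), $c.Description)
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $HoldingOU
        Write-CleanupLog -Action 'Disabled+Moved' -Computer $c
    }
}

# Stage 2: delete objects in the holding OU whose RETIRED stamp is older than
# $RetentionDays. Objects without a stamp (placed there by hand) are logged and left
# alone for review rather than deleted on an unknown clock.
$held = Get-ADComputer -Filter * -SearchBase $HoldingOU -SearchScope OneLevel `
            -Properties LastLogonDate, OperatingSystem, Description

foreach ($c in $held) {
    if ($c.Description -notmatch "^$stampTag(\d{4}-\d{2}-\d{2})") {
        Write-CleanupLog -Action 'Skipped-NoStamp' -Computer $c
        continue
    }
    $retired = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
    if ($retired -le $purgeDate -and
        $PSCmdlet.ShouldProcess($c.Name, "Delete (retired $($Matches[1]))")) {
        Remove-ADComputer -Identity $c -Confirm:$false
        Write-CleanupLog -Action 'Deleted' -Computer $c
    }
}
```

Run it first as `.\Invoke-StaleComputerCleanup.ps1 -WhatIf` (file name assumed) to see which objects each stage would touch without changing anything; the log is still not written in that mode because Write-CleanupLog sits inside the ShouldProcess branch. Two caveats before scheduling it: Remove-ADComputer fails on a computer object that has child objects (BitLocker recovery information is stored that way), and deleting such an object also destroys those recovery keys, so export them or handle those objects separately rather than switching blindly to Remove-ADObject -Recursive; and a disabled computer account can be re-enabled and moved back out of the holding OU, so the stamp in the description should be cleared when a machine is returned to service.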

Assisted Solution

by:Mike Kline
Mike Kline earned 1000 total points
ID: 39809325
By the way, if you don't have time to test the PowerShell script by Monday, there is also a nice 3rd-party tool that can help: http://www.cjwdev.co.uk/Software/ADTidy/Info.html

Looks like Subsun has it for you, but I wanted to provide other options too.

Thanks

Mike
Author Closing Comment

by:Bruce Popovich
ID: 39812101
THANKS! to both of you.  I owe you big time on this one...