Solved

Complex AD script for stale computer accounts

Posted on 2014-01-25
3
681 Views
1 Endorsement
Last Modified: 2014-01-27
I am known as 'the PowerShell' guy at work, mainly because I have begun studying and know a little bit about PowerShell and nobody else does. Normally, I will research and write my own PS scripts, but I may be in over my head on this one and with a Monday deadline, I would appreciate any help I can get.

We have inherited a real Active Directory mess, and the stale computers in AD are really messing with our SCCM, licensing, and security reports.

The plan is for me to provide a script that will:

Disable and move workstation accounts that have not been online for 60 days to a Disabled Workstations OU for holding - then LOG at least the computer name
Delete those accounts in the Disabled Workstations OU after 30 days - then LOG at least the computer name
I'm not sure what they mean by log, but I imagine an Excel spreadsheet would do, at least in the short term. I can research in the future what other attributes can be added to entries in the log

MGMT wants a lot more added to the script in the future to make it more granular, and I imagine that it will be getting rather large over the next few weeks, but those 2 actions are required by Monday (or Maybe Tuesday if I grovel). I am really excited about the long-term project, this should be really informative.

The worst part about the timing of this is that I will be in a wedding party all day today, and won't have much free time this weekend...

----

I have a few lines of code:

$disacct = (Get-Date).AddDays(-60)

$delacct = (Get-Date).AddDays(-30)

 

 # For disabling the account:

Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $disacct} | Set-ADComputer -Enabled $false

#not sure about the correct syntax to add the move to different OU

--

# For deleting the account:

Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $delacct} | Remove-ADComputer

----

Once again, any assistance is sincerely appreciated. I know that I am asking a lot here.
1
Comment
Question by:Bruce Popovich
3 Comments
 
LVL 40

Accepted Solution

by:
Subsun earned 250 total points
ID: 39808859
You may also use Search-ADAccount to searh for inactive accounts.. The following code should do your task.. As you may already know, you can use the commands with -WhatIf switch to test this..
#To move the inactive accounts
Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 60 | 
	Tee -FilePath C:\movelogs.txt | 
		Move-ADObject -TargetPath "OU=Inactive Computers,DC=Max,DC=Com"

#To Disable the account which are moved..
Get-ADComputer -Filter * -SearchBase "OU=Inactive Computers,DC=Max,DC=Com" | ?{$_.Enabled} | Disable-ADAccount

#To delete the moved accounts which are older than 30 days..
Get-ADComputer -Filter * -SearchBase "OU=Inactive Computers,DC=Max,DC=Com" -Properties whenChanged | 
	?{$_.whenChanged -le (Get-date).Adddays(-30)} |
	Tee -FilePath C:\Dellogs.txt | 
	Remove-ADComputer -Confirm:$False

Open in new window

0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 39809325
By the way if you don't have time to test the powershell script by Monday there is also a nice 3rd party tool that can help   http://www.cjwdev.co.uk/Software/ADTidy/Info.html

looks like subsun has it for you but wanted to provide other options too.

Thanks

Mike
0
 

Author Closing Comment

by:Bruce Popovich
ID: 39812101
THANKS! to both of you.  I owe you big time on this one...
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html) provided 218 attendees with a step-by-step guide for identifying Acti…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now