Solved

Complex AD script for stale computer accounts

Posted on 2014-01-25
3
692 Views
1 Endorsement
Last Modified: 2014-01-27
I am known as 'the PowerShell' guy at work, mainly because I have begun studying and know a little bit about PowerShell and nobody else does. Normally, I will research and write my own PS scripts, but I may be in over my head on this one and with a Monday deadline, I would appreciate any help I can get.

We have inherited a real Active Directory mess, and the stale computers in AD are really messing with our SCCM, licensing, and security reports.

The plan is for me to provide a script that will:

Disable and move workstation accounts that have not been online for 60 days to a Disabled Workstations OU for holding - then LOG at least the computer name
Delete those accounts in the Disabled Workstations OU after 30 days - then LOG at least the computer name
I'm not sure what they mean by log, but I imagine an Excel spreadsheet would do, at least in the short term. I can research in the future what other attributes can be added to entries in the log

MGMT wants a lot more added to the script in the future to make it more granular, and I imagine that it will be getting rather large over the next few weeks, but those 2 actions are required by Monday (or Maybe Tuesday if I grovel). I am really excited about the long-term project, this should be really informative.

The worst part about the timing of this is that I will be in a wedding party all day today, and won't have much free time this weekend...

----

I have a few lines of code:

$disacct = (Get-Date).AddDays(-60)

$delacct = (Get-Date).AddDays(-30)

 

 # For disabling the account:

Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $disacct} | Set-ADComputer -Enabled $false

#not sure about the correct syntax to add the move to different OU

--

# For deleting the account:

Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $delacct} | Remove-ADComputer

----

Once again, any assistance is sincerely appreciated. I know that I am asking a lot here.
1
Comment
Question by:Bruce Popovich
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 40

Accepted Solution

by:
Subsun earned 250 total points
ID: 39808859
You may also use Search-ADAccount to searh for inactive accounts.. The following code should do your task.. As you may already know, you can use the commands with -WhatIf switch to test this..
#To move the inactive accounts
Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 60 | 
	Tee -FilePath C:\movelogs.txt | 
		Move-ADObject -TargetPath "OU=Inactive Computers,DC=Max,DC=Com"

#To Disable the account which are moved..
Get-ADComputer -Filter * -SearchBase "OU=Inactive Computers,DC=Max,DC=Com" | ?{$_.Enabled} | Disable-ADAccount

#To delete the moved accounts which are older than 30 days..
Get-ADComputer -Filter * -SearchBase "OU=Inactive Computers,DC=Max,DC=Com" -Properties whenChanged | 
	?{$_.whenChanged -le (Get-date).Adddays(-30)} |
	Tee -FilePath C:\Dellogs.txt | 
	Remove-ADComputer -Confirm:$False

Open in new window

0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 39809325
By the way if you don't have time to test the powershell script by Monday there is also a nice 3rd party tool that can help   http://www.cjwdev.co.uk/Software/ADTidy/Info.html

looks like subsun has it for you but wanted to provide other options too.

Thanks

Mike
0
 

Author Closing Comment

by:Bruce Popovich
ID: 39812101
THANKS! to both of you.  I owe you big time on this one...
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question