Solved

I NEED A SCRIPT IN POWERSHELL TO MOVE INACTIVE COMPUTERS TO ANOTHER OU

Posted on 2014-11-19
18
932 Views
Last Modified: 2014-12-22
I'm trying to complete an AD cleanup. I already have the list of all inactive computers and users that should be moved to another OU; let's call them "DISABLED COMPUTERS" and "DISABLED USERS". This can't be done using GPO and I have no previous experience in scripting, so I will greatly appreciate it if any of you can provide me with a script, or the steps to create one, that can achieve that purpose. In summary this is what I need:

1. Check for the destination OU; if it is not present, create it.
2. Check for the users who meet the criteria; if found, move them to that OU.
3. Check users in the destination OU and, if they have been there more than x days, delete them.
0
Question by:Hunter24
18 Comments
 
LVL 9

Accepted Solution

by:
RantCan earned 150 total points
ID: 40453629
I know you asked for powershell, but I have had good luck with Solarwinds Free Stale AD Users/Computers tool.

http://www.solarwinds.com/products/freetools/ad_admin_tools.aspx

This does what you request of the PSS.
0
 
LVL 29

Assisted Solution

by:becraig
becraig earned 350 total points
ID: 40455566
I have one question here: what is the qualifier you plan to use for inactive accounts?

We can either check for where accounts have the disabled flag or for accounts (user and computer) which either have not "logged on for x days".

Once you let me know which route you plan to take, I can proceed to complete the script today for testing.
0
 

Author Comment

by:Hunter24
ID: 40455922
becraig:

I'll be using the "not logged on for X days" qualifier. I have more than 80 machines that are inactive but not being flagged at all.  All inactive users are now disabled, but I'll need to move them to an OU and, after a year of these accounts being inactive, proceed to delete them.  Just let me know what else is needed. Thank you.
0
 
LVL 29

Assisted Solution

by:becraig
becraig earned 350 total points
ID: 40456235
#Import AD Module
Import-Module ActiveDirectory

#define the time window --- we specify 90 days plus the official windows lag of 14 days
$time = (Get-Date).Adddays(-104)

#Check for existence of OU and create if not present
#the OU name and its parent are both taken from $Path so the check and the create cannot point at different OUs
[string] $Path = 'OU=OUName,DC=domain,DC=com'
try
{
	if (!([adsi]::Exists("LDAP://$Path")))
	{
		#Create OU since it does not yet exist
		$ouName, $ouParent = $Path -split ',', 2
		New-ADOrganizationalUnit -Name $ouName.Substring(3) -Path $ouParent
	}
	else { Write-Debug "OU Already Exists:  $Path" }
}
catch [Exception]    {
	#stop here: there is no point moving objects into an OU we could not create
	return $_.Exception.Message
}


#now we proceed to check for computers (-WhatIf only reports what would move; drop it once the output looks right)
Get-ADComputer -Filter { LastLogonTimeStamp -lt $time } | Move-ADObject -TargetPath $Path -WhatIf

#Now we also pick up computers that Search-ADAccount flags as inactive, skipping any already in the target OU
Search-ADAccount -accountinactive -ComputersOnly | ? { $_.lastlogondate -lt $time -and $_.distinguishedname -notlike "*,$Path" } | Move-ADObject -TargetPath $Path -WhatIf




I need to take a look at creating a time-stamp in one of the extended fields for the AD object so we can determine when to delete, as you indicate above. I also think that adding a piece to remove group memberships would probably be a good plugin.

I will look at it when I get home this evening.
0
 

Author Comment

by:Hunter24
ID: 40458394
becraig:

Ok. thank you so much.  As soon as you have completed it I'll check it.
0
 

Author Comment

by:Hunter24
ID: 40458454
RantCan:

Thank you for your posting.  I downloaded and tested this Solarwinds tool. The interface is very simple and the query was completed very quickly; it showed me exactly the same results that I got using AD Tidy. However, the only option available is just to remove the inactive computers; I would rather have these objects disabled in another OU and, after a certain amount of time, delete them. Is there any other free tool that does that and that you recommend?
0
 

Author Comment

by:Hunter24
ID: 40462651
Hi becraig:

Do you have the final script so I can test it?
0
 
LVL 29

Expert Comment

by:becraig
ID: 40462662
I will have it in a bit; sorry, I was out for the weekend.
0
 
LVL 9

Assisted Solution

by:RantCan
RantCan earned 150 total points
ID: 40462857
I did some work with AD Tidy; it does indeed have the ability to add a task sequence to move a found entity to a specified OU, which the Solarwinds tool does not.
1
 

Author Comment

by:Hunter24
ID: 40463005
RantCan:

I see what you mean; I need to customize the actions to be executed.  That for sure will help me a lot, especially for inactive computers; all inactive user accounts are disabled and there are not as many of them as computer accounts. However, I still need to find a way to exclude some service accounts that were included in the report. I'll also need to test this in a virtual environment before doing the real thing in a prod environment. Thanks a lot, any other comment or idea is always welcome!
0
 
LVL 29

Assisted Solution

by:becraig
becraig earned 350 total points
ID: 40463069
Ok, so before I complete this, I think one of the other solutions might be less heavy lifting.

The first thing you would have to do is to create a custom attribute in AD so we could place the timestamp there when we disable a user or computer account.
That would involve schema modification, but would make it easier to do your periodic check for deletion.

Here is some info, let me know if you still want to try that route.
https://www.youtube.com/watch?v=EBkQlTUsXww

We would create the custom field disableddate in the AD; then, once it is in place, we can edit the script to set that value when the user account or computer account is disabled, and simply delete after X days.
0
 
LVL 29

Assisted Solution

by:becraig
becraig earned 350 total points
ID: 40464886
On second thought I just realized I could probably update one of the other already present fields and then simply query that value.

I will make a quick test today.
0
 
LVL 29

Assisted Solution

by:becraig
becraig earned 350 total points
ID: 40465352
So here is a quick look at something that should work (I am updating the upn of the user and computer account with the date for deletion later):


#Import AD Module
Import-Module ActiveDirectory
#Define Arrays
$Computers = @()
$users = @()
#the date goes after the @ in the upn so the deletion step at the bottom can parse it back out
$ddate = "Disabled@" + (Get-Date -format yyyyMMdd)

#define the time window --- we specify 90 days plus the official windows lag of 14 days
$time = (Get-Date).Adddays(-104)

#Check for existence of OU and create if not present
#the OU name and its parent are both taken from $Path so the check and the create cannot point at different OUs
[string] $Path = 'OU=OUName,DC=domain,DC=com'
try
{
	if (!([adsi]::Exists("LDAP://$Path")))
	{
		#Create OU since it does not yet exist
		$ouName, $ouParent = $Path -split ',', 2
		New-ADOrganizationalUnit -Name $ouName.Substring(3) -Path $ouParent
	}
	else { Write-Debug "OU Already Exists:  $Path" }
}
catch [Exception]    {
	return $_.Exception.Message
}


#now we proceed to check for computers
$computers += Get-ADComputer -Filter { LastLogonTimeStamp -lt $time } | select distinguishedname, samaccountname, userprincipalname
$users += Get-ADUser -Filter { LastLogonTimeStamp -lt $time } | select distinguishedname, samaccountname, userprincipalname

#Now we also pick up accounts that Search-ADAccount flags as inactive
$computers += Search-ADAccount -accountinactive -ComputersOnly | ? { $_.lastlogondate -lt $time } | select distinguishedname, samaccountname, userprincipalname
$users += Search-ADAccount -accountinactive -UsersOnly | ? { $_.lastlogondate -lt $time } | select distinguishedname, samaccountname, userprincipalname


#the two queries overlap, so drop duplicates and skip objects that already live in the target OU
$computers | sort distinguishedname -Unique | ? { $_.distinguishedname -notlike "*,$Path" } | % {
#Change the upn to the disabled date
Set-ADComputer -Identity $_.distinguishedname -userprincipalname $ddate -WhatIf
#Disable the account
Disable-ADAccount -Identity $_.distinguishedname -WhatIf
#Move the object in AD last, because the move changes the distinguishedname we use as -Identity
Move-ADObject -Identity $_.distinguishedname -TargetPath $path -WhatIf
}

$users | sort distinguishedname -Unique | ? { $_.distinguishedname -notlike "*,$Path" } | % {
#Change the upn to the disabled date
Set-ADUser -Identity $_.distinguishedname -userprincipalname $ddate -WhatIf
#Disable the account
Disable-ADAccount -Identity $_.distinguishedname -WhatIf
#Move the object in AD last, because the move changes the distinguishedname we use as -Identity
Move-ADObject -Identity $_.distinguishedname -TargetPath $path -WhatIf
}

#now we check for computers in the AD in our OU that meet the date criteria
#parse the yyyyMMdd date back out of the upn and delete when it is OLDER than the retention window (100 days here)
Get-ADComputer -Filter * -SearchBase $Path | ? { $_.userprincipalname -like 'Disabled@*' } | % {
$timer = [datetime]::ParseExact(($_.userprincipalname).split("@")[1], 'yyyyMMdd', $null)
if ($timer -lt (Get-Date).AddDays(-100)) { Remove-ADObject -Identity $_.distinguishedname -WhatIf }
}


0
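An added example, not becraig's script and not code from this thread, that carries the three steps of the question through in one script: it excludes service accounts via a group (the asker's later concern), records the disable date in the Description attribute so the UPN stays intact, and deletes after the one-year grace the asker described. The domain DN, both OU names and the group NoAutoCleanup are hypothetical placeholders; every write runs as -WhatIf unless -Commit is passed.

```powershell
param(
    [int]$InactiveDays = 90,                  # days without a logon that count as stale
    [int]$GraceDays    = 365,                 # delete this long after disabling
    [string]$Domain    = 'DC=domain,DC=com',  # placeholder domain
    [string]$ExcludeGroup = 'NoAutoCleanup',  # hypothetical group holding service accounts
    [switch]$Commit
)
Import-Module ActiveDirectory
$WhatIfPreference = -not $Commit                        # report only until -Commit is given
$cutoff   = (Get-Date).AddDays(-($InactiveDays + 14))   # +14: lastLogonTimestamp replication lag
$stampFmt = 'yyyyMMdd'
$ous = @{ user = "OU=DISABLED USERS,$Domain"; computer = "OU=DISABLED COMPUTERS,$Domain" }

# Step 1: create each holding OU only if it is missing
foreach ($dn in $ous.Values) {
    if (-not [adsi]::Exists("LDAP://$dn")) {
        $rdn, $parent = $dn -split ',', 2
        New-ADOrganizationalUnit -Name $rdn.Substring(3) -Path $parent
    }
}
# Objects the cleanup must never touch (service accounts, break-glass admins)
$excluded = @{}
Get-ADGroupMember -Identity $ExcludeGroup -Recursive | ForEach-Object { $excluded[$_.DistinguishedName] = $true }

# Step 2: stale but still enabled users and computers: disable, stamp, then move
$stamp = 'Disabled by AD cleanup on ' + (Get-Date -Format $stampFmt)
$stale = @(Get-ADUser     -Filter { LastLogonTimeStamp -lt $cutoff -and Enabled -eq $true }) +
         @(Get-ADComputer -Filter { LastLogonTimeStamp -lt $cutoff -and Enabled -eq $true })
foreach ($obj in $stale) {
    $target = $ous[$obj.ObjectClass]
    if ($excluded[$obj.DistinguishedName] -or $obj.DistinguishedName -like "*,$target") { continue }
    Disable-ADAccount -Identity $obj
    Set-ADObject -Identity $obj -Replace @{ description = $stamp }
    Move-ADObject -Identity $obj -TargetPath $target   # last, because the move changes the DN
}

# Step 3: delete holding-OU objects whose stamp is older than the grace period
$deleteBefore = (Get-Date).AddDays(-$GraceDays)
foreach ($ou in $ous.Values) {
    Get-ADObject -Filter * -SearchBase $ou -SearchScope OneLevel -Properties description | ForEach-Object {
        if ($_.description -match 'on (\d{8})$') {
            $disabledOn = [datetime]::ParseExact($Matches[1], $stampFmt, $null)
            # -Recursive also removes child objects some computers carry (e.g. BitLocker recovery info)
            if ($disabledOn -lt $deleteBefore) { Remove-ADObject -Identity $_ -Recursive }
        }
    }
}
```

Objects that have never logged on carry no lastLogonTimestamp and therefore do not match the filter, which is deliberate: a missing logon record is not evidence of staleness.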
 

Author Comment

by:Hunter24
ID: 40465545
becraig:

Thanks for your support on this; I'd like to test this script when it is completed. I'm using the AD Tidy app for the cleanup because I need to complete this task next week, after the month closing. However, once this is done I prefer to test this script and put it in the prod environment so that the task is automated. I'll be waiting for your feedback.
0
 
LVL 29

Assisted Solution

by:becraig
becraig earned 350 total points
ID: 40465557
I will let you know once I complete a quick test of it; from the first run it works as expected, but I need to ensure there are no glitches.

I will probably have some time on the plane tonight so I might go ahead and clean it up and post an update.
0
 

Assisted Solution

by:Hunter24
Hunter24 earned 0 total points
ID: 40504917
Thank you all again!
0
 

Author Closing Comment

by:Hunter24
ID: 40512630
Thank you all, becraig did a great job with the script but I preferred to use a simpler solution like the one recommended by RantCan.
0

Question has a verified solution.