smart Z

script

Hi Experts,

I have a Windows Active Directory environment and I have 2 OUs that have computer accounts. I want to run a script to find out which computer accounts did not access the domain in the last 6 months. I want to disable them right away if there are any.

Can I please get assistance/help with the right script that I could run against each OU?

Thank you.
ASKER CERTIFIED SOLUTION
SquigglyMonkey

smart Z

ASKER

Sorry, I am new to this. Is this a PowerShell script?

How do I run it against the domain controller or the computer OU?
It is PowerShell. Make sure to import the AD snap-ins, and this will run against the domain and will disable computers in the domain that have not logged on for more than 3 months.
As-is, the PowerShell script will only show the accounts, not disable them. The lines to take action ("temporary" delete or "permanent" remove) are inactive. The corresponding (single) line needs to get the front hash tag removed.
Zak, sorry I didn't get back to you sooner.
Open PowerShell as an administrator. There are several places to open it from; remember to right-click and 'Run as administrator'.
Since you likely have not set it up at all, you will want to allow PowerShell to run scripts; by default it does not. (I know, kinda weird...)
In the elevated PowerShell window, type 'Set-ExecutionPolicy RemoteSigned', then yes to allow it to make changes.
To learn more about execution policy, type get-help about_Execution_Policies; there is a ton of info in there.
Now you can run a script in PowerShell.
Open up notepad and copy/paste the code below.
import-module activedirectory
$then = (Get-Date).AddDays(-180) # The 180 is the number of days from today since the last logon.

Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | FT Name,lastLogonDate

# If you would like to Disable these computer accounts, uncomment the following line:
# Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Set-ADComputer -Enabled $false

# If you would like to Remove these computer accounts, uncomment the following line:
# Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Remove-ADComputer

Save the notepad file as something.PS1 where 'something' is what you'd like to name it, and remember where you put it.
Go back to the elevated PowerShell prompt and type cd (path to the newly created PS1 file), something like d:\scripts\check-CA.ps1 (whatever the actual path is).
Depending on which lines have # in front of them (# comments out that line, so it does not get run by PowerShell), it will check, disable, or delete. I would recommend checking first, disabling them next, and then in another X days, deleting them.

Gl,
John
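
A report-first variant scoped to the two OUs the question mentions, as an added example that is not part of the script posted in this thread. The OU distinguished names, the example.com domain, the CSV path and the $disable variable are assumptions; it goes slightly beyond the posted script by also listing enabled accounts that have no recorded logon and were created before the cutoff.

```powershell
Import-Module ActiveDirectory

# Assumed placeholder OU distinguished names; replace with your own two OUs.
$searchBases = @(
    'OU=Workstations,DC=example,DC=com',
    'OU=Laptops,DC=example,DC=com'
)
$cutoff  = (Get-Date).AddDays(-180)
$report  = Join-Path $env:TEMP ('stale-computers-{0:yyyyMMdd}.csv' -f (Get-Date))
$disable = $false   # leave $false for a report-only run; set $true to disable

$stale = foreach ($base in $searchBases) {
    # LastLogonDate is derived from the replicated lastLogonTimestamp attribute,
    # which can lag the real logon by up to about 14 days. A 180-day cutoff
    # leaves ample margin for that lag.
    Get-ADComputer -SearchBase $base -SearchScope Subtree `
        -Filter 'Enabled -eq $true' `
        -Properties LastLogonDate, whenCreated |
      Where-Object {
          # Stale: last logon older than the cutoff, or no recorded logon at all
          # on an account that was itself created before the cutoff.
          ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
          (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
      }
}

# Keep a record of what was found before anything is changed.
$stale | Select-Object Name, DistinguishedName, LastLogonDate, whenCreated |
    Export-Csv -Path $report -NoTypeInformation
$stale | Sort-Object LastLogonDate |
    Format-Table Name, LastLogonDate, DistinguishedName -AutoSize

foreach ($computer in $stale) {
    # With $disable = $false this runs with -WhatIf and only prints the
    # action it would take; nothing in the directory is modified.
    Disable-ADAccount -Identity $computer -WhatIf:(-not $disable)
}
```

Review the CSV from a report-only run before setting $disable to $true; a disabled computer account can be re-enabled later, whereas a removed one has to be rejoined to the domain.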