• Status: Solved

Stale computer script (PS)

Greetings Experts. I have a script (thanks to EE Experts) that will audit, disable and move stale user accounts from one of my OUs. I need to do the same thing for stale computer accounts. I appreciate your help and contributions in advance.

Import-Module ActiveDirectory

$logPath = "C:\Tools\Logs\"  #directory to log output
$date = Get-Date
$todaysLog = $logPath + $date.Year + "_" + $date.DayOfYear + ".log"

function WriteLog($message)
{
    $message = (Get-Date).ToShortTimeString() + " - " + $message
    Add-Content -Path $todaysLog -Value $message
}

$disabledOU = "OU=Users,OU=Inactive,DC=state,DC=com"

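# Accounts whose lastLogonTimeStamp is older than 49 days. An empty value converts to the year 1601, so never-used accounts are included.
$users = Get-ADUser -SearchBase "OU=Depts,DC=state,DC=com" -Filter * -Properties SAMAccountName, lastLogonTimeStamp | ?{[DateTime]::FromFileTime($_.lastLogonTimeStamp) -lt (Get-Date).AddDays(-49)}
foreach ($user in $users)
{
    try {
        # -ErrorAction Stop makes any failure reach the catch block
        Disable-ADAccount -Identity $user.SAMAccountName -ErrorAction Stop
        WriteLog("Disabled $($user.SAMAccountName)")
    } catch {
        WriteLog("Failed to disable $($user.SAMAccountName)")
    }
    
    try {
        # Move-ADObject accepts a distinguished name or GUID, not a SAMAccountName
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $disabledOU -ErrorAction Stop
        WriteLog("Moved $($user.SAMAccountName) to $disabledOU")
    } catch {
        WriteLog("Failed to move $($user.SAMAccountName) to $disabledOU")
    }
}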


0
Asked: samiam41
1 Solution
 
Dariusz Tyka (ICT Specialist A) Commented:
Hi samiam41,

Such a script is already present in the Microsoft gallery. You can grab it from here:
https://gallery.technet.microsoft.com/scriptcenter/Move-and-disable-inactive-b1cf86c3
0
 
footech Commented:
You should be able to just substitute Get-ADComputer for Get-ADUser.  You may want to change some variable names accordingly.
0

 
samiam41 (Author) Commented:
@Ajit, thanks for the links but they didn't help.

@footech, yes, I would need to substitute the get-aduser for get-adcomputer while switching some variables.  Completely agree.  The variables are the reason for the question as I'm not sure what those variables are.

@Dariusz Tyka, checking into those now. *Update* The script requires using Quest PowerShell tools. I shouldn't need to download additional tools to accomplish this task.

Thanks experts.
0
 
samiam41 (Author) Commented:
$then = (Get-Date).AddDays(-60) # The 60 is the number of days from today since the last logon.

Get-ADComputer -SearchBase "OU=Depts,DC=local" -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | FT Name,lastLogonDate



Working on the logging portion now.
0
 
Pber (Solutions Architect) Commented:
Try this:

Import-Module ActiveDirectory

$logPath = "C:\Tools\Logs\"  #directory to log output
$date = Get-Date
$todaysLog = $logPath + $date.Year + "_" + $date.DayOfYear + ".log"

function WriteLog($message)
{
    $message = (Get-Date).ToShortTimeString() + " - " + $message
    Add-Content -Path $todaysLog -Value $message
}

$disabledOU = "OU=Computers,OU=Inactive,DC=state,DC=com"

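# Computer accounts whose lastLogonTimeStamp is older than 49 days. An empty value converts to the year 1601, so never-used accounts are included.
$computers = Get-ADComputer -SearchBase "OU=Depts,DC=state,DC=com" -Filter * -Properties DistinguishedName, SAMAccountName, lastLogonTimeStamp | ?{[DateTime]::FromFileTime($_.lastLogonTimeStamp) -lt (Get-Date).AddDays(-49)}
foreach ($computer in $computers)
{
    try {
        # -WhatIf makes this a dry run: nothing is changed, but the log line below is still written.
        # Remove -WhatIf to actually disable the account.
        Disable-ADAccount -Identity $computer.DistinguishedName -WhatIf
        WriteLog("Disabled $($computer.SAMAccountName)")
    } catch {
        WriteLog("Failed to disable $($computer.SAMAccountName)")
    }
    
    try {
        # Same here: remove -WhatIf to actually move the object.
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $disabledOU -WhatIf
        WriteLog("Moved $($computer.SAMAccountName) to $disabledOU")
    } catch {
        WriteLog("Failed to move $($computer.SAMAccountName) to $disabledOU")
    }
}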


2
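
A dry-run-aware variant of the computer cleanup above, added here as an example and not code from any poster in this thread. It goes beyond the posted script by handling computer accounts whose lastLogonTimestamp is empty and by logging only actions that actually ran; the function name Disable-StaleComputer and the log file name are hypothetical.

```powershell
# Added example; names marked "hypothetical" do not come from the thread.
Import-Module ActiveDirectory

function Disable-StaleComputer {   # hypothetical function name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SearchBase = "OU=Depts,DC=state,DC=com",                 # from the thread
        [string]$TargetOU   = "OU=Computers,OU=Inactive,DC=state,DC=com", # from the thread
        [int]$StaleDays     = 49,                                         # from the thread
        [string]$LogFile    = "C:\Tools\Logs\stale_computers.log"         # hypothetical file name
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # Only enabled accounts: anything already disabled needs no second pass.
    $candidates = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties lastLogonTimestamp, whenCreated

    foreach ($c in $candidates) {
        # An empty lastLogonTimestamp means the account has never logged on.
        # FromFileTime(0) would turn that into the year 1601 and flag it as stale,
        # so fall back to the creation date to spare freshly pre-staged machines.
        $lastSeen = if ($c.lastLogonTimestamp) {
            [DateTime]::FromFileTime($c.lastLogonTimestamp)
        } else { $c.whenCreated }
        if ($lastSeen -ge $cutoff) { continue }

        # ShouldProcess returns $false under -WhatIf, so a dry run changes
        # nothing and writes no "done" lines to the log.
        if (-not $PSCmdlet.ShouldProcess($c.DistinguishedName, "Disable and move to $TargetOU")) { continue }
        try {
            # Address the object by GUID: the distinguished name changes after the move.
            Disable-ADAccount -Identity $c.ObjectGUID -ErrorAction Stop
            Move-ADObject -Identity $c.ObjectGUID -TargetPath $TargetOU -ErrorAction Stop
            $line = "Disabled and moved $($c.SamAccountName) (last seen $lastSeen)"
        } catch {
            $line = "FAILED $($c.SamAccountName): $($_.Exception.Message)"
        }
        Add-Content -Path $LogFile -Value ("{0:s} - {1}" -f (Get-Date), $line)
    }
}

# Dry run first; rerun without -WhatIf to apply the changes.
Disable-StaleComputer -WhatIf
```

lastLogonTimestamp is replicated between domain controllers with a lag of up to about 14 days by default, so a threshold shorter than that is not reliable.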
 
samiam41 (Author) Commented:
Knockout!

Thank you for the solid solution.  Exactly what I needed.
0
 
samiam41 (Author) Commented:
If any experts have some time to show me what I'm missing on this script in the new question, I would appreciate it.  Thank you.  https://www.experts-exchange.com/questions/29072772/Modify-date-format-of-file-name-powershell.html
0
 
footech Commented:
Just to be clear, the variable names don't have to be changed (i.e. it won't affect functionality). It's just a matter of readability of the code.
0
