Powershell to disable unused computer AD accounts.

Here is a powershell script that can be used to cleanup old computer AD accounts:


Import-Module ActiveDirectory

$date = get-date

$systems = Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 365

foreach($computer in $systems){

$computer | select-object Name, OperatingSystem, DistinguishedName, LastLogonTimeStamp >> “C:\Scheduled Tasks\AD Cleanup\SystemInfo.csv”

$computer | disable-adaccount

$computer | move-adobject -targetpath “ou=Dormant Computers,dc=xxxx,dc=xxx”

write-host “$computer will be moved to Dormant computers”

}

First we load the Active Directory Module into Powershell. This has to be added as a Winodws Feature first.
Then we search the AD for all computer accounts which have been inactive for the last 365 days.
In the foreach loop we write the name of the server and LastLogonDate to a csv file to keep as a log.
Then we disable the account and move it to a OU where we keept disabled accounts.
Last we output a stsus message to the console.

Staffan Olofsson

Advertisements
This entry was posted in AD and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s