I've been doing some AD cleanup lately and wanted to automate the process for stale computer accounts. To do so I wrote two PowerShell scripts that run once a month as a scheduled task. As you'll see below, I did need to exclude a few machines that follow a certain naming standard.
Disable Computer Account with LastLogon Older Than 6 Months:
```powershell
###########
#Variables#
###########

#The AD cmdlets live in the ActiveDirectory module (RSAT); load it explicitly so the scheduled task does not depend on auto-loading
Import-Module ActiveDirectory

#SMTP variables
$strSMTPServer = "SMTPSERVERNAME"
$strSMTPTo = "All Techs <alltechs@domain.com>"
$strSMTPFrom = "Domain Automation <alerts@domain.com>"
$strSMTPSubj = "Computer Accounts Have Been Disabled"
$strSMTPBodyDescription = "The following computer accounts have been disabled because they have not been seen by AD in over 6 months: `n"
$strSMTPBody = ""

#Domain distinguished name
$strDomainDN = "DC=DOMAIN,DC=LOCAL"

#How far back to look
$dtDateThreshold = [DateTime]::Today.AddDays(-180)

#Array of enabled computers that have not checked in with AD in over six months
#LastLogonDate is derived from lastLogonTimestamp, which AD only refreshes when it is more than 14 days old, so the cutoff is approximate
#Computers that have never logged on have no LastLogonDate and are not returned by this filter
$arrOldComputers = Get-ADComputer -SearchBase $strDomainDN -Filter {LastLogonDate -le $dtDateThreshold -and Enabled -eq $true} -Properties LastLogonDate,modifyTimeStamp,OperatingSystem,DistinguishedName

################
#Let's Do Stuff#
################

foreach($tmpComputer in $arrOldComputers)
{
    #Skip machines that follow the excluded naming standards
    if($tmpComputer.Name -notlike 'XCOMPUTER*')
    {
        if($tmpComputer.Name -notlike 'YCOMPUTER*')
        {
            Disable-ADAccount -Identity $tmpComputer
            $strSMTPBody += $tmpComputer.Name + "`n"
        }
    }
}

#Send email notifications
if($strSMTPBody -ne "")
{
    $strSMTPBodyFull = $strSMTPBodyDescription + $strSMTPBody
    Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject $strSMTPSubj -Body $strSMTPBodyFull
}
```
Delete Computer Account with LastLogon Older Than 1 Year:
```powershell
###########
#Variables#
###########

#The AD cmdlets live in the ActiveDirectory module (RSAT); load it explicitly so the scheduled task does not depend on auto-loading
Import-Module ActiveDirectory

#SMTP variables
$strSMTPServer = "SMTPSERVERNAME"
$strSMTPTo = "All Techs <alltechs@domain.com>"
$strSMTPFrom = "Domain Automation <alerts@domain.com>"
$strSMTPSubj = "Computer Accounts Have Been Deleted"
$strSMTPBodyDescription = "The following computer accounts have been deleted because they have not been seen by AD in over one year: `n"
$strSMTPBody = ""

#Domain distinguished name
$strDomainDN = "DC=DOMAIN,DC=LOCAL"

#How far back to look
$dtDateThreshold = [DateTime]::Today.AddDays(-365)

#Array of computers (enabled or disabled) that have not checked in with AD in over one year
#Computers that have never logged on have no LastLogonDate and are not returned by this filter
$arrOldComputers = Get-ADComputer -SearchBase $strDomainDN -Filter {LastLogonDate -le $dtDateThreshold} -Properties LastLogonDate,modifyTimeStamp,OperatingSystem,DistinguishedName

################
#Let's Do Stuff#
################

foreach($tmpComputer in $arrOldComputers)
{
    #Skip machines that follow the excluded naming standards
    if($tmpComputer.Name -notlike 'XCOMPUTER*')
    {
        if($tmpComputer.Name -notlike 'YCOMPUTER*')
        {
            #Remove-ADComputer only deletes leaf objects; a computer with child objects (e.g. BitLocker recovery information) needs Remove-ADObject -Recursive instead
            Remove-ADComputer -Identity $tmpComputer -Confirm:$false
            $strSMTPBody += $tmpComputer.Name + "`n"
        }
    }
}

#Send email notifications
if($strSMTPBody -ne "")
{
    $strSMTPBodyFull = $strSMTPBodyDescription + $strSMTPBody
    Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject $strSMTPSubj -Body $strSMTPBodyFull
}
```
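Before letting either script run unattended, it is worth previewing exactly which accounts it will touch. The following is an added example, not code from the original post: it wraps the same Get-ADComputer query in a function with a single exclusion regex and a -WhatIf capable disable step. It assumes the ActiveDirectory module and the same placeholder domain DN as the scripts above; the function and parameter names are my own.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is available and uses the same placeholder domain DN as above.
function Get-StaleComputer {
    [CmdletBinding()]
    param(
        [string]$SearchBase = "DC=DOMAIN,DC=LOCAL",
        [int]$Days = 180,
        # One regex replaces the nested -notlike checks for excluded name prefixes
        [string]$ExcludePattern = '^(XCOMPUTER|YCOMPUTER)',
        # Restrict to enabled accounts (the 6-month disable job); omit for the delete job
        [switch]$EnabledOnly
    )
    $threshold = [DateTime]::Today.AddDays(-$Days)
    # LastLogonDate comes from lastLogonTimestamp (refreshed only when >14 days old),
    # so PasswordLastSet is returned as a second staleness signal for the reviewer.
    Get-ADComputer -SearchBase $SearchBase -Filter { LastLogonDate -le $threshold } `
        -Properties LastLogonDate, PasswordLastSet, OperatingSystem |
        Where-Object { $_.Name -notmatch $ExcludePattern -and (-not $EnabledOnly -or $_.Enabled) } |
        Select-Object Name, Enabled, LastLogonDate, PasswordLastSet, OperatingSystem, DistinguishedName
}

function Disable-StaleComputer {
    # ConfirmImpact High means the call prompts unless -Confirm:$false is passed;
    # -WhatIf prints the intended action and changes nothing in AD.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Computer
    )
    process {
        $reason = "Disable stale computer (last logon $($Computer.LastLogonDate))"
        if ($PSCmdlet.ShouldProcess($Computer.DistinguishedName, $reason)) {
            Disable-ADAccount -Identity $Computer.DistinguishedName
            # Emit the name so the caller can build the notification body
            $Computer.Name
        }
    }
}

# Preview run: lists what the monthly job would disable without touching AD.
Get-StaleComputer -Days 180 -EnabledOnly | Disable-StaleComputer -WhatIf

# Audit trail: keep the candidate list alongside the scheduled task's output.
Get-StaleComputer -Days 365 | Export-Csv -NoTypeInformation -Path "C:\Temp\stale-computers.csv"
```

In the scheduled task, replace `-WhatIf` with `-Confirm:$false` once the preview list looks right.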