Active Directory is awesome, except for it to be effective it must be maintained and loved. A crucial maintenance step is cleanup, which involves removing objects that are not any longer in use or required. These include:
- User Accounts
- Computer Objects
Recently I wrote a guest article to cleanup Active Directory using PowerShell. along side all of the small print and how-to I developed an entire PowerShell that cleans up your Active Directory environment for you. These are often scheduled and may be configured to look a particular scope, exclude certain sorts of objects and you’ll also choose the sort of processing you would like to try to once you find inactive AD objects. The choices available are report, disable and delete.
All of the small print and links to the PowerShell scripts to urge you began to cleanup Active Directory.
Import-Module ActiveDirectory
# Set the number of days since last logon
$DaysInactive = 90
$InactiveDate = (Get-Date).Adddays(-($DaysInactive))
#——————————-
# FIND INACTIVE COMPUTERS
#——————————-
# Below are three options to find inactive computers. Select the one that is most appropriate for your requirements:
# Get AD Computers that haven’t logged on in xx days
$Computers = Get-ADComputer -Filter { LastLogonDate -lt $InactiveDate -and Enabled -eq $true } -Properties LastLogonDate | Select-Object Name, LastLogonDate, DistinguishedName
# Get AD Computers that have never logged on
$Computers = Get-ADComputer -Filter { LastLogonDate -notlike “*” -and Enabled -eq $true } -Properties LastLogonDate | Select-Object Name, LastLogonDate, DistinguishedName
# Automated way (includes never logged on computers)
$Computers = Search-ADAccount -AccountInactive -DateTime $InactiveDate -ComputersOnly | Select-Object Name, LastLogonDate, Enabled, DistinguishedName
#——————————-
# REPORTING
#——————————-
# Export results to CSV
$Computers | Export-Csv C:\Temp\InactiveComputers.csv -NoTypeInformation
#——————————-
# INACTIVE COMPUTER MANAGEMENT
#——————————-
# Below are two options to manage the inactive computers that have been found. Either disable them, or delete them. Select the option that is most appropriate for your requirements:
# Disable Inactive Computers
ForEach ($Item in $Computers){
$DistName = $Item.DistinguishedName
Set-ADComputer -Identity $DistName -Enabled $false
Get-ADComputer -Filter { DistinguishedName -eq $DistName } | Select-Object Name, Enabled
}
# Delete Inactive Computers
ForEach ($Item in $Computers){
Remove-ADComputer -Identity $Item.DistinguishedName -Confirm:$false
Write-Output “$($Item.Name) – Deleted”
}