One of the things I find time and time again when I join an organisation is that there is a large number of old computer accounts littering Active Directory. It may not look like a big problem, but every enabled computer account is still a valid security principal in the domain, and each one adds asset and security management overhead that is simply unnecessary. Here is some PowerShell that you can schedule to run an automatic clean-up on a regular basis.

It is preferable to disable old computer accounts rather than delete them immediately, as one of them will invariably come out of the woodwork at some stage. Deleting the computer account would require re-joining the machine to the domain, whereas a disabled account can be instantly re-enabled and is ready to go.

What I normally do is:

  • Identify computer accounts that have been inactive for over 6 months (180 days) in a particular OU
  • Disable the accounts
  • Update the computer Description to show that it was disabled and when it can be safely deleted (usually a month later)
  • Move them to a separate OU that I've created (_Disabled Accounts, in this case)
  • Document to file that they have been disabled

Import-Module ActiveDirectory

$date       = Get-Date
$expiryDate = $date.AddDays(31)
$results    = @()

# Lab paths from the post; LDAP DNs are written without spaces after the separators.
$searchBase = "OU=Workstations,OU=Dave Lab,DC=davelab,DC=local"
$disabledOU = "OU=_Disabled Accounts,OU=Workstations,OU=Dave Lab,DC=davelab,DC=local"

# -AccountInactive compares lastLogonTimestamp against now minus -TimeSpan, and the
# documented form of -TimeSpan is a positive interval (e.g. 180.00:00:00).
# Only enabled accounts are touched, so accounts disabled on an earlier run are skipped.
$systems = Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan (New-TimeSpan -Days 180) -SearchBase $searchBase |
    Where-Object { $_.Enabled -eq $true }

if ($systems)
{
    foreach ($computer in $systems)
    {
        # Search-ADAccount objects do not carry OperatingSystem, so fetch the computer object for the log.
        $results += Get-ADComputer -Identity $computer.DistinguishedName -Properties OperatingSystem, LastLogonDate |
            Select-Object Name, OperatingSystem, DistinguishedName, LastLogonDate
        $computer | Disable-ADAccount
        $computer | Set-ADComputer -Description "Disabled on $date. Can be deleted safely after $expiryDate"
        $computer | Move-ADObject -TargetPath $disabledOU
        Write-Host "$($computer.Name) has been disabled and moved."
    }

    # Fixed date format so the file name does not depend on the regional settings of the task account.
    $dateForFilename = $date.ToString("yyyy-MM-dd")
    $results | Export-Csv "C:\Scheduled Tasks\AD Cleanup\$dateForFilename - Inactive Computers Check.csv" -NoTypeInformation
}
else
{
    Write-Host "No inactive and enabled computer accounts found."
}

Set this to run as a scheduled task (say once a month) and it will go through and clean up your stale AD computer accounts, move them to a centralised disabled-accounts OU, and write you a log file and a Description on the object so you know when it was disabled and when it can be deleted.

A few things to bear in mind before you switch it on: run it once with -WhatIf on the Disable-ADAccount, Set-ADComputer and Move-ADObject calls to see what it would touch; run the task under an account that has been delegated only the rights it needs (disable, write Description, move) on those OUs rather than as a Domain Admin; and remember that lastLogonTimestamp is only replicated when the stored value is more than 9 to 14 days old, so the 180-day threshold is approximate and should be kept well clear of anything that legitimately goes quiet for a long time, such as laptops that are out in the field.
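The post records the delete-after date in the Description but does not show the follow-up run that acts on it. As an added example that is not part of the original post, here is a companion script that goes through the _Disabled Accounts OU, parses the "Can be deleted safely after" date out of the Description written by the clean-up script, deletes only the accounts that are past it and still disabled, and logs what it removed. The OU path, log folder and Description format are assumptions taken from the lab values above; adjust them to match your own run, and rehearse it with -WhatIf first.

```powershell
# Added example (not from the original post): delete computer accounts whose
# grace period, as recorded in the Description by the clean-up script, has passed.
# Assumed Description format: "Disabled on <date>. Can be deleted safely after <date>"
# Hypothetical lab OU and log folder, matching the clean-up script.
Import-Module ActiveDirectory

$disabledOU = "OU=_Disabled Accounts,OU=Workstations,OU=Dave Lab,DC=davelab,DC=local"
$logFolder  = "C:\Scheduled Tasks\AD Cleanup"
$today      = Get-Date
$results    = @()

# Look only at the disabled OU, and only at accounts that are still disabled, so a
# computer that someone re-enabled (but forgot to move back) is never deleted.
$candidates = Get-ADComputer -SearchBase $disabledOU -SearchScope OneLevel `
    -Filter { Enabled -eq $false } -Properties Description, LastLogonTimestamp

foreach ($computer in $candidates)
{
    # Pull the "after <date>" part out of the Description written by the clean-up run.
    $m = [regex]::Match([string]$computer.Description, 'Can be deleted safely after (.+)$')
    if (-not $m.Success)
    {
        Write-Host "$($computer.Name): Description not in the expected format, skipping."
        continue
    }

    # The clean-up script wrote the date with the task account's regional settings,
    # so parse it with the same settings here rather than assuming a fixed format.
    [DateTime]$deleteAfter = [DateTime]::MinValue
    if (-not [DateTime]::TryParse($m.Groups[1].Value, [ref]$deleteAfter))
    {
        Write-Host "$($computer.Name): could not parse date '$($m.Groups[1].Value)', skipping."
        continue
    }

    if ($today -lt $deleteAfter)
    {
        Write-Host "$($computer.Name): grace period runs until $deleteAfter, skipping."
        continue
    }

    $results += $computer | Select-Object Name, DistinguishedName, Description,
        @{ Name = 'LastLogon'; Expression = {
            if ($_.LastLogonTimestamp) { [DateTime]::FromFileTime($_.LastLogonTimestamp) } } }

    # Remove-ADObject -Recursive is used instead of Remove-ADComputer because the latter
    # refuses to delete a computer object that has child objects (e.g. a service connection point).
    # Add -WhatIf here for a dry run.
    Remove-ADObject -Identity $computer.DistinguishedName -Recursive -Confirm:$false
    Write-Host "$($computer.Name) deleted."
}

if ($results)
{
    $logFile = Join-Path $logFolder "$($today.ToString('yyyy-MM-dd')) - Deleted Computers.csv"
    $results | Export-Csv $logFile -NoTypeInformation
}
else
{
    Write-Host "No disabled computer accounts past their grace period."
}
```

Because the clean-up script moves disabled accounts into the _Disabled Accounts OU and only this script deletes from it, the two runs can be scheduled independently; anything an admin re-enables in the meantime is simply left alone by the Enabled -eq $false filter.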
