
Active Directory Maintenance: Finding Stale Computer Objects w/ PowerShell

If you're in a large enterprise, you may have computer objects lurking in Active Directory that have not authenticated to the domain in a while. This script finds those objects, disables them, and moves them to an alternate Organizational Unit.

 
<#
*** THIS SCRIPT IS PROVIDED WITHOUT WARRANTY, USE AT YOUR OWN RISK ***

.DESCRIPTION
	1. Search an OU for computer accounts that have not authenticated in x number of days ($days)
	2. Disable those accounts
	3. Move those disabled computer accounts to another OU ($disabledOU)
	4. Also creates a logfile of all the computers that were disabled ($logpath)

.NOTES
	File Name: Get-StaleComputers.ps1
	Author: David Hall
	Contact Info: 
		Website: www.signalwarrant.com
		Twitter: @signalwarrant
		Facebook: facebook.com/signalwarrant/
		Google +: plus.google.com/113307879414407675617
		YouTube Subscribe link: https://www.youtube.com/channel/UCgWfCzNeAPmPq_1lRQ64JtQ?sub_confirmation=1
	Requires: PowerShell Remoting Enabled (Enable-PSRemoting) 
	Tested: PowerShell Version 5, Windows Server 2012 R2

.PARAMETER
		 
.EXAMPLE
     .\Get-StaleComputers.ps1
#>


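# The Active Directory cmdlets below come from the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory

####### Edit these Variables
# Gets today's date
$date = Get-Date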

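# Number of days it's been since the computer authenticated to the domain
# In my case 1 day
# Note: LastLogonDate is derived from lastLogonTimestamp, which by default is only
# updated when the stored value is about 9-14 days old, so use a larger value in production
$days = -1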

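# Sets a description on that object so other admins know why the object was disabled
# (the day count is taken from $days so the text stays correct when $days changes)
$description = "Disabled by SignalWarrant on $date due to inactivity for $([math]::Abs([int]$days)) day(s)."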

# This is the OU you are searching for Stale Computer accounts
$ou = "CN=Computers,DC=signalwarrant,DC=local"

# This is where the disabled accounts get moved to.
$disabledOU = "OU=Disabled_Computers,DC=signalwarrant,DC=local"

# path to the log file
$logpath = "c:\scripts\stale_computers.csv"
####### Edit these Variables

# Finding Stale Computers
# (accounts with no LastLogonDate at all, i.e. never logged on, are skipped)
$findcomputers = Get-ADComputer -Filter * -SearchBase $ou -Properties cn, LastLogonDate |
Where-Object { $_.LastLogonDate -le [DateTime]::Today.AddDays($days) -and ($null -ne $_.LastLogonDate) }

# Create a CSV containing all the Stale Computer Information
$findcomputers | Export-Csv -Path $logpath -NoTypeInformation

# Disable the Stale Computer Accounts
$findcomputers | Set-ADComputer -Description $description -PassThru | Disable-ADAccount

# Move only the Stale Computer Accounts we just disabled to $disabledOU.
# (Search-ADAccount -AccountDisabled -SearchBase $ou would also return computers
# in $ou that were already disabled for other reasons and move those too.)
$findcomputers | Move-ADObject -TargetPath $disabledOU
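
The same disable-and-move workflow with a dry-run switch, as an added example that is not the author's script. The function name `Disable-StaleComputer`, its parameters, the 90-day default, the 15-day minimum and the extra `PasswordLastSet` check are assumptions made for illustration.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the author's script. Disable-StaleComputer and its
# parameter names/defaults are assumptions made for illustration.
function Disable-StaleComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$DisabledOU,
        # lastLogonTimestamp can lag by up to ~14 days, so refuse smaller windows.
        [ValidateRange(15, 3650)][int]$Days = 90,
        [string]$LogPath = 'C:\scripts\stale_computers.csv'
    )

    $cutoff = (Get-Date).Date.AddDays(-$Days)

    # Only enabled accounts; require BOTH the last logon and the machine
    # password change to be older than the cutoff before calling it stale.
    $stale = @(Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                  -Properties LastLogonDate, PasswordLastSet |
        Where-Object {
            $null -ne $_.LastLogonDate -and
            $_.LastLogonDate -le $cutoff -and
            $_.PasswordLastSet -le $cutoff
        })

    # Always write the report, even under -WhatIf.
    $stale | Select-Object Name, DistinguishedName, LastLogonDate, PasswordLastSet |
        Export-Csv -Path $LogPath -NoTypeInformation -WhatIf:$false

    foreach ($computer in $stale) {
        $target = $computer.DistinguishedName
        if ($PSCmdlet.ShouldProcess($target, "Disable and move to $DisabledOU")) {
            $note = "Disabled $(Get-Date -Format s): no logon for $Days+ days"
            Set-ADComputer    -Identity $computer -Description $note
            Disable-ADAccount -Identity $computer
            # Move last, and only the objects this run disabled.
            Move-ADObject     -Identity $computer -TargetPath $DisabledOU
        }
    }
    $stale   # return what was (or would be) processed
}

# Dry run against the OUs used in the post; remove -WhatIf to apply.
Disable-StaleComputer -SearchBase 'CN=Computers,DC=signalwarrant,DC=local' `
    -DisabledOU 'OU=Disabled_Computers,DC=signalwarrant,DC=local' -Days 90 -WhatIf
```

With `-WhatIf` the CSV is still written, so the candidate list can be reviewed before any account is changed.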


1 Comment

  1. Ryan Moore

    Thanks for the script, it worked perfectly first try; however, when I change the target OU to find the computers from CN=Computers to another one I want to search, it fails.
