Active Directory Script Highlight: Identify Old Computer Objects Before AD Migrations

In the last of my Active Directory cleanup posts, I gave you some options to identify, disable, and move User objects based on a certain period of inactivity.  In this post I am going to give you some simple scripts to do the same thing for your Computer objects.  The hope is that by following these posts you will be left with the real set of objects to be migrated, or that you will give your Active Directory the good spring cleaning that so often gets neglected in the day-to-day management of your environments.

The first script returns some basic information on Computer Objects that have not set their computer password in the last 180 days and are not already disabled.  The output gives SamAccountName, LastPasswordSet, Name, DistinguishedName, and confirmation that the Computer Object is enabled.  It sorts the output by the LastLogonDate attribute and writes the output to a file.  This is a broad sweep to get an idea of what is out there so you can make determinations about the location and age of Computer Objects.

# Report enabled computer objects with no activity in the last 180 days, sorted by LastLogonDate
Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 180.00:00:00 | ?{$_.Enabled -eq $True} | sort LastLogonDate | Format-Table SamAccountName, LastLogonDate, Name, DistinguishedName, Enabled | Out-File -Width 256 C:\temp\Outfile.txt

Modifying the output to include more or fewer attributes is as simple as adding them to the property list (the Format-Table list in the command above, or a Select-Object list if you want objects rather than a formatted table).

Start the Cleaning:

So after you have reviewed the output, what do you do with the data?  This is where cleaning house starts to come in.  Once you have determined that these accounts are the ones you want to act on, you can disable them.  I recommend disabling them instead of deleting them, because it is inevitable that someone will come back after a long sabbatical and have trouble logging on because their Computer Object has been deleted. The script below identifies the same group of Computer Objects (more than 180 days since the computer last renewed its password) as before, stores them in a variable, disables all of the identified Computer Objects, and then moves them to a designated DisabledComputers OU.

# Capture the enabled, inactive computer objects so the next steps act on that set
$DComputers = Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 180.00:00:00 | ?{$_.Enabled -eq $True}

# Disable every object captured above
$DComputers | Disable-ADAccount

# Move disabled computer objects into the DisabledComputers OU (-TargetPath is required; a bare string binds to -Identity instead)
Get-ADComputer -Properties * -Filter * | ? Enabled -eq $False | Move-ADObject -TargetPath "OU=DisabledComputers,DC=YourDomain,DC=Local"

Targeted Determination:

One more modification to the above script: searching your entire domain, as the script above does, to identify all Computer Objects over 180 days old will almost certainly be too broad. The script below targets a single OU.  In most environments you will probably have your workstation Computer Objects in one OU and your Server Objects in another.  They are all Computer Objects in Active Directory, so the script below lets you target just the right OU and make sure your disabling doesn't reach the wrong population of Computer Objects.  By specifying -SearchBase you target only the Computer Object location you want.

# Same search as before, but limited to one OU with -SearchBase
$DComputers = Search-ADAccount -SearchBase "OU=YourComputersOU,DC=YourDomain,DC=Local" -ComputersOnly -AccountInactive -TimeSpan 180.00:00:00 | ?{$_.Enabled -eq $True}

# Disable every object captured above
$DComputers | Disable-ADAccount

# Move the disabled computer objects from that OU into the DisabledComputers OU
Get-ADComputer -SearchBase "OU=YourComputersOU,DC=YourDomain,DC=Local" -Properties * -Filter * | ? Enabled -eq $False | Move-ADObject -TargetPath "OU=DisabledComputers,DC=YourDomain,DC=Local"
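The identify, disable and move steps above, put together as one audited script. This is an added example and not part of the original post: the OU names, domain, inactivity window and report path are placeholders you would replace. It differs from the post's pipeline in two ways a practitioner usually wants: it writes the review file before changing anything, and it disables and moves only the objects it identified rather than every disabled computer in the scope. Note that -AccountInactive keys on LastLogonDate (lastLogonTimestamp), not on the password age, so the report carries PasswordLastSet alongside it for comparison.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is present and that the OU, domain and path values are placeholders.
#Requires -Modules ActiveDirectory

$SearchBase   = 'OU=YourComputersOU,DC=YourDomain,DC=Local'    # assumed scope
$DisabledOU   = 'OU=DisabledComputers,DC=YourDomain,DC=Local'  # assumed target
$InactiveDays = 180
$ReportPath   = 'C:\temp\StaleComputers.csv'                   # assumed path
$Stamp        = Get-Date -Format 'yyyy-MM-dd'

# Step 1: identify enabled computers with no logon activity in $InactiveDays.
# Search-ADAccount returns the identities; Get-ADComputer adds the attributes
# the report needs, so both inactivity signals are visible before any change.
$Stale = @(
    Search-ADAccount -SearchBase $SearchBase -ComputersOnly `
        -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        Get-ADComputer -Identity $_.DistinguishedName `
            -Properties LastLogonDate, PasswordLastSet, OperatingSystem
    } |
    # Domain controllers are computer objects too; keep them out of this sweep.
    Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' } |
    Select-Object Name, SamAccountName, Enabled, LastLogonDate,
                  PasswordLastSet, OperatingSystem, DistinguishedName |
    Sort-Object LastLogonDate
)

# Step 2: write the review file first, so there is a record of exactly which
# objects were acted on and where they came from (needed to undo a move).
$Stale | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} stale computer objects written to {1}" -f $Stale.Count, $ReportPath)

# Step 3: act only on the objects in $Stale. -WhatIf previews each change;
# remove it once the CSV has been reviewed and approved.
foreach ($c in $Stale) {
    $obj    = Get-ADComputer -Identity $c.DistinguishedName
    $parent = $obj.DistinguishedName -replace '^CN=[^,]+,', ''   # original OU
    # Stamp the reason and original location into the description so the
    # object can be traced back and restored if the machine reappears.
    Set-ADComputer -Identity $obj -WhatIf `
        -Description ("Disabled {0}: inactive > {1} days; was in {2}" -f $Stamp, $InactiveDays, $parent)
    Disable-ADAccount -Identity $obj -WhatIf
    Move-ADObject -Identity $obj -TargetPath $DisabledOU -WhatIf
}
```

Run it once with -WhatIf in place, read the CSV, then strip the -WhatIf switches to apply. Because the description records the source OU, restoring a machine is a matter of Enable-ADAccount plus a Move-ADObject back to the recorded path.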


Have your own Active Directory cleanup scripts for Computers, Users, or Groups?  Help out and add them in the comments section.

This entry was posted in Active Directory, PowerShell.
