It is always good practice to keep your Active Directory clean. One easy way to do that is to remove stale computer accounts periodically. I have always found that when Windows machines are disjoined from a domain, rebuilt with a different computer name, and so on, removing the old computer account is often overlooked, or the sysadmins are simply not told that a computer has been removed or renamed. Every one of those leftover accounts is still a valid security principal with a password, so they are worth clearing out rather than leaving around.
A Windows machine changes its computer account password every 30 days by default. The change is initiated by the client, not by the domain controller, and the interval is controlled by the Group Policy setting "Domain member: Maximum machine account password age" (it can be switched off entirely with "Domain member: Disable machine account password changes", in which case this method does not work). The time of the last change is stored in the pwdLastSet attribute, which the ActiveDirectory module exposes as PasswordLastSet. Knowing this, we can assume that when a computer has not reset its account password for a length of time, say 90 or 120 days, it is stale. If you have remote workers who do not connect back into your domain via VPN or any other way, I would always use the higher number of days, because a laptop that has simply not talked to a domain controller for a while looks exactly like a decommissioned machine.
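As an added example (not part of the original post), here is a PowerShell check for both halves of that assumption: on a domain-joined client, read the Netlogon settings that control the machine password change, and from an admin host with the RSAT ActiveDirectory module, bucket the computer accounts by password age so the 90-versus-120-day decision is based on your own data. The $SearchBase value is an assumed placeholder.

```powershell
# Added example, not from the original post.

# 1) On a domain-joined client: the Netlogon parameters that govern the change.
#    MaximumPasswordAge defaults to 30 (days) when the value is absent.
#    DisablePasswordChange = 1 means the client never rotates its password, so
#    PasswordLastSet would never move and the account would look stale forever.
$netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
[pscustomobject]@{
    MaximumPasswordAgeDays = if ($null -ne $netlogon.MaximumPasswordAge) { $netlogon.MaximumPasswordAge } else { 30 }
    PasswordChangeDisabled = [bool]$netlogon.DisablePasswordChange
}

# 2) From a host with the ActiveDirectory module: how old are the passwords of
#    the enabled computer accounts under an OU? A big "over 120 days" bucket on a
#    laptop OU is your remote-worker population, not necessarily dead machines.
Import-Module ActiveDirectory
$SearchBase = 'OU=Computers,DC=example,DC=com'   # assumption: replace with your own OU
$now = Get-Date
Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties PasswordLastSet |
    ForEach-Object {
        $age = if ($_.PasswordLastSet) { ($now - $_.PasswordLastSet).Days } else { -1 }
        $bucket = switch ($age) {
            { $_ -lt 0 }   { 'never set';     break }
            { $_ -le 30 }  { '0-30 days';     break }
            { $_ -le 60 }  { '31-60 days';    break }
            { $_ -le 90 }  { '61-90 days';    break }
            { $_ -le 120 } { '91-120 days';   break }
            default        { 'over 120 days' }
        }
        [pscustomobject]@{ Name = $_.Name; AgeDays = $age; Bucket = $bucket }
    } |
    Group-Object Bucket |
    Sort-Object Name |
    Select-Object Name, Count
```

Run part 1 on a few representative clients (or check the effective policy with gpresult) and part 2 against each OU you intend to clean; if a client reports PasswordChangeDisabled as True, its account will show up as stale no matter how often it logs on.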
The following script looks for all computer accounts in an OU you specify where the password has not been reset for over 90 days, then disables them and moves them to a second OU. I have left the -WhatIf switch in so I can see which computer accounts would be affected first. It also writes the list to a text file called computers.txt in C:\PShell\; this path can be changed to whatever you like. Note that the log line is written even during a -WhatIf run, because Add-Content is not guarded by -WhatIf, so the file tells you what would have happened, not what did.
You can download the script here or just copy the script below.
```powershell
<#
.NOTES
===========================================================================
Created by:    Richard Hooper
Organization:  Pixel Robots.
Version:       1.0.0
Date Created:  06/07/2016
Date Updated:  06/07/2016
Filename:      Disable_and_Move_Inactive_AD_Computer_Accounts_from_OU.ps1
===========================================================================
.SYNOPSIS
Script used to find all computer accounts which are inactive in Active Directory, disable them and move them to a specific OU
.DESCRIPTION
The script searches an OU for any computer whose account password has not been reset for (90) days, disables it, adds the date it was disabled to the description and moves it to a new OU.
.LINK
http://www.pixelrobots.com
#>

Import-Module ActiveDirectory

# Specify the OU you want to search for inactive accounts (child OUs are included)
$SourceOU = "OU=Computers,DC=pixelrobots,DC=co,DC=uk"

# Specify the OU you want to move your inactive computer accounts to (must already exist)
$DestinationOU = "OU=DisabledComputers,DC=pixelrobots,DC=co,DC=uk"

# Specify the number of days a computer has to have been inactive for.
# The 90 is the number of days from today since the computer last reset its account password.
$lldate = [DateTime]::Today.AddDays(-90)

# Log file; the folder is created if it does not exist
$LogFile = "C:\PShell\computers.txt"
New-Item -ItemType Directory -Path (Split-Path -Parent $LogFile) -Force | Out-Null

# DO NOT MODIFY BELOW THIS LINE
# -Properties Description is needed because Get-ADComputer does not return Description by default,
# so without it the old description would be lost when it is rewritten below.
$computers = Get-ADComputer -Filter 'PasswordLastSet -le $lldate' -SearchBase $SourceOU -Properties Description

foreach ($computer in $computers) {
    $desc = "Contact Support, disabled on $(Get-Date) - $($computer.Description)"
    Set-ADComputer $computer -Description $desc -Enabled $false -WhatIf   # remove -WhatIf to make the script work 100%
    Move-ADObject $computer -TargetPath $DestinationOU -WhatIf            # remove -WhatIf to make the script work 100%
    Add-Content $LogFile -Value "Found $computer, Moved and disabled"
}
```
You will need to modify this script to reflect your domain and OU structure. All you need to do is set $SourceOU to the OU where you would like the search to begin; the search is a subtree search, so it also covers all OUs underneath it. You will also need to set $DestinationOU to where you would like the computers moved to. Make sure that OU is set up in your Active Directory first, otherwise Move-ADObject will fail after the account has already been disabled.
You can also change the number of days for a computer to be considered stale. If you know your users will always connect within 90 days then leave it at the default of 90; you can change this under $lldate. I have decided not to have the script delete the computer accounts, as you might have some non-Windows computers in the OU that do not rotate their passwords in the same way. Disabling rather than deleting also means that a machine that was merely offline simply fails to authenticate when it comes back, gets reported, and can be re-enabled and moved back without re-joining the domain. What I do is check the OU once the script has run, leave the accounts there for 30 days (set an Outlook reminder) and then delete them. If you have the Active Directory Recycle Bin enabled in your domain, you can always recover deleted accounts from there.
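As an added example, not part of the original script, here is a parameterised version that covers the customisations described above and the multi-OU question that comes up in the comments. It assumes the RSAT ActiveDirectory module is installed, that you run it as an account allowed to disable and move computer objects, and that the OU paths in the usage call are placeholders. It differs from the script above in four ways: it accepts several source OUs; it only treats an account as stale when both PasswordLastSet and LastLogonDate are older than the cutoff (LastLogonDate is the replicated lastLogonTimestamp, which is only refreshed when it is more than 14 days old by default, so it is coarse but fine for a 90-day threshold); it honours -WhatIf and -Confirm through SupportsShouldProcess instead of needing the code edited to arm it; and it writes a CSV log that records what it found.

```powershell
# Added example; not the original Pixel Robots script. OU paths are placeholders.
function Disable-StaleADComputer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string[]] $SearchBase,     # one or more OUs, searched as subtrees
        [Parameter(Mandatory)] [string]   $DestinationOU,  # must already exist
        [int]      $Days        = 90,
        [string]   $LogPath     = 'C:\PShell\stale-computers.csv',
        [string[]] $ExcludeName = @()                     # e.g. cluster name objects or appliances
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $cutoff = [DateTime]::Today.AddDays(-$Days)
    $logDir = Split-Path -Parent $LogPath
    if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir -Force | Out-Null }

    $results = foreach ($ou in $SearchBase) {
        # Server-side filter on the cheap, indexed attribute; the LastLogonDate check
        # is done client-side because it is a converted (extended) property.
        Get-ADComputer -Filter 'Enabled -eq $true -and PasswordLastSet -le $cutoff' `
            -SearchBase $ou -SearchScope Subtree `
            -Properties PasswordLastSet, LastLogonDate, Description, OperatingSystem |
        Where-Object {
            # LastLogonDate is $null for a machine that has never logged on since
            # lastLogonTimestamp was introduced in the forest; treat that as stale too.
            ($null -eq $_.LastLogonDate -or $_.LastLogonDate -le $cutoff) -and
            ($_.Name -notin $ExcludeName)
        } |
        ForEach-Object {
            $computer = $_
            $stamp    = Get-Date -Format 'yyyy-MM-dd'
            $desc     = "Contact Support, disabled on $stamp - $($computer.Description)"
            $action   = "disable, update description and move to $DestinationOU"
            # ShouldProcess returns $false under -WhatIf, so nothing below it runs in a dry run.
            if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, $action)) {
                Set-ADComputer -Identity $computer -Description $desc -Enabled $false
                Move-ADObject  -Identity $computer -TargetPath $DestinationOU
            }
            [pscustomobject]@{
                Name            = $computer.Name
                OperatingSystem = $computer.OperatingSystem
                PasswordLastSet = $computer.PasswordLastSet
                LastLogonDate   = $computer.LastLogonDate
                SourceOU        = $ou
                Processed       = Get-Date
                DryRun          = [bool]$WhatIfPreference
            }
        }
    }

    # Export-Csv refuses a $null pipeline input, so only write when something was found.
    if ($results) { $results | Export-Csv -Path $LogPath -NoTypeInformation -Append }
    $results
}

# Dry run first: nothing is changed, but the CSV still lists what would be touched.
Disable-StaleADComputer `
    -SearchBase 'OU=Laptops,DC=example,DC=com', 'OU=Desktops,DC=example,DC=com' `
    -DestinationOU 'OU=DisabledComputers,DC=example,DC=com' `
    -Days 90 -WhatIf

# When the list looks right, drop -WhatIf (or keep -Confirm to approve each object).
```

The DryRun column in the CSV makes it obvious afterwards whether a given log came from a -WhatIf pass or a real run, which the original script's text log cannot tell you. If you only need the search half, the built-in Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 90.00:00:00 -SearchBase '...' gives a similar list based on lastLogonTimestamp alone.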
5 Comments
Jensen · November 18, 2020 at 1:57 pm
The Script Doesn’t work.
Dan · December 10, 2020 at 9:43 am
Love the script, wanted something I could quickly copy/paste to get the job done and this worked a treat first time! The only one issue I had to amend is the additional space in this command "$computers=Get-ADComputer -Filter 'PasswordLastSet -le $lldate' -Searchbase $SourceOU" after the -Filter
Pixel Robots. · December 10, 2020 at 3:17 pm
Thanks Dan. I have fixed that now.
shane · April 30, 2021 at 7:06 pm
I'm new to PowerShell and have used this script. My question is, how can I add more search OUs? I have a script to find all devices in specific OUs with last logon over 90 and then another script I use to move those results to our stale OU.
Adi · February 20, 2024 at 3:29 pm
Cracking script and thanks for your time and effort!