The following command line will trundle through Active Directory and pull out a list of any machine/computer accounts which have been inactive for more than 12 weeks:
dsquery computer "OU=Example Standard Computers,OU=Desktops,OU=All Workstations,DC=web,DC=local" -inactive 12
If you want the command to then disable the accounts you can pipe the dsmod command onto the end of the line:
dsquery computer "OU=Example Standard Computers,OU=Desktops,OU=All Workstations,DC=web,DC=local" -inactive 12 | dsmod computer -disabled yes
Alternatively if you want the command to then delete the accounts you can change the end of the command to the following:
dsquery computer "OU=Example Standard Computers,OU=Desktops,OU=All Workstations,DC=web,DC=local" -inactive 12 | dsrm -c -noprompt
NB: the delete command should be used with caution. Because the last logon times (which the -inactive part of the query relies on) are not replicated between Domain Controllers, it is always a good idea to disable the machine accounts first, leave them for a few weeks and only then delete them.
You can paste any of these commands into Notepad and save it as a batch file (add the .bat suffix to the filename when you Save As...). The batch file can then be run as a Scheduled Task to automate the process and keep Active Directory tidy. You can also run these commands from PowerShell.
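The same find / disable / wait / delete sequence, written for the ActiveDirectory PowerShell module (part of RSAT) instead of dsquery, dsmod and dsrm. This is an added example, not code from the original post. It assumes the post's example OU, that the module is installed, and that the account running it may modify and delete computer objects in that OU. Writing the disable date into the Description attribute is this example's own convention; it lets the delete stage act only on accounts that the script itself disabled, and only once the grace period has passed.

```powershell
# Added example (not from the original post): stale computer account clean-up with
# the ActiveDirectory module. Assumptions: the OU below is the post's example OU,
# the module is installed, and the caller has rights on that OU. The
# "Disabled-by-cleanup:" Description stamp is this script's own convention.
param(
    [string]$SearchBase = "OU=Example Standard Computers,OU=Desktops,OU=All Workstations,DC=web,DC=local",
    [int]$InactiveWeeks = 12,   # same meaning as "-inactive 12" in dsquery (weeks)
    [int]$GraceWeeks = 4,       # how long an account stays disabled before deletion
    [switch]$Delete,            # without this switch the script only disables
    [switch]$DryRun             # report what would change without touching AD
)

Import-Module ActiveDirectory

$tag = "Disabled-by-cleanup:"   # marker written to the Description attribute
$inactiveSpan = New-TimeSpan -Days ($InactiveWeeks * 7)

# Stage 1: still-enabled computers with no logon inside the threshold.
# Search-ADAccount -AccountInactive evaluates lastLogonTimestamp, which domain
# controllers refresh only about every two weeks, so the threshold is approximate.
$stale = Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan $inactiveSpan -SearchBase $SearchBase |
    Where-Object { $_.Enabled }

foreach ($c in $stale) {
    $stamp = "$tag $(Get-Date -Format 'yyyy-MM-dd')"
    Write-Output "Disabling $($c.Name), last logon $($c.LastLogonDate)"
    Set-ADComputer -Identity $c.DistinguishedName -Description $stamp -WhatIf:$DryRun
    Disable-ADAccount -Identity $c.DistinguishedName -WhatIf:$DryRun
}

# Stage 2 (only with -Delete): remove accounts this script disabled more than
# $GraceWeeks ago. Accounts disabled by anyone else carry no stamp and are left
# alone, which is the safety margin the dsrm one-liner does not have.
if ($Delete) {
    $cutoff = (Get-Date).AddDays(-7 * $GraceWeeks)
    Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $false' -Properties Description |
        ForEach-Object {
            if ($_.Description -match "^$([regex]::Escape($tag)) (\d{4}-\d{2}-\d{2})$") {
                $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
                if ($disabledOn -lt $cutoff) {
                    Write-Output "Deleting $($_.Name), disabled on $($Matches[1])"
                    Remove-ADComputer -Identity $_.DistinguishedName -Confirm:$false -WhatIf:$DryRun
                }
            }
        }
}
```

Run it with -DryRun first to see which accounts would be touched, then without it from a weekly Scheduled Task (for instance `schtasks /Create /SC WEEKLY /TN "AD stale computers" /TR "powershell.exe -NoProfile -File C:\Scripts\Clean-StaleComputers.ps1"`, where the script path is an assumed location). Add -Delete only once a run with disabling alone has been in place for the grace period. One caveat: Remove-ADComputer refuses to delete a computer object that has child objects (BitLocker recovery information is the usual case); those need Remove-ADObject -Recursive instead.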
Nice script, thanks for sharing the helpful script to retrieve a list of computer accounts from an Active Directory environment. I tested the automated tool from https://blog.netwrix.com/2018/02/15/the-ten-best-free-active-directory-management-tools/ which provides an automated facility to generate a list of Active Directory computer accounts and manage inactive accounts.