dannytveria
Brass Contributor
Aug 26, 2021

Disable and removal of Computer accounts

Hi,

I made a script to disable old computer accounts.

My Sysadmin asked me to disable after 180 days and remove them after a year.

My goal is to disable computer accounts after 180 days and export to CSV, then delete computer accounts after 356 days and export to CSV.

 

Import-Module ActiveDirectory

# Set the parameters: days since last logon and the CSV report path
$DaysInactive = 180
$InactiveDate = (Get-Date).AddDays(-($DaysInactive))
$ForDisableLog = "C:\scripts\ComputerAccounts\Logs\For_Disable$((Get-Date).ToString('dd-MM-yyyy')).csv"

#-------------------------------
# FIND INACTIVE COMPUTERS
#-------------------------------

# Automated way (includes never logged on computers)
# Each Where-Object stage drops one excluded OU or container
$Computers_For_Disable = Search-ADAccount -AccountInactive -DateTime $InactiveDate -ComputersOnly -SearchBase "DC=staff,DC=local" |
    Where-Object {$_.distinguishedname -notlike "*,OU=Servers,*"} |
    Where-Object {$_.distinguishedname -notlike "*,OU=Test,*"} |
    Where-Object {$_.distinguishedname -notlike "*,OU=IT,*"} |
    Where-Object {$_.distinguishedname -notlike "*,OU=Laptops,*"} |
    Where-Object {$_.distinguishedname -notlike "*,CN=Computers,*"} |
    Select-Object Name, LastLogonDate, Enabled, DistinguishedName

#-------------------------------
# REPORTING
#-------------------------------
# Export results to CSV

$Computers_For_Disable | Export-Csv $ForDisableLog -NoTypeInformation -Encoding UTF8

    • dannytveria
      Brass Contributor
      Yes,
      I am trying to disable the computer accounts that have not logged on for 180 days, and export them to a CSV file.
      Also, I want to delete the computer accounts that have not logged on for 365 days, and export them as well.
      • farismalaeb
        Steel Contributor

        dannytveria 

        I wrote a quick script to do what you need, but please note: this script will REMOVE and DISABLE AD computer accounts. Test it first and make sure it's doing what you need before applying it to production.

        So the only thing you need to change is the last line:

        Get-BadPC -Days 180 -Action Disable

        Days = whatever number of days

        and Action = whether you want to delete or disable.

        function Get-BadPC{
            param(
                [parameter(mandatory=$true)][int]$Days,
                [parameter(mandatory=$true)]
                [ValidateSet('Delete','Disable')]$Action
            )
            # Accounts with no logon since this date count as inactive
            $InactiveDate = (Get-Date).AddDays(-($Days))
            # Keep a computer only if its DN is outside every excluded OU or container.
            # The tests are joined with -and: joined with -or, the filter is true for every DN and excludes nothing.
            $Computers_For_Action = Search-ADAccount -AccountInactive -DateTime $InactiveDate -ComputersOnly -SearchBase "DC=Test,DC=local" |
                Where-Object {
                    ($_.distinguishedname -notlike "*,OU=Servers,*") -and
                    ($_.distinguishedname -notlike "*,OU=Test,*") -and
                    ($_.distinguishedname -notlike "*,OU=IT,*") -and
                    ($_.distinguishedname -notlike "*,OU=Laptops,*") -and
                    ($_.distinguishedname -notlike "*,CN=Computers,*")
                }
            # Export the list to CSV before acting on it
            $Computers_For_Action | Export-Csv "C:\Users\Administrator\Downloads\$($Action)-$((Get-Date).ToString('dd-MM-yyyy')).csv" -NoTypeInformation -Encoding UTF8

            switch ($Action){
                Disable {$Computers_For_Action | Disable-ADAccount }
                Delete {$Computers_For_Action | Remove-ADComputer -Confirm:$False }
            }
        }

        Get-BadPC -Days 180 -Action Disable
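
A dry-run planner for the 180-day disable / 365-day delete schedule and the OU exclusions discussed in this thread, as an added example that is not part of either poster's script. `Get-StaleComputerPlan`, the `OU=Workstations` container and the sample records are hypothetical and constructed; deleting only accounts that are already disabled, and sending never-logged-on accounts to review, are assumptions of this example.

```powershell
# Added example. Get-StaleComputerPlan is a hypothetical helper; it only plans, it changes nothing in AD.
function Get-StaleComputerPlan {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Computer,
        [int]$DisableAfterDays = 180,
        [int]$DeleteAfterDays  = 365,
        [string[]]$ExcludePattern = @('*,OU=Servers,*', '*,OU=Test,*', '*,OU=IT,*',
                                      '*,OU=Laptops,*', '*,CN=Computers,*'),
        [datetime]$Now = (Get-Date)
    )
    process {
        $dn = $Computer.DistinguishedName
        # Excluded when the DN matches ANY pattern; the same as keeping only DNs
        # that are -notlike pattern 1 AND -notlike pattern 2 AND so on.
        $excluded = [bool]($ExcludePattern | Where-Object { $dn -like $_ })
        # A null LastLogonDate means the account has never logged on.
        $age = if ($Computer.LastLogonDate) {
            [int][math]::Floor(($Now - $Computer.LastLogonDate).TotalDays)
        } else { $null }
        # Assumptions: delete only accounts that are already disabled, and
        # send never-logged-on accounts to manual review.
        $action = if ($excluded) { 'Skip' }
            elseif ($null -eq $age) { 'Review' }
            elseif ($age -ge $DeleteAfterDays -and -not $Computer.Enabled) { 'Delete' }
            elseif ($age -ge $DisableAfterDays -and $Computer.Enabled) { 'Disable' }
            else { 'Keep' }
        [pscustomobject]@{
            Name = $Computer.Name; DaysInactive = $age; Enabled = $Computer.Enabled
            Action = $action; DistinguishedName = $dn
        }
    }
}

# Constructed sample records, shaped like the Select-Object output in the question.
$now = [datetime]'2021-08-26'
$new = { param($n, $days, $on, $ou)
    [pscustomobject]@{ Name = $n; Enabled = $on
        LastLogonDate = if ($null -ne $days) { $now.AddDays(-$days) } else { $null }
        DistinguishedName = "CN=$n,$ou,DC=staff,DC=local" } }
$sample = @(
    (& $new 'PC-01'  30    $true  'OU=Workstations')  # recent logon
    (& $new 'PC-02'  200   $true  'OU=Workstations')  # past 180 days, still enabled
    (& $new 'PC-03'  400   $false 'OU=Workstations')  # past 365 days, already disabled
    (& $new 'PC-04'  400   $true  'OU=Workstations')  # past 365 days, never disabled
    (& $new 'SRV-01' 400   $true  'OU=Servers')       # inside an excluded OU
    (& $new 'PC-05'  $null $true  'OU=Workstations')  # never logged on
)
$sample | Get-StaleComputerPlan -Now $now | Format-Table Name, DaysInactive, Enabled, Action
```

Against a real directory, the output of `Search-ADAccount -AccountInactive -ComputersOnly` can be piped into the same function, and the resulting table exported to CSV for review before any `Disable-ADAccount` or `Remove-ADComputer` call is made.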
