For better management of Active Directory computer objects across two domains, I had configured a scheduled Windows task to perform cleanup of computer objects from a Windows 7 VM. Specifically, I had wanted to disable and delete computer accounts after moving them into a specific OU. Note, this had previously worked on Windows 2008 R1; however, the script eventually had stopped processing because of an access denied error message, "Windows PowerShell issue with Move-ADObject access denied", KB article 2806748. I had attempted running the script with different versions and languages of PowerShell, but to no avail. I had ultimately updated the problem domain to Windows 2008 R2.
The script below had continued to work on Windows 2008 R2 and above, plus Windows 2003 with the Active Directory Management Gateway Service. Modify the directions below for your environment.
1. Create a folder named C:\scripts.
2. Create a PowerShell file labeled movecomputers.ps1 inside C:\scripts.
3. Copy and paste the following and save it into movecomputers.ps1:
# a. Get computers on Active Directory domain garzafx.com whose last logon is more than 60 days old and move them to the Disabled Computers OU
Get-ADComputer -Properties lastLogonDate -Filter * | Where-Object { $_.lastLogonDate -lt (Get-Date).AddDays(-60) } | Move-ADObject -TargetPath "OU=Disabled Computers,DC=garzafx,DC=com" -Confirm:$false -Verbose
# b. Get computers on domain garzafx.com whose last logon is more than 60 days old and DISABLE them
Get-ADComputer -Properties lastLogonDate -Filter * | Where-Object { $_.lastLogonDate -lt (Get-Date).AddDays(-60) } | Disable-ADAccount
# c. Get disabled computers in the Disabled Computers OU whose last logon is more than 75 days old, export the list to a file, then DELETE them
# (export first: Remove-ADObject returns nothing to the pipeline, so piping it into Export-Csv would produce an empty file)
$expired = Search-ADAccount -AccountDisabled -SearchBase "OU=Disabled Computers,DC=garzafx,DC=com" -ComputersOnly | Where-Object { $_.lastLogonDate -lt (Get-Date).AddDays(-75) }
$expired | Export-Csv C:\scripts\deletedcomputers.garzafx.com.csv -NoTypeInformation
$expired | Remove-ADObject -Recursive -Confirm:$false -Verbose
4. Create a service account with domain admin rights (e.g. powershell@garzafx.com).
5. Create an OU labeled Disabled Computers in the root of Active Directory (the name must match the -TargetPath and -SearchBase used in the script).
6. Create a scheduled task labeled adcomputer.cleanup.
7. Run it under the service account (e.g. powershell@garzafx.com).
8. Select the option "Run whether user is logged on or not."
9. Choose "Run with highest privileges."
10. Select the trigger options (e.g. every day, 7am) and verify the status is Enabled.
11. Under the Actions tab, select "Start a program."
12. For Program/script enter: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
13. Under Add arguments enter: -file C:\scripts\movecomputers.ps1
14. Click OK and enter credentials as necessary.
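The following is an added example, not the script from the original post: a hardened variant of the movecomputers.ps1 logic from step 3 that is safer to run unattended. It adds a -DryRun switch for testing before the scheduled task goes live, verifies the quarantine OU exists before touching anything, skips computers that have no lastLogonDate at all (in PowerShell, $null compares as "less than" any date, so the one-liners above would also sweep up freshly joined or pre-staged accounts), and writes the list of affected objects to CSV before disabling or deleting them. The domain garzafx.com and the OU "OU=Disabled Computers,DC=garzafx,DC=com" are taken from the page; the parameter names, the -DryRun switch and the timestamped log file names are this example's own assumptions. Note also that a service account with delegated rights to disable, move and delete computer objects on the relevant OUs is enough for this task; Domain Admin (step 4) is broader than it needs.

```powershell
# Hardened cleanup of stale AD computer objects (added example; not the original post's script).
# Assumed: domain garzafx.com and OU "OU=Disabled Computers,DC=garzafx,DC=com" as on the page.
# Parameter names, the -DryRun switch and the log file names are this example's own choices.
[CmdletBinding()]
param(
    [string]$TargetOU = 'OU=Disabled Computers,DC=garzafx,DC=com',
    [int]$DisableAfterDays = 60,
    [int]$DeleteAfterDays = 75,
    [string]$LogDir = 'C:\scripts',
    [switch]$DryRun
)

Import-Module ActiveDirectory -ErrorAction Stop

$now        = Get-Date
$disableCut = $now.AddDays(-$DisableAfterDays)
$deleteCut  = $now.AddDays(-$DeleteAfterDays)
$stamp      = $now.ToString('yyyyMMdd-HHmm')

# Fail fast if the quarantine OU is missing; otherwise every Move-ADObject would error individually.
Get-ADOrganizationalUnit -Identity $TargetOU -ErrorAction Stop | Out-Null

# Stage 1: enabled computers outside the quarantine OU that have not logged on since $disableCut.
# Objects with no lastLogonDate are skipped on purpose: $null -lt <date> is $true in PowerShell,
# so never-logged-on (new or pre-staged) accounts would otherwise be disabled as well.
$stale = Get-ADComputer -Filter 'Enabled -eq $true' -Properties lastLogonDate |
    Where-Object {
        $_.lastLogonDate -and
        $_.lastLogonDate -lt $disableCut -and
        $_.DistinguishedName -notlike "*,$TargetOU"
    }

$stale | Select-Object Name, DistinguishedName, lastLogonDate |
    Export-Csv (Join-Path $LogDir "disabled-$stamp.csv") -NoTypeInformation

foreach ($c in $stale) {
    if ($DryRun) { Write-Output "Would disable and move: $($c.DistinguishedName)"; continue }
    # Disable first, then move: after the move the object's DN changes.
    Disable-ADAccount -Identity $c
    Move-ADObject -Identity $c -TargetPath $TargetOU -Confirm:$false
}

# Stage 2: disabled computers already in the quarantine OU whose last logon is older than $deleteCut.
$expired = Get-ADComputer -Filter 'Enabled -eq $false' -SearchBase $TargetOU -Properties lastLogonDate |
    Where-Object { $_.lastLogonDate -and $_.lastLogonDate -lt $deleteCut }

# Record what is about to be deleted before deleting it; Remove-ADObject emits nothing to the pipeline.
$expired | Select-Object Name, DistinguishedName, lastLogonDate |
    Export-Csv (Join-Path $LogDir "deleted-$stamp.csv") -NoTypeInformation

foreach ($c in $expired) {
    if ($DryRun) { Write-Output "Would delete: $($c.DistinguishedName)"; continue }
    # -Recursive also removes child objects (e.g. service connection points) under the computer object.
    Remove-ADObject -Identity $c -Recursive -Confirm:$false
}

Write-Output ("Stale (disabled/moved): {0}; expired (deleted): {1}; dry run: {2}" -f @($stale).Count, @($expired).Count, $DryRun.IsPresent)
```

Run it once by hand as `powershell.exe -File C:\scripts\movecomputers.ps1 -DryRun` under the service account and review the two CSV files before enabling the scheduled task; the scheduled task itself then runs the same script without -DryRun, exactly as in steps 12 and 13.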
Read More:
Windows PowerShell issue with Move-ADObject access denied, KB article 2806748 (Microsoft)
Active Directory Management Gateway Service, Active Directory Web Service for Windows Server 2003 (Microsoft)
Resolving computer object replication conflicts (ourwinblog.blogspot.com)