Wednesday, December 17, 2014

AD Cleanup - Move and Disable Computer Accounts Based on LastLogonTimeStamp Value

Cleaning up AD and getting rid of computer accounts that have not logged into the domain in over a year. Pretty direct and worked fine. I created a CSV file with all the computer accounts that were over a year old on the LastLogonTimeStamp attribute, moved them to a custom OU, and then disabled the accounts. Scripts below:

Locate old computer accounts based on the date of the LastLogonTimeStamp attribute:

# Uncomment on PowerShell 2.0, where the module is not loaded automatically
# Import-Module ActiveDirectory
$DaysInactive = 365
$time = (Get-Date).AddDays(-($DaysInactive))

# Get all AD computers with lastLogonTimestamp less than our time,
# then output hostname and lastLogonTimestamp (converted to a readable date) into CSV
Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp |
  Select-Object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} |
  Export-Csv -Path "C:\Scripts\AD Computers\Old_Computers.csv" -NoTypeInformation

Pretty easy.

Then import the CSV file into another script to move the old computer accounts to a custom OU.  I like to keep my scripts independent.

Move Computer Accounts based on Name of Account and Disable:
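# List to deploy: the CSV exported by the script above (adjust the path to match)
$deploylist = "C:\Scripts\Sarepta\AD Computer\Old_Computers.csv"

# -UseCulture expects the current culture's list separator; Export-Csv above wrote commas
Import-Csv $deploylist -UseCulture | ForEach-Object {
    # Echo the name of the account being processed
    $_."Name"
    # Move the account to the custom OU, then disable it
    Get-ADComputer $_."Name" | Move-ADObject -TargetPath 'ou=Old Computers,dc=avibio,dc=com'
    Get-ADComputer $_."Name" | Disable-ADAccount -Confirm:$false
}

Write-Output "Loop Complete"
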
For those with hundreds if not thousands of old Computer Accounts, these are very powerful tools.

-Boston TechGuy
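
Because the CSV is built in one script and acted on in another, an account can log on again in between. The following is an added example, not the original author's script: it re-checks each account at action time, writes a rollback log before changing anything, and supports -WhatIf. The parameter names, the rollback file name and the domain controller guard are assumptions made for this example.

```powershell
# Added example (not the original author's script).
# Assumptions: ActiveDirectory module is installed; -CsvPath has a "Name" column as
# produced by the locate script; -TargetOU and -RollbackLog are values you supply.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$CsvPath,
    [Parameter(Mandatory = $true)][string]$TargetOU,
    [string]$RollbackLog = ".\Disabled_Computers_Rollback.csv",
    [int]$DaysInactive = 365
)
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$DaysInactive)

Import-Csv -Path $CsvPath | ForEach-Object {
    $name = $_.Name
    if ([string]::IsNullOrWhiteSpace($name)) { return }
    try {
        $c = Get-ADComputer -Identity $name -Properties lastLogonTimestamp, primaryGroupID -ErrorAction Stop
    } catch {
        Write-Warning "Skipping ${name}: lookup failed ($($_.Exception.Message))"
        return
    }
    # Re-check staleness now: the machine may have logged on since the CSV was built.
    $last = if ($c.lastLogonTimestamp) { [DateTime]::FromFileTime($c.lastLogonTimestamp) } else { $null }
    if ($last -and $last -ge $cutoff) { Write-Warning "Skipping ${name}: logged on $last"; return }
    # primaryGroupID 516 = Domain Controllers, 521 = Read-only Domain Controllers.
    if ($c.primaryGroupID -in 516, 521) { Write-Warning "Skipping ${name}: domain controller"; return }

    if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Move to $TargetOU and disable")) {
        # Record the original location and state first so the change can be reversed.
        [pscustomobject]@{
            Name = $c.Name; ObjectGUID = $c.ObjectGUID; OriginalDN = $c.DistinguishedName
            WasEnabled = $c.Enabled; LastLogon = $last; ActionTime = Get-Date
        } | Export-Csv -Path $RollbackLog -Append -NoTypeInformation
        # ObjectGUID stays valid after the move, unlike the distinguished name.
        Move-ADObject -Identity $c.ObjectGUID -TargetPath $TargetOU -Confirm:$false
        Disable-ADAccount -Identity $c.ObjectGUID -Confirm:$false
    }
}
```

Run it with -WhatIf first to list what would be moved and disabled without touching the directory.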

Monday, October 6, 2014

GPO Updates Remotely with PowerShell

Here is a quick script that will allow you to remotely force a GPO Update on a machine.  This will work on Windows 2008 Servers.

Side note: Windows 2012 and Windows 8 can leverage the PowerShell cmdlet Invoke-GPUpdate.


<#  Quick PowerShell script to force a GPO update on remote systems.
    Script can be used on Windows 7 and Windows 2008 systems.
#>

# Create a CSV file of the remote systems that you need to change remotely
$Deploylist = "Location of your .CSV file"

# Using Invoke-Command, you can call the GPUPDATE /FORCE command directly on the remote system.
Import-Csv $Deploylist -UseCulture | ForEach-Object {
    Invoke-Command -ComputerName $_."Remote_System_Name" -ScriptBlock {
        gpupdate /force
    }
}

The CSV file should look something like this:
Remote_System_Name
System01
System02
System03

-BostonTechGuy