Hello All,<\/p>\n
Good Active Directory hygiene is important for many reasons. One easy way to keep your directory clean is by periodically removing stale computer accounts.\u00a0Many times when a Windows machine is disjoined from a domain, rebuilt with a different name etc…, removing the computer account is often overlooked or Administrators are not notified that a machine is no longer being\u00a0used. A Windows\u00a0machine will reset its computer account password every 30 days by default. A good indicator that a Windows computer is stale is when that account has not reset its password for a good length of time such as 90 or 120 days. The following script will look for all computer accounts where the password has not been set for over 90 days. You will need to have the “Active Directory Module for PowerShell” installed on the computer you are running it from as it uses the “Get-ADComputer” cmdlet.<\/p>\n
The Script<\/strong><\/span><\/p>\n Import-Module ActiveDirectory The Output<\/strong><\/span><\/p>\n The output will contain the following properties for each computer account:<\/p>\n DistinguishedName Of course you will have to modify this script to reflect your Domain and OU structure. All you need to do is point the searchbase to the OU where you would like the search to begin and it will also search all OUs underneath it. You can also increase the number of days for a computer to be considered stale.The other important thing is to always check your list after its run before removing any accounts. There may be a good reason a machine has not reset its password for a long period of time such as the account is not for a Windows machine or it is a remote user that has not been in the office for a while.<\/p>\n I decided to take this a bit further. Using some additional code, I put together something that will email a list of all computer accounts where the password has not been set for over 90 days in HTML format. This script will do the following:<\/p>\n The Script<\/strong><\/span>\u00a0<\/span><\/p>\n StaleMachineEmail.txt<\/a><\/p>\n Since some of the lines in this script above\u00a0were too long to output properly on this page I have also inserted the StaleMachineEmail link\u00a0above containing the\u00a0 code so it is easier to copy and view. Also, if you have any\u00a0feedback\u00a0on this script, ideas\u00a0to make it\u00a0more efficient or robust please leave a comment!<\/p>\n Related Links:<\/p>\n Using PowerShell and a Text File to Delete Multiple Active Directory Groups<\/strong><\/a><\/p>\n Using PowerShell to export Active Directory Group Members to a CVS File<\/a><\/strong><\/p>\n Using PowerShell and Active Directory to Create a Server or Workstation Inventory<\/a><\/strong><\/p>\n Using PowerShell to find Stale Computers in Active Directory<\/a><\/strong><\/p>\n Moving Stale Computers in Active Directory to an OU using PowerShell<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":" Hello All, Good Active Directory hygiene is important for many reasons. One easy way to keep your directory clean is by periodically removing stale computer accounts.\u00a0Many times when a Windows machine is disjoined from a domain, rebuilt with a different … Continue reading
\n$date = [DateTime]::Today.AddDays(-90)
\nGet-ADComputer -Filter\u00a0 ‘PasswordLastSet -le $date’ -SearchBase “OU=WhereIStoreComputers,DC=pipe2,DC=Text,DC=com” -properties PasswordLastSet<\/p>\n
\nDNSHostName
\nEnabled
\nName
\nObjectClass
\nObjectGUID
\nPasswordLastSet
\nSamAccountName
\nSID<\/p>\n\n