Use PowerShell to Disable Computer and User Accounts in Active Directory Inactive for over XXX Days

As a consultant I routinely find that a client's IT staff has done a poor job of managing old objects in Active Directory, so the cleanup usually falls to me. Stale accounts matter for security: nobody is watching them, their passwords are old, and a forgotten computer account is still a valid domain identity that can authenticate. Here are some simple PowerShell commands I use to disable these objects. Once they have been disabled and the change has soaked for a while, the disabled accounts are easy to find and delete.

Open PowerShell as an Administrator.

 

Import the ActiveDirectory module (installed with RSAT) so the Get-AD* and Set-AD* cmdlets are available.
Import-Module ActiveDirectory

Set the number of days of inactivity you want to check for; in my examples I will use 120 days.
$datecutoff = (Get-Date).AddDays(-120)

LastLogonDate is computed from the replicated lastLogonTimestamp attribute, which a domain controller only refreshes when the stored value is roughly 14 days old (9 to 14 days with the default sync interval). A cutoff shorter than that will catch accounts that logged on recently, so keep it well above 14 days; 120 is safe.

 

To simply list the objects that have not logged on in the last 120 days (or the number of days defined above). Note that the -lt comparison only matches objects that have a LastLogonDate at all: accounts and computers that have never logged on are not returned, and objects that are already disabled are.

Computers:

Get-ADComputer -Filter {LastLogonDate -lt $datecutoff} -Properties LastLogonDate | Sort-Object LastLogonDate | Format-Table Name, LastLogonDate -AutoSize

Users:

Get-ADUser -Filter {LastLogonDate -lt $datecutoff} -Properties LastLogonDate | Sort-Object LastLogonDate | Format-Table Name, LastLogonDate -AutoSize

 

To test the process without executing the actual disable, using the above criteria, add -WhatIf; PowerShell prints what it would change and modifies nothing.

Computers:

Get-ADComputer -Filter {LastLogonDate -lt $datecutoff} -Properties LastLogonDate | Set-ADComputer -Enabled $false -WhatIf

Users:

Get-ADUser -Filter {LastLogonDate -lt $datecutoff} -Properties LastLogonDate | Set-ADUser -Enabled $false -WhatIf

 

Perform the actual disable using the above criteria. Review the -WhatIf list first: the filter has no exclusions, so a service account or appliance that rarely performs an interactive logon will be disabled along with the genuinely abandoned objects. (Disable-ADAccount does the same job as Set-AD* -Enabled $false for either object type.)

Computers:

Get-ADComputer -Filter {LastLogonDate -lt $datecutoff} -Properties LastLogonDate | Set-ADComputer -Enabled $false

Users:

Get-ADUser -Filter {LastLogonDate -lt $datecutoff} -Properties LastLogonDate | Set-ADUser -Enabled $false
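The one-liners above work, but when I run this for a client I want the never-logged-on objects included, domain controllers and a few OUs left alone, and a CSV trail of what was disabled so the later delete pass can be reviewed. The following script is an added example that wraps the same Get-AD*/LastLogonDate approach into one function; it is not from the original post. It assumes the RSAT ActiveDirectory module is installed, that it runs as an account allowed to disable objects, and the -ExcludeOU parameter (a hypothetical list of OU distinguished names to skip) is there for illustration.

```powershell
Import-Module ActiveDirectory

function Invoke-StaleAccountSweep {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Days = 120,
        # Hypothetical: distinguished names of OUs to leave alone (service accounts etc.)
        [string[]]$ExcludeOU = @(),
        [string]$ReportPath = ".\stale-accounts-$(Get-Date -Format yyyyMMdd).csv"
    )

    # LastLogonDate is derived from the replicated lastLogonTimestamp attribute,
    # which is only refreshed when it is about 14 days old, so a shorter cutoff
    # would disable accounts that logged on recently.
    if ($Days -lt 14) { throw 'Use a cutoff of at least 14 days; LastLogonDate is only accurate to ~14 days.' }
    $cutoff = (Get-Date).AddDays(-$Days)

    # Never touch domain controllers, whatever their timestamp says.
    $skipOUs = @((Get-ADDomain).DomainControllersContainer) + $ExcludeOU
    $props   = 'LastLogonDate', 'whenCreated', 'Description'

    # 1) Enabled objects whose last replicated logon is older than the cutoff.
    $stale = @(
        Get-ADUser     -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } -Properties $props
        Get-ADComputer -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } -Properties $props
    )
    # 2) Objects that have never logged on. '-lt $cutoff' silently drops these
    #    because the attribute is unset, so query them explicitly and only flag
    #    the ones that were created before the cutoff.
    $never = @(
        Get-ADUser     -Filter { Enabled -eq $true -and lastLogonTimestamp -notlike '*' -and whenCreated -lt $cutoff } -Properties $props
        Get-ADComputer -Filter { Enabled -eq $true -and lastLogonTimestamp -notlike '*' -and whenCreated -lt $cutoff } -Properties $props
    )

    $report = foreach ($obj in ($stale + $never)) {
        $dn       = $obj.DistinguishedName
        $excluded = [bool]($skipOUs | Where-Object { $dn -like "*,$_" })
        $action   = 'Skipped (excluded OU)'
        if (-not $excluded) {
            $action = 'Not disabled (WhatIf or declined)'
            if ($PSCmdlet.ShouldProcess($dn, "Disable (last logon: $($obj.LastLogonDate))")) {
                Disable-ADAccount -Identity $dn
                # Stamp the description so the later delete pass knows why the
                # object was disabled and what the old description said.
                Set-ADObject -Identity $dn -Description ('Disabled {0} by stale sweep; last logon {1}; was: {2}' -f (Get-Date -Format yyyy-MM-dd), $obj.LastLogonDate, $obj.Description)
                $action = 'Disabled'
            }
        }
        [pscustomobject]@{
            Name          = $obj.Name
            Class         = $obj.ObjectClass
            LastLogonDate = $obj.LastLogonDate
            Created       = $obj.whenCreated
            DN            = $dn
            Action        = $action
        }
    }

    # Audit trail: keep this with the change record so the delete pass can be reviewed.
    if ($report) {
        $report | Sort-Object LastLogonDate | Export-Csv -Path $ReportPath -NoTypeInformation
    }
    $report
}

# Dry run first; drop -WhatIf once the report looks right.
Invoke-StaleAccountSweep -Days 120 -WhatIf
# Invoke-StaleAccountSweep -Days 120 -ExcludeOU 'OU=Service Accounts,DC=example,DC=com'
```

Because the function declares SupportsShouldProcess, -WhatIf and -Confirm are inherited from the caller, so the same command is used for the rehearsal and the real run. The description stamp is what makes the follow-up delete safe: a few weeks later you can select the disabled objects whose description starts with "Disabled ... by stale sweep" and be sure they were yours rather than something an application owner disabled on purpose.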


I hope anyone who finds this article finds these commands as useful as they have been for me.

Disconnected Network Drive with Red X on Server 2012 R2 RDS using DFS Namespace

Came across an issue where drive mappings from the DFS Namespace showed up correctly only for the first user to log on to a session host. For each additional user, the mappings appeared as "Disconnected Network Drive" with a red X. In the event log the failure was recorded as: Group Policy object did not apply because it failed with error code '0x80070055 The local device name is already in use.' (0x55 is Win32 error 85, ERROR_ALREADY_ASSIGNED: the drive letter was already taken when the preference item tried to map it.)

OS: Server 2012 R2, fully patched as of 6/30/2015
RDS with Citrix XenApp 7.6
UAC disabled, not by GPO but by dragging the slider to the lowest level
DFS Namespace paths used for all drive mappings
Drives mapped through Group Policy Preferences

Symptom:
Of the 6 drives mapped through the namespace, 2 show as connected only for the first user to log on; every user after that gets "Disconnected Network Drive" with a red X for those two. Double-clicking the drive opens it and gives full access, but it continues to be shown as disconnected.

Attempts to resolve:
Moved the mappings from GPO to a logon script...no change
Tried different settings on the drive-mapping items in GPO...no change
Many other suggested fixes, not worth listing...no change

Our Solution:
Created a computer-based GPO and, under Preferences - Registry, added a Delete action for the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLinkedConnections

This solved the issue!

For anyone wondering what that value does: EnableLinkedConnections makes network drives mapped under one of the two tokens UAC gives an administrator's logon (the filtered standard-user token and the elevated token) visible under the other. It is a deliberate weakening of the UAC separation, since anything running in the unelevated token can then reach drives mapped by the elevated one, so removing it is the more secure configuration as well as the fix for this symptom.
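If you would rather verify and remove the value on a session host by hand before rolling out the GPO, the following is an added example (not from the original post) of how I would check it. It assumes it is run elevated on the affected host; the drive-status check uses Get-SmbMapping, which only reports the mappings of the session it runs in, so run that part as one of the affected users.

```powershell
# Registry location of the policy value the GPO above deletes
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'EnableLinkedConnections'

function Get-LinkedConnectionsSetting {
    # Returns $null when the value is absent (the secure default), otherwise its DWORD data
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Remove-LinkedConnectionsSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $current = Get-LinkedConnectionsSetting
    if ($null -eq $current) {
        Write-Host "$valueName is not set on this host; nothing to do."
        return
    }
    if ($PSCmdlet.ShouldProcess("$policyKey\$valueName (currently $current)", 'Remove registry value')) {
        Remove-ItemProperty -Path $policyKey -Name $valueName
        Write-Host "Removed $valueName (was $current). Users must log off and on again for their mappings to be rebuilt."
    }
}

function Get-DisconnectedMapping {
    # Lists mapped drives in the current session that Windows does not report as OK
    # (the 'Disconnected Network Drive' entries from the symptom above).
    Get-SmbMapping | Where-Object Status -ne 'OK' |
        Select-Object LocalPath, RemotePath, Status
}

Get-LinkedConnectionsSetting          # $null means the value is already absent
Remove-LinkedConnectionsSetting -WhatIf   # drop -WhatIf to actually delete it
Get-DisconnectedMapping
```

Note that if the GPO from the solution is in place it will keep deleting the value on every policy refresh, so a manual removal is only a test; anything that re-creates the value (an installer, an old login script) will be undone at the next refresh, which is the behaviour you want on a shared RDS host.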