As a consultant for clients, one common problem I come across is IT doing a poor job of managing old objects in Active Directory, so generally I have to do that cleanup. Here are some simple PowerShell commands that I find helpful for disabling these objects for security reasons. Once you have disabled them and let the change soak for a bit, you can easily find the disabled accounts and delete them.
Open PowerShell as an Administrator.
Import the ActiveDirectory module for PowerShell:
Import-Module ActiveDirectory
Set the number of days you want to check for inactivity; in my examples I will use 120 days.
$datecutoff = (Get-Date).AddDays(-120)
To simply list those that have not been logged into in the last 120 days (or the number of days defined above):
Computers:
Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Sort-Object LastLogonDate | Format-Table Name, LastLogonDate -AutoSize
Users:
Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Sort-Object LastLogonDate | Format-Table Name, LastLogonDate -AutoSize
To test the process without executing the actual disable, using the above criteria:
Computers:
Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADComputer -Enabled $false -WhatIf
Users:
Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADUser -Enabled $false -WhatIf
To perform the process and execute the actual disable, using the above criteria:
Computers:
Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADComputer -Enabled $false
Users:
Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADUser -Enabled $false
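The steps above as one script, added here as an example and not code from the original post. It folds the list, test (-WhatIf) and disable steps for both users and computers into a single run, and adds two things the one-liners leave out: it treats objects that have never logged on (no LastLogonDate at all, which the "-lt $datecutoff" filter silently skips) as stale once they are older than the cutoff themselves, and it writes a CSV log plus a Description stamp so the disabled objects are easy to find again when it is time to delete them. Keep in mind that LastLogonDate is the converted lastLogonTimestamp attribute, which replicates with a lag of up to 14 days, so the cutoff is approximate. The parameter names, the log path and the allow-list for accounts that legitimately never log on (service accounts, for instance) are my assumptions, not anything from the post.

```powershell
<#
  Added example, not from the original post. Performs the post's steps
  (import module, set cutoff, list, test with -WhatIf, disable) for users
  and computers in one run.
  Assumptions not on the original page: the inactivity window, log path and
  allow-list are parameters; a Description stamp marks disabled objects.
  Dry run:  .\Disable-StaleAdObjects.ps1 -InactiveDays 120 -WhatIf
  Real run: .\Disable-StaleAdObjects.ps1 -InactiveDays 120
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 120,                                           # the post uses 120 days
    [string]$LogPath = (Join-Path $PSScriptRoot 'stale-objects.csv'),   # assumed log location
    [string[]]$ExcludeSamAccountName = @()                              # assumed allow-list
)

Import-Module ActiveDirectory

$dateCutoff = (Get-Date).AddDays(-$InactiveDays)

# Staleness test used for both object types. LastLogonDate comes from
# lastLogonTimestamp (replication lag up to 14 days, so this is approximate).
# An object with no LastLogonDate has never logged on; it counts as stale only
# if its whenCreated date is also older than the cutoff, so fresh accounts that
# have not been used yet are left alone.
$isStale = {
    if ($ExcludeSamAccountName -contains $_.SamAccountName) { return $false }
    if ($_.LastLogonDate) { return $_.LastLogonDate -lt $dateCutoff }
    return $_.whenCreated -lt $dateCutoff
}

# Only enabled objects are candidates; already-disabled ones are the later
# "find and delete" step's job.
$props = 'LastLogonDate', 'whenCreated', 'Enabled'
$stale = @(
    Get-ADUser     -Filter { Enabled -eq $true } -Properties $props | Where-Object -FilterScript $isStale
    Get-ADComputer -Filter { Enabled -eq $true } -Properties $props | Where-Object -FilterScript $isStale
)

# Step 1 of the post: list what would be touched.
Write-Host ("{0} stale object(s) with no logon since {1:yyyy-MM-dd}" -f $stale.Count, $dateCutoff)
$stale | Sort-Object LastLogonDate |
    Format-Table ObjectClass, Name, LastLogonDate, whenCreated -AutoSize | Out-Host

# Record the candidates so the deletion pass later can start from this file.
# (Export-Csv honours -WhatIf, so a dry run does not write the log.)
$stale | Select-Object ObjectClass, Name, SamAccountName, DistinguishedName, LastLogonDate, whenCreated,
    @{ Name = 'ReportedOn'; Expression = { Get-Date } } |
    Export-Csv -Path $LogPath -NoTypeInformation -Append

# Steps 2 and 3 of the post: -WhatIf on the script makes ShouldProcess report
# instead of act; without it the objects are disabled and stamped.
$stamp = "Disabled {0:yyyy-MM-dd} by stale-object cleanup (no logon in $InactiveDays days)" -f (Get-Date)
foreach ($obj in $stale) {
    if (-not $PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Disable stale object')) { continue }
    if ($obj.ObjectClass -eq 'computer') {
        Set-ADComputer -Identity $obj -Enabled $false -Description $stamp
    } else {
        Set-ADUser -Identity $obj -Enabled $false -Description $stamp
    }
}

Write-Host "Candidate list written to $LogPath"
```

Run it first with -WhatIf and read the table and the "What if:" lines; once the list looks right, run it again without -WhatIf. When the soak period is over, the CSV and the Description stamp give you the exact set of objects this run disabled, which is a safer starting point for deletion than a second search by date.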
Hope anyone who finds this article finds it as useful as the commands have been for me.