Get AD computer account.ps1
The script below finds computer accounts that have not logged on for more than 90 days and moves them to an OU; it can also be combined with the commands further down to disable or delete them:
# Gets time stamps for all computers in the domain that have NOT logged in since the specified date. Mod by Tilo 2013-08-27
Import-Module ActiveDirectory
$domain = "domain.mydom.com"   # not used by the query below; kept from the original script
$DaysInactive = 90
$time = (Get-Date).AddDays(-($DaysInactive))
# Get all AD computers with lastLogonTimestamp less than our time
Get-ADComputer -SearchBase "ou=computer_OU,dc=devin,dc=com" -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp | Move-ADObject -TargetPath "OU=test,DC=Devin,DC=com"
The following commands are used frequently and can be run separately; they cover deleting, disabling and moving the accounts after the query.
Another way to resolve the issue:
-----------------------------------------------
# This PowerShell command will query Active Directory and return the computer accounts which have not logged on for the past 60 days. You can easily change the number of days from 60 to any number of your choosing. lastLogonDate is a human-readable conversion of the lastLogonTimeStamp (as far as I am able to discern). More details about the timestamp can
# be found at TechNet - http://bit.ly/YpGWXJ --MWT, 03/12/13
$then = (Get-Date).AddDays(-60)
# The 60 is the number of days from today since the last logon.
Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | FT Name,lastLogonDate
# If you would like to disable these computer accounts, uncomment the following line:
# Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Set-ADComputer -Enabled $false
# If you would like to remove these computer accounts, uncomment the following line:
# Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Remove-ADComputer
# If you would like to move these computer accounts to an OU, uncomment the following line:
# Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Move-ADObject -TargetPath "OU=test,DC=Devin,DC=com"
## PS. A search scope can be added to the query; the command is:
Get-ADComputer -SearchBase "ou=computer_OU,dc=devin,dc=com" -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Move-ADObject -TargetPath "OU=test,DC=Devin,DC=com"
Query disabled computer account:
Way 1:
# Only disabled computer accounts
Get-QADComputer -LdapFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)'
# Only enabled computer accounts
Get-QADComputer -LdapFilter '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
Way 2:
dsquery computer -disabled -limit 0
dsquery computer -disabled -limit 0 | dsrm -noprompt
Another, slightly more complex approach uses the Get-QAD cmdlets:
Query the computer and move to one OU:
# set the date to be used as a limit - in this example: 120 days earlier than the current date ->
$old = (Get-Date).AddDays(-120)
# get the list of computers with the date earlier than this date ->
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old }
# get a csv report ->
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Select-Object Name, ParentContainer, Description, pwdLastSet | Export-Csv c:\temp\outdated.csv
# move such computers to another OU ->
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Move-QADObject -to my.corp/obsolete
# remove the computer records from AD (since this actually deletes the records, it would be preferable to run the command with the -WhatIf switch before running without it) ->
# Remove-QADObject has no -to parameter; drop -WhatIf once the listed objects are the ones you expect
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Remove-QADObject -WhatIf
Comment #1 -> use -SizeLimit 0 to remove the default 1000-object retrieval limit
Comment #2 -> select the columns needed in the report with the Select-Object cmdlet.
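The ActiveDirectory-module commands above and the Get-QAD sequence (report, move, remove) are combined here into one staged cleanup script. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, and the OU paths, threshold and report path are placeholders to adjust. Deletion is deliberately left for a later pass, once the quarantined accounts have sat disabled long enough for anyone to notice a mistake.

```powershell
# Added example: find stale computer accounts, report them, then disable and
# quarantine them. Run with -WhatIf first to see the changes without making them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase   = 'OU=computer_OU,DC=devin,DC=com',   # placeholder
    [string]$QuarantineOU = 'OU=test,DC=Devin,DC=com',          # placeholder
    [int]$DaysInactive    = 90,
    [string]$ReportPath   = "$env:TEMP\stale-computers.csv"
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$DaysInactive)

# lastLogonTimestamp is only replicated when it is more than ~14 days out of
# date, so it is a coarse indicator; the machine password age (pwdLastSet,
# exposed as PasswordLastSet) is used as a second, independent check.
# Only enabled accounts are returned, so already-quarantined ones are skipped.
$stale = Get-ADComputer -SearchBase $SearchBase -Filter { Enabled -eq $true } `
    -Properties LastLogonTimeStamp, PasswordLastSet, OperatingSystem, Description |
    ForEach-Object {
        # Convert the Int64 FILETIME into a DateTime; 0/absent means never logged on.
        $lastLogon = if ($_.LastLogonTimeStamp) {
            [DateTime]::FromFileTime($_.LastLogonTimeStamp)
        } else { [DateTime]::MinValue }
        $_ | Add-Member -NotePropertyName LastLogon -NotePropertyValue $lastLogon -PassThru
    } |
    Where-Object {
        $_.LastLogon -lt $cutoff -and
        ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff)
    }

# 1. Report first, so there is a record of exactly what was acted on.
$stale | Select-Object Name, DistinguishedName, OperatingSystem, LastLogon, PasswordLastSet |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($stale).Count) stale computer(s) written to $ReportPath"

# 2. Disable, stamp the reason into Description, and move to the quarantine OU.
foreach ($c in $stale) {
    if ($PSCmdlet.ShouldProcess($c.Name, "Disable and move to $QuarantineOU")) {
        $stamp = "Disabled $(Get-Date -Format yyyy-MM-dd): no logon since $($c.LastLogon.ToShortDateString())"
        Set-ADComputer -Identity $c -Enabled $false -Description $stamp
        Move-ADObject -Identity $c -TargetPath $QuarantineOU
    }
}
```

The Description stamp gives the helpdesk the reason and date when a user later reports a machine that can no longer log on, and a `Remove-ADComputer` pass over the quarantine OU can then be scheduled separately after a grace period.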
p.s. for the QADComputer commands, please refer to the following article:
http://www.powershelladmin.com/wiki/Quest_activeroles
Download the 64-bit or 32-bit version according to your system and install it; then open a PowerShell window and run Add-PSSnapin Quest.ActiveRoles.ADManagement to load the snap-in that provides the QADComputer cmdlets.
This is for reference only; if you have any questions, send me an e-mail or leave a comment.
Thanks