Deleting inactive computer accounts in Active Directory with PowerShell scripts


After some years of AD life in your company you will probably have a lot of computer accounts in AD that are not used anymore. How do we clean AD of this kind of object? Let's start with how to identify them. A computer account has two attributes that can help: LastLogon and LastLogonTimeStamp. Only one of them gives us the right status of the computer account. LastLogon represents the time of the last logon on the one domain controller we are connected to while checking this attribute. LastLogonTimeStamp gives us the last logon of the computer account across the whole domain. We will use this value to determine old computer accounts.


The LastLogonTimeStamp value represents the number of 100-nanosecond intervals that have elapsed since 0:00 on January 1, 1601 up to the date/time being stored. If you want to convert this value to a normal readable format you can use this Windows command:

w32tm.exe /ntte 128271382742968750
148462 05:57:54.2968750 - 24.6.2007. 6:57:54

This command converts the LastLogonTimeStamp value to a number of days + hours, and then converts it to a date in local computer time (+1 CET).

Let's get all computer accounts from our AD that have a LastLogonTimeStamp older than a specified time (2 years) and export them to a CSV file with some attributes. Before doing anything you need to run "import-module ActiveDirectory" in the PowerShell window. We will use this PowerShell script:

# Cut-off date: anything that has not logged on in the last 2 years is considered old
$time = (Get-Date).AddYears(-2)

# Export the name and distinguished name of every matching computer account to a CSV file
Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties * | select name, distinguishedname | export-csv computers.txt

You will get a computers.txt CSV file with all computer accounts whose LastLogonTimeStamp is older than 2 years. If you just don't care, you can simply pipe this output to Remove-ADComputer and remove the computer accounts. The script will look like:

# Same cut-off date as before
$time = (Get-Date).AddYears(-2)

# Pipe every matching computer account straight into Remove-ADComputer
Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties name, lastlogondate | Remove-ADComputer

You will probably want to have some control, so let's make a script that deletes computer account objects from the values in an imported CSV. It is a little complicated, but with my knowledge of PowerShell it is the only way I know. First of all we will use the CSV file we got from the previous script.

# Load the list exported by the previous script
$adcomputer = import-csv C:\users\username\computers.txt

foreach ($comp in $adcomputer)
{
    $distinguishedname = $comp.distinguishedname

    # -Recursive also deletes any child objects of the computer account; -Confirm:$true prompts for each deletion
    Remove-ADObject -Identity "$distinguishedname" -Recursive -Confirm:$true
}

Why did I use Remove-ADObject instead of Remove-ADComputer? Because if you use Remove-ADComputer you will probably get this error: "The directory service can perform the requested operation only on a leaf object." It means that the computer account has some more objects hidden inside it. Not all of them do, but some do. You can see them only with the ADSI Edit tool. Remove-ADComputer works only on leaf objects, so it cannot remove a computer account that still has child objects; that's why we use Remove-ADObject with the -Recursive switch to delete all objects underneath it. I put confirm to true, but you can set it to false if you don't want to confirm every deletion yourself.
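The delete-from-CSV step with the checks I would want before removing anything, as an added example that is not the post's own script: it re-reads each account from the directory, converts LastLogonTimeStamp with [DateTime]::FromFileTime (the same conversion w32tm /ntte does above), counts the child objects that make Remove-ADComputer fail, and with -ReportOnly only shows what would be deleted. It assumes the ActiveDirectory module and the computers.txt columns produced above; the CsvPath, StaleYears and ReportOnly parameter names are my own.

```powershell
# Added example, not code from the original post: re-check every account listed in
# computers.txt against the live directory before removing it. Assumes the
# ActiveDirectory module is available and that the CSV has the "distinguishedname"
# column produced by the export-csv command above; parameter names are my own.
param(
    [string]$CsvPath   = "C:\users\username\computers.txt",
    [int]$StaleYears   = 2,
    [switch]$ReportOnly          # list what would be deleted without touching AD
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddYears(-$StaleYears)

foreach ($row in Import-Csv -Path $CsvPath) {
    $dn = $row.distinguishedname

    # Re-read the live object: the CSV may be days old and the machine may have logged on since.
    try {
        $computer = Get-ADComputer -Identity $dn -Properties LastLogonTimeStamp
    } catch {
        Write-Warning "$dn not found in AD, skipping"
        continue
    }

    # LastLogonTimeStamp is the FILETIME value (100 ns intervals since 1601-01-01) that
    # w32tm /ntte decodes above; FromFileTime converts it to local time the same way.
    $lastLogon = if ($computer.LastLogonTimeStamp) {
        [DateTime]::FromFileTime($computer.LastLogonTimeStamp)
    } else {
        [DateTime]::MinValue       # attribute never set: the account has never logged on
    }
    if ($lastLogon -ge $cutoff) {
        Write-Host "Skipping $($computer.Name): last logon $lastLogon is newer than $cutoff"
        continue
    }

    # Child objects (the ones only ADSI Edit shows) are what make Remove-ADComputer fail with
    # "can perform the requested operation only on a leaf object"; count them for the report.
    $children = @(Get-ADObject -SearchBase $dn -SearchScope OneLevel -Filter *)
    Write-Host ("{0}: last logon {1}, {2} child object(s)" -f $computer.Name, $lastLogon, $children.Count)

    if ($ReportOnly) {
        Remove-ADObject -Identity $dn -Recursive -WhatIf
    } else {
        Remove-ADObject -Identity $dn -Recursive -Confirm:$true
    }
}
```

Run it once with -ReportOnly to see the list of accounts and their child-object counts, then without it to delete with confirmation.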
