PowerShell: Clean up AD Computer Accounts

Update (2009-11-03): I have posted a newer version of this script. Please visit this link for information.

—————

I recently wrote a script to clean up workstation accounts in our Active Directory domain. It’s not perfect, but it was a good learning experience, as I found out there are some gritty details when working with Integer8 values. I plan on adding more features in the future, including logging results of the script to an Excel document, for easy readability. If you have any suggestions, please send them my way; I may or may not have time to implement them, but am always open to constructive feedback.

I would suggest stepping through the code using a tool like PowerGUI so you can understand exactly what is happening. I also take no responsibility for your use of this code (aka. use at your own risk). This script automatically disables and deletes computer accounts in Active Directory! It is not necessarily suitable for all Active Directory configurations, depending on how your GPOs are set up, and so on, so please ensure that you understand its purpose prior to executing it.

Note: This script leverages the Description attribute of your computer accounts in AD, so it can be overwritten!

The way the script works is basically this:

1. You define an OU where disabled computer accounts will be moved to ($DisabledDn)

2. Stage 1: Script attempts to evaluate when computer accounts in the “Disabled OU” were disabled (from the description attribute — see Stage 2)

3. If the parsed disable date is greater than 30 days, it will delete it, otherwise it will leave it alone

4. Stage 2: Script evaluates pwdlastset attribute of workstation accounts in the domain

5. If pwdlastset is greater than 60 days, it will: 1) disable the account, 2) write the current date to the description attribute, and 3) move it to the disabled OU

Note: The first time you execute the script, the Stage 1 area will pretty much do nothing, since no workstations have been populated into the Disabled OU yet. Once the script begins disabling accounts, they will then be evaluated in Stage 1 each time the script is run. It’s kind of  backwards way of thinking about it, so it may not make sense right off the bat, but don’t think about it too much.

Note 2: The Stage 1 and Stage 2 verbage I used above are not identified in the script anywhere. Stage 1 correlates to the DeleteDisabledAccounts function, and Stage 2 correlates to the DisableOldAccounts function.

—————

#
# Author: Trevor Sullivan
#
# Lessons learned:
#
# 1. When using a DirectorySearcher object, property names are lower case
# 2. Must explicitly cast 64-bit integers from AD
#

${DisabledDn} = ‘ou=Disabled,ou=Workstations,dc=mycompany,dc=com’

function DisableOldAccounts(${TargetDn}, ${DisableAge} = 60)
{
${Computers} = GetComputerList ${TargetDn}

foreach (${Computer} in ${Computers})
{
# PwdLastSet is a 64-bit integer that indicates the number of 100-nanosecond intervals since 12:00 AM January 1st, 1601
# The FromFileTime method converts a 64-bit integer to datetime
# http://www.rlmueller.net/Integer8Attributes.htm
$PwdLastSet = [DateTime]::FromFileTime([Int64]”$(${Computer}.Properties[‘pwdlastset’])”)
${CompAge} = ([DateTime]::Now – $PwdLastSet).Days
if (${CompAge} -gt ${DisableAge})
{
LogMessage “$($Computer.Properties[‘cn’]) age is ${CompAge}. Account will be disabled” 2
DisableAccount $Computer.Properties[‘distinguishedname’]
}
else
{
LogMessage “$($Computer.Properties[‘cn’]) age is ${CompAge}, $($Computer.Properties[‘pwdlastset’]), ${PwdLastSet}” 1
}
}
}

function GetComputerList($TargetDn)
{
${tFilter} = ‘(&(objectClass=computer)(|(operatingSystem=Windows 2000 Professional)(operatingSystem=Windows XP*)(operatingSystem=Windows 7*)(operatingSystem=Windows Vista*))’
${Searcher} = New-Object System.DirectoryServices.DirectorySearcher $tFilter
${Searcher}.SearchRoot = “LDAP://${TargetDn}”
${Searcher}.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
# Page size default in Active Directory is 1000
${Searcher}.PageSize = 1000
$Results = $Searcher.FindAll()
LogMessage “Found $($Results.Count) computer accounts to evaluate for disablement” 1
return $Results
}

# Set description on computer account, disable it, and move it to the Disabled OU
function DisableAccount($dn)
{
# LogMessage “DisableAccount method called with param: ${dn}” 1
# Get a reference to the object at <distinguishedName>
$comp = [adsi]”LDAP://${dn}”
# Disable the account
# LogMessage “userAccountControl ($($comp.Name)) is: $($comp.userAccountControl)”
$comp.userAccountControl = $comp.userAccountControl.Value -bxor 2
# Write the current date to the description field
$comp.Description = “$(([DateTime]::Now).ToShortDateString())”

# UNCOMMENT THESE LINES
[Void] $comp.SetInfo()
$comp.psbase.MoveTo(“LDAP://${DisabledDn}”)
}

# Parameter ($DeleteAge): Days from disable date to delete computer account
function DeleteDisabledAccounts($DeleteAge)
{
# Get reference to OU for disabled workstation accounts
${DisabledOu} = [adsi]”LDAP://${DisabledDn}”

${Searcher} = New-Object System.DirectoryServices.DirectorySearcher ‘(objectClass=computer)’
${Searcher}.SearchRoot = $DisabledOu
${Searcher}.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
# Page size is used to return result count > default size limit on domain controllers. See: http://geekswithblogs.net/mnf/archive/2005/12/20/63581.aspx
${Searcher}.PageSize = 1000
LogMessage “Finding computers to evaluate for deletion in container: ${DisabledDn}” 1
${Computers} = ${Searcher}.FindAll()

foreach (${Computer} in ${Computers})
{
${DisableDate} = [DateTime]::Parse(${Computer}.Properties[‘description’])
trap {
LogMessage “Couldn’t parse date for $($Computer.Properties[‘cn’])” 3
continue
}
${CurrentAge} = ([DateTime]::Now – ${DisableDate}).Days
if (${CurrentAge} -gt ${DeleteAge})
{
LogMessage “$(${Computer}.Properties[‘cn’]) age is ${CurrentAge} and will be deleted” 2
#   $DisabledOu.Delete(‘computer’, ‘CN=’ + ${Computer}.Properties[‘cn’])
}
else
{
LogMessage “$(${Computer}.Properties[‘cn’]) age is ${CurrentAge} and will not be deleted” 1
}
}
}

function LogMessage(${tMessage}, ${Severity})
{
switch(${Severity})
{
1 {
$LogPrefix = “INFO”
$fgcolor = [ConsoleColor]::Blue
$bgcolor = [ConsoleColor]::White
}
2 {
$LogPrefix = “WARNING”
$fgcolor = [ConsoleColor]::Black
$bgcolor = [ConsoleColor]::Yellow
}
3 {
$LogPrefix = “ERROR”
$fgcolor = [ConsoleColor]::Yellow
$bgcolor = [ConsoleColor]::Red
}
default {
$LogPrefix = “DEFAULT”
$fgcolor = [ConsoleColor]::Black
$bgcolor = [ConsoleColor]::White
}
}

Add-Content -Path “AD-Workstation-Cleanup.log” -Value “$((Get-Date).ToString()) ${LogPrefix}: ${tMessage}”
Write-Host -ForegroundColor $fgcolor -BackgroundColor $bgcolor -Object “$((Get-Date).ToString()) ${LogPrefix}: ${tMessage}”
}

function Main()
{
Clear-Host

LogMessage “Beginning workstation account cleanup script” 1

# Start by deleting accounts that are already disabled, if they are old enough
DeleteDisabledAccounts 30

# Disable accounts that are older than X days
DisableOldAccounts ([adsi]””).distinguishedName 60

LogMessage “Completed workstation account cleanup script” 1
}

Main