16 January 2014

Get rid of old computer accounts in Active Directory

If your Active Directory has been running for several years and you don’t clean up old computer accounts, then you might run into the Active Directory Users and Computers (dsa.msc) warning about a container holding more than 2000 objects.

If you really do have more than 2000 computers in your domain, then you don’t need to do anything :) But if you have only tens or hundreds of computers, you should clean up your AD, and preferably do it regularly.

Every active computer in the domain changes its (computer account) password every 30 days; very old Windows NT4 computers change it every 7 days. Every computer account in Active Directory records when the password was last changed (the passwordLastSet attribute). Let’s assume that some users go on vacation and don’t use their computer for a month or so. That means that when you discover a computer account with passwordLastSet older than 60 days, it’s (almost) safe to delete it.

To get the list of computer accounts whose password hasn’t changed in 60 days, use this PowerShell command:

Get-ADComputer -Filter * -Properties PasswordLastSet | Where-Object {$_.PasswordLastSet -lt (Get-Date).AddDays(-60)} | Select-Object Name,PasswordLastSet | ConvertTo-Csv -Delimiter "`t" -NoTypeInformation | clip

After that you can paste the data into Excel and review which computers will be deleted by the next command.

When the list is OK for deletion, use this command:

Get-ADComputer -Filter * -Properties PasswordLastSet | Where-Object {$_.PasswordLastSet -lt (Get-Date).AddDays(-60)} | Remove-ADObject -Recursive

You can also use the -Confirm switch to control whether you are prompted before each deletion. This is useful when running this command as a scheduled task.
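The one-liners above go straight from "password older than 60 days" to deletion. The script below is an added example, not code from the original post, that does the same job in two stages: stale accounts are first disabled and stamped with a marker in their Description, and only accounts that have stayed disabled for a grace period are deleted. A disabled account can simply be re-enabled if the machine turns up again (for example a laptop that sat in a drawer), whereas a deleted one must be rejoined and loses its SID and anything stored under it. The script assumes the ActiveDirectory module from RSAT; the thresholds, the marker text, the CSV path and the script name are all my own choices.

```powershell
# Added example (not from the original post): two-stage cleanup of stale computer accounts.
# Assumes the ActiveDirectory module (RSAT) and an account allowed to modify computer objects.
# Thresholds, marker text and report path are assumptions; adjust to your environment.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$StaleDays = 60,                                   # password age that counts as stale (60 days, as in the post)
    [int]$GraceDays = 30,                                   # how long an account stays disabled before it is deleted
    [string]$SearchBase = (Get-ADDomain).DistinguishedName, # OU/domain to search; narrow it to exclude special OUs
    [string]$ReportPath = "$env:TEMP\stale-computers.csv"   # review list to open in Excel before acting
)

$now       = Get-Date
$staleDate = $now.AddDays(-$StaleDays)
$tag       = 'STALE-CLEANUP'   # written to Description so stage 2 only deletes what stage 1 disabled

# ---- Stage 1: find and disable stale computers -------------------------------------
# A computer whose PasswordLastSet is empty (pre-staged, never joined) compares as older
# than any date and is therefore also caught, which is what we want.
# LastLogonDate (lastLogonTimestamp) replicates only about every two weeks, so it is a
# coarse check, but an account that logged on recently despite an old password deserves
# a human look rather than automatic disabling.
$stale = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties PasswordLastSet, LastLogonDate, Description, OperatingSystem |
         Where-Object {
             $_.PasswordLastSet -lt $staleDate -and
             (-not $_.LastLogonDate -or $_.LastLogonDate -lt $staleDate)
         }

# Always write the review list, even on a -WhatIf run, so the operator can inspect it.
$stale | Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate, DistinguishedName |
    Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
Write-Verbose ("{0} stale computer account(s) written to {1}" -f @($stale).Count, $ReportPath)

foreach ($c in $stale) {
    $why = "Disable stale computer account (password last set {0})" -f $c.PasswordLastSet
    if ($PSCmdlet.ShouldProcess($c.Name, $why)) {
        # Keep the old description after the marker so nothing is lost if the account is revived.
        $stamp = "{0} {1} | {2}" -f $tag, $now.ToString('yyyy-MM-dd'), $c.Description
        Set-ADComputer -Identity $c -Enabled $false -Description $stamp
    }
}

# ---- Stage 2: delete accounts this script disabled more than $GraceDays ago ----------
$deleteBefore = $now.AddDays(-$GraceDays)
$pattern      = "$tag *"
$candidates   = Get-ADComputer -Filter { Enabled -eq $false -and Description -like $pattern } `
                    -SearchBase $SearchBase -Properties Description

foreach ($c in $candidates) {
    # Only trust accounts that carry our own date stamp; other disabled accounts are left alone.
    if ($c.Description -notmatch "^$tag (\d{4}-\d{2}-\d{2})") { continue }
    $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
    if ($disabledOn -ge $deleteBefore) { continue }

    $why = "Delete computer account disabled since {0}" -f $disabledOn.ToString('yyyy-MM-dd')
    if ($PSCmdlet.ShouldProcess($c.Name, $why)) {
        # -Recursive also removes child objects stored under the computer, such as
        # BitLocker recovery information; export those first if you still need them.
        # -Confirm:$false suppresses the cmdlet's own prompt because ShouldProcess already asked.
        Remove-ADObject -Identity $c -Recursive -Confirm:$false
    }
}
```

Run it once as `.\Remove-StaleComputers.ps1 -WhatIf -Verbose` to get the CSV and a list of what would be disabled or deleted without changing anything; because the script declares SupportsShouldProcess, -WhatIf and -Confirm work the same way the post describes for the one-liners, and a scheduled task can call it without -Confirm so it runs unattended. Narrow -SearchBase if the domain contains computer objects that legitimately go quiet for long periods, such as cold-standby servers or cluster name objects.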
