In this article we’ll look at using Get-ADComputer and Set-ADComputer to list computer accounts which haven’t logged in for xx days, and then automatically disable them.
In part 1 we looked at how to use Get-ADComputer to list computers by name and sort them by their last logon date with the premise that we can use the information to remove historic computer accounts from the domain.
Now that we know the computer accounts we want to work with, we will look at modifying the PowerShell command to automatically disable them.
As a recap, the command that we ended up with from part 1 was:
Get-ADComputer -Filter * -Properties * | Sort LastLogonDate | FT Name, LastLogonDate -Autosize | Out-File C:\Temp\ComputerLastLogonDate.txt
A comment on part 1 of this series by Ryan pointed out that it would use fewer resources to use -Properties LastLogonDate rather than -Properties *, so to keep things as efficient as possible I’ll be using -Properties LastLogonDate from now on.
So the current command we have is:
Get-ADComputer -Filter * -Properties LastLogonDate | Sort LastLogonDate | FT Name, LastLogonDate -Autosize | Out-File C:\Temp\ComputerLastLogonDate.txt
As we want to list computers that haven’t logged on for xx days, we first need to find today’s date and set an offset for the number of days old we are looking for.
So let’s start with Get-Command *Date* to list all commands with Date in them.
OK, so let’s take a look at Get-Date.
Next let’s add an offset to today’s date and save it in a variable.
$datecutoff = (Get-Date).AddDays(-120)
So now that we can specify a date xx days ago, all we need to do is compare this to the last logon date to give us our list of computer accounts we are interested in working with. I’ve changed the order of -Properties and -Filter because it makes more sense to me logically:
$datecutoff = (Get-Date).AddDays(-365)
Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Sort LastLogonDate | FT Name, LastLogonDate -Autosize
Now that we have our list of computer accounts older than 365 days in this example, we need to look at disabling them. There are a couple of commands we can use to do this. Set-ADComputer is the obvious choice as we are already using Get-ADComputer; another option would be Disable-ADAccount.
So to disable a computer account the command is:
Set-ADComputer -Enabled $false
Now, combining the two commands together, I’ve added the -WhatIf switch so the command doesn’t actually make any changes, but describes what would happen if the command was run.
Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADComputer -Enabled $false -WhatIf
From the output above you can see that for each computer account listed the set command will be run against it, which is exactly what we want.
So the final commands to disable computer accounts over 365 days old (in our example) are:
$datecutoff = (Get-Date).AddDays(-365)
Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADComputer -Enabled $false
Remember, if you are using SBS 2011 you’ll need to run PowerShell as Administrator by right-clicking the PowerShell icon and selecting Run as Administrator.
Then, we’ll need to import the Active Directory Module with the command:
Import-Module activedirectory
Alternatively you could run the Active Directory Module for Windows PowerShell from the Start – Administrative Tools menu.
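A more cautious version of the final commands above, as an added example that is not part of the original post: it skips accounts that are already disabled, saves a report of what is about to change, and previews each change with -WhatIf. The report path, the Description text and the Domain Controllers guard are assumptions made for this example.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# is available and the session has rights to modify computer objects.
Import-Module ActiveDirectory

$daysInactive = 365
$datecutoff   = (Get-Date).AddDays(-$daysInactive)
# Assumed report location; any folder that only administrators can write to will do.
$report       = "C:\Temp\DisabledComputers-$(Get-Date -Format yyyyMMdd).csv"

# LastLogonDate is built from the replicated lastLogonTimestamp attribute, which can
# lag the real last logon by up to about 14 days, so keep the cutoff well above that.
# Accounts that have never logged on have no LastLogonDate and are not matched by -lt.
$stale = Get-ADComputer -Properties LastLogonDate, OperatingSystem, Description `
            -Filter {Enabled -eq $true -and LastLogonDate -lt $datecutoff} |
         # Guard: never touch anything in the default Domain Controllers OU.
         Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' }

# Record what is about to be disabled (including the old Description) so that
# every account can be identified and restored later.
$stale | Sort-Object LastLogonDate |
    Select-Object Name, DistinguishedName, OperatingSystem, LastLogonDate, Description |
    Export-Csv -Path $report -NoTypeInformation

foreach ($computer in $stale) {
    # Stamp the account so anyone looking at it in AD can see why it was disabled.
    $note = "Disabled $(Get-Date -Format yyyy-MM-dd): no logon since $($computer.LastLogonDate)"

    # -WhatIf only describes the change; remove it to actually disable the account.
    Set-ADComputer -Identity $computer -Enabled $false -Description $note -WhatIf
}

"{0} computer account(s) selected; report written to {1}" -f @($stale).Count, $report
```

Remove -WhatIf once the preview and the CSV look right. An account disabled by mistake can be restored with Set-ADComputer -Enabled $true, using the names and original descriptions saved in the report.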
Below are some links to Microsoft TechNet references.
Get-ADComputer can be found here: http://technet.microsoft.com/en-us/library/ee617192.aspx
Dates and time information can be found here: http://technet.microsoft.com/en-us/library/ff730960.aspx
Comparison Operators information can be found here: http://technet.microsoft.com/en-gb/library/hh847759.aspx
Set-ADComputer cmdlet can be found here: http://technet.microsoft.com/en-us/library/ee617263.aspx
Disable-ADAccount cmdlet can be found here: http://technet.microsoft.com/en-gb/library/ee617197.aspx
The post PowerShell: Get-ADComputer to retrieve computer last logon date (and disable them) – part 2 appeared first on Oxford SBS Guy.