Active Directory AD Inactive Computer Cleanup Script

One of the most wanted scripts in every organization.

You definitely need a way to identify inactive computers in your network (Active Directory), get a detailed report, and perhaps act on it manually or automatically.

First Question : How to identify Inactive Computers ?

The answer is mentioned in one of my blog posts. For simplicity, you can identify an inactive computer by looking at the computer's last password set attribute (pwdLastSet).

Each computer has a password in AD, and each computer will attempt to change this password automatically every X days (by default once every 30 days). This behavior can be controlled by group policy under (Computer Configuration > Windows Settings > Security Settings > Security Options > "Domain Member: Maximum machine account password age").

So if every computer will (by default) contact a domain controller and change its password once every 30 days, then a computer that didn't change its password in, for example, 60 days can safely be considered inactive. (60 days is a very safe threshold; usually 45 days is good practice.)


Second Question : What to do with inactive computers?

Usually you don't want to delete them, or maybe you do. I prefer creating a separate quarantine OU named (Inactive Computers), and then disabling each inactive computer and moving it to this OU.

Third Point/Question : What is the preferred frequency for doing cleanup?

It depends. I usually do it once every quarter.

Fourth Point: Be careful

I have discovered that sometimes some computer accounts, like cluster computer objects, do not reset their passwords with AD. Maybe this was the case with legacy systems, but keep an eye on this.

I prefer that you do not invoke actions automatically on data center servers. Instead, get a report on what seems to be an inactive server and act manually on it after communicating with the other teams.

The Script :

You can get the script from here:

DOWNLOAD LINK  : http://sdrv.ms/1eMAbfV


Script Description 

Here we go…. now focus with me for five minutes.

Preparation :

You first need to make sure that the computer running the script has the Active Directory PowerShell module. You also need to download the Quest Active Directory PowerShell Extensions on that machine and run their MSI. It is a free AD PowerShell extension and the best in the market. (http://www.quest.com/powershell/activeroles-server.aspx)

This is, for example, how to install the Active Directory PowerShell module on a Windows 7 machine: (http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx)

For the Quest Active Directory PowerShell extensions, the link I mentioned above contains the place to download the free Quest PowerShell MSI extension. Just run the MSI and you are ready to go.

So why do we need those modules to be installed on the machine from which the script should run? Well, we need the Active Directory PowerShell module because we need to query Active Directory. We also need the Quest Active Directory PowerShell extensions because they have very extended commands that make it easy to query Active Directory for inactive computers.

Finally, you need to run the script with an account that has permission to read AD computer objects, the right to disable computer accounts, and the right to move computer accounts to the quarantine OU.

Script Modes :

  1. Report Mode : In this mode, the script will run and identify inactive computers. It will also send you a nice email with the total number of inactive computers and a breakdown per OU. No actions will be performed.
  2. Action Mode : In this mode, the script will disable and move inactive computers to a quarantine OU that you specify in the first lines of the script, and it will also send the same nice report of inactive computers.

You control which mode the script runs in by modifying the script, simply by setting [bool]$ReportOnly = $True.

$True will trigger the script to work in Report Mode, while $False will trigger it to work in Action Mode.

Customize the script for your environment

[int]$DaysforPasswordSet = 60 : this line of code means that the script will consider computers which didn't reset their password with Active Directory for more than 60 days as inactive computers.

[string]$ExcludedComputersG = "Excluded Inactive Computers" : If you create a security group in your Active Directory named (Excluded Inactive Computers) and populate it with computer accounts, the script will query this group and will not perform any action on those computers. Think of this as a bypass list of computers. I am using a normal security group to group those computers.

$QuarantineOU = "contoso.com/inactive computers" : this is the OU to which inactive computers will be moved if the script is running in Action Mode.

$SearchBase_Sites = "contoso.com/sites" : This is the root container that the script will search in. In your case, you can set it to a wider scope, like "contoso.com", or a narrower scope, like "contoso.com/OU1/OU2".

Finally, the last line of the script will send an email with the result. By default, the script sets the email sender to (noreply@contoso.com), the recipient to (admin@contoso.com), and the SMTP server to (smtp.contoso.com). Of course you need to customize those settings.
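To make the identification rule and the Report/Action flow concrete, here is an added example (my own code, not the author's script and not the one at the download link) that implements the same steps with only the Microsoft ActiveDirectory module, without the Quest extensions. It assumes the quarantine OU and search root as distinguished names, that the exclusion group exists, that the mail settings are placeholders you will replace, and that extensionAttribute1 (the attribute behind "custom attribute 1" in the Exchange-extended schema) is available for storing the original OU:

```powershell
# Added example (not the author's script): Report/Action flow on the Microsoft
# ActiveDirectory module only. The OU DNs, group name and mail settings are
# assumed placeholders; extensionAttribute1 is assumed to exist in the schema.
Import-Module ActiveDirectory

[bool]$ReportOnly           = $true                          # $true = Report Mode, $false = Action Mode
[int]$DaysforPasswordSet    = 60                             # machine password older than this = inactive
[string]$ExcludedComputersG = 'Excluded Inactive Computers'  # bypass list (security group)
[string]$QuarantineOU       = 'OU=Inactive Computers,DC=contoso,DC=com'   # assumed DN
[string]$SearchBase_Sites   = 'OU=Sites,DC=contoso,DC=com'                # assumed DN
$MailFrom   = 'noreply@contoso.com'
$MailTo     = 'admin@contoso.com'
$SmtpServer = 'smtp.contoso.com'

# Parent container of an object: strip the leading "CN=<name>," from the DN.
# (Names containing an escaped comma such as "CN=a\,b" are not handled by this regex.)
function Get-ParentOU([string]$DistinguishedName) {
    return $DistinguishedName -replace '^CN=[^,]+,', ''
}

# Bypass list: members of the exclusion group (nested groups resolved), keyed by DN.
$excluded = @{}
Get-ADGroupMember -Identity $ExcludedComputersG -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $excluded[$_.distinguishedName] = $true }

# Candidate set: enabled computers under the search root whose machine password was
# last set before the cut-off (pwdLastSet is exposed as PasswordLastSet by the module).
$cutoff   = (Get-Date).AddDays(-$DaysforPasswordSet)
$inactive = Get-ADComputer -SearchBase $SearchBase_Sites `
                -Filter { Enabled -eq $true -and PasswordLastSet -lt $cutoff } `
                -Properties PasswordLastSet, OperatingSystem |
            Where-Object { -not $excluded.ContainsKey($_.DistinguishedName) }

# Report: total plus a breakdown per OU, as in the post's e-mail.
$perOU = $inactive |
    Group-Object { Get-ParentOU $_.DistinguishedName } |
    Sort-Object Count -Descending |
    ForEach-Object { '{0,5}  {1}' -f $_.Count, $_.Name }
$body = @(
    "Inactive computers (password not set for $DaysforPasswordSet days): $(@($inactive).Count)",
    "Mode: $(if ($ReportOnly) { 'Report' } else { 'Action' })",
    '',
    'Breakdown per OU:'
) + $perOU
$body = $body -join "`n"

# Action Mode: record the original OU, disable, then move. The move goes last
# because the object's DN (which $c carries as its identity) changes once it leaves its OU.
if (-not $ReportOnly) {
    foreach ($c in $inactive) {
        if ($c.OperatingSystem -like '*Server*') {
            # Servers are only reported, never touched automatically (see "Be careful" above).
            continue
        }
        Set-ADComputer    -Identity $c -Replace @{ extensionAttribute1 = (Get-ParentOU $c.DistinguishedName) }
        Disable-ADAccount -Identity $c
        Move-ADObject     -Identity $c -TargetPath $QuarantineOU
    }
}

Send-MailMessage -From $MailFrom -To $MailTo -SmtpServer $SmtpServer `
    -Subject "AD inactive computers: $(@($inactive).Count) found" -Body $body
```

Two design choices worth noting: the server skip in the action loop is the scripted form of the "do not act on data center servers" advice above (match it to how your servers are identified, by OU or by operating system), and the three actions per computer are ordered so that the attribute write and the disable happen while the object still has its original DN. Before the first Action Mode run, append -WhatIf to Disable-ADAccount and Move-ADObject to see exactly which objects would be touched.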

Final Thought

Imagine that someone comes to you and asks you to enable a certain computer and move it back to its original OU. Since the script disables and moves inactive computers to a quarantine OU in Action Mode, how can you remember the original location of the computer before it was disabled and moved?

The script solves this for you. When the script moves a computer to the quarantine OU, it writes the original OU path of the computer to the computer's custom attribute 1. So just open the Attribute Editor or ADSI Edit, browse to the computer's custom attribute 1, and you will find there the original location of the computer before it was moved.
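The reverse operation, restoring one quarantined computer from the recorded attribute, as an added example that is not part of the post or its script. It assumes "custom attribute 1" means extensionAttribute1 and that the recorded value is the original OU's distinguished name (the post's own script, built on the Quest extensions, may store the path in canonical form instead, in which case the lookup needs adjusting):

```powershell
# Added example (not from the post): undo the quarantine for a single computer using the
# original OU recorded on it. Assumption: "custom attribute 1" is extensionAttribute1
# and it holds the original OU as a distinguished name.
Import-Module ActiveDirectory

function Restore-QuarantinedComputer {
    param([Parameter(Mandatory = $true)][string]$Name)

    $c = Get-ADComputer -Identity $Name -Properties extensionAttribute1
    $originalOU = $c.extensionAttribute1
    if ([string]::IsNullOrEmpty($originalOU)) {
        throw "No original OU is recorded on '$Name'; it was not moved by the cleanup script."
    }

    # Refuse to move into an OU that no longer exists (renamed or deleted since the cleanup).
    try   { $null = Get-ADOrganizationalUnit -Identity $originalOU -ErrorAction Stop }
    catch { throw "Recorded OU '$originalOU' no longer exists; move '$Name' by hand." }

    Enable-ADAccount -Identity $c
    Move-ADObject    -Identity $c -TargetPath $originalOU
    # The DN changed with the move, so address the object by its GUID from here on
    # and clear the marker so a later run does not treat the value as stale.
    Set-ADComputer   -Identity $c.ObjectGUID -Clear extensionAttribute1

    return Get-ADComputer -Identity $c.ObjectGUID
}

# Usage (constructed sample name): Restore-QuarantinedComputer -Name 'PC-0042'
```

The existence check on the recorded OU is the part a practitioner most often forgets: OUs get restructured between quarterly runs, and Move-ADObject into a missing container fails with a less helpful error than the one raised here.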

Last Advice :

Run the script in Report Mode once or twice until you are very sure that you fully understand the script's power and logic. Also, avoid running the script in Action Mode on data center computers. Instead, run it in Report Mode and send the results to your data center admin.


6 comments on "Active Directory AD Inactive Computer Cleanup Script"

  1. Great script! Very helpful for cleaning up our environment. We have a lot of computer accounts that haven’t been used in years, and maintenance of our AD has not ever really been managed. I’m looking how to adapt this to user accounts… If you have a script for user accounts, let me know!
