
Get AD Object and disable move delete AD account script: query and delete AD computer accounts

Date: 2015-12-03 17:13:06


Get AD computer account.ps1


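The script below finds computer accounts that have not logged on for more than 90 days and moves them to an OU. It can also be combined with the scripts further down to disable or delete them: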

# Gets time stamps for all computers in the domain that have NOT logged in since after specified date. Mod by Tilo 2013-08-27

import-module activedirectory 

$domain = "domain.mydom.com" 

$DaysInactive = 90 

$time = (Get-Date).Adddays(-($DaysInactive))

 

# Get all AD computers with lastLogonTimestamp less than our time

Get-ADComputer -SearchBase "ou=computer_OU,dc=devin,dc=com" -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp | Move-ADObject -TargetPath "OU=test,DC=Devin,DC=com"

 



The commands below are used frequently and can be run separately. They cover deleting, disabling, and moving accounts after the query.

Other Way to resolve the issue:

-----------------------------------------------

# This PowerShell Command will query Active Directory and return the computer accounts which have not logged on for the past 60 days.  You can easily change the number of days from 60 to any number of your choosing.  lastLogonDate is a Human Readable conversion of the lastLogonTimeStamp (as far as I am able to discern).  More details about the timestamp can

# be found at technet - http://bit.ly/YpGWXJ  --MWT, 03/12/13

$then = (Get-Date).AddDays(-60)

# The 60 is the number of days from today since the last logon.

Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | FT Name,lastLogonDate

# If you would like to Disable these computer accounts, uncomment the following line:

# Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Set-ADComputer -Enabled $false

# If you would like to Remove these computer accounts, uncomment the following line:

# Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Remove-ADComputer

# If you would like to move these computer accounts to an OU, uncomment the following line:

# Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Move-ADObject -TargetPath "OU=test,DC=Devin,DC=com"

 

## P.S. You can limit the search scope by adding -SearchBase. The command is:

Get-ADComputer -SearchBase "ou=computer_OU,dc=devin,dc=com" -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Move-ADObject -TargetPath "OU=test,DC=Devin,DC=com"

 

 

Query disabled computer account:

Way 1:

# Only disabled computer accounts

Get-QADComputer -LdapFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)'

# Only enabled computer accounts

Get-QADComputer -LdapFilter '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'

 

Way 2:

dsquery computer -disabled -limit 0

dsquery computer -disabled -limit 0 | dsrm -noprompt

 

 

 

Another, slightly more involved approach uses the Get-QAD cmdlets:

Query the computer and move to one OU:

# set the date to be used as a limit - in this example: 120 days earlier than the current date ->

$old = (Get-Date).AddDays(-120)

# get the list of computers with the date earlier than this date ->

Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {$_.pwdLastSet -le $old }

# get a csv report ->

Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | select-object Name, ParentContainer, Description, pwdLastSet | export-csv c:\temp\outdated.csv

# move such computers to another OU ->

Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {$_.pwdLastSet -le $old } | Move-QADObject -to my.corp/obsolete

# remove the computer records from AD (since this actually deletes the records, it would be preferable to run the command with -whatif switch before running without it) ->

Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where {$_.pwdLastSet -le $old } | Remove-QADObject

 

Comment #1 -> use -SizeLimit 0 to remove the default 1000 object retrieval limitation

Comment #2 -> select the columns needed in the report with the Select-Object cmdlet.

P.S. For the QADComputer command, please refer to the following article:

http://www.powershelladmin.com/wiki/Quest_activeroles

Download the 64-bit or 32-bit version according to your system and install it. After that, open a PowerShell window and run the Add-PSSnapin Quest.ActiveRoles.ADManagement command to import the QADComputer-related module.
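
The query, disable and move commands above can be combined into one staged, reversible pass that requires both lastLogonTimestamp and pwdLastSet to be old. This is an added example, not part of the original post: the function name Invoke-StaleComputerQuarantine is hypothetical, and the OU paths and CSV path are the post's sample values used as defaults.

```powershell
# Added example, not from the original post.
# Invoke-StaleComputerQuarantine is a hypothetical name; the OU paths and the
# CSV path are the post's sample values, used here as defaults.
Import-Module ActiveDirectory

function Invoke-StaleComputerQuarantine {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$SearchBase   = 'ou=computer_OU,dc=devin,dc=com',
        [string]$QuarantineOU = 'OU=test,DC=Devin,DC=com',
        [int]   $DaysInactive = 90,
        [string]$ReportPath   = 'c:\temp\outdated.csv'
    )

    # AD stores both attributes as Windows file time, so compare as integers.
    $ft = (Get-Date).AddDays(-$DaysInactive).ToFileTimeUtc()

    # Require BOTH signals to be old. lastLogonTimestamp is only refreshed when
    # the stored value is 9-14 days old (default), and a live machine normally
    # resets pwdLastSet every 30 days. Accounts that never logged on have no
    # lastLogonTimestamp and are skipped. The last clause keeps enabled
    # accounts only (userAccountControl bit 2 not set).
    $ldap = "(&(lastLogonTimestamp<=$ft)(pwdLastSet<=$ft)" +
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

    $stale = @(Get-ADComputer -SearchBase $SearchBase -LDAPFilter $ldap `
                   -Properties LastLogonDate, PasswordLastSet, Description)

    # Always write the report, even under -WhatIf, so it can be reviewed and
    # used later to move accounts back.
    $stale | Select-Object Name, DistinguishedName, Description, LastLogonDate, PasswordLastSet |
        Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

    foreach ($c in $stale) {
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Disable and move to quarantine OU')) {
            $note = "Disabled $(Get-Date -Format yyyy-MM-dd); was $($c.DistinguishedName)"
            Set-ADComputer -Identity $c -Enabled $false -Description $note
            Move-ADObject  -Identity $c -TargetPath $QuarantineOU
        }
    }
    $stale
}

# Dry run: writes the report and lists what would change, modifies nothing.
Invoke-StaleComputerQuarantine -WhatIf
```

Deleting accounts can then be a separate, later step run only against the quarantine OU, once nothing has asked for a machine back.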


For reference only. If you have any questions, you can send me an email or leave me a message.

Thanks.

This article comes from the “苏兰网络” blog. Please be sure to keep this source link: http://zhangfang526.blog.51cto.com/8588740/1719297
