Feeds:
Posts
Comments

Archive for May, 2012

I recently needed to find all disabled computers in my Active Directory Installation.  So, rather than open up Active Directory Users and Computers and manually search through multiple OU’s and create a list I decided to use PowerShell.

So, I started playing around with the command Search-ADAccount

Using Get-Help Search-ADAccount I am able to determine that the syntax for a query is fairly simple.  There are several switches for the command all of which are self explanatory.

-AccountDisabled

-AccountExpired

-AccountExpiring

-AccountInactive

-LockedOut

So, my first reaction was to run the command

Search-ADAccount –AccountDisabled

Which returned a long list of items with more information than I needed and in a format that was very hard to read. 

AccountExpirationDate :
DistinguishedName     : CN=Guest,CN=Users,DC=DOMAIN,DC=com
Enabled               : False
LastLogonDate         :
LockedOut             : False
Name                  : Guest
ObjectClass           : user
ObjectGUID            : 1e4955ce-df97-4ecc-8a46-f4356ba2e6cc
PasswordExpired       : False
PasswordNeverExpires  : True
SamAccountName        : Guest
SID                   : S-1-5-21-1058032114-1936565697-1108674531-501
UserPrincipalName     : guest@DOMAIN.COM

My next addition to the command was to pipe the results to Format-Table to make it easier to read.

Search-ADAccount –AccountDisabled | Format-Table –AutoSize

This was much better, now I could see that my list not only included computers but users as well.  I didn’t want the users so I needed to look for another switch for the Search-ADAccount command.  Tada!  I found the switch –ComputersOnly which gives me exactly what I needed.  But now I only want to see some of the columns in my table so lets modify the command a little more. 

Search-ADAccount –AccountDisabled -ComputersOnly | Format-Table –AutoSize Name, LastLogonDate, DistinguishedName

This is perfect, now the results are readable and I can easily determine what computers in my environment are Disabled. 

Name LastLogonDate DistinguishedName
AUX-2B CN=AUX-2B,OU=OLD Computers,DC=DOMAIN,DC=com
TECH-GC 10/5/2010 4:11:36 PM CN=TECH-GC,OU=OLD Computers,DC=DOMAIN,DC=com
TS-2 8/19/2010 5:40:54 PM CN=TS-2,OU=OLD Computers,DC=DOMAIN,DC=com
WPIX CN=WPIX,OU=Newark,DC=DOMAIN,DC=com
CITRIX 5/5/2010 9:46:26 PM CN=CITRIX,OU=OLD Computers,DC=DOMAIN,DC=com
SERVER-TEST 6/3/2010 7:16:24 PM CN=SERVER-TEST,OU=OLD Computers,DC=DOMAIN,DC=com
ARCHIVE2 9/1/2010 11:36:09 AM CN=ARCHIVE2,OU=OLD Computers,DC=DOMAIN,DC=com
ACCT-USR2 CN=ACCT-USR2,OU=OLD Computers,DC=DOMAIN,DC=com
TECH-GC7 6/2/2011 12:24:32 AM CN=TECH-GC7,OU=OLD Computers,DC=DOMAIN,DC=com
TECH7-GC 4/9/2012 8:35:46 PM CN=TECH7-GC,OU=OLD Computers,DC=DOMAIN,DC=com

At this point I now have all the computer accounts in my Active Directory that are disabled.  And it took me all of about a minute to type out the command and hit return.  Much more efficient than going through AD manually and looking.

At this point I could manually go into AD and remove the accounts but since I am already in PowerShell all I need to do is change the command slightly and I could remove those accounts in a flash.  To do this I need to pipe this to another command and remove them

Remove-ADComputer

By piping the results to Remove-ADComputer PS will automatically remove the computers from Active Directory.

Search-ADAccount –AccountDisabled -ComputersOnly |

Remove-ADComputer –WhatIf

My advice is ALWAYS, ALWAYS run your command with the –WhatIF switch first so you are sure that the command will do what you expect it to.  You wouldn’t want to run this and find out that half of your AD has been unintentionally obliterated by the command.

This same command can be changed slightly to look for AD Users as well.

Search-ADAccount –AccountDisabled –UsersOnly | Format-Table –AutoSize Name, LastLogonDate, DistinguishedName

Read Full Post »