Stale Computer Accounts 

You know stale computer accounts are like stale peanuts . You just want to get rid of them as fast as possible. Its a good idea to have a script that is scheduled to run for this type of task. The same thing can be said for stale user accounts but let’s focus on the stale computer accounts.

Here is the script in its entirety :

Function Process-ComputerObject ($server)
{

# set the date to be used as a limit - 180 days earlier than the current date
$old = (Get-Date).AddDays(-180)

#Disabled Computers OU
$DestOU = "contoso.com/disabled Computers"

#This pipeline creates the report.
Get-QADComputer -Identity $server.Name -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old }|select-object Name,ParentContainer,OperatingSystem,Description,pwdLastSet |Format-Table -AutoSize| Out-File -Append -Width 700 ".\Disabled_Computers.txt"

#This pipeline is to actually Disable the server and move it to the disabled computers OU
Get-QADComputer -Identity $server.Name -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } |%{ Disable-QADComputer $_ } | %{Move-QADObject $_ -NewParentContainer $DestOU}

}

Function Send-EmailReport ()
{

#Send Mail message
send-mailmessage -from "ServerTeam@contoso.com" -to "Supportperson@contoso.com" -subject "180 Day Stale Computer Object Report.**PLEASE DO NOT REPLY**" -body "Please see the following attached text file for Computer objects that were disabled and moved to the disabled computers OU." -Attachments ".\Disabled_Computers.txt" -smtpServer mysmtpserver

}

####################Entry Point of Script##########################

#Load Quest Cmdlets
Add-PSSnapin Quest.ActiveRoles.ADManagement

# No Errors shown
$ErrorActionPreference = "SilentlyContinue"

#Builds an Array of Ad Computer Objects and Uses the Quest CmdLets.This is where 2 filters are defined.
#One that excludes the OU's that we do not want to search and another that defines the Type of Systems we want to search.
#$Computers is the variable that holds this Array.

$Computers = Get-QADObject -SizeLimit 0 -SearchScope OneLevel |? {$_.Name -ne "Australia"} | ? {$_.Name -ne "Disabled Computers"} | ? {$_.Name -ne "NetIQRecycleBin"} | % {Get-QADComputer -SearchRoot $_.DN -Includedproperties pwdLastSet -sizelimit 0 -OSName 'Windows 2000 Server*','Windows Server 2003*','Windows Server 2008*'}

#Start pipeline
$Computers | %{ `

#Clear Errors
$error.clear()

# Load .net Ping Class Object
$net = New-Object System.Net.NetworkInformation.Ping

#perform ping on Server
$result =$net.send($_.Name)
if ($Error)
{

Process-ComputerObject $_

}

}

#Call the Send-emailmessage function
Send-EmailReport

sleep -Seconds 10

#Delete Text File
del ".\disabled_computers.txt"

Now that you see the script let me explain some of the parts .There are 2 functions : one to process the object and another to send an e-mail to the support team that includes a report attached.

Let’s start at the entry point into the script :

I’m using the Quest cmdlets which are really easy to work with . So that is what I do first is load the PSnappin.
Add-PSSnapin Quest.ActiveRoles.ADManagement

Remember we are going to run this as a scheduled task and want to make sure that the quest ad cmdlets get loaded.

Next is we do not want errors shown . (I may change this in the future) $ErrorActionPreference = “SilentlyContinue”

The next part is a bit tricky .We have a variable $computers . What we are doing is creating a list of OU’s we want to exclude. You might not want to search everyOU.

So we set $computers to get every object on the root level of AD then we build our exclude list : In this case I DO NOT want to search the Australia OU ,Disabled ComputersOU or the NetIQrecyclebin OU.

The rest of the objects pass thru the pipeline. Now I use the Get-QADComputer cmdlet to get computers (only servers in this case) 2000,2003,2008 Servers . I include the pwdlstset property which I’m interested in.

Now $computers is set to go … I start my final pipeline ….

Clear any errors from $error. Load the .net ping class .

I perform a ping on the System to see if its offline . This is important cause you will find some systems like Cluster Names that might have a stale pwdlast set value but they are very much alive and needed . That might be because they haven’t failed over to the other node in a long time. So I want two conditions met (Not online and pwdlastset greater than 180 days.)

If not online then I call the process computer object function.

This function processes the computer object ,disables it if its past 180’s and moves it to the disabled computers OU . I also creates the text file to be used in the report.

Last but not least I call the mail function which uses the send-mailmessage cmdlet .

Hope this helps you fight those stale computer objects in your environment. Now where did I put those peanuts again ? 🙂

Advertisements