Disable inactive computer accounts script – A Geeks World

Disable inactive computer accounts script

I did a webcast today about automating management of the datacenter with group policies and scripts. It was in Swedish, but I’ll make a blog series in English and share that information with all of you.

One of the attendees asked for the quick-and-dirty script I’ve scheduled to disable inactive computer-accounts. Here it is.

I’ve scheduled it to run as a Scheduled Task deployed through a GPO that applies only to the PDC Emulator, so that not every DC runs the script.

 

2 thoughts on “Disable inactive computer accounts script”

  1. Hi Les,
    By using just this query, you can find out which machines it would detect and set to disabled if the rest of the script were to run:
    Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 0.00:00:00 | where Enabled -eq $true

    Microsoft has some documentation here on that command and its switches:
    https://technet.microsoft.com/en-us/library/ee617247.aspx

    In our environment, we want to remove all inactive accounts that do not follow our naming standard CL**** at once, while we let computers that follow the naming standard stay longer.
    But just play around with the -TimeSpan value to find your sweet spot.

  2. Thank you Markus,

    I have been looking for just such a script for a while now, and with almost all the others I have been able to decipher what they are supposed to be doing; however, none have worked correctly in my environment. (The last one disabled ALL computer accounts!!!)

    My PowerShell knowledge is new and very basic. Can you explain what each search query is doing?

    Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 0.00:00:00

    Is this searching for accounts that have NOT been inactive?
    If they have been inactive for a timespan of 0.00:00:00 would you want to disable them?

    The second Search-ADAccount seems to search for accounts that have been inactive for 30 days, which makes sense to me.

    Please point out what I must be misunderstanding.

    Thank you,
    LT
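The two-tier selection discussed in the comments above, written as a dry-run-by-default script. This is an added example, not the blog author's script: the parameter names, the `CL*` wildcard standing in for the CL**** naming standard, the 30-day grace period and the safety cap are all assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the original script). Assumed values: 'CL*' as the naming
# standard, 30 days of grace for standard names, and a cap on accounts per run.
param(
    [string]$StandardNamePattern = 'CL*',
    [int]$StandardGraceDays = 30,
    [int]$MaxToDisable = 25,   # hypothetical guard against a query that matches far too much
    [switch]$Apply             # without -Apply nothing is changed (Disable-ADAccount runs with -WhatIf)
)

# -AccountInactive evaluates the replicated lastLogonTimestamp attribute, which can
# lag real logons by up to about two weeks, so short time spans over-match.

# Tier 1: enabled computers that do NOT follow the naming standard, zero grace.
$nonStandard = @(
    Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 0.00:00:00 |
        Where-Object { $_.Enabled -and $_.Name -notlike $StandardNamePattern }
)

# Tier 2: enabled computers that follow the naming standard, longer grace period.
$standard = @(
    Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan (New-TimeSpan -Days $StandardGraceDays) |
        Where-Object { $_.Enabled -and $_.Name -like $StandardNamePattern }
)

$candidates = @($nonStandard + $standard | Sort-Object DistinguishedName -Unique)

# Show the list first so it can be reviewed before anything changes.
$candidates |
    Select-Object Name, LastLogonDate, DistinguishedName |
    Format-Table -AutoSize |
    Out-Host

# Stop instead of disabling a suspiciously large set of accounts.
if ($candidates.Count -gt $MaxToDisable) {
    throw "Refusing to disable $($candidates.Count) accounts (cap is $MaxToDisable). Review the list above."
}

foreach ($computer in $candidates) {
    # -WhatIf stays on unless -Apply was passed, so a scheduled run must opt in explicitly.
    Disable-ADAccount -Identity $computer -WhatIf:(-not $Apply)
}
```

Run it without `-Apply` first and compare the reported `LastLogonDate` values against machines you know are in use before scheduling it.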
