Using the Command-Line Interface
Inactive accounts can be found, disabled, and deleted from the command prompt with the following command-line tools:
• Dsquery
The dsquery command-line tool searches for AD objects that match the specified criteria. It can be used to find inactive users and computers in Active Directory. The search results can be piped to the dsmod and dsrm commands to disable or delete the accounts.
The general syntax of the dsquery command is:
dsquery computer [-inactive
or
dsquery user [-inactive
• ‘Dsmod’ and ‘dsrm’
The dsmod command modifies the attributes of the specified AD objects. It can be used to disable the queried AD computers and users. The dsrm command deletes the specified AD objects. It can be used to delete the queried AD computers and users.
Note: The Active Directory Domain Services (AD DS) server role must be installed.
5 Steps total
Step 1: Open Command Prompt
Open the Start menu, right-click Command Prompt, and click Run as administrator.
Step 2: Find computers/users that are inactive
To find the computers/users that are inactive for seven weeks, run:
dsquery computer -inactive 7 -limit 200
or
dsquery user -inactive 7 -limit 200
Step 3: Disable inactive computers/users
To disable the inactive computers/users, run:
dsquery computer -inactive 7 | dsmod computer -disabled yes
or
dsquery user -inactive 7 | dsmod user -disabled yes
Step 4: Find disabled computers/users and delete them
To find the disabled computers/users and to delete them, run:
dsquery computer -disabled | dsrm -noprompt
or
dsquery user -disabled | dsrm -noprompt
Note: With -noprompt, dsrm does not ask for confirmation before deleting.
Step 5: Delete inactive user/computer accounts
Instead of disabling the inactive computers/users first, one can delete them directly by running:
dsquery computer -inactive 7 | dsrm -noprompt
or
dsquery user -inactive 7 | dsrm -noprompt
With a few simple command-line tools, administrators can find inactive computer and user accounts in Active Directory. Such accounts can be disabled and then deleted as the organizational policy requires, or they can be deleted directly.
--------------------------------------------------------------------------------------------
Using PowerShell
PowerShell is one of the many tools that can help you find inactive computers in your Active Directory. Using PowerShell, you can get inactive computers and export them to a CSV file; you can even schedule a script to run regularly to report on stale computers.
5 Steps
Step 1: Open the PowerShell ISE
Open the PowerShell ISE → Run the following script, adjusting the value of the $DaysInactive variable to suit your needs:
Step 2: Script Code
Import-Module ActiveDirectory
# Computers whose last logon is older than this many days are reported
$DaysInactive = 90
$time = (Get-Date).AddDays(-($DaysInactive))
# List computer accounts whose LastLogonTimeStamp is earlier than $time
Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -ResultSetSize $null -Properties Name, OperatingSystem, SamAccountName, DistinguishedName
Step 3: Export to CSV
To export the output to a CSV file, add the Export-CSV PowerShell cmdlet, as shown below:
Step 4: Script Code
# Same query as in Step 2 ($time must already be set), written to a CSV file
Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -ResultSetSize $null -Properties Name, OperatingSystem, SamAccountName, DistinguishedName |
    Export-CSV "C:\Temp\StaleComps.CSV" -NoTypeInformation
Step 5: Review the results
Open the file produced by the script in MS Excel.
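The find, disable and delete steps from both sections, staged in PowerShell so that the delete phase only touches accounts this script disabled, whereas the -disabled queries in Step 4 of the command-line section return every disabled account. This is an added example, not part of the original article. It assumes the ActiveDirectory module is installed; $GraceDays and the STALE-DISABLED marker are hypothetical names chosen here.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$DaysInactive = 90                  # same threshold as the script in Step 2
$GraceDays    = 30                  # assumption: wait between disabling and deleting
$Marker       = 'STALE-DISABLED'    # hypothetical tag written to Description
$cutoff       = (Get-Date).AddDays(-$DaysInactive)

# Phase 1: find enabled computers that look stale.
# An account that never logged on has no LastLogonTimeStamp, so a "-lt" filter
# on that attribute does not return it; fall back to the creation date.
$stale = Get-ADComputer -Filter {Enabled -eq $true} -ResultPageSize 2000 `
        -Properties LastLogonTimeStamp, whenCreated, Description |
    Where-Object {
        if ($_.LastLogonTimeStamp) {
            [DateTime]::FromFileTime($_.LastLogonTimeStamp) -lt $cutoff
        } else {
            $_.whenCreated -lt $cutoff
        }
    }

# Phase 2: disable and tag each account, keeping its old description.
# -WhatIf only prints what would change; remove it to apply the change.
foreach ($c in $stale) {
    $tag = '{0} {1:yyyy-MM-dd} | {2}' -f $Marker, (Get-Date), $c.Description
    Set-ADComputer -Identity $c -Enabled $false -Description $tag -WhatIf
}

# Phase 3 (run on a later day): delete only accounts carrying the marker
# whose disable date is older than the grace period.
$deleteBefore = (Get-Date).AddDays(-$GraceDays)
Get-ADComputer -Filter {Enabled -eq $false} -Properties Description |
    Where-Object { $_.Description -like "$Marker *" } |
    Where-Object {
        $stamp = ($_.Description -split ' ')[1]   # date written in phase 2
        [DateTime]::ParseExact($stamp, 'yyyy-MM-dd', $null) -lt $deleteBefore
    } |
    Remove-ADComputer -WhatIf
```

Run it once with -WhatIf in place and review the printed list before removing the switch from either phase.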