Friday, December 2, 2011

Managing Stale Computers

It happens to everyone. A Helpdesk staffer removes a computer from an office or lab, doesn't tell anyone, and sends it to the scrap heap. For small organizations this isn't a big deal; eventually someone notices and removes the corresponding object from Active Directory. In larger organizations, left unattended, this leads to hundreds or even thousands of orphaned computer accounts in AD over time. Each of those is still a valid domain principal that nobody is watching, and for places that base their inventories on AD, or use data exports from AD as a foundation, the clutter makes the inventory a real pain to trust.

To help combat this, I wrote a pretty straightforward PowerShell script that uses the ActiveDirectory module to give me two lists. One list shows all computer accounts whose machine account password hasn't changed in a year or more (domain members rotate this password on their own, every 30 days by default, so an old password means the machine hasn't talked to the domain in a long time). The other list shows all computer accounts that are disabled. I just write the files to my desktop and deal with them by hand. It is certainly easy to modify this to move the computers in these lists to a specific OU for review, or just to delete them, but I like to inspect each entry to make sure that I'm not deleting something that I shouldn't be.

You can see in the code that generates $OldList that I filter out all objects from an OU whose name contains the word "Encrypted". These notebooks are secured with BitLocker and have their recovery keys stored in AD. They tend to be disconnected from our network for extended periods, so their account passwords go stale without the machines actually being gone, and I don't want them in my list. (Keep in mind that BitLocker recovery information lives as child objects of the computer object, so deleting such an account deletes the stored recovery keys with it.) If you don't have an issue like this, you can delete the entire where clause.

If you want to use a deadline shorter than one year for when the computers should have last changed their password, just change the value in $Deadline from -365 to whatever you want. Make sure that you keep the minus sign: the value is passed to AddDays() to compute the cutoff date, so a positive number gives you a date in the future and every computer will match.
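The original script was embedded separately and is not reproduced on this page, so here is an added reconstruction of the approach described above. It is my own example, not the author's script: the variable names, the "Encrypted" OU match, the inclusion of LastLogonDate as a second opinion, and the output paths on the desktop are assumptions.

```powershell
# Added example: reconstructs the two-list approach described in the post.
# Not the author's original code; names, OU filter and output paths are assumed.
Import-Module ActiveDirectory

# Days to look back. Must stay negative: it is fed to AddDays(), so a positive
# value would produce a cutoff in the future and match every computer.
$Deadline = -365
$Cutoff   = (Get-Date).AddDays($Deadline)
$OutDir   = [Environment]::GetFolderPath('Desktop')

# List 1: enabled computers whose machine account password is older than the
# cutoff. Domain members rotate this password themselves (30 days by default),
# so an old pwdLastSet means the machine has not contacted the domain since.
# Accounts that were pre-staged but never joined have no PasswordLastSet and
# will also show up here, which is fine for a list that is reviewed by hand.
$OldList = Get-ADComputer -Filter { Enabled -eq $true -and PasswordLastSet -lt $Cutoff } `
        -Properties PasswordLastSet, LastLogonDate, OperatingSystem, DistinguishedName |
    # Skip anything that sits under an OU whose name contains "Encrypted"
    # (BitLocker notebooks that are legitimately offline for long stretches).
    Where-Object { $_.DistinguishedName -notmatch 'OU=[^,]*Encrypted' } |
    Select-Object Name, PasswordLastSet, LastLogonDate, OperatingSystem, DistinguishedName |
    Sort-Object PasswordLastSet

# List 2: every disabled computer account, regardless of age.
$DisabledList = Get-ADComputer -Filter { Enabled -eq $false } `
        -Properties PasswordLastSet, LastLogonDate, OperatingSystem, DistinguishedName |
    Select-Object Name, PasswordLastSet, LastLogonDate, OperatingSystem, DistinguishedName |
    Sort-Object Name

# Write both lists to CSV for manual review; nothing is moved or deleted here.
$OldList      | Export-Csv -Path (Join-Path $OutDir 'StaleComputers.csv')    -NoTypeInformation
$DisabledList | Export-Csv -Path (Join-Path $OutDir 'DisabledComputers.csv') -NoTypeInformation

Write-Host ("{0} computers with a password older than {1:d}" -f @($OldList).Count, $Cutoff)
Write-Host ("{0} disabled computers" -f @($DisabledList).Count)
```

LastLogonDate is included alongside PasswordLastSet deliberately: the two should agree for a genuinely gone machine, and a recent logon next to an old password usually means password rotation was disabled on that host rather than that it was scrapped. If you decide to automate the next step, Move-ADObject to a quarantine OU (and disabling the account there for a grace period) is safer than Remove-ADComputer, because a deleted computer object takes its child objects, including any BitLocker recovery information, with it.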

As always, if you see any bugs, feel free to drop a comment.
