author | mjfernez <mjf@mjfer.net> | 2022-02-19 15:35:26 -0500 |
---|---|---|
committer | mjfernez <mjf@mjfer.net> | 2022-02-19 15:35:26 -0500 |
commit | 2f463d02d70445f45a20f04787578ac937a6a4de (patch) | |
tree | aa44260e5955576ef745344babe65558a13dee78 /AD-powershell-tools | |
parent | f47243fe63041008f1bb38fcf6de3549e31b7d8c (diff) | |
download | scripts-n-tools-master.tar.gz |
Diffstat (limited to 'AD-powershell-tools')
-rw-r--r-- | AD-powershell-tools/README.md | 1 | ||||
-rw-r--r-- | AD-powershell-tools/ad-bulk-reset.ps1 | 27 | ||||
-rw-r--r-- | AD-powershell-tools/inactive-ad-device-report.ps1 | 57 |
3 files changed, 85 insertions, 0 deletions
diff --git a/AD-powershell-tools/README.md b/AD-powershell-tools/README.md
new file mode 100644
index 0000000..2b65598
--- /dev/null
+++ b/AD-powershell-tools/README.md
@@ -0,0 +1 @@
+Some useful AD scripts I use
diff --git a/AD-powershell-tools/ad-bulk-reset.ps1 b/AD-powershell-tools/ad-bulk-reset.ps1
new file mode 100644
index 0000000..aa16515
--- /dev/null
+++ b/AD-powershell-tools/ad-bulk-reset.ps1
@@ -0,0 +1,27 @@
+# Usage: ad-bulk-reset.ps1 <user-list-file>
+Import-Module ActiveDirectory
+
+function Gen-Random-Password {
+ $str = ""
+ for ($i = 0; $i -lt 24 ; $i++) {
+ $rand = Get-Random -Minimum 32 -Maximum 127
+ $str += [char]$rand
+ }
+ $newpwd = ConvertTo-SecureString -String [String]$str -AsPlainText -Force
+ return $newpwd
+}
+
+# Import users from CSV
+$csv = Get-Content $args[0]
+
+ForEach ($user in $csv) {
+ $newPassword = Gen-Random-Password
+
+ # Reset user password.
+ Set-ADAccountPassword -Identity $user -NewPassword $newPassword -Reset
+
+ # Force user to reset password at next logon.
+ # Remove this line if not needed for you
+ #Set-AdUser -Identity $user -ChangePasswordAtLogon $true
+ Write-Host $user"'s password has been reset"
+}
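Review bot: `ConvertTo-SecureString -String [String]$str` on the `$newpwd =` line is parsed in argument mode, where `[String]` is not a type literal but literal text, so the secure string appears to receive `[String]<generated>` rather than the 24 generated characters; the cast should go: `$newpwd = ConvertTo-SecureString -String $str -AsPlainText -Force`. Get-Random is a general-purpose PRNG, not a cryptographic one, so a reset password that protects an account should instead be built from bytes drawn via `[System.Security.Cryptography.RandomNumberGenerator]`. The generated password is never surfaced to anyone and the `-ChangePasswordAtLogon` line is commented out, so the reset effectively locks each account until another reset; the header comment should state that this is the intent. `$csv = Get-Content $args[0]` reads a plain one-name-per-line list, so the `# Import users from CSV` comment is misleading, and there is no check that a file argument was supplied before the loop runs.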
diff --git a/AD-powershell-tools/inactive-ad-device-report.ps1 b/AD-powershell-tools/inactive-ad-device-report.ps1
new file mode 100644
index 0000000..560a534
--- /dev/null
+++ b/AD-powershell-tools/inactive-ad-device-report.ps1
@@ -0,0 +1,57 @@
+# PLEASE READ SCRIPT BEFORE RUNNING
+
+# Based largely on https://activedirectorypro.com/find-remove-old-computer-accounts-active-directory/
+# but changed his brack/object syntax to a string query
+
+# Usage
+# \inactive-ad-device-report.ps1 "OU=Workstations,DC=example,DC=com" "dd/MM/yyyy" [-report] [-disable]
+
+# Report and disable are optional switches to print the results to a CSV
+# and disable the computer accounts, respectively
+
+# A cutoff date and a search base, must be provided.
+
+# All computers with Login times before
+# the cutoff date are included in the results of the report
+
+# The search base is an LDAP filter that must (at a minimum) specify
+# your domain controller. And probably an OU you want to search, like:
+#
+# "OU=Workstations,DC=example,DC=com"
+
+# See here for an example: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps#example-4--get-computer-accounts-in-a-specific-location-using-an-ldapfilter
+param (
+ [Parameter(Mandatory)][string]$searchbase,
+ [Parameter(Mandatory)][string]$cutoff,
+ [switch]$report,
+ [switch]$disable
+)
+Import-Module ActiveDirectory
+$today=(get-date -Format "yyyy-MM-dd")
+try {
+ $filter = "(LastLogonDate -lt `"$cutoff`") -and (Enabled -eq `"$true`")"
+ $devices = Get-ADcomputer -filter $filter -properties LastLogonDate,Enabled,DistinguishedName `
+ -SearchBase $searchbase `
+ | select name, LastLogonDate, DistinguishedName
+ | sort LastLogonDate
+}
+catch {
+ write-error "Bad input. Usage: '.\inactive-ad-device-report.ps1 `"ldap-filter`" `"dd/MM/yyyy`" [-report] [-disable]'"
+}
+
+if ($disable) {
+ ForEach ($device in $devices) {
+ Set-ADComputer -Identity $device.Name -Enabled $false -Verbose -WhatIf
+ }
+
+ [Console]::Error.WriteLine("All devices disabled")
+}
+
+if($report) {
+ $fn = "old-computers-$today.csv"
+ $devices | export-csv .\$fn
+ [Console]::Error.WriteLine("Saved result list to $fn")
+} else {
+ [Console]::Error.WriteLine("Writing device list to stdout")
+ write-output $devices
+}
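Review bot: With `-disable`, `Set-ADComputer -Identity $device.Name -Enabled $false -Verbose -WhatIf` never changes anything because of `-WhatIf`, yet the statement right after the loop reports `All devices disabled` to stderr, so an operator reading the output believes stale accounts were disabled when they were not; either gate the real call behind an explicit opt-in and keep `-WhatIf` as the default, or change the message to say it was a dry run. The `try`/`catch` around `Get-ADcomputer` only fires for terminating errors, so a bad `-SearchBase` or filter will typically raise a non-terminating error, leave `$devices` empty and let the script fall through to the disable/report stages; add `-ErrorAction Stop` to the call and `exit 1` after the `write-error`. Since `DistinguishedName` is already selected, `-Identity $device.DistinguishedName` is the unambiguous identity to pass to the disable step. In Windows PowerShell 5.1 a line that begins with `|` (the `| sort LastLogonDate` line) is a parse error and only PowerShell 7 accepts a leading pipe, so the pipe should end the preceding line or that line should carry a backtick continuation.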