| author | mjfernez <mjf@mjfer.net> | 2022-02-19 15:35:26 -0500 | 
|---|---|---|
| committer | mjfernez <mjf@mjfer.net> | 2022-02-19 15:35:26 -0500 | 
| commit | 2f463d02d70445f45a20f04787578ac937a6a4de (patch) | |
| tree | aa44260e5955576ef745344babe65558a13dee78 /AD-powershell-tools/inactive-ad-device-report.ps1 | |
| parent | f47243fe63041008f1bb38fcf6de3549e31b7d8c (diff) | |
| download | scripts-n-tools-2f463d02d70445f45a20f04787578ac937a6a4de.tar.gz | |
Add AD scripts and bitwarden to pass script
Diffstat (limited to 'AD-powershell-tools/inactive-ad-device-report.ps1')
| -rw-r--r-- | AD-powershell-tools/inactive-ad-device-report.ps1 | 57 | 
1 files changed, 57 insertions, 0 deletions
| diff --git a/AD-powershell-tools/inactive-ad-device-report.ps1 b/AD-powershell-tools/inactive-ad-device-report.ps1
new file mode 100644
index 0000000..560a534
--- /dev/null
+++ b/AD-powershell-tools/inactive-ad-device-report.ps1
@@ -0,0 +1,57 @@
+# PLEASE READ SCRIPT BEFORE RUNNING
 +
 +# Based largely on https://activedirectorypro.com/find-remove-old-computer-accounts-active-directory/
 +# but changed his brack/object syntax to a string query
 +
 +# Usage
 +# \inactive-ad-device-report.ps1 "OU=Workstations,DC=example,DC=com" "dd/MM/yyyy" [-report] [-disable]
 +
 +# Report and disable are optional switches to print the results to a CSV 
 +# and disable the computer accounts, respectively
 +
 +# A cutoff date and a search base, must be provided.
 +
 +# All computers with Login times before
 +# the cutoff date are included in the results of the report
 +
 +# The search base is an LDAP filter that must (at a minimum) specify
 +# your domain controller. And probably an OU you want to search, like:
 +#
 +# "OU=Workstations,DC=example,DC=com"
 +
 +# See here for an example: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps#example-4--get-computer-accounts-in-a-specific-location-using-an-ldapfilter
 +param (
 +    [Parameter(Mandatory)][string]$searchbase,
 +    [Parameter(Mandatory)][string]$cutoff,
 +    [switch]$report,
 +    [switch]$disable
 +)
 +Import-Module ActiveDirectory
 +$today=(get-date -Format "yyyy-MM-dd")
 +try {
 +    $filter = "(LastLogonDate -lt `"$cutoff`") -and (Enabled -eq `"$true`")"
 +    $devices = Get-ADcomputer -filter $filter -properties LastLogonDate,Enabled,DistinguishedName `
 +    -SearchBase $searchbase `
 +    | select name, LastLogonDate, DistinguishedName
 +    | sort LastLogonDate
 +}
 +catch {
 +    write-error "Bad input. Usage: '.\inactive-ad-device-report.ps1 `"ldap-filter`" `"dd/MM/yyyy`" [-report] [-disable]'"
 +}
 +
 +if ($disable) {
 +    ForEach ($device in $devices) {
 +        Set-ADComputer -Identity $device.Name -Enabled $false -Verbose -WhatIf
 +    }
 +    
 +    [Console]::Error.WriteLine("All devices disabled")
 +}
 +
 +if($report) {
 +    $fn = "old-computers-$today.csv"
 +    $devices | export-csv .\$fn
 +    [Console]::Error.WriteLine("Saved result list to $fn")
 +} else {
 +    [Console]::Error.WriteLine("Writing device list to stdout")
 +    write-output $devices
 +}
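Review bot: The `-disable` branch hard-codes `-WhatIf` on `Set-ADComputer`, so no account is ever disabled, yet the next line prints "All devices disabled"; an operator who trusts that message leaves stale, still-enabled computer accounts in the directory. Either report the dry run honestly, e.g. `[Console]::Error.WriteLine("Dry run (-WhatIf): no accounts were changed")`, or declare `[CmdletBinding(SupportsShouldProcess)]` above `param` and drop the hard-coded switch so the caller decides when to pass `-WhatIf`. The `catch` block also only writes an error and falls through, so a failed query still reaches the disable and report steps with an empty `$devices`; adding `-ErrorAction Stop` to `Get-ADcomputer` and a `return` in the `catch` would stop the run there. Separately, the header comment calls the search base an "LDAP filter" that names a "domain controller", but the value handed to `-SearchBase` is a distinguished name whose `DC=` parts are domain components, so the comment should say that.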
 | 
