jschlackman · August 19, 2024 15:00
diff --git a/Get-OldADMachines.ps1 b/Get-OldADMachines.ps1
 <#
 Name: Get-OldADMachines.ps1
 Author: James Schlackman
 Last Modified: May 20 2024

 1. Finds computer accounts that have been inactive for more than specified time period and optionally disables them
 2. Finds computer accounts that have been disabled for more than specified time period and optionally deletes them
 #>

 #Requires -Modules ActiveDirectory

 Param(
    [Parameter()] [String[]] $SearchOUs = 'OU=Workstations,DC=contoso,DC=com',
    [Parameter()] [String] $DisabledOU = 'OU=Retired,OU=Workstations,DC=contoso,DC=com',
    [Parameter()] [Int] $DaysInactive = 180
    [Parameter()] [Boolean] $DisableDormantAccounts = $false,
    [Parameter()] [Boolean] $DeleteOldDisabledAccounts = $true
 )

 Import-Module ActiveDirectory

 $DisableAccounts = $null

 $time = (Get-Date).Adddays(-($DaysInactive)) 

 $QueryProperties = 'LastLogonTimestamp', 'OperatingSystem', 'PwdLastSet', 'OperatingSystemServicePack', 'SerialNumber', 'description'

 # Properties to be used for query output
 $DisplayProps = 'Name',
                'OperatingSystem',
                'Description',
                @{N='SerialNumber'; E={$_.SerialNumber[0]}},
                @{N='LastLogonTimestamp'; E={[DateTime]::FromFileTime($_.LastLogonTimestamp)}},
                @{N='PwdLastSet'; E={[DateTime]::FromFileTime($_.PwdLastSet)}},
                'DistinguishedName'

 If ($DisableDormantAccounts) {
    # Find inactive/dormant computer accounts
    $SearchOUs | ForEach-Object {

        $DisableAccounts += Get-ADComputer -SearchBase $_ -SearchScope Subtree -Filter {(LastLogonTimestamp -lt $time) -And (Enabled -eq $True)} -Properties $QueryProperties
    }

    If ([bool]@($DisableAccounts)) {
    
        Write-Host "`nInactive accounts found: $(@($DisableAccounts).Count)`nSee grid export for details and select accounts to be disabled.`n"
        $SelectedAccounts = $DisableAccounts | Select $DisplayProps | Out-GridView -OutputMode Multiple -Title ('Computer accounts that have been dormant for {0} days' -f $DaysInactive)

        # If accounts were selected to be disabled
        If ($SelectedAccounts) {

            # Confirm account action
            Write-Host ('Do you want to disable the {0} selected inactive computer accounts now? ' -f @($SelectedAccounts).Count) -ForegroundColor Red -NoNewline
            If ((Read-Host '[y/N]').ToUpper() -eq 'Y') {

                $SelectedAccounts | ForEach-Object {
                
                    # Disable accounts
                    Disable-ADAccount -Identity $_.DistinguishedName -Confirm:$false
            
                    # Move disabled objects to specified OU
                    Move-ADObject -Identity $_.DistinguishedName -TargetPath $DisabledOU -Confirm:$false
                }
                # Output log
                $OutputPath = "$(Get-Date -Format yyMMdd-HHmm) Inactive Computer Accounts.csv"
                Write-Host 'Exporting log to ' -NoNewline
                Write-Host $OutputPath -ForegroundColor Green
                $SelectedAccounts | Export-CSV -Path $OutputPath -NoTypeInformation

            }
        }
    }
 }

 If ($DeleteOldDisabledAccounts) {

    # Find disabled computer accounts that have been dormant for the selected period (including those disabled above)
    $PurgeAccounts = Get-ADComputer -SearchBase $DisabledOU -SearchScope Subtree -Filter {LastLogonTimestamp -lt $time} -Properties $QueryProperties


    Write-Host "`nDisabled accounts found: $(@($PurgeAccounts).Count)"
    If ($PurgeAccounts) {Write-Host "See grid export for details and select accounts to be deleted.`n"}

    $SelectedAccounts = $PurgeAccounts | Select $DisplayProps | Out-GridView -OutputMode Multiple -Title ('Disabled computer accounts that have been dormant for {0} days' -f $DaysInactive)

    # If accounts were selected for deletion
    If ($SelectedAccounts) {

        # Confirm account action
        Write-Host ('Do you want to PERMENANTLY DELETE the {0} selected disabled computer accounts now? ' -f @($SelectedAccounts).Count) -ForegroundColor Red -NoNewline
        If ((Read-Host '[y/N]').ToUpper() -eq 'Y') {

            # Delete disabled accounts
            $SelectedAccounts | ForEach-Object {Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false}

            # Output log
            $OutputPath = "$(Get-Date -Format yyMMdd-HHmm) Disabled Computer Accounts.csv"
            Write-Host 'Exporting log to ' -NoNewline
            Write-Host $OutputPath -ForegroundColor Green
            $SelectedAccounts | Export-CSV -Path $OutputPath -NoTypeInformation

        }
    }
 }
	<#
	Name: Get-OldADMachines.ps1
	Author: James Schlackman
	Last Modified: May 20 2024

	1. Finds computer accounts that have been inactive for more than specified time period and optionally disables them
	2. Finds computer accounts that have been disabled for more than specified time period and optionally deletes them
	#>

	#Requires -Modules ActiveDirectory

	Param(
	[Parameter()] [String[]] $SearchOUs = 'OU=Workstations,DC=contoso,DC=com',
	[Parameter()] [String] $DisabledOU = 'OU=Retired,OU=Workstations,DC=contoso,DC=com',
	[Parameter()] [Int] $DaysInactive = 180
	[Parameter()] [Boolean] $DisableDormantAccounts = $false,
	[Parameter()] [Boolean] $DeleteOldDisabledAccounts = $true
	)

	Import-Module ActiveDirectory

	$DisableAccounts = $null

	$time = (Get-Date).Adddays(-($DaysInactive))

	$QueryProperties = 'LastLogonTimestamp', 'OperatingSystem', 'PwdLastSet', 'OperatingSystemServicePack', 'SerialNumber', 'description'

	# Properties to be used for query output
	$DisplayProps = 'Name',
	'OperatingSystem',
	'Description',
	@{N='SerialNumber'; E={$_.SerialNumber[0]}},
	@{N='LastLogonTimestamp'; E={[DateTime]::FromFileTime($_.LastLogonTimestamp)}},
	@{N='PwdLastSet'; E={[DateTime]::FromFileTime($_.PwdLastSet)}},
	'DistinguishedName'

	If ($DisableDormantAccounts) {
	# Find inactive/dormant computer accounts
	$SearchOUs \| ForEach-Object {

	$DisableAccounts += Get-ADComputer -SearchBase $_ -SearchScope Subtree -Filter {(LastLogonTimestamp -lt $time) -And (Enabled -eq $True)} -Properties $QueryProperties
	}

	If ([bool]@($DisableAccounts)) {

	Write-Host "`nInactive accounts found: $(@($DisableAccounts).Count)`nSee grid export for details and select accounts to be disabled.`n"
	$SelectedAccounts = $DisableAccounts \| Select $DisplayProps \| Out-GridView -OutputMode Multiple -Title ('Computer accounts that have been dormant for {0} days' -f $DaysInactive)

	# If accounts were selected to be disabled
	If ($SelectedAccounts) {

	# Confirm account action
	Write-Host ('Do you want to disable the {0} selected inactive computer accounts now? ' -f @($SelectedAccounts).Count) -ForegroundColor Red -NoNewline
	If ((Read-Host '[y/N]').ToUpper() -eq 'Y') {

	$SelectedAccounts \| ForEach-Object {

	# Disable accounts
	Disable-ADAccount -Identity $_.DistinguishedName -Confirm:$false

	# Move disabled objects to specified OU
	Move-ADObject -Identity $_.DistinguishedName -TargetPath $DisabledOU -Confirm:$false
	}
	# Output log
	$OutputPath = "$(Get-Date -Format yyMMdd-HHmm) Inactive Computer Accounts.csv"
	Write-Host 'Exporting log to ' -NoNewline
	Write-Host $OutputPath -ForegroundColor Green
	$SelectedAccounts \| Export-CSV -Path $OutputPath -NoTypeInformation

	}
	}
	}
	}

	If ($DeleteOldDisabledAccounts) {

	# Find disabled computer accounts that have been dormant for the selected period (including those disabled above)
	$PurgeAccounts = Get-ADComputer -SearchBase $DisabledOU -SearchScope Subtree -Filter {LastLogonTimestamp -lt $time} -Properties $QueryProperties


	Write-Host "`nDisabled accounts found: $(@($PurgeAccounts).Count)"
	If ($PurgeAccounts) {Write-Host "See grid export for details and select accounts to be deleted.`n"}

	$SelectedAccounts = $PurgeAccounts \| Select $DisplayProps \| Out-GridView -OutputMode Multiple -Title ('Disabled computer accounts that have been dormant for {0} days' -f $DaysInactive)

	# If accounts were selected for deletion
	If ($SelectedAccounts) {

	# Confirm account action
	Write-Host ('Do you want to PERMENANTLY DELETE the {0} selected disabled computer accounts now? ' -f @($SelectedAccounts).Count) -ForegroundColor Red -NoNewline
	If ((Read-Host '[y/N]').ToUpper() -eq 'Y') {

	# Delete disabled accounts
	$SelectedAccounts \| ForEach-Object {Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false}

	# Output log
	$OutputPath = "$(Get-Date -Format yyMMdd-HHmm) Disabled Computer Accounts.csv"
	Write-Host 'Exporting log to ' -NoNewline
	Write-Host $OutputPath -ForegroundColor Green
	$SelectedAccounts \| Export-CSV -Path $OutputPath -NoTypeInformation

	}
	}
	}