Have you ever had a need to clean a large number of unused computer accounts out of AD? This can be done quickly and easily with PowerShell. For AD work I personally prefer the Dell/Quest ActiveRoles Management Shell for Active Directory cmdlets, which are available free here. Since removing a massive number of computer accounts can be career limiting if done wrong, this is the method I prefer:
- Identify computer accounts that have been inactive for 90 days.
- Move the accounts to a temporary OU.
- Disable the computer accounts.
- Delete the computer accounts once it has been determined they are no longer needed.
Moving the accounts to an "inactive computer" OU and disabling them gives you a safety net should the computers just be lying around powered off somewhere, and it keeps tools like SCCM from discovering the unused computer accounts. From that point, I like to keep the disabled accounts around for a while, since it is much easier to re-enable an account than to re-join the domain, especially if the machine is in a remote location. Once I feel confident that the accounts are no longer needed, they can be deleted.
Below is an example script that performs these actions:
#Add Snap-ins
Add-PSSnapin "Quest.ActiveRoles.ADManagement"

#Set OUs in variables - You can use the root of the domain for the searchRoot if desired.
$searchRoot = "yourdomain.com/OU"
$inactiveOU = "yourdomain.com/inactiveOU"

#Get computer accounts that have been inactive for 90 days
$InactiveComp = Get-QADComputer -InactiveFor 90 -SizeLimit 0 -SearchRoot $searchRoot

#Move inactive computer accounts to your inactive OU
$InactiveComp | Move-QADObject -NewParentContainer $inactiveOU

#Disable computer accounts in the inactive OU
Get-QADComputer -SizeLimit 0 -SearchRoot $inactiveOU | Disable-QADComputer
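The script above stops at the disable step. The following is an added example, not part of the original post, covering the final "delete once no longer needed" step with the same safety-net mindset: it stamps the disable date into the Description attribute, writes the candidates to a CSV for review, and runs the removal as a dry run first. It assumes the same Quest snap-in and OU path as the post; the grace period, the Description stamp, the CSV path, and the `-Disabled` switch on Get-QADComputer and `-Description` on Set-QADComputer are my own choices and assumptions about the Quest cmdlets.

```powershell
# Added example (not from the original post): stamp, review, then dry-run delete.
Add-PSSnapin "Quest.ActiveRoles.ADManagement"

$inactiveOU = "yourdomain.com/inactiveOU"
$graceDays  = 60                                     # assumed: how long disabled accounts are kept
$reviewCsv  = "C:\Temp\InactiveComputers-ToDelete.csv"  # assumed path for the review file
$stamp      = "Disabled for inactivity on "          # assumed prefix written to Description

# 1. Record the disable date on each newly disabled account so it survives in AD
#    and anyone looking at the object can see why it was disabled.
#    (-Disabled and Set-QADComputer -Description are assumed Quest cmdlet parameters.)
Get-QADComputer -SizeLimit 0 -SearchRoot $inactiveOU -Disabled |
    Where-Object { $_.Description -notlike "$stamp*" } |
    ForEach-Object {
        Set-QADComputer -Identity $_ -Description ($stamp + (Get-Date -Format 'yyyy-MM-dd'))
    }

# 2. Select only accounts whose stamp is older than the grace period, and write
#    the list to a CSV so it can be reviewed before anything is removed.
$cutoff   = (Get-Date).AddDays(-$graceDays)
$toDelete = Get-QADComputer -SizeLimit 0 -SearchRoot $inactiveOU -Disabled |
    Where-Object {
        $_.Description -like "$stamp*" -and
        [datetime]::ParseExact($_.Description.Substring($stamp.Length), 'yyyy-MM-dd', $null) -lt $cutoff
    }
$toDelete | Select-Object Name, DN, Description |
    Export-Csv -Path $reviewCsv -NoTypeInformation

# 3. Dry run: -WhatIf only reports what would be deleted. Remove -WhatIf (and
#    answer the confirmation prompts) only after the CSV has been reviewed.
$toDelete | Remove-QADObject -WhatIf
```

Accounts that are re-enabled during the grace period keep their Description stamp, so clear it when re-enabling or the account will be listed again on the next run.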