Stale Computers
Updated Stale Computers
#Stale Computer removal
#get a list of all Computer Objects that have not reset their password for 90 days or more
# Exclude machines in the exception list, this may include hardware appliances and ClusterNames
# (Create an AD group called "Stale Computer Exception list" and add machines to it)
# If the operating System is a workstation OS (XP, Vista, Windows 7)
# delete the computer object from AD and email the list of deleted workstations to helpdesk / change control
# If the OS is not a workstation, create a ticket to have the machine investigated for removal or exception
# eventually once we have the list filtered down we should be able to just automatically remove all stale machines not on the exception list
#
#By default the password for the computer object is reset every 30 days
#pwdLastSet attribute is replicated to all Domain Controllers
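$StartTime = Get-Date

# Get-QADComputer / Move-QADObject / Remove-QADObject come from the Quest ActiveRoles snapin.
if (Get-PSSnapin | Where-Object { $_.Name -eq "quest.activeroles.admanagement" }) {
    Write-Host "Quest Active Roles snapin already loaded"
} else {
    Add-PSSnapin quest.activeroles.admanagement
}

# --- Tunables ----------------------------------------------------------------
# A computer is considered stale when its pwdLastSet is older than this many days.
$InactiveDays = 90
# Workstations parked in $StaleCompOU are deleted once unchanged for this many days.
# The notification e-mail says "a week"; presumably 6 so that a weekly schedule deletes
# on the run following the move -- confirm against the scheduled task.
$GraceDays = 6

# pwdLastSet is a FILETIME (100ns ticks since 1601-01-01 UTC). ToFileTimeUtc() yields
# exactly that, avoiding the locale-dependent "01/01/1601" parse and the local/UTC skew
# of the original epoch arithmetic.
$InactiveFrom = (Get-Date).AddDays(-$InactiveDays).ToFileTimeUtc()
# pwdLastSet=0 means "never set" (e.g. a freshly pre-staged account); those are not stale.
$LdapFilter = "(&(pwdLastSet<=$InactiveFrom)(!pwdLastSet=0))"

# Membership of this group is the ONLY thing that exempts a stale object from removal,
# so its write access should be as restricted as the script's own account.
$ExceptionGroup = "IT Stale Computer Exceptions"

$DeletedComputerFile   = "C:\scripts\Output\DeletedComputers.csv"
$StaleWorkstationsFile = "C:\scripts\Output\StaleWorkstations.csv"
$StaleServersFile      = "C:\scripts\Output\StaleServers.csv"
$smtpServer    = "mail.blah.com"
$WorkstationTo = "Help Desk <helpdesk@blah.com>"
$ServerTo      = "Kevin Curran <kcurran@blah.com>"
$DeletedTo     = "Kevin Curran <kcurran@blah.com>"
$From          = "AD Reporting <ADReporting@blah.com>"
# Optional extra recipients for the deletion report. The original passed an undefined
# $Bcc to Send-MailMessage; an empty list here means "no Bcc header" (see Send-StaleReport).
$Bcc           = @()
$StaleCompOU   = "blah.com/Maintenance/StaleComputers"

# Only these operating systems are auto-deleted. Anything else -- servers, appliances,
# or a blank OperatingSystem attribute -- is reported for a human decision.
$WorkstationOsPatterns = @("*XP*", "Windows 7*", "Windows Vista*")

#######################################
# Returns $true when the OS string matches one of $WorkstationOsPatterns.
# An empty/null OS never matches, so unknown machines fall into the "server" report.
#######################################
function Test-WorkstationOs {
    param([string]$OperatingSystem)
    foreach ($pattern in $WorkstationOsPatterns) {
        if ($OperatingSystem -like $pattern) { return $true }
    }
    return $false
}

#######################################
# Exports $Computers to $Path and e-mails the list with the CSV attached.
# Arguments: Computers    - objects with Name/Description/operatingSystem/pwdLastSet/parentContainer
#            EmptyMessage - console message when there is nothing to report
#            Path         - CSV output path (also used as the attachment)
#            To / Subject / Intro / Bcc - mail fields; Intro precedes the machine list
# Outputs:   writes the CSV, sends one e-mail; prints EmptyMessage when the list is empty
#######################################
function Send-StaleReport {
    param(
        [object[]]$Computers,
        [string]$EmptyMessage,
        [string]$Path,
        [string]$To,
        [string]$Subject,
        [string]$Intro,
        [string[]]$Bcc = @()
    )
    if ($null -eq $Computers -or $Computers.Count -eq 0) {
        Write-Host $EmptyMessage
        return
    }
    $Computers |
        Select-Object Name, Description, operatingSystem, pwdLastSet, parentContainer |
        Sort-Object pwdLastSet |
        Export-Csv -NoTypeInformation $Path

    # One machine name per line; -join avoids the stray $OFS spaces the old string+array concat produced.
    $names = ($Computers | ForEach-Object { $_.Name }) -join "`r`n"
    $body = $Intro + "`r`n`r`n" + $names + "`r`n`r`n`r`n" +
        "This script was run by " + $env:username + " on " + $env:COMPUTERNAME

    # Splat so that -Bcc is only supplied when there is at least one address.
    $mail = @{
        From        = $From
        To          = $To
        SmtpServer  = $smtpServer
        Subject     = $Subject
        Body        = $body
        Attachments = $Path
    }
    if ($Bcc.Count -gt 0) { $mail.Bcc = $Bcc }
    Send-MailMessage @mail
}

# --- Step 1: delete machines parked in the stale OU for at least $GraceDays ----
# The LDAP filter and exception group are re-applied here, so a machine that came back
# online (refreshed pwdLastSet) or was added to the exception group since being moved
# is left alone. @() turns "no results" into an empty array rather than $null.
$DeletionCandidates = @(Get-QADComputer -SearchRoot $StaleCompOU `
    -LastChangedBefore (Get-Date).AddDays(-$GraceDays) `
    -LdapFilter $LdapFilter -IncludedProperties pwdLastSet -NotMemberOf $ExceptionGroup)

# Only objects that were actually removed end up in the deletion report.
$DeletedComputers = @()
if ($DeletionCandidates.Count -eq 0) {
    Write-Host "No stale computers to delete"
} else {
    foreach ($computer in $DeletionCandidates) {
        try {
            $computer | Remove-QADObject -Force -ErrorAction Stop
            $DeletedComputers += $computer
        } catch {
            # Keep going for the rest, but never report a failed delete as done.
            Write-Warning "Failed to delete $($computer.Name): $_"
        }
    }
}

# --- Step 2: find newly stale machines that are not yet in the stale OU --------
$StaleComputers = @(Get-QADComputer -LdapFilter $LdapFilter -IncludedProperties pwdLastSet `
    -NotMemberOf $ExceptionGroup | Where-Object { $_.ParentContainer -ne $StaleCompOU })

$StaleWorkstations = @($StaleComputers | Where-Object { Test-WorkstationOs $_.OperatingSystem })
$StaleServers      = @($StaleComputers | Where-Object { -not (Test-WorkstationOs $_.OperatingSystem) })

# Park stale workstations; step 1 deletes them on a later run if they stay stale.
if ($StaleWorkstations.Count -gt 0) {
    $StaleWorkstations | Move-QADObject -NewParentContainer $StaleCompOU
}

# TODO: an optional per-machine reachability check (Test-Connection / DNS lookup) was
# stubbed out here in the original; it would need error handling for unresolvable names.

# --- Step 3: reports -----------------------------------------------------------
Send-StaleReport -Computers $DeletedComputers -EmptyMessage "No machines to Delete" `
    -Path $DeletedComputerFile -To $DeletedTo -Bcc $Bcc -Subject "Deleted computer Accounts" `
    -Intro ("The following Computer accounts have been deleted from the `"$StaleCompOU`" " +
            "OU. This usually means the computer has not been on or communicating with " +
            "active directory for at least $InactiveDays days.")

Send-StaleReport -Computers $StaleWorkstations -EmptyMessage "No stale Workstations have been found" `
    -Path $StaleWorkstationsFile -To $WorkstationTo -Subject "Deleting Stale Workstations" `
    -Intro ("The following Stale Computer accounts are being moved to the `"$StaleCompOU`" " +
            "OU and will be deleted in a week if they do not update their Computer accounts " +
            "or get moved to a different OU. This usually means the computer has not " +
            "been on or communicating with active directory for at least $InactiveDays days.")

Send-StaleReport -Computers $StaleServers -EmptyMessage "No stale Servers have been found" `
    -Path $StaleServersFile -To $ServerTo -Subject "Stale Computer Accounts" `
    -Intro ("The following Stale Computer accounts should be removed from AD " +
            "or added to the `"$ExceptionGroup`" AD Group")

# Measured after the e-mails so the figure covers the whole run.
$ElapsedTime = (Get-Date) - $StartTime
Write-Host "Script completed in $([Math]::Round($ElapsedTime.TotalSeconds,0)) Seconds `r`n"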