Category Archives: Active Directory

Use PowerShell to Find and Remove Inactive Accounts from AD

Keeping Active Directory (AD) tidy can help reduce replication bandwidth if you have domain controllers in different sites, and it makes troubleshooting and management easier. Stale accounts are also a security liability: a computer account nobody has touched for a year is still a valid security principal that can authenticate and that nobody is watching. In this Ask the Admin, I’ll show you how to remove a computer account from AD, and how to query the directory for accounts that haven’t been used in a long time.

Remove Computer Accounts Using PowerShell

To remove one or more computer accounts using PowerShell, log on to Windows Server 2012 R2, or a Windows 8 management workstation that’s a member of your Active Directory domain, using an account that has permission to delete AD objects. If you decide to run the commands on a machine that isn’t a domain controller, the Active Directory module for Windows PowerShell (part of the Remote Server Administration Tools) must be installed.

  • Open a PowerShell prompt, using either the icon on the desktop taskbar (Windows Server), or by switching to the Start screen, typing powershell and selecting Windows PowerShell from the search results (Windows 8).
  • In the PowerShell prompt, type remove-adcomputer -identity workstation01 and press ENTER, replacing workstation01 with the name of the computer account you want to remove. If you’re unsure which object the name resolves to, run the same command with -whatif first: it reports what would be deleted without changing anything.

Search AD for Inactive Computer Accounts

Now that we know how to remove computer accounts from the command line, let’s query AD for computer accounts that haven’t been used for a long time. By default, a domain-joined computer changes its own account password every 30 days (the change is initiated by the machine, not by AD), so a computer whose password hasn’t changed in a long time has most likely not contacted the domain in that time. Decide for yourself how much time should pass before you delete an account; a year or more is a safe starting point. Bear in mind that a machine that has simply been offline (a spare laptop, a powered-off VM) looks identical to a decommissioned one in this query, and that the machine password change can be disabled by policy, so review the results before deleting anything.

In this example, I’m going to use the get-adcomputer cmdlet, with Select-Object and Sort-Object to format the results:

get-adcomputer -filter * -properties passwordlastset | select name, passwordlastset | sort passwordlastset

We need to add the –properties parameter because the passwordlastset attribute is not returned by default. select then pulls out only the name and passwordlastset values, and sort orders them by date, oldest first.

Now let’s add a more complex filter. We can use the get-date cmdlet to create a variable that holds the date one year ago, so the filter shows only accounts whose password was last set before that date. To create the variable, type $date = (get-date).addyears(-1) and press Enter.

Now we can modify the command to include a less than (-lt) argument in the filter:

get-adcomputer -filter {passwordlastset -lt $date} -properties passwordlastset | select name, passwordlastset | sort passwordlastset

Finally, once we are sure the filter is right, we replace the select and sort cmdlets with remove-adobject. Notice that I’m using remove-adobject rather than remove-adcomputer: remove-adcomputer can’t delete a computer account that has child (‘leaf’) objects underneath it, such as computer accounts for virtual machines, whereas remove-adobject -recursive deletes the account together with everything under it. That is also the reason to be careful. Anything stored beneath the computer object, BitLocker recovery information for example, is deleted with it and only comes back if the AD Recycle Bin is enabled or you have a backup. Run the command with -whatif first to list what would be deleted, and leave out -confirm:$false until you’re happy with the result.

get-adcomputer -filter {passwordlastset -lt $date} -properties passwordlastset | remove-adobject -recursive -verbose -confirm:$false
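The one-liner above deletes in a single step. Below is an added example, not code from the original article, that turns the same idea into a two-stage clean-up a practitioner would actually run: it cross-checks pwdLastSet against lastLogonTimestamp, excludes domain controllers and objects protected from accidental deletion, disables and stamps stale accounts first, and only deletes (recursively, as the article does) on a later pass. It assumes the Active Directory module is installed and that the account running it may modify and delete computer objects; the function names and the CSV path are my own choices.

```powershell
# Added example (not from the original article). Requires the AD module (RSAT).
Import-Module ActiveDirectory

function Get-StaleComputer {
    param(
        [int]$InactiveDays = 365,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # Domain controllers rotate their passwords too, but must never be cleaned up this way.
    $dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN

    # pwdLastSet is filtered server-side. LastLogonDate (lastLogonTimestamp) is checked
    # client-side: it is only replicated every 9 to 14 days, so it is coarse, but it catches
    # machines whose password change has been disabled by policy.
    Get-ADComputer -Filter { PasswordLastSet -lt $cutoff } -SearchBase $SearchBase `
        -Properties PasswordLastSet, LastLogonDate, OperatingSystem, Enabled,
                    ProtectedFromAccidentalDeletion, Description |
        Where-Object {
            $dcDns -notcontains $_.DistinguishedName -and
            ($_.LastLogonDate -eq $null -or $_.LastLogonDate -lt $cutoff)
        } |
        Select-Object Name, DistinguishedName, OperatingSystem, Enabled,
                      PasswordLastSet, LastLogonDate, ProtectedFromAccidentalDeletion
}

function Invoke-StaleComputerCleanup {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(ValueFromPipeline = $true)] $Computer,
        [ValidateSet('Disable', 'Delete')] [string]$Action = 'Disable'
    )
    process {
        if ($Computer.ProtectedFromAccidentalDeletion) {
            # Remove-ADObject fails on these anyway; surface them instead of erroring mid-run.
            Write-Warning "$($Computer.Name) is protected from accidental deletion; skipping."
            return
        }
        switch ($Action) {
            'Disable' {
                # Stage 1: disable and stamp the object. Nothing is lost yet and the
                # account can be re-enabled if a machine turns out to be merely offline.
                if ($PSCmdlet.ShouldProcess($Computer.DistinguishedName, 'Disable stale computer')) {
                    Disable-ADAccount -Identity $Computer.DistinguishedName
                    Set-ADComputer -Identity $Computer.DistinguishedName `
                        -Description ("Disabled as stale on {0:yyyy-MM-dd}" -f (Get-Date))
                }
            }
            'Delete' {
                # Stage 2: delete the object and its child objects (e.g. BitLocker recovery
                # information), which Remove-ADComputer would refuse to do.
                if ($PSCmdlet.ShouldProcess($Computer.DistinguishedName, 'Delete stale computer (recursive)')) {
                    Remove-ADObject -Identity $Computer.DistinguishedName -Recursive -Confirm:$false
                }
            }
        }
    }
}

# Usage: report, then disable with a preview, and delete only after a grace period.
Get-StaleComputer -InactiveDays 365 | Export-Csv .\stale-computers.csv -NoTypeInformation
Get-StaleComputer -InactiveDays 365 | Invoke-StaleComputerCleanup -Action Disable -WhatIf
# Later, once the disabled accounts have gone unmissed:
# Get-StaleComputer -InactiveDays 365 | Where-Object { -not $_.Enabled } |
#     Invoke-StaleComputerCleanup -Action Delete -Confirm
```

ConfirmImpact is set to High so the cleanup function prompts per object unless you pass -Confirm:$false explicitly; -WhatIf on the function prints each ShouldProcess target without touching the directory.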

Via Use PowerShell to Find and Remove Inactive Accounts from AD.

Install Active Directory Management Service for Easy PowerShell Access.

Install Active Directory Management Service for Easy PowerShell Access – Hey, Scripting Guy! Blog – Site Home – TechNet Blogs.

You can manage AD from a remote PC or server. The Active Directory module for Windows PowerShell talks to a domain controller through Active Directory Web Services (ADWS), which is built into Windows Server 2008 R2 and later; on Windows Server 2003 and Windows Server 2008 DCs you install the Active Directory Management Gateway Service, which provides the same service:

1.     Install .NET Framework 3.5 with Service Pack 1 on the domain controller.

2.     On the domain controller, download and install the Active Directory Management Gateway Service: Windows6.0-KB968934-x86.msu or Windows6.0-KB968934-x64.msu.

3.     If you get the error “The update does not apply to your system”, the prerequisite hotfixes are missing. Two are required, a .NET Framework hotfix and an operating-system-specific hotfix, and there are three to choose from depending on the OS:

a.       KB969166, a .NET Framework 3.5 SP1 hotfix rollup. No reboot is needed after installing it.

b.       KB967574 for Windows Server 2008. It is only needed if Service Pack 2 is not installed; a DC running Windows Server 2008 SP2 already includes it.

c.       KB969429 for Windows Server 2003 and Windows Server 2003 R2. Not needed on a Windows Server 2008 DC.

4.     After the two updates are applied and the Active Directory Management Gateway Service is installed, reboot the server.

5.     On the DC, open services.msc and verify that the Active Directory Web Services service (service name ADWS) exists and is running. ADWS listens on TCP port 9389, so that port must be reachable from the management workstation through any firewalls in between.

6.     On your Windows 7 desktop, download and install the Remote Server Administration Tools (RSAT) for Windows 7, then turn on the Active Directory Module for Windows PowerShell under Programs and Features, Turn Windows features on or off.

7.     Open Windows PowerShell on the desktop and import the Active Directory module with import-module activedirectory.

8.     Connect to the DC. The AD cmdlets locate a domain controller that advertises ADWS automatically; use the -server parameter to target a specific DC.
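To confirm the setup works end to end, here is an added example (my own code, not from the Scripting Guy post) that finds a DC advertising ADWS, checks that TCP 9389 on it is reachable from the workstation, and then pins a couple of cheap queries to that DC. It assumes the Active Directory module is installed locally; the Test-AdwsEndpoint function name is my own, and the remote service check at the end additionally needs RPC access to the DC.

```powershell
# Added example (not from the original post). Requires the AD module (RSAT) locally.
function Test-AdwsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$DcName,
        [int]$Port = 9389,        # ADWS / AD Management Gateway Service listen port
        [int]$TimeoutMs = 3000
    )
    # Plain TCP connect with a timeout; Test-NetConnection does not exist on Windows 7.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($DcName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return [pscustomobject]@{ Server = $DcName; Port = $Port; Reachable = $false; Reason = 'timeout' }
        }
        $client.EndConnect($async)
        return [pscustomobject]@{ Server = $DcName; Port = $Port; Reachable = $true; Reason = '' }
    } catch {
        return [pscustomobject]@{ Server = $DcName; Port = $Port; Reachable = $false; Reason = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

Import-Module ActiveDirectory

# Ask the locator for a DC that advertises the ADWS service. HostName comes back as a
# one-element collection, so stringify it before handing it to -Server.
$dc     = Get-ADDomainController -Discover -Service ADWS
$dcHost = "$($dc.HostName)"

$probe = Test-AdwsEndpoint -DcName $dcHost
$probe

if ($probe.Reachable) {
    # -Server pins every call to this DC, which keeps troubleshooting deterministic.
    # rootDSE also exposes the functional levels, which is handy for the next two posts.
    Get-ADRootDSE -Server $dcHost |
        Select-Object dnsHostName, domainFunctionality, forestFunctionality

    # Service-level check (needs RPC access to the DC): the gateway installs as ADWS.
    Get-Service -ComputerName $dcHost -Name ADWS | Select-Object MachineName, Status
} else {
    Write-Warning "ADWS on $dcHost is not reachable: $($probe.Reason)"
}
```

If the probe fails but the service is running on the DC, the problem is almost always a firewall between the workstation and port 9389 rather than the gateway itself.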

Raise the Forest Functional Level


To raise the forest functional level

  1. Open Active Directory Domains and Trusts: click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.

  2. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.

  3. In Select an available forest functional level, select the level you want, and then click Raise.

  4. Do not raise the forest functional level if you have, or will have, any domain controllers running an earlier version of Windows Server: a domain controller whose operating system doesn’t support the forest functional level can’t be promoted into the forest. Every domain in the forest must already be at the corresponding domain functional level, and raising is effectively a one-way operation, so check the operating system of every domain controller in the forest before you click Raise.

Raise the Domain Functional Level


To raise the domain functional level

  1. Open Active Directory Domains and Trusts: click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.

  2. In the console tree, right-click the domain whose functional level you want to raise, and then click Raise Domain Functional Level.

  3. In Select an available domain functional level, select the level you want, and then click Raise.

  4. Do not raise the domain functional level if you have, or will have, any domain controllers running earlier versions of Windows Server. The reason to raise it at all is the features the higher level unlocks (for example, Kerberos AES encryption and fine-grained password policies at the Windows Server 2008 level, and Protected Users and authentication policies at the Windows Server 2012 R2 level), so confirm every domain controller in the domain supports the target level before you click Raise; as with the forest level, treat the change as one-way.
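The two GUI procedures above (forest and domain) are the same check-then-raise sequence, so here is one added example serving both. It is my own code, not from the original posts: it inventories the current forest and domain functional levels together with every domain controller’s operating system, then previews the raise with Set-ADDomainMode and Set-ADForestMode using -WhatIf, domains first because the forest level requires every domain to be at that level. It assumes the Active Directory module, Enterprise Admins rights, and that the $target value is adjusted to the level you actually intend; the report function name is my own.

```powershell
# Added example (not from the original posts). Requires the AD module and Enterprise Admins.
Import-Module ActiveDirectory

function Get-FunctionalLevelReport {
    $forest = Get-ADForest
    $report = [ordered]@{
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode
        Domains           = @()
        DomainControllers = @()
    }
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $report.Domains += [pscustomobject]@{ Domain = $domain.DNSRoot; DomainMode = $domain.DomainMode }
        # Every DC in the domain must run an OS that supports the target level.
        # OperatingSystem is read from each DC's computer object.
        $report.DomainControllers += Get-ADDomainController -Filter * -Server $domain.DNSRoot |
            Select-Object Domain, HostName, OperatingSystem, OperatingSystemVersion
    }
    [pscustomobject]$report
}

$r = Get-FunctionalLevelReport
"Forest $($r.Forest) is at $($r.ForestMode)"
$r.Domains           | Format-Table -AutoSize
$r.DomainControllers | Format-Table -AutoSize

# Preview, then apply. Domains go first: the forest level cannot exceed the lowest
# domain level. Drop -WhatIf only once the DC inventory above shows no older OS.
$target = 'Windows2012R2'   # assumption: change to the level you intend to raise to
foreach ($d in $r.Domains) {
    Set-ADDomainMode -Identity $d.Domain -DomainMode "${target}Domain" -WhatIf
}
Set-ADForestMode -Identity $r.Forest -ForestMode "${target}Forest" -WhatIf
```

The -DomainMode and -ForestMode values are the ADDomainMode and ADForestMode enumeration names (Windows2008Domain, Windows2008R2Forest, and so on); both cmdlets refuse the raise if any domain controller is too old, which is the same check the GUI warns about in step 4.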