Redirect to www.shellandco.net

Disable and move inactive computer accounts

This script disable and move inactive Active Directory computer account. The steps are the following :
  • list all computer accounts inactive for more than 90 days
  • ping each inactive computers
  • if the inactive computer is unreachable, the computer account is disabled using the dsmod tool
  • the computer account is moved to a specific OU
  • the description of the computer account is updated with the source OU to keep a backup of the original location of the object. This description is merged with the existing one

Script :
$Inactive_computer_OU = "OU=Inactive Computers,DC=domain,DC=local,DC=net"
$PingMachines = Get-QADComputer -InactiveFor 90
ForEach($host In $PingMachines){
    $MachineName = $host.name
    $PingStatus = Gwmi Win32_PingStatus -Filter "Address = '$MachineName'" | Select-Object StatusCode
    If ($PingStatus.StatusCode -ne 0){
        Write-Host $MachineName " : offline" -Fore "Red"
        $comp = Get-QADComputer $MachineName |select dn,description
        dsmod computer $comp.dn -disabled yes
        Write-Host "Move the computer account $MachineName to the OU $Inactive_computer_OU"
        Move-QADObject $MachineName -NewParentContainer $Inactive_computer_OU
        Write-Host "Update the computer account description with the source OU name"
        $new_desc = ($comp).dn + " - " + ($comp).description
        Set-QADComputer $MachineName -Description $new_desc
    }
}