Find orphaned accounts in Active Directory
As an administrator I would of course never forget to delete a computer account, but if someone else should forget it, quite a lot of orphaned accounts would accumulate in Active Directory over time. So how would one detect accounts that haven't been used for a while? Well, again the answer is PowerShell. With the simple little script below you can choose the age of the accounts you want displayed. Of course you could easily edit the script so that it deletes the accounts right away by using Remove-QADObject. You could also use the Get-QADUser cmdlet to search for user accounts instead of computer accounts.
```powershell
# Load the Quest ActiveRoles cmdlets (Get-QADComputer, Get-QADUser, Remove-QADObject)
Add-PSSnapin -name Quest.ActiveRoles.ADManagement

$searchRoot = "domain.local/Workstations"   # OU to search, in Quest's canonical-name form
$age = 60 # in days

# Fetch the computer accounts with their LastLogonTimeStamp, newest logon first
$accounts = Get-QADComputer -IncludedProperties LastLogonTimeStamp -SearchRoot $searchRoot | Sort-Object -Property LastLogonTimeStamp -Descending
$today = Get-Date

foreach( $account in $accounts ) {
    if( $account.LastLogonTimeStamp -eq $null ) {
        # Attribute not set: the account has never logged on
        Write-Host $account.Name "last logon: Never"
    }
    else {
        # Days since the last recorded logon
        $res = $today - $account.LastLogonTimeStamp
        $days = $res.Days
        if( $days -gt $age ) {
            Write-Host $account.Name "last logon:" $days "days ago"
        }
    }
}
```
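The same check using the built-in ActiveDirectory module instead of the Quest snapin, as an added example that is not from the original post. It assumes RSAT is installed, uses the post's "domain.local/Workstations" OU rewritten as a distinguished name, and covers the user-account variant the post mentions; the function name Get-StaleAdAccount is made up for this example.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory RSAT module
# and an OU matching the post's "domain.local/Workstations".
Import-Module ActiveDirectory

function Get-StaleAdAccount {
    param(
        [string]$SearchBase = "OU=Workstations,DC=domain,DC=local",
        [int]$Age = 60,                        # in days, as in the post
        [ValidateSet('Computer','User')]
        [string]$Type = 'Computer'             # the post's Get-QADUser variant
    )
    $today = Get-Date
    $props = 'lastLogonTimestamp', 'whenCreated', 'Enabled'
    $objects = if ($Type -eq 'Computer') {
        Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $props
    } else {
        Get-ADUser -Filter * -SearchBase $SearchBase -Properties $props
    }

    foreach ($obj in $objects) {
        # The native module returns lastLogonTimestamp as a Windows FILETIME (Int64),
        # not a DateTime, so it must be converted before subtracting.
        if ($null -eq $obj.lastLogonTimestamp) {
            $lastLogon = $null
            # Never logged on: age from creation, so a brand-new account is not flagged
            $days = ($today - $obj.whenCreated).Days
        } else {
            $lastLogon = [DateTime]::FromFileTime($obj.lastLogonTimestamp)
            $days = ($today - $lastLogon).Days
        }
        if ($days -gt $Age) {
            [PSCustomObject]@{
                Name      = $obj.Name
                Enabled   = $obj.Enabled
                LastLogon = if ($lastLogon) { $lastLogon } else { 'Never' }
                DaysIdle  = $days
            }
        }
    }
}

# Report only. lastLogonTimestamp replicates lazily (it can lag the true last logon
# by up to about 14 days), so keep the age threshold well above that before acting;
# Disable-ADAccount is a reversible first step and deletion can follow later.
Get-StaleAdAccount -Type Computer -Age 60 | Sort-Object DaysIdle -Descending | Format-Table -AutoSize
```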