Inactive Computers

Identify and manage inactive computers


Description: Identifies inactive computers in Domain.
Version: 1.0
Last Mod: April 2010
Client: NA
Language: VbScript
Finish Level: Smooth

Description

Scans Active Directory for computers whose machine password has not been updated within a specified period. Active computers automatically renew their password at least monthly. Based on settings, inactive computers may have their accounts disabled and/or moved to a specified alternate OU/Container.

Configuration

Default configuration – Run "as is," the script will search the entire Active Directory to which you are connected. It will be read-only. The threshold for being inactive will be 100 days. There will be no computer account relocation or deactivation.

You may change these defaults by editing the values in the Configuration section of the script file, starting at line 40.

Search Root – strAdRootG holds the starting point of the search. If this string value is empty ( "" ), the entire directory is searched. To set an alternate starting point for the search, set this value to the LDAP distinguishedName of a valid container/OU. The following will search the Computers container in Contoso.com.

      "CN=Computers,DC=Contoso,DC=com"

          Note: If using the account relocation feature, the search root cannot be the root of the AD.

Log file – strLogPathG holds the fully qualified path/name of the log file.

Inactive Period – intDaysG holds the number of days, without a password change, used as the threshold to declare the computer inactive. This should be something greater than 30.

Disable Inactive Computers – blnDisableInactiveG is either vbTrue or vbFalse, determining whether inactive computers are disabled. (Disable = vbTrue)

Move Inactive Computers – blnMoveInactiveG is either vbTrue or vbFalse, determining whether inactive computers are moved to a designated alternate container. True will cause the computer account to be moved. If set to True, the value of the Inactive Computers OU must be a valid value. If False, the value of Inactive Computers OU is not checked.

Inactive Computers OU – strTargetOuG holds the LDAP value of the container/OU where inactive computers are moved if blnMoveInactiveG is True. The following specifies the Inactive Computers container in Fabricam.com. The container must exist prior to running the script.

      "CN=Inactive Computers,DC=Fabricam,DC=com"

If relocating computers to an alternate container, the alternate container cannot be within the search scope of the scan, as specified in strAdRootG. This would cause a looping effect. The script tests for this condition and exits with a message.

          Note: Use ADSIEdit to explore Active Directory and display the distinguishedName of the target for the search root and relocation container. Open ADSIEdit and connect to the Default Naming Context. Then expand the tree to the desired object. Right-click and select Properties. Locate the distinguishedName property, double-click it and copy its value to the clipboard.
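The inactivity threshold and the looping check described above can be sketched in PowerShell as follows. This is an added example, not the script's own code: the G-suffixed variables mirror the script's configuration names, the function names and sample records are constructed, and reading password age from the pwdLastSet attribute is an assumption about how the age is measured.

```powershell
# Added example (not the original VBScript). Read-only: it reports, never disables or moves.
$strAdRootG       = 'CN=Computers,DC=Contoso,DC=com'
$strTargetOuG     = 'CN=Inactive Computers,DC=Contoso,DC=com'   # constructed target container
$intDaysG         = 100
$blnMoveInactiveG = $true

function Test-DnInScope {
    # True when $Dn equals $Root or sits beneath it. An empty root means the
    # whole directory, so every DN is in scope. Simplification: string match
    # on normalised DNs; escaped commas inside an RDN are not handled.
    param([string]$Dn, [string]$Root)
    if ([string]::IsNullOrWhiteSpace($Root)) { return $true }
    $d = ($Dn   -replace '\s*,\s*', ',').Trim().ToLowerInvariant()
    $r = ($Root -replace '\s*,\s*', ',').Trim().ToLowerInvariant()
    return ($d -eq $r) -or $d.EndsWith(",$r")
}

function Get-InactiveComputer {
    # pwdLastSet is a FILETIME value: 100-nanosecond ticks since 1601-01-01 UTC.
    param([object[]]$Computers, [int]$Days, [datetime]$Now = [datetime]::UtcNow)
    foreach ($c in $Computers) {
        $last = [datetime]::FromFileTimeUtc([int64]$c.pwdLastSet)
        $age  = [int][math]::Floor(($Now - $last).TotalDays)
        if ($age -gt $Days) {
            [pscustomobject]@{
                Name            = $c.Name
                PasswordAgeDays = $age
                DN              = $c.DistinguishedName
            }
        }
    }
}

# Looping guard: a relocation target inside the search scope would be rescanned.
if ($blnMoveInactiveG -and (Test-DnInScope -Dn $strTargetOuG -Root $strAdRootG)) {
    throw 'Relocation container lies within the search scope; choose another container.'
}

# Constructed records shaped like the output of
#   Get-ADComputer -Filter * -SearchBase $strAdRootG -Properties pwdLastSet
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ Name = 'WS-001'; pwdLastSet = $now.AddDays(-12).ToFileTimeUtc()
                       DistinguishedName = "CN=WS-001,$strAdRootG" }
    [pscustomobject]@{ Name = 'WS-002'; pwdLastSet = $now.AddDays(-150).ToFileTimeUtc()
                       DistinguishedName = "CN=WS-002,$strAdRootG" }
)
Get-InactiveComputer -Computers $sample -Days $intDaysG -Now $now | Format-Table -AutoSize
```

With an empty search root, Test-DnInScope returns true for any target, which matches the note that the search root cannot be the root of the AD when relocation is enabled.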

Execution

Once configured, simply run the script. It can be run from anywhere. If you will not move or disable computer accounts, elevated permissions are not required. It is strongly suggested that the initial run be made with both the disable and move account options turned off.

Documentation

Just this
