
close
close
Keeping Active Directory (AD) tidy can help reduce replication bandwidth if you have domain controllers in different sites, and make troubleshooting and management easier. In this Ask the Admin, I’ll show you how to easily remove a computer account from AD, and how to query the directory for accounts that haven’t been used in a long time.
To remove one or more computer accounts using PowerShell, log on to Windows Server 2012 R2, or a Windows 8 management workstation that’s a member of your Active Directory domain, using an account that has permission to delete AD objects. If you decide to run the commands on a machine that isn’t a domain controller, the AD module for PowerShell must be installed.
advertisment
Now that we know how to remove computer accounts using the command line, let’s query AD for computer accounts that haven’t been used for a long time. Computer account passwords are automatically reset by AD every 30 days, so you can determine yourself what length of time you should let pass before deleting the accounts from AD. A year or more would likely be a safe option.
In this example, I’m going to use the get-adcomputer cmdlet, and the select and sort object cmdlets to format the results:
get-adcomputer -filter * -properties passwordlastset | select name, passwordlastset | sort passwordlastset
We need to add in the –properties parameter because the passwordlastset attribute is not displayed in the results by default. Select name and sort are then used to ‘pull out’ and order only the required information.
advertisment
Now let’s add a more complex filter. We can use the get-date cmdlet to create a variable that sets the filter to show accounts that have had their accounts reset more than one year ago. To create the variable, type $date = (get-date).addyears(-1) and press Enter.
Now we can modify the command to include a less than (-lt) argument in the filter:
get-adcomputer -filter {passwordlastset -lt $date} -properties passwordlastset | select name, passwordlastset | sort passwordlastset
In my test environment, I don’t have any computer accounts more than a month old, so to prove the filter works, I can change the date variable to $date = (get-date).adddays(-16).
Finally, once we are sure the filter is right, we need to add the remove-adobject cmdlet as follows, without the select and sort cmdlets. Notice that I’m using the remove-adobject cmdlet and not remove-adcomputer, because remove-adcomputer is not able to delete accounts that have embedded ‘leaf’ objects, such as computer accounts for virtual machines.
advertisment
get-adcomputer -filter {passwordlastset -lt $date} -properties passwordlastset | remove-adobject -recursive -verbose -confirm:$false
More from Russell Smith
advertisment
Petri Newsletters
Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.
advertisment
More in Active Directory
Microsoft Releases Out-Of-Band Patches to Fix Windows AD Authentication Issues
May 20, 2022 | Rabia Noureen
Cloud Conversations – Ståle Hansen on Digital Wellbeing and Viva Explorers
May 19, 2022 | Laurent Giret
Microsoft Rolls Out Azure AD Verifiable Credentials Service to More Customers
May 11, 2022 | Rabia Noureen
Most popular on petri
Log in to save content to your profile.
Article saved!
Access saved content from your profile page. View Saved
Join The Conversation
Create a free account today to participate in forum conversations, comment on posts and more.
Copyright ©2019 BWW Media Group