Reporting new and dormant computer accounts

Colleagues just asked me to list Windows servers that have just been commissioned, and also those that might not have been decommissioned properly. I have multiple sources of information (Active Directory, the CMDB, SCCM, the monitoring systems), and ideally the numbers in all of them should match, so I used PowerShell to report out of AD. The idea is simple. The whenCreated attribute gives the date the computer object was created, which is a good proxy for the commissioning date. pwdLastSet is the timestamp of the computer account password; a domain-joined Windows machine rotates it every 30 days by default (the interval is set by the "Domain member: Maximum machine account password age" policy, and rotation can be switched off with "Domain member: Disable machine account password changes"), so accounts whose password is older than 90 days are probably computers that no longer exist, or non-Windows clients that don't rotate the password, or Windows cluster computer accounts. The operatingSystem attribute separates servers from workstations. Two details matter when building the LDAP filter: whenCreated is a generalized-time string in UTC (yyyyMMddHHmmss.0Z), while pwdLastSet is a 64-bit FILETIME integer, so each cutoff needs its own formatting; and a pwdLastSet of 0 means the password was never set, which the "older than" comparison also picks up. The script is quite self-explanatory and doesn't require any PowerShell modules:

# Based on: RemoveInactiveADUsers_v1.0.ps1 (http://gallery.technet.microsoft.com/scriptcenter/Remove-Inactive-user-2caf199a)

#-------- Config - change $adPath to report on a different domain; no special privilege required
#         (any authenticated domain user can read these attributes)
$adPath = "LDAP://DC=corp,DC=tailspintoys,DC=com"
$thirtyDaysAgo = -30
$ninetyDaysAgo = -90

$objDomain = New-Object System.DirectoryServices.DirectoryEntry($adPath)
$objSearch = New-Object System.DirectoryServices.DirectorySearcher($objDomain)
$objSearch.PageSize = 1000   # page the results; without this FindAll() stops at the server's MaxPageSize (1000 by default)

#-------- New computer objects (created in the last 30 days)
# whenCreated is a generalized-time string in UTC, so build the cutoff from UTC time
$timestamp = "{0:yyyyMMddHHmmss}.0Z" -f (Get-Date).ToUniversalTime().AddDays($thirtyDaysAgo)

$objSearch.Filter = "(&(objectCategory=computer)(objectClass=computer)(whenCreated>=" + $timestamp + ")(operatingSystem=*Server*))"
$allSearchResult = $objSearch.FindAll()
Write-Host "Created in the last 30 days: ", $allSearchResult.Count
foreach ($objSearchResult in $allSearchResult) { $objSearchResult.Properties.name }

#-------- Dormant computer objects (password not changed for 90 days)
# pwdLastSet is a FILETIME (64-bit integer); ToFileTime() converts the local cutoff to the same representation
$datetime = ((Get-Date).AddDays($ninetyDaysAgo)).ToFileTime()

$objSearch.Filter = "(&(objectCategory=computer)(objectClass=computer)(pwdLastSet<=" + $datetime + ")(operatingSystem=*Server*))"
$allSearchResult = $objSearch.FindAll()
Write-Host "Possible zombie accounts: ", $allSearchResult.Count
foreach ($objSearchResult in $allSearchResult) { $objSearchResult.Properties.name }

As always with PowerShell, the search results can be piped into a variety of other cmdlets, such as Get-ADComputer (to pull further attributes once the ActiveDirectory module is available) or Test-Connection (to see whether a suspected zombie still answers on the network).
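The following is an added example, not part of the original post: it takes the dormant-account search from the script above and turns it into objects that can be triaged, decoding pwdLastSet from FILETIME, reading the disabled bit from userAccountControl, and checking whether the host still resolves and answers a ping. The function name Get-DormantServerAccount and the search base in $adPath are assumptions for the example; the same domain-read access the script above uses is all it needs.

```powershell
# Added example (not the original script): enrich the dormant computer accounts
# so they can be triaged before anyone disables or deletes them.
# Assumed: the same search base as the script above.
$adPath = "LDAP://DC=corp,DC=tailspintoys,DC=com"

function Get-DormantServerAccount {
    param(
        [string]$SearchBase = $adPath,
        [int]$DormantDays = 90
    )
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher($objDomain)
    $searcher.PageSize = 1000   # page results, or FindAll() is capped at the server's MaxPageSize
    $searcher.PropertiesToLoad.AddRange(@('name', 'dnshostname', 'operatingsystem',
                                          'whencreated', 'pwdlastset', 'useraccountcontrol'))

    # pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC); build the cutoff in UTC
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$DormantDays).ToFileTimeUtc()
    $searcher.Filter = "(&(objectCategory=computer)(objectClass=computer)(operatingSystem=*Server*)(pwdLastSet<=$cutoff))"

    $nowUtc = (Get-Date).ToUniversalTime()
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties

        # 0 means the password was never set (freshly pre-staged object), not "very old"
        $pwdFileTime = [int64]$p['pwdlastset'][0]
        $pwdLastSet  = $null
        $daysSince   = $null
        if ($pwdFileTime -gt 0) {
            $pwdLastSet = [DateTime]::FromFileTimeUtc($pwdFileTime)
            $daysSince  = [int]($nowUtc - $pwdLastSet).TotalDays
        }

        # ADS_UF_ACCOUNTDISABLE (0x2): an already-disabled account is a decommission in progress, not a zombie
        $uac = [int]$p['useraccountcontrol'][0]

        # Prefer the FQDN from dNSHostName; fall back to the sAMAccount-style name
        $hostName = if ($p['dnshostname'].Count -gt 0) { $p['dnshostname'][0] } else { $p['name'][0] }

        $resolves = $false
        try { [void][System.Net.Dns]::GetHostAddresses($hostName); $resolves = $true } catch { }
        $pingable = $false
        if ($resolves) {
            $pingable = [bool](Test-Connection -ComputerName $hostName -Count 1 -Quiet -ErrorAction SilentlyContinue)
        }

        [pscustomobject]@{
            Name         = $p['name'][0]
            OS           = $p['operatingsystem'][0]
            Created      = $p['whencreated'][0]
            PwdLastSet   = $pwdLastSet
            DaysSincePwd = $daysSince
            Enabled      = -not ($uac -band 0x2)
            DnsResolves  = $resolves
            Pingable     = $pingable
        }
    }
}

# Oldest passwords first; a host that is still enabled, resolves and pings is a cluster or
# non-rotating client rather than a zombie, and deserves a closer look before removal
Get-DormantServerAccount | Sort-Object DaysSincePwd -Descending | Format-Table -AutoSize
```

The output is deliberately a list of objects rather than a list of names so it can be exported (Export-Csv) and compared against the CMDB, SCCM and monitoring exports mentioned above; the Enabled, DnsResolves and Pingable columns separate accounts that are safe to disable from the cluster and non-Windows cases the post warns about.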