A little while ago, I posted a PowerShell script that detects old machine accounts in Active Directory, and disables or deletes them, based on certain ages (in days). I’ve continued work on this script, such that it now logs information to Excel about actions (disable or deletion) that it takes. This requires that Excel 2007 be installed on the computer you run it on; I have not tested the script with other versions of Excel. I haven’t really made the script very user friendly (e.g. taking command-line parameters) yet, because I have pretty much been the sole user of it, so please keep this in mind.
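The pattern the post describes (age a computer account from its last logon, disable it at one threshold and delete it at a later one, and record what was done) looks like the following. This is an added example, not the script from the post: it assumes the ActiveDirectory PowerShell module (RSAT / Server 2008 R2 and later), logs to CSV rather than Excel, and the 90/180-day thresholds and log path are assumptions. Save it as a .ps1 and run it with -WhatIf first.

```powershell
# Added example, not the original post's script: find computer accounts that have not
# been seen for a while, disable them at one age and delete them at a later one, and
# log every action. Assumes the ActiveDirectory module (RSAT). Thresholds, log path
# and the CSV log format are assumptions, not the original script's behaviour.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$DisableAfterDays = 90,
    [int]$DeleteAfterDays  = 180,
    [string]$LogPath       = "$env:TEMP\StaleComputers.csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

$now           = Get-Date
$disableCutoff = $now.AddDays(-$DisableAfterDays)
$deleteCutoff  = $now.AddDays(-$DeleteAfterDays)
$domain        = Get-ADDomain
$dcContainer   = $domain.DomainControllersContainer

# lastLogonTimestamp is replicated (lastLogon is not) but is only refreshed when the
# stored value is more than about 14 days old, so keep both thresholds well above that.
$computers = Get-ADComputer -Filter * -SearchBase $domain.DistinguishedName `
    -Properties lastLogonTimestamp, pwdLastSet, Enabled

$log = foreach ($c in $computers) {
    # Never touch domain controllers, whatever their timestamps say.
    if ($c.DistinguishedName -like "*,$dcContainer") { continue }

    # "Last seen" = newest of last logon and last machine password change. An account
    # with neither value set (never actually joined) is skipped rather than guessed at.
    $stamps = @($c.lastLogonTimestamp, $c.pwdLastSet) |
        Where-Object { $_ -gt 0 } |
        ForEach-Object { [DateTime]::FromFileTime($_) }
    if (-not $stamps) { continue }
    $lastSeen = @($stamps | Sort-Object -Descending)[0]
    $age      = [int]($now - $lastSeen).TotalDays

    $action = $null
    if ($lastSeen -lt $deleteCutoff -and -not $c.Enabled) {
        # Two-stage: only accounts already disabled by an earlier run are deleted, so a
        # stale but still-enabled account always goes through the disable step first.
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Delete')) {
            Remove-ADComputer -Identity $c -Confirm:$false
        }
        $action = 'Delete'
    }
    elseif ($lastSeen -lt $disableCutoff -and $c.Enabled) {
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Disable')) {
            Disable-ADAccount -Identity $c
            # Leave a breadcrumb on the object so an admin can see why it was disabled.
            Set-ADComputer -Identity $c -Description "Disabled $($now.ToString('yyyy-MM-dd')) after $age days inactive"
        }
        $action = 'Disable'
    }
    if (-not $action) { continue }

    # One log row per action taken (or that would have been taken under -WhatIf).
    [pscustomobject]@{
        Timestamp         = $now.ToString('s')
        Name              = $c.Name
        DistinguishedName = $c.DistinguishedName
        LastSeen          = $lastSeen.ToString('s')
        DaysInactive      = $age
        Action            = $action
        WhatIf            = [bool]$WhatIfPreference
    }
}

if ($log) { $log | Export-Csv -Path $LogPath -NoTypeInformation -Append }
$log | Format-Table Name, DaysInactive, Action -AutoSize
```

Because the script declares SupportsShouldProcess, `.\StaleComputers.ps1 -WhatIf` reports every disable and delete it would perform without changing anything, and the CSV still gets a row per candidate with WhatIf set to True, which is a convenient way to review the candidate list before the first real run. Deleting only accounts that are already disabled means a machine that was merely off the network for a long time gets a second chance (the owner notices it cannot log on and the account is re-enabled) before it is removed.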

Add the IE8 ADM file to available GPOs

This little utility installs the IE8 GPO settings on your domain controller so that the IE8 GPO settings are available for you to populate throughout your hierarchy.  Distribute it using your favorite software distribution app, or install directly on the domain controller that houses the GPMC.

Download: IE8 GPO Installation

Installation developed with SMS Installer.

Steve Rachui’s Manageability blog – ConfigMgr/OpsMgr : Discovering AD Security Groups in OpsMgr 2007


A common method of identifying machines for deploying overrides, etc. is to place unique registry keys on them that can be discovered by OpsMgr. While this is workable, it does require introducing manual configuration onto individual managed systems.

Folks have asked for a while for a better method – one that would allow discovery of AD Security Group membership for agent systems so that this information could be used to build these override targets.

I've finally finished putting together a sample MP (with the help of Joel from the Product Group – thanks Joel!) that will do just that.

The MP works by deploying a script to every monitored agent. The script runs and makes an LDAP query to determine the agent's AD security group membership. This information is posted back to the RMS and stored in the ADSecuritygroupMembershipDiscovery.Class as shown.
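The LDAP part of such a discovery script, as an added example that is not the sample MP's script: it locates the local computer's account, then reads the constructed tokenGroups attribute to get every security group the computer belongs to, nested groups included (memberOf alone would only show direct membership). It uses System.DirectoryServices (ADSI) so it runs on any domain-joined agent without RSAT; the function name is my own, and the step that hands the results to the OpsMgr discovery data API is not shown.

```powershell
# Added example, not the sample MP's discovery script: resolve the local computer's
# AD security group membership over LDAP, including nested groups via tokenGroups.
# Uses System.DirectoryServices (ADSI) only, so it runs on any domain-joined agent.
function Get-ComputerAdGroupMembership {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Bind to the domain the machine is joined to, whatever its name is.
    $namingContext = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$namingContext"

    # Escape LDAP filter metacharacters (RFC 4515) before embedding the name.
    $escaped = $ComputerName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    # Computer accounts have a sAMAccountName of NAME$ (the trailing $ is literal).
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$escaped`$))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer account '$ComputerName' not found in $namingContext" }

    # tokenGroups is a constructed attribute: the SIDs of all security groups the
    # account is a member of, transitively. It has to be requested explicitly.
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))

    foreach ($sidBytes in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # e.g. a deleted group or an unreachable trusted domain
        [pscustomobject]@{
            Computer          = $ComputerName
            DistinguishedName = $entry.Properties['distinguishedName'][0]
            Group             = $name
            Sid               = $sid.Value
        }
    }
}

# Usage: run in the agent's context (Local System queries AD as the computer account).
Get-ComputerAdGroupMembership | Sort-Object Group | Format-Table Group, Sid -AutoSize
```

The group names, not just the SIDs, are what you would want to store on the discovered class instance, since the override groups in the MP match on a name pattern. Keeping the SID as well is worth the extra property: a group that is renamed later still has the same SID, so you can tell a rename from a membership change when the discovery data changes.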


The returned objects are of type Windows Local Application, so they cannot be used directly to apply overrides consistently (depending on the type of object you are trying to override it might work, but it isn't guaranteed). To make this object set useful for overriding, you can create groups that key off the discovered information and convert it to the corresponding Windows Computer type. This is done by editing the XML directly – which might sound scary but really isn't that bad.

My suggestion for creating groups is to start with the UI to create the skeleton group – create a group with a very simple expression. Then, export the modified MP. If you look in the XML you will see the group configuration.


The bolded section above contains the group population criteria for a group that will be built based on membership in my AD group.  Just replace your expression section with the one above and change the pattern field to represent your AD Group information.  Reimport the MP and, magically, you now have a group that contains Windows Computer objects.


Now, depending on exactly what you are trying to do there might be some additional editing in the XML – but it shouldn't be too bad.

The sample MP is attached for download.  Remember, this is a sample only and carries the normal disclaimers.  Note also that this MP has not been tested in large scale production environments.

ADMT 3.1 released and now available for download

The Active Directory Migration Tool version 3.1 (ADMT v3.1) simplifies the process of migrating objects and restructuring tasks in an Active Directory® Domain Services (AD DS) environment. You can use ADMT v3.1 to migrate users, groups, and computers between AD DS domains in different forests (inter-forest migration) or between AD DS domains in the same forest (intra-forest migration). ADMT can also perform security translation (to migrate local user profiles) when performing inter-forest migrations.