
Auditing: Report and Disable Inactive AD Computer Accounts

The script below can be run as a scheduled task to detect and disable computer accounts that have not logged on for a specified number of days, or that have never been used. It must run under an account that can read the target OU and disable computer objects in it. Note that, as posted, every Set-ADComputer call carries -WhatIf, so the script only reports until that switch is removed; accounts created within the last 7 days are left alone so that freshly joined machines are not disabled before their first logon.

The report is written to a CSV file (c:\ADCReport.csv in the example). The script is as follows:

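# Report on, and optionally disable, inactive AD computer accounts.
#
# LastLogon is not replicated between domain controllers, which is why every
# DC is queried below and the most recent value per computer is kept (the
# replicated LastLogonTimestamp attribute can lag by days and is not used).
#
# Requires the ActiveDirectory module and an account that can read computer
# objects under $OUSearchbase and, when $DryRun is $false, disable them.

# Collected report rows. A List avoids re-allocating an array on every append.
$Output = New-Object System.Collections.Generic.List[object]

# Safety switch: while $true every Set-ADComputer call runs with -WhatIf, so
# nothing is actually disabled and the report says so. Set to $false only
# after reviewing a few dry-run reports.
$DryRun = $true


#Dates
$DaysSinceLastLogon = $(Get-Date).AddDays(-30)   # inactivity threshold
$MinimumAccountAge = $(Get-Date).AddDays(-7)     # grace period for newly created accounts
$TodaysDate = Get-Date

# A LastLogon of 0 ("never logged on") converts to this value. Comparing
# against the same conversion avoids the hard-coded "01/01/1601 00:00:00"
# string, which does not match in time zones east of UTC (FromFileTime returns
# local time) and depends on the current culture's date format.
$NeverLoggedOn = [DateTime]::FromFileTime(0)


#OU
$OUSearchbase = "INSERT SEARCHBASE"

# Report path. A timestamp is included because -NoClobber would otherwise make
# every scheduled run after the first fail once the file exists.
$ReportPath = "c:\ADCReport_$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"


# Query every DC for LastLogon. A DC that cannot be reached is recorded: with a
# DC missing, the "most recent" logon seen may be stale and an active machine
# could be disabled by mistake, so disabling is suppressed further down.
$FailedDCs = New-Object System.Collections.Generic.List[string]
$AllDomainComputers = Get-ADDomainController -Filter * |
ForEach-Object{
	$DCHost = $_.HostName
	try {
		Get-ADComputer -Filter * -SearchBase $OUSearchbase -Properties LastLogon -Server $DCHost -ErrorAction Stop |
		Select-Object SamAccountName, Name, @{ Name = 'LastLogon'; Expression = { [DateTime]::FromFileTime($_.LastLogon) } }
	}
	catch {
		Write-Warning "Could not query $DCHost for LastLogon: $($_.Exception.Message)"
		$FailedDCs.Add($DCHost)
	}
}

if ($FailedDCs.Count -gt 0 -and -not $DryRun)
{
	Write-Warning "One or more domain controllers could not be queried; running in report-only mode."
	$DryRun = $true
}


# Keep the most recent LastLogon seen for each computer across all DCs.
$Computers = foreach ($Group in $AllDomainComputers | Group-Object SamAccountName)
{
	$Group.Group | Sort-Object -Property LastLogon -Descending | Select-Object -First 1
}

# Action label for the report; it must not claim "Disabled" during a dry run.
$DisableAction = if ($DryRun) { "Would disable account (WhatIf)" } else { "Disabled account" }


foreach ($Computer in $Computers)
{
	$ComputerDetail = Get-ADComputer $Computer.SamAccountName -Properties whencreated
	$Enabled = $ComputerDetail.Enabled

	# Accounts younger than the grace period are never reported or disabled.
	if ($ComputerDetail.whencreated -ge $MinimumAccountAge) { continue }

	$NeverUsed = $Computer.LastLogon -eq $NeverLoggedOn
	$Stale = (-not $NeverUsed) -and ($Computer.LastLogon -lt $DaysSinceLastLogon)

	if (-not ($NeverUsed -or $Stale)) { continue }

	if ($NeverUsed)
	{
		$InactiveFor = "Never logged on"
	}
	else
	{
		$InactiveFor = "$(($TodaysDate - $Computer.LastLogon).Days)"
	}

	if ($Enabled -eq $True)
	{
		# Pass the AD object as the identity rather than the Name property; the
		# documented identity forms are DN, GUID, SID and SamAccountName.
		Set-ADComputer -Identity $ComputerDetail -Enabled $false -WhatIf:$DryRun
		$Action = $DisableAction
	}
	else
	{
		$Action = "Account Already Disabled"
	}

	$Output.Add((New-Object psobject -Property @{
		Name  = $Computer.Name
		"Inactive For (Days)" = $InactiveFor
		Action = $Action
		Created = $ComputerDetail.WhenCreated
	}))
}

if ($Output.Count -eq 0)
{
	Write-Host "No inactive computer accounts found; no report written."
}
else
{
	# Select-Object fixes the column order, which a hashtable does not guarantee.
	$Output |
	Select-Object Name, "Inactive For (Days)", Action, Created |
	Export-Csv $ReportPath -NoClobber -NoTypeInformation
}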
