I recently needed to find all disabled computers in my Active Directory installation. So, rather than open up Active Directory Users and Computers and manually search through multiple OUs to build a list, I decided to use PowerShell.
So, I started playing around with the command Search-ADAccount.
Using Get-Help Search-ADAccount I was able to determine that the syntax for a query is fairly simple. There are several switches for the command, all of which are self-explanatory:
-AccountDisabled
-AccountExpired
-AccountExpiring
-AccountInactive
-LockedOut
So, my first reaction was to run the command:
Search-ADAccount -AccountDisabled
This returned a long list of items with more information than I needed, in a format that was very hard to read:
AccountExpirationDate :
DistinguishedName : CN=Guest,CN=Users,DC=DOMAIN,DC=com
Enabled : False
LastLogonDate :
LockedOut : False
Name : Guest
ObjectClass : user
ObjectGUID : 1e4955ce-df97-4ecc-8a46-f4356ba2e6cc
PasswordExpired : False
PasswordNeverExpires : True
SamAccountName : Guest
SID : S-1-5-21-1058032114-1936565697-1108674531-501
UserPrincipalName : guest@DOMAIN.COM
My next addition to the command was to pipe the results to Format-Table to make them easier to read:
Search-ADAccount -AccountDisabled | Format-Table -AutoSize
This was much better; now I could see that my list included not only computers but users as well. I didn't want the users, so I needed to look for another switch for the Search-ADAccount command. Tada! I found the switch -ComputersOnly, which gives me exactly what I needed. But now I only want to see some of the columns in my table, so let's modify the command a little more:
Search-ADAccount -AccountDisabled -ComputersOnly | Format-Table -AutoSize Name, LastLogonDate, DistinguishedName
This is perfect, now the results are readable and I can easily determine what computers in my environment are Disabled.
| Name        | LastLogonDate         | DistinguishedName                                  |
|-------------|-----------------------|----------------------------------------------------|
| AUX-2B      |                       | CN=AUX-2B,OU=OLD Computers,DC=DOMAIN,DC=com        |
| TECH-GC     | 10/5/2010 4:11:36 PM  | CN=TECH-GC,OU=OLD Computers,DC=DOMAIN,DC=com       |
| TS-2        | 8/19/2010 5:40:54 PM  | CN=TS-2,OU=OLD Computers,DC=DOMAIN,DC=com          |
| WPIX        |                       | CN=WPIX,OU=Newark,DC=DOMAIN,DC=com                 |
| CITRIX      | 5/5/2010 9:46:26 PM   | CN=CITRIX,OU=OLD Computers,DC=DOMAIN,DC=com        |
| SERVER-TEST | 6/3/2010 7:16:24 PM   | CN=SERVER-TEST,OU=OLD Computers,DC=DOMAIN,DC=com   |
| ARCHIVE2    | 9/1/2010 11:36:09 AM  | CN=ARCHIVE2,OU=OLD Computers,DC=DOMAIN,DC=com      |
| ACCT-USR2   |                       | CN=ACCT-USR2,OU=OLD Computers,DC=DOMAIN,DC=com     |
| TECH-GC7    | 6/2/2011 12:24:32 AM  | CN=TECH-GC7,OU=OLD Computers,DC=DOMAIN,DC=com      |
| TECH7-GC    | 4/9/2012 8:35:46 PM   | CN=TECH7-GC,OU=OLD Computers,DC=DOMAIN,DC=com      |
At this point I have all the computer accounts in my Active Directory that are disabled, and it took me all of about a minute to type out the command and hit return. Much more efficient than going through AD manually and looking.
At this point I could manually go into AD and remove the accounts, but since I am already in PowerShell all I need to do is change the command slightly and I can remove those accounts in a flash. To do this I need to pipe the results to another command that removes them:
Remove-ADComputer
By piping the results to Remove-ADComputer PS will automatically remove the computers from Active Directory.
Search-ADAccount -AccountDisabled -ComputersOnly |
Remove-ADComputer -WhatIf
My advice is ALWAYS, ALWAYS run your command with the -WhatIf switch first so you are sure that the command will do what you expect it to. You wouldn't want to run this and find out that half of your AD has been unintentionally obliterated by the command.
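Pulling the steps above together, here is an added example (not code from the original post) that stages the cleanup instead of deleting straight from the pipeline: it collects the disabled computer accounts, writes a review list to CSV, treats a blank LastLogonDate (as with AUX-2B and WPIX in the table above) as "never logged on" rather than "recent", and then runs the removal with -WhatIf. It assumes the ActiveDirectory module from RSAT is installed and that you have rights to read and delete computer objects; $StaleDays and $ReportPath are assumed values chosen for illustration.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) and rights to read/delete computer objects. $StaleDays and $ReportPath
# are assumed values for illustration.
Import-Module ActiveDirectory

$StaleDays  = 90                                                  # assumption
$ReportPath = "$env:USERPROFILE\Desktop\DisabledComputers.csv"    # assumed path
$Cutoff     = (Get-Date).AddDays(-$StaleDays)

# 1. Same query as the post, then fetch the extra attributes worth reviewing.
#    LastLogonDate comes from lastLogonTimestamp, which replicates with up to
#    ~14 days of lag, so it is a rough indicator, not an exact last logon.
$disabled = Search-ADAccount -AccountDisabled -ComputersOnly | ForEach-Object {
    Get-ADComputer -Identity $_.DistinguishedName `
        -Properties LastLogonDate, OperatingSystem, whenChanged, Description
}

# 2. Classify each account. A null LastLogonDate means the account never
#    logged on, so it is counted as stale rather than silently sorting as new.
$candidates = $disabled | ForEach-Object {
    $last = $_.LastLogonDate
    [pscustomobject]@{
        Name              = $_.Name
        LastLogonDate     = $last
        NeverLoggedOn     = ($null -eq $last)
        Stale             = ($null -eq $last) -or ($last -lt $Cutoff)
        DaysSinceChange   = [int]((Get-Date) - $_.whenChanged).TotalDays
        OperatingSystem   = $_.OperatingSystem
        Description       = $_.Description
        DistinguishedName = $_.DistinguishedName
    }
}

# 3. Write the review list and show it; someone signs off on the CSV before
#    the -WhatIf in step 4 is removed.
$candidates | Sort-Object LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation
$candidates | Format-Table Name, LastLogonDate, Stale, DistinguishedName -AutoSize

# 4. Dry run of the removal, restricted to the stale subset. Remove-ADComputer
#    only deletes leaf objects; a computer that has child objects would fail,
#    so those are reported for manual handling instead.
$candidates | Where-Object Stale | ForEach-Object {
    $children = Get-ADObject -SearchBase $_.DistinguishedName `
        -SearchScope OneLevel -Filter *
    if ($children) {
        Write-Warning "$($_.Name) has child objects; skipping (not a leaf object)"
    } else {
        Remove-ADComputer -Identity $_.DistinguishedName -WhatIf
    }
}
```

Run it as-is first: step 4 only prints what would be removed. Once the CSV has been reviewed and you are happy with the list, remove -WhatIf from the Remove-ADComputer line; the per-object confirmation prompt still applies unless you add -Confirm:$false.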
This same command can be changed slightly to look for AD users as well:
Search-ADAccount -AccountDisabled -UsersOnly | Format-Table -AutoSize Name, LastLogonDate, DistinguishedName
