How To Clean Up Active Directory With Outdated Roles
Before a user can log into a computer and access network and domain-based resources, that computer must be a member of the Active Directory environment. In this guide, you'll find out how to automate daily tasks related to computer accounts, such as how to easily create, rename and remove accounts.
In all, you'll learn how to use PowerShell to perform the following computer account management tasks:
- Join a Computer to a Domain
- Join Multiple Computers to a Domain
- Remove a Computer from a Domain with PowerShell
- Create a Computer Object in AD
- Create Computer Accounts from a CSV File
- Delete a Computer from AD
- Delete Computer Accounts Using a List
- Remove Stale Computer Accounts in Active Directory with PowerShell
- Rename a Computer
- Rename a Computer and Join It to a Domain
- Disable an AD Computer Account
- Disable Computer Accounts Using a List
- Reset an AD Computer Account
PowerShell ISE is the best tool for working with PowerShell scripts. Start the PowerShell ISE tool with administrator privileges by pressing "Windows+R" and entering "runas /profile /user:Administrator PowerShell_ISE" in the Run window. (Alternatively, you can right-click on the PowerShell ISE icon and choose the "Run as administrator" option.) Type in the administrator's password when prompted.
Before you can work with AD and its objects, you need to import the Active Directory module for Windows PowerShell. In Microsoft Windows Server 2008 R2, you need to enable this module by running the following command:
Import-Module ActiveDirectory
In Microsoft Windows Server 2022 and later, this module is enabled by default.
Join a Computer to a Domain
The most common task is joining a computer to a domain controller. To join a PC to an Active Directory domain, run the following PowerShell script locally:
$dc = "ENTERPRISE" # Specify the domain to join.
$pw = "Password123" | ConvertTo-SecureString -AsPlainText -Force # Specify the password for the domain admin (hard-coded here only for illustration; prefer Get-Credential in practice).
$usr = "$dc\T.Simpson" # Specify the domain admin account.
$creds = New-Object System.Management.Automation.PSCredential($usr,$pw)
Add-Computer -DomainName $dc -Credential $creds -Restart -Force -Verbose # Note that the computer will be restarted automatically.
The computer will restart and then join the domain; it will be added to the default container.
To join a computer to a DC remotely, you need to enhance this script this way:
$dc = "ENTERPRISE"
$pw = "Password123" | ConvertTo-SecureString -AsPlainText -Force
$usr = "$dc\T.Simpson"
$pc = "R07GF" # Specify the computer that should be joined to the domain.
$creds = New-Object System.Management.Automation.PSCredential($usr,$pw)
Add-Computer -ComputerName $pc -LocalCredential $pc\admin -DomainName $dc -Credential $creds -Verbose -Restart -Force # You will be prompted for the local admin password.
The $pc variable and -LocalCredential parameter are used to authenticate the computer to the domain. Note that in order to use this method, you must disable the firewall on the local computer.
Join Multiple Computers to a Domain
You can add more than one computer to the domain by either specifying them in the command line as a comma-delimited list or importing their names from a text file.
Here's how to specify the computers in a comma-delimited list:
$dc = "ENTERPRISE"
$pw = "Password123" | ConvertTo-SecureString -AsPlainText -Force
$usr = "$dc\T.Simpson"
$pc = "WKS034","WKS052","WKS057" # Specify the computers that should be joined to the domain (an array, not one string).
$creds = New-Object System.Management.Automation.PSCredential($usr,$pw)
$localCreds = Get-Credential -UserName "admin" -Message "Local administrator password for the target computers" # One local credential is reused on every target.
Add-Computer -ComputerName $pc -LocalCredential $localCreds -DomainName $dc -Credential $creds -Restart -Force
And here's how to use a text file with the list of computers that should be joined:
$dc = "ENTERPRISE"
$pw = "Password123" | ConvertTo-SecureString -AsPlainText -Force
$usr = "$dc\T.Simpson"
$pc = Get-Content -Path C:\Computers.txt # Specify the path to the computers list (one name per line).
$creds = New-Object System.Management.Automation.PSCredential($usr,$pw)
$localCreds = Get-Credential -UserName "admin" -Message "Local administrator password for the target computers"
Add-Computer -ComputerName $pc -LocalCredential $localCreds -DomainName $dc -Credential $creds -Restart -Force
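The two scripts above hand the whole list to a single Add-Computer call, so one unreachable machine or one bad local password aborts the run with little record of what happened. The following is an added example, not code from the original post, that processes the list one computer at a time, prompts once for each credential instead of embedding a password, and writes a per-machine result log. The domain name, list path and log path are assumed placeholders.

```powershell
# Added example: join a list of computers with per-machine error handling and a log.
# Assumptions (placeholders, not from the original post): domain, list file, log file.
$dc       = "ENTERPRISE"
$listPath = "C:\Computers.txt"       # one computer name per line
$logPath  = "C:\scripts\join-log.csv"

# Prompt once for each credential rather than storing a password in the script.
$domainCreds = Get-Credential -Message "Domain account allowed to join computers to $dc"
$localCreds  = Get-Credential -Message "Local administrator on the target computers"

$results = foreach ($name in (Get-Content -Path $listPath | Where-Object { $_.Trim() })) {
    $pc = $name.Trim()
    $entry = [ordered]@{ Computer = $pc; Time = Get-Date; Result = ""; Detail = "" }
    try {
        if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
            throw "host unreachable"
        }
        # -ErrorAction Stop turns a failed join into a catchable exception,
        # so one bad entry does not abort the rest of the list.
        Add-Computer -ComputerName $pc -LocalCredential $localCreds `
                     -DomainName $dc -Credential $domainCreds `
                     -Restart -Force -ErrorAction Stop
        $entry.Result = "joined"
    }
    catch {
        $entry.Result = "failed"
        $entry.Detail = $_.Exception.Message
    }
    [pscustomobject]$entry
}

# Keep the log for the change record and show a summary on screen.
$results | Export-Csv -Path $logPath -NoTypeInformation
$results | Format-Table Computer, Result, Detail -AutoSize
```

The log file doubles as the evidence of which machines were joined by whom and when; the failed rows (unreachable host, wrong local credential) are the ones to retry after the cause is fixed.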
Remove a Computer from a Domain with PowerShell
To remove a computer from a domain remotely, use the Remove-Computer cmdlet. Here, we're removing a computer from a domain, so no local credentials are needed and we can skip the -LocalCredential parameter:
$dc = "ENTERPRISE"
$pw = "Password123" | ConvertTo-SecureString -AsPlainText -Force
$usr = "$dc\T.Simpson"
$pc = "R07GF"
$creds = New-Object System.Management.Automation.PSCredential($usr,$pw)
Remove-Computer -ComputerName $pc -Credential $creds -Verbose -Restart -Force
To remove multiple computers using a list in a TXT file, use the script above for joining computers to a DC, replacing the Add-Computer cmdlet with Remove-Computer. Note that you will still need domain admin credentials to complete this unjoin operation.
Create a Computer Object in AD
To create a computer object, use the New-ADComputer cmdlet. For example, execute the following cmdlet parameters to create a computer object with "WKS932" as its name and the default LDAP path value:
New-ADComputer -Name "WKS932" -SamAccountName 'WKS932$' # A computer's SAM account name ends with a dollar sign; omit -SamAccountName and it is derived from -Name automatically.
Create Computer Accounts from a CSV File
If you have a list of computers that should be imported into Active Directory, save the list to a CSV file with the heading "computer" and the list of computer names in the column beneath it. Run the following PowerShell script on your domain controller to add computers from the CSV file, making sure you have the "Path" and "File" variables set correctly:
$File="C:\scripts\Computers.csv" # Specify the import CSV location.
$Path="OU=Devices,DC=enterprise,DC=com" # Specify the path to the OU.
Import-Csv -Path $File | ForEach-Object { New-ADComputer -Name $_.Computer -Path $Path -Enabled $True }
Delete a Computer from AD
To delete a computer account from AD, use the Remove-ADObject cmdlet. The -Identity parameter specifies which Active Directory computer to remove. You can specify a computer by its distinguished name, GUID, security identifier (SID) or Security Accounts Manager (SAM) account name.
Get-ADComputer -Identity "WKS932" | Remove-ADObject # Resolve the computer first; Remove-ADObject itself needs the object's distinguished name or GUID.
You will be prompted to confirm the deletion.
Delete Computer Accounts Using a List
If you have a text file with a list of old computers, you can streamline the job of removing them using PowerShell. The following script will read the computer names from a TXT file and delete the corresponding accounts via a chain of commands, or pipeline:
Get-Content C:\scripts\computersfordeletion.txt | ForEach-Object { Get-ADComputer -Filter "Name -eq '$_'" } | Remove-ADObject -Recursive # -Recursive also deletes child objects stored under the computer account.
Remove Stale Computer Accounts from Active Directory with PowerShell
Stale accounts in Active Directory can be compromised, leading to security incidents, so it is critical to keep an eye on them. This PowerShell script will query Active Directory and return all computers that have not been logged in to for the past 30 days; you can easily change this default value in the script. It also will remove those accounts to keep your AD clean.
$stale = (Get-Date).AddDays(-30) # Means 30 days since last logon; can be changed to any number.
Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $stale} | Format-Table Name,lastLogonDate
Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $stale} | Remove-ADComputer
There is one computer, FS1, that has not been logged on to for more than 30 days. The system will prompt for confirmation before deleting it from the domain.
If you want to disable, rather than delete, the inactive computer accounts, replace the Remove-ADComputer cmdlet with Set-ADComputer and the -Enabled $false parameter and value.
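Both the list-based deletion above and the stale-account script delete objects outright and keep no record of what was removed. The following is an added example, not code from the original post, that implements the disable-instead-of-delete variant as a quarantine: it finds stale computers (including ones that have never logged on, which a plain lastLogonDate filter misses), disables them, stamps the old location and last logon into the description, moves them to a holding OU, and exports a report; the same function also accepts names from a text file, so it covers the list-based case as well. The quarantine OU, report path and list file are assumed placeholders.

```powershell
# Added example: quarantine stale computer accounts rather than deleting them.
# Assumptions (placeholders, not from the original post): holding OU, report path, list file.
$Days         = 30
$QuarantineOU = "OU=Disabled Computers,DC=enterprise,DC=com"
$ReportPath   = "C:\scripts\stale-computers-$(Get-Date -Format yyyyMMdd).csv"

function Get-StaleComputer {
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)
    # lastLogonDate is derived from lastLogonTimestamp, which replicates with up to a
    # 14-day lag, so the cutoff is approximate. Accounts that never logged on have no
    # lastLogonDate at all and are judged by whenCreated instead. Already-disabled
    # accounts are skipped so a second run does not re-process the quarantine OU.
    Get-ADComputer -Filter { Enabled -eq $true } -Properties lastLogonDate, whenCreated, Description |
        Where-Object {
            ($_.lastLogonDate -and $_.lastLogonDate -lt $cutoff) -or
            (-not $_.lastLogonDate -and $_.whenCreated -lt $cutoff)
        }
}

function Invoke-ComputerQuarantine {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(ValueFromPipeline = $true)] $Computer,   # ADComputer objects
        [string]$TargetOU
    )
    process {
        $stamp = "Quarantined $(Get-Date -Format s); last logon $($Computer.lastLogonDate); was in $($Computer.DistinguishedName)"
        # SupportsShouldProcess gives the function -WhatIf/-Confirm for a dry run.
        if ($PSCmdlet.ShouldProcess($Computer.Name, "disable and move to $TargetOU")) {
            Set-ADComputer -Identity $Computer -Enabled $false -Description $stamp
            Move-ADObject -Identity $Computer.DistinguishedName -TargetPath $TargetOU
        }
        [pscustomobject]@{
            Name          = $Computer.Name
            LastLogonDate = $Computer.lastLogonDate
            OldDN         = $Computer.DistinguishedName
            Action        = $stamp
        }
    }
}

# Dry run first; then quarantine for real and keep the report.
$stale = Get-StaleComputer -Days $Days
$stale | Invoke-ComputerQuarantine -TargetOU $QuarantineOU -WhatIf | Format-Table Name, LastLogonDate, OldDN
$stale | Invoke-ComputerQuarantine -TargetOU $QuarantineOU |
    Export-Csv -Path $ReportPath -NoTypeInformation

# The list-based variant: names from a text file go through the same quarantine.
Get-Content C:\scripts\computersfordeletion.txt |
    ForEach-Object { Get-ADComputer -Filter "Name -eq '$_'" -Properties lastLogonDate } |
    Invoke-ComputerQuarantine -TargetOU $QuarantineOU -WhatIf
```

Disabling and moving keeps the SID, the description and any child objects intact, so a machine that was merely offline for a month (a laptop on leave, a lab server) can be re-enabled and moved back from the report's OldDN column; deletion can follow after a retention period once nobody has asked for the account.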
Rename a Computer
To change a computer name, use the Rename-Computer cmdlet. Note that the computer must be online and connected to Active Directory.
Rename-Computer -ComputerName "FS1" -NewName "FS2"
If you want to run this script locally, it will look like this:
Rename-Computer -NewName "newname" -DomainCredential "Domain\Administrator"
Rename a Computer and Join It to a Domain
You can improve the renaming script by joining the computer to the domain and putting it into the specified OU simultaneously. The script should be run on the target machine, not on the domain controller.
$NewComputerName = "Server3" # Specify the new computer name.
$DC = "contoso.com" # Specify the domain to join.
$Path = "OU=TestOU,DC=contoso,DC=com" # Specify the path to the OU where the computer account should be placed in the domain.
Add-Computer -DomainName $DC -OUPath $Path -NewName $NewComputerName -Restart -Force
The script will prompt for the credentials of an account that has permissions to join computers to the domain, and then the computer will be renamed, restarted and joined to the domain.
Disable an AD Computer Account
Use the Disable-ADAccount cmdlet to disable Active Directory user, computer and service accounts. If you specify a computer account name, remember to append a dollar sign ($) at the end of the name; otherwise, you'll get an error during script execution.
Disable-ADAccount -Identity fs1$
Disable Computer Accounts Using a List
You can also disable computer accounts in bulk using a list in a text file:
$Pclist = Get-Content C:\scripts\Computer.txt # Specify the path to the computers list.
Foreach($pc in $Pclist) {
    Disable-ADAccount -Identity "${pc}$" # Computer SAM account names end with a dollar sign.
    Get-ADComputer -Identity "$pc" | Move-ADObject -TargetPath "OU=Disabled Computers,DC=enterprise,DC=com"
}
Reset an AD Computer Account
Like a user account, a computer account interacts with Active Directory using a password. But for computer accounts, a password change is initiated every 30 days by default and the password is exempted from the domain's password policy. Password changes are driven by the client (computer), not AD.
Computer credentials are normally unknown to the user because they are randomly set by the computer. But you can set your own password; here is a PowerShell script for doing so:
$pc = Read-Host -Prompt "Input computer name to reset" # Specify the computer name.
$pw = Read-Host -Prompt "Input random characters for temp password" -AsSecureString # Specify the password.
Get-ADComputer $pc | Set-ADAccountPassword -NewPassword:$pw -Reset:$true
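The script above changes the password stored in Active Directory only; the computer itself still holds its old secret, so its secure channel to the domain stops working until the machine-side copy is brought back in line. The following is an added example, not code from the original post, showing the check a practitioner would run on the computer itself: Test-ComputerSecureChannel verifies the trust, and its -Repair switch (or Reset-ComputerMachinePassword) resets the machine account password on both sides at once. The domain controller name is an assumed placeholder; the script must be run on the computer whose account is being checked.

```powershell
# Added example: verify and repair a computer's machine-account trust from the machine itself.
# Assumption (placeholder, not from the original post): the domain controller name.

function Test-MachineTrust {
    [CmdletBinding()]
    param(
        [string]$Server,                 # optional DC to test against
        [pscredential]$Credential,       # domain account allowed to reset the computer object
        [switch]$Repair
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }

    # Test-ComputerSecureChannel returns $true when the secure channel to a DC is healthy.
    $healthy = Test-ComputerSecureChannel @common -ErrorAction SilentlyContinue
    $result = [ordered]@{
        Computer = $env:COMPUTERNAME
        Checked  = Get-Date
        Healthy  = [bool]$healthy
        Action   = "none"
    }
    if (-not $healthy -and $Repair) {
        # -Repair resets the machine account password in AD and on this computer together,
        # which an AD-side Set-ADAccountPassword -Reset alone cannot do.
        $result.Healthy = [bool](Test-ComputerSecureChannel @common -Repair -Credential $Credential)
        $result.Action  = "repaired"
    }
    [pscustomobject]$result
}

function Reset-MachineTrust {
    # Rotate the machine account password ahead of the 30-day schedule, both sides updated,
    # then confirm the channel is still healthy.
    param([string]$Server, [pscredential]$Credential)
    Reset-ComputerMachinePassword -Server $Server -Credential $Credential
    Test-MachineTrust -Server $Server
}

$creds = Get-Credential -Message "Domain account with rights on this computer object"
Test-MachineTrust -Server "DC01.enterprise.com" -Credential $creds -Repair
```

Run the check before and after any AD-side reset of a computer account: a Healthy value of $false with Action "none" means the machine can no longer authenticate to the domain and the repair (or a rejoin) is needed before anyone can log on with domain credentials.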
Conclusion
Now you have learned how to manage Active Directory computer accounts with PowerShell. You can enhance all these scripts on your own to make them fit your purposes.
Remember that it's critical to closely track all changes to computer accounts, so you can quickly spot any unwanted modifications and respond appropriately.
Source: https://blog.netwrix.com/2018/07/10/how-to-create-delete-rename-disable-and-join-computers-in-ad-using-powershell/