Clean up old computer accounts
| Posted by gmartin on Wed 06 of May, 2009 19:02 EDT |
We needed a way to delete aging computer accounts from AD. This script uses the DS* tools from MS (included in Win2k3, Win2k8 and Vista).
Notes:
Please leave a comment should you make use of this tool.
Notes:
- You need to specify the root OU and directories for the email tool.
- You need to specify the inactive timer (currently 12 weeks)
- You need to set the search limit (currently 100 accounts)
- To make the script take action, call it with a parameter of 'Prod'; otherwise it runs in test mode (no deletions).
- Any computer account that has the string !!Do Not Delete!! in the description will not be deleted.
- Any computer account with child objects (e.g. virtual server hosts) will not be deleted.
- The script uses blat to e-mail the results. You can remove that by commenting out the line 'goto :SendReport'.
Please leave a comment should you make use of this tool.
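@echo off
:: FindAgingCompAccts - GjM - 5/1/09
:: Uses MS tools (dsquery, dsget, dsrm) to locate inactive computer accounts
:: and delete them.
:: Computer accounts with !!Do Not Delete!! in the Description are skipped.
::
:: Usage: FindAgingCompAccts [Prod]
::   Without the Prod argument the script only reports what it would delete.
::   Prod runs are destructive: dsrm removes each account immediately and
::   without a prompt. Do a Test run first and review inaction.log, and run
::   the script under an identity that has delete rights only on the computer
::   objects in scope.
::
:: Set blatexe, dsbin and RootOU before running.
setlocal
:: blatexe is the full path of blat.exe (used to mail the report)
set "blatexe=c:\netadmin\bin\blat.exe"
:: dsbin is the directory holding dsquery/dsget/dsrm, with a trailing
:: backslash (leave blank if they are on the PATH)
set "dsbin="
:: SCRIPT_DRV/SCRIPT_DIR come from the script's own location (%0), so the
:: logs/temp/data folders live next to the script. SCRIPT_DIR keeps the
:: drive-less %~p0 form because the mailed report embeds it; SCRIPT_DRV is
:: prepended wherever a real filesystem path is needed.
set "SCRIPT_DRV=%~d0"
set "SCRIPT_DIR=%~p0"
echo scriptdir: %SCRIPT_DIR%
set "LogDir=%SCRIPT_DRV%%SCRIPT_DIR%logs"
set "TempDir=%SCRIPT_DRV%%SCRIPT_DIR%temp"
set "DataDir=%SCRIPT_DRV%%SCRIPT_DIR%data"
set "OldAcct=%DataDir%\oldacct.txt"
set "logfile=%LogDir%\Oldcomp.log"
set "actlog=%LogDir%\action.log"
set "inactlog=%LogDir%\inaction.log"
set "errlog=%LogDir%\error.log"
set "resultfile=%TempDir%\results.log"
set "tempout=%TempDir%\temp.log"
:: Search base. Every computer object below it is in scope for deletion.
set RootOU="DC=corp,DC=com"
:: Call batch file with Prod as a parameter in order to delete accounts;
:: anything else (or nothing) runs in Test mode. %~1 strips surrounding
:: quotes so "Prod" and Prod are treated alike.
set "MODE=%~1"
if NOT DEFINED MODE (
  set "MODE=Test"
  REM Parentheses inside a ( ) block must be escaped or they end the block.
  echo The script must be called with a parameter of 'Prod' in order to change accounts ^(ex: 'FindAgingCompAccts Prod'^)
)
echo Mode is: %MODE%
set "SKIP_FLAG=!!Do Not Delete!!"
set INACTIVE_PERIOD=12
set ISFlagged=0
:: for Search_Limit use 0 to find all inactive accounts
set Search_Limit=100
:: Make sure the working folders exist, then work from the log folder:
:: dsquery.err and the rotated *_history.log files are written relative to it,
:: so a failed cd must stop the run rather than rotate logs in a random place.
for %%d in ("%LogDir%" "%TempDir%" "%DataDir%") do if not exist %%d mkdir %%d
cd /d "%LogDir%" || (
  echo Cannot change to log directory %LogDir%
  exit /b 1
)
:: Cleanup previous session: fold last run's action/error logs into the
:: history files. Seed the history files on the first run so copy has both
:: parts, and only rotate when there is a previous log to fold in.
if not exist action_history.log type nul >action_history.log
if not exist error_history.log type nul >error_history.log
if exist action.log (
  copy action_history.log+action.log action.tmp >nul
  del action_history.log
  ren action.tmp action_history.log
)
if exist error.log (
  copy error_history.log+error.log error.tmp >nul
  del error_history.log
  ren error.tmp error_history.log
)
if exist "%actlog%" del "%actlog%"
if exist "%resultfile%" del "%resultfile%"
if exist "%inactlog%" del "%inactlog%"
if exist "%errlog%" del "%errlog%"
set ActCount=0
set SkipCount=0
set PrevCount=0
set ErrCount=0
set TestCount=0
set count=0
:: query AD for inactive accounts
echo %Date% %Time% Starting automatic account maintenance to clean inactive computer accounts
echo %Date% %Time% Starting automatic account maintenance to clean inactive computer accounts >>"%logfile%"
echo Querying inactive accounts
:: dsquery writes one DN per line to OldAcct (the old timestamp pre-seed of
:: that file was dead code: this redirect overwrote it). stderr goes to
:: dsquery.err in LogDir so :ERR can include it in the report.
:: NOTE(review): -inactive presumably keys off the account's last-logon
:: timestamp, which can lag the real last logon between DCs — confirm the
:: INACTIVE_PERIOD margin is adequate before a Prod run.
%dsbin%dsquery computer %RootOU% -inactive %INACTIVE_PERIOD% -limit %Search_Limit% 1>"%OldAcct%" 2>dsquery.err
if %errorlevel% NEQ 0 goto :ERR
:: Count inactive accounts (usebackq so the quoted path is read as a file;
:: delims=? keeps each whole line, commas included, in %%a)
for /f "usebackq delims=?" %%a in ("%OldAcct%") do set /a count+=1
echo Inactive accounts to process: %count%
:ProcessInactiveAccounts
:: This is the main script loop
:: Loop through the list of inactive accounts and check their status
for /f "usebackq delims=?" %%a in ("%OldAcct%") do call :ChkUserStatus %%a
goto :SendReport
:: Only reached when the goto :SendReport above is commented out (the way to
:: run without blat, see the notes in the post).
cd /d "%SCRIPT_DRV%%SCRIPT_DIR%"
goto :EOF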
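:ChkUserStatus
:: Decide what to do with one inactive computer account.
:: Args:   %1 - DN of the computer object as printed by dsquery (surrounding
::              quotes, if any, are stripped). Relies on dsquery quoting each
::              DN: an unquoted DN would be split at its commas by call.
:: Reads:  dsbin, SKIP_FLAG
:: Writes: CN - DN of the account being processed (read by :DeleteAcct)
:: Accounts whose description contains SKIP_FLAG go to :SkipAcct, every other
:: account goes to :DeleteAcct. An empty or unreadable description counts as
:: "not flagged".
if "%~1"=="" goto :EOF
set "CN=%~1"
echo %CN%
set "DESC="
REM dsget -L prints "desc: <text>". tokens=1,* puts everything after the
REM first colon in %%c, so descriptions containing colons are not cut short,
REM and the loop body runs even when the description is blank. delims= is
REM kept last: the characters after it are taken as the delimiter set.
for /f "tokens=1,* delims=:" %%b in ('%dsbin%dsget computer -desc -q -L "%CN%"') do set "DESC=%%c"
REM findstr returns errorlevel 1 when the flag is not in the description.
REM The test stays outside the for block so no ::-comment sits inside ( ).
echo "%DESC%" | findstr /i /c:"%SKIP_FLAG%" >nul
if ERRORLEVEL 1 (
  call :DeleteAcct "%CN%"
) else (
  call :SkipAcct "%CN%"
)
goto :EOF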
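:DeleteAcct
:: Delete the computer account whose DN is in CN (Prod mode only).
:: Reads:  CN, MODE, dsbin, actlog, errlog, inactlog
:: Writes: ActCount  - accounts dsrm removed
::         ErrCount  - accounts dsrm reported as failed
::         TestCount - accounts that would have been removed in Prod mode
:: Deletion is immediate and non-interactive (-noprompt); the Prod argument is
:: the only gate, so the Test run's inaction.log review is the real control.
if NOT "%MODE%"=="Prod" (
  echo Mode is %MODE% - not deleting, %CN% >>"%inactlog%"
  echo Mode is %MODE% - not deleting, %CN%
  set /a TestCount+=1
  goto :EOF
)
echo Trying to delete computer account: %CN% >> "%actlog%"
echo Trying to delete computer account: %CN%
REM -subtree is deliberately not passed: an account that still has child
REM objects then fails instead of being removed together with its children,
REM which is what the post's notes describe. dsrm reports a failure with a
REM line containing "failed"; findstr turns that into errorlevel 0 (seen)
REM or 1 (not seen), so the success branch below is actually reachable.
%dsbin%dsrm "%CN%" -noprompt 2>&1 | findstr "failed" >nul
if ERRORLEVEL 1 (
  echo Computer account deleted: %CN% >> "%actlog%"
  echo Computer account deleted: %CN%
  set /a ActCount+=1
) else (
  echo Error deleting %CN%
  echo Error deleting %CN% >>"%errlog%"
  set /a ErrCount+=1
)
goto :EOF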
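:SkipAcct
:: Log a computer account whose description carries SKIP_FLAG and leave it alone.
:: Args:   %1 - DN of the computer object (echoed exactly as given)
:: Reads:  inactlog
:: Writes: SkipCount
:: The log path is quoted so a script folder with spaces still logs correctly.
echo Account flagged, skipping computer, %1 >>"%inactlog%"
echo Account flagged, skipping computer, %1
set /a SkipCount+=1
goto :EOF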
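:SendReport
:: Print the run summary, append it to resultfile and (Prod only) mail it with
:: blat. Reached by goto, so it ends the script rather than returning.
:: Reads:  MODE, ActCount, SkipCount, ErrCount, TestCount, resultfile, actlog,
::         errlog, blatexe, SCRIPT_DIR
:: TestCount is only incremented in Test mode, so default it for the report.
if not defined TestCount set TestCount=0
echo Mode is: %MODE%
echo DeletedAccounts: %ActCount%
echo FlaggedAccounts: %SkipCount%
echo ErrorAccounts: %ErrCount%
echo Test Accounts: %TestCount%
echo Mode is: %MODE% >>"%resultfile%"
echo Deleted Accounts: %ActCount% >>"%resultfile%"
echo Flagged Accounts: %SkipCount% >>"%resultfile%"
echo Error Accounts: %ErrCount% >>"%resultfile%"
echo Test Count: %TestCount% >>"%resultfile%"
echo See inaction.log at \exchmonitor\c$%SCRIPT_DIR% >>"%resultfile%"
if exist "%SCRIPT_DIR%usagenote.txt" type "%SCRIPT_DIR%usagenote.txt" >>"%resultfile%"
:: One logical command line, continued with carets. The report file itself is
:: attached as well: the previous -attacht %WORK_DIR%\results.txt used a
:: variable this script never sets.
if "%MODE%"=="Prod" "%blatexe%" "%resultfile%" -tf "%SCRIPT_DIR%recips.txt" ^
  -subject "Computer account maintenance" ^
  -attacht "%resultfile%" -attacht "%actlog%" -attacht "%errlog%" ^
  -server smtpint.corp.com -f AccountManagers@corp.com
goto :EOF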
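:IsDisabled
:: Set ISDIS to 1 when the user object named by %1 is disabled, else to 0.
:: Not called anywhere in this script (it queries user, not computer, objects);
:: kept as a helper.
:: Args:   %1 - DN of the user object (quotes stripped and re-added so a DN
::              with spaces is passed as one argument)
:: Reads:  dsbin
:: Writes: ISDIS (left untouched when dsget prints nothing)
:: tokens= comes before delims= because the characters after delims= are all
:: taken as delimiters.
for /f "tokens=2 delims=:" %%c in ('%dsbin%dsget user -disabled -q -L "%~1"') do (
  for %%e in (%%c) do (
    set ISDIS=0
    if %%e==yes set ISDIS=1
  )
)
goto :EOF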
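:ERR
:: dsquery failed: write an error report and mail it. Reached by goto right
:: after the dsquery errorlevel check, so errorlevel is still dsquery's exit
:: code; it is captured first so later commands cannot clobber it.
:: Reads:  resultfile, errlog, SCRIPT_DIR, blatexe
:: Exits the script with status 1 so a scheduler sees the failure.
set "DSQ_RC=%errorlevel%"
echo Error retrieving inactive computer accounts >>"%resultfile%"
echo %DSQ_RC% >>"%resultfile%"
echo Error retrieving inactive computer accounts
:: dsquery.err holds dsquery's stderr (written to the current directory by
:: the redirect on the dsquery line); include it so the recipient sees the
:: actual error text, not only the exit code.
if exist dsquery.err type dsquery.err >>"%resultfile%"
if exist "%SCRIPT_DIR%usagenote.txt" type "%SCRIPT_DIR%usagenote.txt" >>"%resultfile%"
"%blatexe%" "%resultfile%" -tf "%SCRIPT_DIR%recips.txt" ^
  -subject "Error with computer account maintenance" ^
  -attacht "%resultfile%" -attacht "%errlog%" ^
  -server smtpint.corp.com -f AccountManagers@corp.com
exit /b 1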