On Oct 13, 2:19 am, tojo2000 <tojo2...@xxxxxx> wrote:
> On Oct 13, 1:48 am, "IT Staff" <jkk...@xxxxxx> wrote:
> There's also an attribute called pwdLastSet for the date that the
> password was last set. All computers are users, so the same
> attributes apply when it comes to passwords.
Here's a script I just wrote for this using pwdLastSet. Needs Quest AD
Management shell cmdlets. This will get computer accounts that haven't
changed their passwords in x days and move them to a pending delete
OU. Also, you can make a goodlist so if some machines should not be
deleted you don't have to skip them every time.

    # Where to look
    $searchroot = 'yourdomain.com/Computers'

    # Get the good list (CSV with a "name" column) into an array
    Import-Csv "move-over90days_goodlist.txt" | % { [array]$good += $_.name }

    $pendingdelete = "OU=PendingDelete,DC=yourdomain,DC=com"
    $old = (Get-Date).AddDays(-90)
    $logfile = "PendingDeleteLog.csv"
    $date = Get-Date

    # Get the list of computers whose pwdLastSet is earlier than this date
    $computers = Get-QADComputer -SearchRoot $searchroot -IncludedProperties pwdLastSet -SizeLimit 0 |
        where { $_.pwdLastSet -le $old }
    $computers | ft name, description, pwdLastSet
    Write-Host Found: $computers.count

    $computers | % {
        # Skip anything that is on the good list
        if ($good -notcontains $_.name) {
            # Ask for confirmation ("y") before touching each account
            if ((Read-Host Name: $_.name Description: $_.description LastChange: $_.pwdLastSet) -eq "y") {
                $ou = $_.ou
                $lastLogon = $_.pwdlastset
                $name = $_.name
                # Log name, OU, last password change and run date before the move
                $out = "$name, $ou, $lastlogon, $date"
                Out-File -FilePath $logfile -Append -NoClobber -InputObject $out
                # 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2): disable, then move
                $a = Get-QADComputer $_.name | Set-QADObject -ObjectAttributes @{userAccountControl=514} | Move-QADObject -to $pendingdelete
                Write-Host Disabled and moved $_.name
                Write-Host " "
            }
        }
    }
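
The selection step of the script above as a report-only dry run, as an added example that is not part of the original post. It assumes pwdLastSet arrives as the raw AD Int64 (as the ActiveDirectory module returns it) rather than a converted date; `Get-StaleComputer`, the computer names and the sample values are hypothetical, and it needs PowerShell 3.0 or later.

```powershell
# Added example, constructed data. Assumes pwdLastSet is the raw AD value:
# 100-ns intervals since 1601-01-01 UTC (FILETIME), not a converted DateTime.
function Get-StaleComputer {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Computer,  # needs Name, pwdLastSet
        [string[]] $GoodList = @(),                           # never selected
        [int] $Days = 90,
        [datetime] $Now = (Get-Date)
    )
    $nowUtc = $Now.ToUniversalTime()
    $cutoff = $nowUtc.AddDays(-$Days)
    foreach ($c in $Computer) {
        # Good-list entries are skipped before any age check
        if ($GoodList -contains $c.Name) { continue }
        $raw = [int64] $c.pwdLastSet
        if ($raw -le 0) {
            # No password-set time recorded: flag for manual review instead of
            # letting it convert to the year 1601 and look "stale".
            [pscustomobject]@{ Name = $c.Name; PwdLastSetUtc = $null; AgeDays = $null; Reason = 'NoTimestamp' }
            continue
        }
        $set = [datetime]::FromFileTimeUtc($raw)
        if ($set -le $cutoff) {
            $age = [int][math]::Floor(($nowUtc - $set).TotalDays)
            [pscustomobject]@{ Name = $c.Name; PwdLastSetUtc = $set; AgeDays = $age; Reason = 'Stale' }
        }
    }
}

# Constructed sample accounts (hypothetical names), built relative to "now".
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Name = 'WS-001';    pwdLastSet = $now.AddDays(-12).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS-002';    pwdLastSet = $now.AddDays(-200).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'LAB-KIOSK'; pwdLastSet = $now.AddDays(-400).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PRESTAGED'; pwdLastSet = 0 }
)

# Report only; nothing is disabled or moved.
Get-StaleComputer -Computer $sample -GoodList 'LAB-KIOSK' -Now $now |
    Format-Table Name, Reason, AgeDays, PwdLastSetUtc -AutoSize
```

Keeping accounts with no timestamp in their own category stops a pre-staged machine from being swept into the pending-delete OU together with the genuinely stale ones.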