
Moving inactive AD computers by leveraging the lastLogonTimestamp attribute

I am working on a PowerShell script to automate AD maintenance and move inactive AD computers, by leveraging the lastLogonTimestamp attribute, from one specific OU to another on Windows 2008 R2.

However, while running the script, I keep getting the following error. I am stumped, and would appreciate any input on why this script is complaining about this.

Move-ADObject : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.

Below is the part of the script that is throwing the above error:

### Find all inactive computer objects

Import-Module ActiveDirectory
$domain = "XXXXX.XXXXX.XXXXX"
$DaysInactive = 120
$time = (Get-Date).AddDays(-$DaysInactive)

### Get all AD computers with lastLogonTimestamp older than our cutoff.
### -SearchBase scopes the query to the source OU on the server; the earlier
### Where-Object -like test against a DN without a wildcard never matched,
### because a computer's DN begins with "CN=...".
$OldComputers = Get-ADComputer -Filter {LastLogonTimeStamp -le $time} `
    -SearchBase "OU=Source OU,DC=XXXX,DC=XXXX,DC=XXXX" `
    -Properties lastLogonTimestamp

## Output computer accounts to be disabled to an HTML table
## (lastLogonTimestamp is a FILETIME integer, so convert it for the report)
$head = "<style>table, th, td { border: 1px solid black; }</style>"
$OldComputers |
    Select-Object Name, DistinguishedName,
        @{Name = 'LastLogon'; Expression = { [DateTime]::FromFileTime($_.lastLogonTimestamp) }} |
    ConvertTo-Html -Title "Computer Accounts that will be disabled" `
        -Head $head `
        -Body "<H2><center>Moved and disabled computers inactive for more than 120 days</center></H2>" |
    Out-File C:\AD\move\OldComputers.html

### Move inactive computers to the disabled OU
### (this is the line that throws the error above)
$OldComputers | Disable-ADAccount | Move-ADObject -TargetPath "OU=Destination OU,DC=XXXX,DC=XXXX,DC=XXXX"

Looks like Disable-ADAccount doesn't output an ADObject. Try adding -PassThru:

$OldComputers |
Disable-ADAccount -PassThru |
Move-ADObject -TargetPath "OU=Destination OU,DC=XXXX,DC=XXXX,DC=XXXX"
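A corrected, self-contained version of the job, added here as an example and not code from the question or the answer above: it scopes the query with -SearchBase, converts the FILETIME value of lastLogonTimestamp to a DateTime for the report, and pipes Disable-ADAccount -PassThru into Move-ADObject behind -WhatIf so the run can be previewed. It assumes PowerShell 3.0 or later with the ActiveDirectory module; the OU distinguished names and the CSV log path are placeholders.

```powershell
# Added example, not code from the original post. Assumes PowerShell 3.0+ and
# the ActiveDirectory RSAT module; OU DNs and the log path are placeholders.
Import-Module ActiveDirectory

function Get-StaleComputer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $DaysInactive = 120
    )
    $cutoff = (Get-Date).AddDays(-$DaysInactive)

    # -SearchBase scopes the query server-side (a Where-Object -like test against
    # a DN with no wildcard never matches a "CN=..." computer DN).
    # The AD provider converts the DateTime $cutoff to FILETIME for the comparison.
    # Computers with no lastLogonTimestamp at all (never logged on) do not match.
    Get-ADComputer -Filter { lastLogonTimestamp -lt $cutoff -and Enabled -eq $true } `
                   -SearchBase $SearchBase `
                   -Properties lastLogonTimestamp, pwdLastSet, Description |
        ForEach-Object {
            # lastLogonTimestamp and pwdLastSet are Int64 FILETIMEs, not DateTimes.
            [PSCustomObject]@{
                Name              = $_.Name
                DistinguishedName = $_.DistinguishedName
                LastLogon         = [DateTime]::FromFileTime($_.lastLogonTimestamp)
                PasswordLastSet   = [DateTime]::FromFileTime($_.pwdLastSet)
                Description       = $_.Description
            }
        }
}

function Move-StaleComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $TargetPath,
        [string] $LogPath = 'C:\AD\move\OldComputers.csv'
    )
    process {
        if (-not $PSCmdlet.ShouldProcess($DistinguishedName, "Disable and move to $TargetPath")) {
            return
        }
        # Disable-ADAccount emits nothing unless -PassThru is given; without it
        # Move-ADObject receives $null for -Identity, the error in the question.
        Get-ADComputer -Identity $DistinguishedName |
            Set-ADComputer -Description "Disabled $(Get-Date -Format s): inactive" -PassThru |
            Disable-ADAccount -PassThru |
            Move-ADObject -TargetPath $TargetPath -PassThru |
            Select-Object Name, DistinguishedName |
            Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
}

# Usage: review the list, dry-run with -WhatIf, then run without it.
$stale = Get-StaleComputer -SearchBase 'OU=Source OU,DC=XXXX,DC=XXXX,DC=XXXX' -DaysInactive 120
$stale | Format-Table Name, LastLogon, PasswordLastSet -AutoSize
$stale | Move-StaleComputer -TargetPath 'OU=Destination OU,DC=XXXX,DC=XXXX,DC=XXXX' -WhatIf
```

Keeping the move behind ShouldProcess means the same function serves as the report (with -WhatIf) and as the enforcement step, and the CSV records the new DN after the move so the action can be reversed.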

Here's an earlier thread to get inactive computers in a specific domain's OU based on Last Logon Time Stamp.

Import the AD module

Import-Module ActiveDirectory

Define the time window: we specify 90 days plus the official Windows lag of 14 days

$time = (Get-Date).Adddays(-104)

Check for existence of the OU and create it if not present

[string] $Path = 'OU=StaleComputers,OU=SomeOU,DC=domain,DC=com'
try
{
    if (!([adsi]::Exists("LDAP://$Path")))
    {
        # Create the OU since it does not yet exist. -Name and -Path must
        # together form $Path, otherwise the check above never finds the new OU.
        New-ADOrganizationalUnit -Name "StaleComputers" -Path "OU=SomeOU,DC=domain,DC=com"
    }
    else { Write-Debug "OU Already Exists:  $Path" }
}
catch [Exception]    {
    return $_.Exception.Message
}

Now we proceed to check for computers

Get-ADComputer -Filter { LastLogonTimeStamp -lt $time } | Move-ADObject -TargetPath $Path -WhatIf

Now we check for inactive computer accounts

Search-ADAccount -AccountInactive -ComputersOnly | Where-Object { $_.LastLogonDate -lt $time } | Move-ADObject -TargetPath $Path -WhatIf
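The two steps of this answer (make sure the target OU exists, then sweep with Search-ADAccount), carried through as one added example that is not the answerer's code. It creates the OU from the same distinguished name it checked, pads the window for the lastLogonTimestamp replication lag, and corroborates the logon stamp with PasswordLastSet before anything is moved. It assumes PowerShell 3.0 or later and the ActiveDirectory module; the distinguished names are placeholders.

```powershell
# Added example, not code from the original answer. Assumes PowerShell 3.0+ and
# the ActiveDirectory module; the DNs below are placeholders.
Import-Module ActiveDirectory

function Confirm-TargetOU {
    # Returns the OU, creating it when absent. The leaf name and parent are
    # derived from the same DN that was checked, so check and create agree.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $DistinguishedName)

    try {
        return Get-ADOrganizationalUnit -Identity $DistinguishedName
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Split "OU=Leaf,<parent DN>". Escaped commas in the leaf name (\,)
        # are not handled here.
        if ($DistinguishedName -notmatch '^OU=([^,]+),(.+)$') {
            throw "Not an OU distinguished name: $DistinguishedName"
        }
        $leaf, $parent = $Matches[1], $Matches[2]
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Create OU')) {
            return New-ADOrganizationalUnit -Name $leaf -Path $parent -PassThru
        }
    }
}

function Find-InactiveComputer {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $Days = 90,
        # lastLogonTimestamp is only rewritten when the stored value is older
        # than msDS-LogonTimeSyncInterval (14 days by default), so pad the window.
        [int] $ReplicationLagDays = 14
    )
    $window = New-TimeSpan -Days ($Days + $ReplicationLagDays)
    $cutoff = (Get-Date) - $window

    # Search-ADAccount does the lastLogonTimestamp test on the server and exposes
    # the converted LastLogonDate. Corroborate with PasswordLastSet: a machine
    # that rotated its password inside the window is alive regardless of the
    # logon stamp. A computer with no LastLogonDate was never used and is a
    # different clean-up case, so it is skipped here.
    Search-ADAccount -AccountInactive -TimeSpan $window -ComputersOnly -SearchBase $SearchBase |
        ForEach-Object { Get-ADComputer -Identity $_.ObjectGUID -Properties LastLogonDate, PasswordLastSet } |
        Where-Object { $_.LastLogonDate -and $_.PasswordLastSet -lt $cutoff }
}

# Usage (dry run): ensure the target OU exists, then preview the move.
$target = 'OU=StaleComputers,OU=SomeOU,DC=domain,DC=com'
Confirm-TargetOU -DistinguishedName $target -WhatIf | Out-Null
Find-InactiveComputer -SearchBase 'OU=Workstations,DC=domain,DC=com' -Days 90 |
    Move-ADObject -TargetPath $target -WhatIf
```

Drop the two -WhatIf switches once the preview matches expectations; Confirm-TargetOU then returns the OU object whether it found it or created it.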

There are some attributes that help you decide if an AD user account or computer account is active or inactive. These attributes are LastLogon and LastLogonTimeStamp.

On the other hand, in order to suspect potential accounts that are inactive, you can perform the following steps:

- Check for those user accounts where the computer account password has not been reset for over a considerable period of time, say for 30 days, 60 days or 90 days.
- Obtain a list of all machines in a table that have not had a password reset in over 90 days, including the Name, Distinguished Name and Password Last Set Date and Time.
- You can also use the following 'dsquery' commands to detect inactive user and computer accounts in your AD.

To find out users who haven't logged in to their accounts in the past few weeks, you can run the following dsquery command (-inactive takes the number of weeks):

dsquery user -inactive <NumWeeks>

To get in more detail refer to this link: https://www.linkedin.com/pulse/cleaning-up-obsolete-user-computer-accounts-from-active-ajit-singh

Hope this helps!

Import-Module ActiveDirectory

$SourceOU = "OU=Source OU,DC=XXXX,DC=XXXX,DC=XXXX"
$DestinationOU = "OU=Destination OU,DC=XXXX,DC=XXXX,DC=XXXX"

$lldate = [DateTime]::Today.AddDays(-90)

# Description is not returned by default, so request it for the stamp below
$computers = Get-ADComputer -Filter 'PasswordLastSet -le $lldate' -SearchBase $SourceOU -Properties Description

foreach ($computer in $computers) {
    $desc = "Contact Support, disabled on $(Get-Date) - $($computer.Description)"
    Set-ADComputer $computer -Description $desc -Enabled $false
    Move-ADObject $computer -TargetPath $DestinationOU
    Add-Content C:\PShell\computers.txt -Value "Found $computer, Moved and disabled"
}
