Active Directory administrators should regularly clean up stale computers from Active Directory. This is a fact. If you haven’t automated the stale computer cleanup process, take 10 minutes to read this background article and to set it up. Doing so will make your life easier. After all, cleaning up your stale computers will help you by:
- Reducing complexity (and troubleshooting time), since you won’t have computers sharing near-identical names
- Providing an accurate count if you use an Active Directory based inventory
- Allowing you to assign specific users to a single primary machine for remote management
When a computer is marked as stale, it can occasionally come back to life! I like to call these zombie computers. It makes my day sound more exciting…
How do these stale computers come back to life? Here is an example: a user might have a laptop off the domain for a year. This laptop would be marked as stale and disabled. When the user returns, a help desk technician might re-enable the laptop without moving it from your Stale Computers container.
Just this week, we had 9 computers that had this issue. That meant 9 computers were not being managed by Group Policy! That meant 9 computers that did not have AppLocker, UAC, or other security settings applied to them! That meant 9 computers with a craving for human brains! Fortunately for us, PowerShell can fix two out of these three problems automatically! A shotgun will fix the last one…
The Enabled Inactive Computers Script
The script below will monitor your stale OU for computers that re-enable themselves. Our Stale OU is located in the root of our domain and is named Computers_Stale. You will need to change the `$Computers =` line (the `-SearchRoot` value) to match your stale OU. You will also need to edit this line:

```powershell
Where-Object {$_.ParentContainer -ne "TEST.local/Computers_Stale"} |
```
When a zombie computer comes back, you will receive an email alert. To enable this, you will need to configure the $emailFrom, $emailTo, and $smtpServer lines.
```powershell
Add-PSSnapin Quest.ActiveRoles.ADManagement

# Enabled computers that are sitting in the stale OU (change the DN to your stale OU)
$Computers = Get-QADComputer -SearchRoot "OU=Computers_Stale,DC=TEST,DC=local" -SizeLimit 0 |
    Where-Object {$_.AccountIsDisabled -eq $false} |
    Sort-Object Name

# Fill these in to receive the alert emails
$emailFrom  = ""
$emailto    = ""
$smtpServer = ""

foreach ($Computer in $Computers){
    # Prefix = computer name minus its last two characters
    $Prefix = $Computer.NAME
    $Prefix = $Prefix.substring(0,$prefix.Length-2)

    # Find other computers with the same prefix and the OU they live in
    # (the stale OU itself is excluded so it can never be chosen as the target)
    $OU = Get-QADComputer -Identity $Prefix |
        Select-Object ParentContainer |
        Where-Object {$_.ParentContainer -ne "TEST.local/Computers_Stale"}
    $OU = $OU.ParentContainer | Select-Object -Unique

    if ($OU -ne $Null){
        # Remove the leading # to move the computer back automatically
        #Move-QADObject -Identity (Get-QADComputer $Computer) -NewParentContainer $OU
        $body = $Computer.Name+" has been moved to $OU. Please put in correct groups."
        $subject = "Moved Computer"
        Send-MailMessage -to $emailto -from $emailFrom -Subject $subject -Body $body -SmtpServer $smtpServer
    }
    if ($OU -eq $Null){
        $body = $Computer.Name+" is currently enabled but cannot be placed into an OU. Please move to an OU and put in correct groups or disable the computer."
        $subject = "Unmoved Computer"
        Send-MailMessage -to $emailto -from $emailFrom -Subject $subject -Body $body -SmtpServer $smtpServer
    }
}
```
Configuring the Script for your Organization
This script also has the ability to move computers to their previous OUs instead of just emailing you to do it! To enable this, remove the # symbol from this line:
```powershell
#Move-QADObject -Identity (Get-QADComputer $Computer) -NewParentContainer $OU
```
This script uses the same logic found in our Automatically Name Computer script. It looks at the computer prefix (the computer name minus its last two characters), searches AD for computers with a matching prefix, and selects the single (unique) OU they live in. Finally, it moves the stale computer from the stale OU to that matching OU. If your computer naming scheme ends in more than 2 characters (ex: 001, 113, etc.), change the “Length-2” section to “Length-YOURNUMBER”.
In the event that a computer is enabled but a matching computer isn’t found, you will receive an alert email letting you know about this. As I mentioned above, this script prevented 9 problems on our opening day of school. It took only 5 minutes to set up.
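The same prefix-to-OU logic, written here as an added example against the Microsoft ActiveDirectory module instead of the Quest snap-in (this is not the script from the post). It goes slightly beyond the original in two ways: the suffix length is a parameter rather than a hard-coded `Length-2`, and a computer is only moved when its prefix resolves to exactly one OU, so a prefix that spans several OUs is reported as unmoved instead of being handed an array of targets. The stale OU DN, the mail addresses and the SMTP server are placeholders; the module is assumed to be installed from RSAT, and `$DryRun` keeps `Move-ADObject` in `-WhatIf` mode until you have checked the alerts.

```powershell
# Added example, not the original post's script: prefix-to-OU lookup with the
# Microsoft ActiveDirectory module. Values marked "placeholder" are assumptions.

Import-Module ActiveDirectory

$StaleOU      = "OU=Computers_Stale,DC=TEST,DC=local"   # placeholder: your stale OU DN
$SuffixLength = 2                                        # trailing characters that vary per machine
$MailFrom     = "ad-alerts@test.local"                   # placeholder
$MailTo       = "helpdesk@test.local"                    # placeholder
$SmtpServer   = "smtp.test.local"                        # placeholder
$DryRun       = $true                                    # set to $false to really move objects

# Strip the leading CN=... RDN (escaped commas included) to get the parent container DN.
function Get-ParentDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    return ($DistinguishedName -replace '^CN=(?:\\,|[^,])+,', '')
}

# Return the OU shared by every other computer with the same name prefix,
# or $null when nothing matches or the matches are spread across several OUs.
function Resolve-PrefixOU {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$SuffixLength = 2,
        [string]$ExcludeOU
    )
    if ($ComputerName.Length -le $SuffixLength) { return $null }
    $prefix = $ComputerName.Substring(0, $ComputerName.Length - $SuffixLength)

    # Double any single quote so the name cannot break out of the -Filter string
    $safePrefix = $prefix -replace "'", "''"
    $siblings = Get-ADComputer -Filter "Name -like '$safePrefix*'" |
        Where-Object { $_.Name -ne $ComputerName }

    $ous = @($siblings |
        ForEach-Object { Get-ParentDN $_.DistinguishedName } |
        Where-Object { $_ -ne $ExcludeOU } |
        Sort-Object -Unique)

    if ($ous.Count -eq 1) { return $ous[0] }   # exactly one candidate OU: safe to move
    return $null                               # no match or ambiguous: leave it for a human
}

# Enabled computers still sitting in the stale OU are the "zombies"
$zombies = Get-ADComputer -SearchBase $StaleOU -SearchScope Subtree -Filter 'Enabled -eq $true'

foreach ($computer in $zombies) {
    $targetOU = Resolve-PrefixOU -ComputerName $computer.Name -SuffixLength $SuffixLength -ExcludeOU $StaleOU

    if ($targetOU) {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOU -WhatIf:$DryRun
        $subject = "Moved Computer"
        $body    = "$($computer.Name) has been moved to $targetOU. Please put in correct groups."
    } else {
        $subject = "Unmoved Computer"
        $body    = "$($computer.Name) is enabled in $StaleOU but no single matching OU was found. Move it by hand or disable it."
    }
    Send-MailMessage -From $MailFrom -To $MailTo -Subject $subject -Body $body -SmtpServer $SmtpServer
}
```

Run it once with `$DryRun = $true` from the same scheduled task account you intend to use; the `-WhatIf` output shows every move it would make, and the "Unmoved Computer" mails show which prefixes are ambiguous in your naming scheme before anything is actually relocated.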
So what are you waiting on? Copy the script above and protect yourself from the dreaded “enabled inactive computer”!
Why not simply lock down permissions on the Stale Computers OU to prevent anyone with anything less than domain admin rights from enabling the objects in that OU? (I would hope that your helpdesk does not have domain admin rights.)
The setup we have allows a helpdesk user to enable a computer and not worry about where the account is stored. Makes my life easier! 🙂
Is this run as a scheduled task or linked to an OU within a GPO?
It is run as a scheduled task.