
3/27/2011

Powershell: Remove inactive accounts

For every computer (machine) account name listed in remove.txt, one per line, remove that account from all of its groups and then delete the account from Active Directory. The script is destructive and acts purely on the contents of that file, so review the list (and try it against a test OU first) before running it.
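# Remove stale computer accounts.
#
# Reads remove.txt (one computer account name per line), strips each account
# from every group it is a direct member of, then deletes the account from its
# parent container.
#
# Usage:  .\remove-computers.ps1 [-WhatIf]
#   -WhatIf   print what would be removed without changing the directory.
#
# SECURITY: every line of remove.txt ends up inside an LDAP filter that drives
# a delete. Each name is therefore escaped per RFC 4515 before it is used, and
# the search must return exactly one object. Without both checks a line such
# as "*" would match an arbitrary computer account and delete it.
param([switch]$WhatIf)

# Escape the characters RFC 4515 reserves inside a filter assertion value so a
# name taken from the input file can only ever match literally. The backslash
# is handled first so the escapes added afterwards are not re-escaped.
function Escape-LdapFilterValue([string]$value) {
    return $value -replace '\\', '\5c' `
                  -replace '\*', '\2a' `
                  -replace '\(', '\28' `
                  -replace '\)', '\29' `
                  -replace "`0", '\00'
}

$ds = New-Object DirectoryServices.DirectorySearcher

$names = Get-Content remove.txt
"------------------------------"
foreach ($line in $names) {
    $account = $line.Trim()
    # A blank line would become "(name=)"; never something to act on.
    if ($account -eq '') { continue }
    $account

    $ds.Filter = "(&(objectCategory=computer)(objectClass=user)(name=$(Escape-LdapFilterValue $account)))"
    $results = $ds.FindAll()
    $hits = @($results | ForEach-Object { $_.Path })
    $results.Dispose()

    # Refuse anything but an unambiguous single match: a delete must never be
    # driven by "whichever object happened to come back first".
    if ($hits.Count -ne 1) {
        "  skipped: expected exactly one match for '$account', found $($hits.Count)"
        "------------------------------"
        continue
    }
    $user = [ADSI]$hits[0]

    # Remove the computer from every group listed in memberOf. NOTE: memberOf
    # does not include the primary group, so that membership is not touched.
    "  Removed from groups:"
    foreach ($groupDn in $user.memberOf) {
        $groupDE = [ADSI]"LDAP://$groupDn"
        "    " + $groupDE
        if ($WhatIf) { continue }
        try {
            $groupDE.Remove("LDAP://$($user.distinguishedName)")
        } catch {
            # Report and carry on; the remaining groups and the delete still run.
            "    FAILED to remove from $groupDn : $_"
        }
    }

    # Delete through the object's real parent container and RDN instead of
    # rebuilding them from the DN with regexes, which mishandled names that
    # contain escaped commas or regex metacharacters.
    $entry = $user.psbase
    $rdn = $entry.Name                           # e.g. "CN=HOST01"
    $usr = ($rdn -replace '^CN=', '').ToLower()
    if ($WhatIf) {
        "  (WhatIf) would remove $usr from AD"
    } else {
        try {
            $entry.Parent.Children.Remove($entry)
            # Only reported once the delete has actually succeeded.
            $usr + " removed from AD"
        } catch {
            "  FAILED to remove $usr from AD: $_"
        }
    }
    "------------------------------"
}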
