Disable inactive computer accounts script

I did a webcast today about automating management of the datacenter with group policies and scripts. It was in Swedish, but I’ll make a blog series in English and share that information with all of you.

One of the attendees asked for the quick-and-dirty script I’ve scheduled to disable inactive computer accounts. Here it is.

I’ve scheduled it to run as a Scheduled Task deployed in a GPO that only applies to the PDC Emulator, so that not every DC runs the script.
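
An added example, not the author's scheduled script: a report-first way to disable inactive computer accounts with the Search-ADAccount query quoted in the comments below. The CL* naming pattern and the 30-day figure come from those comments; the parameter names, the 15-day value and the cap of 25 are assumptions made for this example.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$NamePattern     = 'CL*',  # naming standard mentioned in the comments (wildcard form assumed)
    [int]   $StandardDays    = 30,     # threshold for machines that follow the naming standard
    [int]   $NonStandardDays = 15,     # assumed; lastLogonTimestamp can lag real logons by up to 14 days
    [int]   $MaxToDisable    = 25      # assumed safety cap: stop instead of disabling en masse
)

$now     = Get-Date
$minDays = [Math]::Min($StandardDays, $NonStandardDays)

# Query once with the shortest threshold, then apply the per-name threshold locally.
$inactive = @(Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan (New-TimeSpan -Days $minDays) |
    Where-Object { $_.Enabled })

# Accounts with no logon date may be pre-staged or freshly joined: report them, never disable them here.
$neverLoggedOn = @($inactive | Where-Object { -not $_.LastLogonDate })

$candidates = @($inactive | Where-Object { $_.LastLogonDate } | Where-Object {
    $limit = if ($_.Name -like $NamePattern) { $StandardDays } else { $NonStandardDays }
    $_.LastLogonDate -lt $now.AddDays(-$limit)
})

Write-Host "Never logged on (review by hand): $($neverLoggedOn.Count)"
$candidates | Sort-Object LastLogonDate |
    Format-Table Name, LastLogonDate, DistinguishedName -AutoSize | Out-Host

# A filter mistake should fail loudly, not disable every computer in the domain.
if ($candidates.Count -gt $MaxToDisable) {
    throw "Refusing to disable $($candidates.Count) accounts (cap is $MaxToDisable). Review the list above."
}

# -WhatIf / -Confirm passed to this script flow through to Disable-ADAccount.
$candidates | Disable-ADAccount
```

Run it with -WhatIf first and compare the printed list with what you expect before letting a scheduled task run it unattended.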


2 thoughts on “Disable inactive computer accounts script”

  1. Hi Les,
    By using just this query, you can find out which machines it would detect and set to disabled if the rest of the script would run;
    Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 0.00:00:00 | where Enabled -eq $true

    Microsoft has some documentation here around that command and the Switches;

    In our environment, we want to remove all inactive accounts that do not follow our naming standard CL**** at once, while we let computers that follow the naming standard stay longer.
    But just play around with the -TimeSpan value to find your sweet spot.

  2. Thank you Markus,

    I have been looking for just such a script for a while now, and almost all others I have been able to decipher what they are supposed to be doing, however none have worked correctly in my environment. (the last one disabled ALL computer accounts!!!)

    My PowerShell knowledge is new and very basic. Can you explain what each search query is doing?

    Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 0.00:00:00

    Is this searching for accounts that have NOT been inactive?
    If they have been inactive for a timespan of 0.00:00:00 would you want to disable them?

    The second Search-ADAccount seems to search for accounts that have been inactive for 30 days, which makes sense to me.

    Please point out what I must be misunderstanding.

    Thank you,
