
29 October, 2024

The Art of (Digital) Decluttering: Managing Inactive Computer Accounts in AD Without Losing Your Sanity

Introduction

In the vast and often bewildering digital universe of Active Directory (AD), computer accounts sometimes cling to existence like a stubborn piece of gum on the sole of your shoe. They linger long after their physical counterparts have departed, cluttering your environment and turning your tidy digital world into a chaotic mess reminiscent of a Vogon poetry recital.

Fear not! This guide will arm you with a simple PowerShell solution that finds these inactive computer accounts, disables them, and files them away neatly in an “Inactive Computers” Organizational Unit (OU)—because who doesn’t love a good cleanup? And by enlisting the help of a Managed Service Account (MSA), you can automate the entire process, ensuring your digital landscape stays as pristine as a pan-galactic gargle blaster hangover. Ready to restore order without losing your sanity? Let’s dive in!


Step 1: The PowerShell Script – Your Trusty Tool for Computer Account Decluttering

Behold! The script that will rescue you from the clutches of digital clutter. Designed to find computer accounts that have been inactive for a set number of days (default: 90), this PowerShell masterpiece disables them and files them away in the designated “Inactive Computers” OU. It even has some error handling to catch any unexpected hiccups, and of course, a sprinkling of comments that might just tickle your funny bone.

Here’s the “Digital Decluttering” script in all its computer-account-clearing glory:

<#
.SYNOPSIS
The Art of (Digital) Decluttering Script: Cleaning Up Inactive Computer Accounts in Active Directory

.DESCRIPTION
This script identifies computer accounts in Active Directory (AD) that have been inactive for a set
number of days (default: 90), disables them, and moves them to a designated "Inactive Computers"
Organizational Unit (OU). It’s like spring cleaning, but for computer accounts in AD – clearing out
accounts that have gone quiet and aren’t checking in with the domain.

.AUTHOR
Edward L Thomas, 2024

.LAST UPDATED
October 26, 2024

.NOTES
Requires the AD module and permissions to disable and move AD computer accounts.
Tested on Windows Server 2016 and above.

.WARNING
Run this in a test environment before deploying to production. Really.
Inactive computer accounts may include important, old devices!
#>

# Define inactivity period (default is 90 days). Adjust as needed.
$inactiveDays = 90
$dateLimit = (Get-Date).AddDays(-$inactiveDays)

# Specify the "Inactive Computers" OU – the resting place for these dormant computer accounts.
$inactiveOU = "OU=Inactive Computers,DC=YourDomain,DC=com"

try {
    # Load the AD module explicitly; the outer catch reports it if this fails.
    Import-Module ActiveDirectory -ErrorAction Stop

    # Retrieve all computer accounts that haven’t logged on since $dateLimit.
    # @() guarantees an array so .Count is reliable for zero or one result.
    $computersToDisable = @(Get-ADComputer -Filter {LastLogonDate -lt $dateLimit} -ErrorAction Stop)

    if ($computersToDisable.Count -eq 0) {
        Write-Output "No inactive computer accounts found. The decluttering crusade will have to wait. Time to go find some space dolphins!"
    } else {
        # Loop through each inactive computer account
        foreach ($computer in $computersToDisable) {
            try {
                # Disable the computer account
                Disable-ADAccount -Identity $computer.DistinguishedName -ErrorAction Stop

                # Move the disabled computer account to the "Inactive Computers" OU
                Move-ADObject -Identity $computer.DistinguishedName -TargetPath $inactiveOU -ErrorAction Stop

                # Confirmation message
                Write-Output "Successfully disabled and moved computer account: $($computer.Name). They were such a good computer... until they weren't."
            } catch {
                # Handling issues with individual accounts, for example if permissions or OU paths are problematic.
                Write-Output "Warning: Could not disable/move computer account: $($computer.Name). Error details: $_. Clearly, they’ve developed a rebellious streak."
            }
        }
    }
} catch {
    # General error handling for issues retrieving AD accounts (e.g., module missing or AD unavailable).
    Write-Output "Error: Could not retrieve computer accounts. Ensure the AD module is installed and you have network connectivity. Error details: $_. Did someone forget to plug in the hyperdrive?"
}

# Completion message
Write-Output "Inactive computer account management completed – your AD is now slightly less cluttered. Have a nice cup of tea; you deserve it."
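As an added example (not the post's script), here is a report-first variant of the same cleanup: it skips accounts that are already disabled or already sitting in the target OU, writes a CSV of every candidate before touching anything, stamps the original OU into the description so a false positive can be moved back, and supports -WhatIf. The OU name is the post's; the report path is a constructed placeholder.

```powershell
# Added example: report-first cleanup with rollback breadcrumbs and -WhatIf support.
# Assumes the post's OU name; $ReportPath is a constructed placeholder.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 90,
    [string]$InactiveOU = "OU=Inactive Computers,DC=YourDomain,DC=com",
    [string]$ReportPath = "C:\Temp\InactiveComputers-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ActiveDirectory -ErrorAction Stop
$dateLimit = (Get-Date).AddDays(-$InactiveDays)

# Only enabled accounts with a recorded logon older than the limit, and not already parked.
# Accounts with no LastLogonDate at all do not match "-lt" and are left alone: they may be
# freshly joined rather than stale, which is the case a blind filter gets wrong.
$candidates = @(Get-ADComputer -Filter { Enabled -eq $true -and LastLogonDate -lt $dateLimit } `
    -Properties LastLogonDate, Description, OperatingSystem |
    Where-Object { $_.DistinguishedName -notlike "*,$InactiveOU" })

# Write the audit trail first so there is a record of what was considered, even on -WhatIf.
$candidates |
    Select-Object Name, DistinguishedName, LastLogonDate, OperatingSystem, Description |
    Export-Csv -Path $ReportPath -NoTypeInformation

foreach ($computer in $candidates) {
    # Computer DNs are "CN=<host>,<parent OU>", so the parent is everything after the first comma.
    $originalOU = ($computer.DistinguishedName -split ',', 2)[1]
    $note = "Disabled $(Get-Date -Format u) by cleanup; was in $originalOU"

    # ShouldProcess makes -WhatIf / -Confirm cover the whole disable-and-move unit of work.
    if ($PSCmdlet.ShouldProcess($computer.Name, "Disable and move to $InactiveOU")) {
        try {
            # Record where it came from before moving it, so rollback is exact.
            Set-ADComputer -Identity $computer.DistinguishedName -Description $note -ErrorAction Stop
            Disable-ADAccount -Identity $computer.DistinguishedName -ErrorAction Stop
            Move-ADObject -Identity $computer.DistinguishedName -TargetPath $InactiveOU -ErrorAction Stop
            Write-Output "Disabled and moved $($computer.Name) (last logon $($computer.LastLogonDate))"
        } catch {
            Write-Warning "Skipped $($computer.Name): $_"
        }
    }
}
Write-Output "Report written to $ReportPath ($($candidates.Count) candidate(s))."
```

Run it once with -WhatIf and read the CSV before letting the scheduled task run it for real.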

Step 2: Managed Service Account Setup – A Behind-the-Scenes Ally for Computer Account Management

For this script to work on a schedule without a hitch, it needs an account with the right permissions—and that’s where our Managed Service Account (MSA) comes in. Using an MSA is like hiring a professional declutterer who also has a knack for managing passwords and doesn’t judge you for that pile of old computer accounts you’ve been avoiding.

Here’s how to set up the MSA to run the decluttering script:

  1. Create the MSA:
    On a domain controller, create the MSA with:

    New-ADServiceAccount -Name "InactiveAccountCleaner" -DNSHostName "YourDomain.com"
  2. Install the MSA:
    On the machine where the script will run, install the MSA:

    Install-ADServiceAccount -Identity "InactiveAccountCleaner"
  3. Verify Installation:
    Test the MSA setup with:

    Test-ADServiceAccount -Identity "InactiveAccountCleaner"

    If it returns “True,” the MSA is ready to be your script’s trusty sidekick, able to navigate the depths of your Active Directory without losing its mind.

  4. Limit Permissions:
    In Active Directory Users and Computers (ADUC), go to the OU containing your computer accounts. Right-click, select Delegate Control, and assign only the required permissions—Disable Account and Move Account—to keep the MSA focused on its one job, like a dog that only fetches its own stick.
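The Delegate Control wizard gives no feedback about what it actually wrote. As an added example (not from the post), this script checks the result from PowerShell: that the MSA is usable on this host, and which ACEs name it on the source OU and on the "Inactive Computers" OU. Account and OU names follow the post; the source OU path is a placeholder.

```powershell
# Added example: verify the MSA is usable here and inspect its ACEs on the two OUs.
# Names follow the post; $computersOU is a placeholder for the OU delegated in ADUC.
Import-Module ActiveDirectory -ErrorAction Stop

$msaName     = "InactiveAccountCleaner"
$computersOU = "OU=Workstations,DC=YourDomain,DC=com"
$inactiveOU  = "OU=Inactive Computers,DC=YourDomain,DC=com"

# Is the account installed and able to retrieve its password on this host?
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "$msaName is not usable on this host; re-check Install-ADServiceAccount and password retrieval rights."
}

# Resolve the schemaIDGUID of userAccountControl so "disable" rights can be recognised by name.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$uacGuid  = [guid](Get-ADObject -SearchBase $schemaNC -Filter { lDAPDisplayName -eq 'userAccountControl' } `
                -Properties schemaIDGUID).schemaIDGUID

function Get-MsaAces([string]$dn) {
    # The AD: drive exposes the object's security descriptor to Get-Acl.
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -like "*\$msaName$" }
}

foreach ($ou in $computersOU, $inactiveOU) {
    Write-Output "ACEs for $msaName on $ou"
    $aces = @(Get-MsaAces $ou)
    if ($aces.Count -eq 0) { Write-Warning "  none found: delegation missing on $ou"; continue }
    foreach ($ace in $aces) {
        $what = if ($ace.ObjectType -eq $uacGuid)      { "WriteProperty userAccountControl (disable)" }
                elseif ($ace.ObjectType -eq [guid]::Empty) { "all properties / object types" }
                else                                       { "object type $($ace.ObjectType)" }
        Write-Output ("  {0,-6} {1,-35} {2}" -f $ace.AccessControlType, $ace.ActiveDirectoryRights, $what)
    }
}
```

If New-ADServiceAccount without -RestrictToSingleComputer created a group managed service account (the default when a KDS root key exists), Test-ADServiceAccount returns False until the host running the script is listed in the account's PrincipalsAllowedToRetrieveManagedPassword.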


Updated Step 3: Scheduling the Script with the MSA in Task Scheduler

After setting up and installing the MSA, you’ll need to schedule your PowerShell script to run with this MSA, allowing it to manage inactive computer accounts without needing manual password handling (because who has the time for that?).

  1. Open Task Scheduler and create a new task.

    • Name it “AD Inactive Computer Account Declutter.”
    • Choose Run whether user is logged on or not.
    • Configure for: Windows Server (select the version you’re using).
  2. Set Up the MSA Account for Task Run:

    • Under Security options, click Change User or Group… and enter the MSA in the format YourDomain\InactiveAccountCleaner$.
    • Note: The trailing $ character is essential for Managed Service Accounts; it differentiates MSAs from standard user accounts, much like how your favorite restaurant knows not to confuse your order with that of the guy who orders pineapple on pizza.
    • Do not enter a password for the MSA. Task Scheduler will handle authentication using the MSA's automatic password management (like magic but with fewer rabbits).
  3. Configure the Trigger:

    • Set a schedule to run the script on a weekly or monthly basis, depending on how much clutter you can tolerate in your life.
  4. Add the PowerShell Script as the Action:

    • Action: Start a Program.

    • Program/script: powershell.exe

    • Add Arguments:
      Use the path to your script, like so:

      -File "C:\Path\To\YourScript.ps1"
  5. Testing and Verifying the Task Execution:

    • Run the task manually once to ensure it executes without errors (it’s always good to double-check; you wouldn’t want to accidentally disable the CEO’s laptop).
    • Check the Task History or Event Viewer logs to confirm successful execution.
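The same task can be registered from PowerShell, which is also the route Microsoft documents for managed service accounts because -LogonType Password tells the scheduler to fetch the account's password from AD rather than prompting for one. As an added example (not from the post), the script below registers the task, runs it once, and reads the Task Scheduler operational log that steps 5 and "Monitor and Review Task Scheduler Logs" refer to. Task, account and script names are the post's placeholders.

```powershell
# Added example: register and verify the scheduled task for the MSA without supplying a password.
# Task name, account and script path are the post's placeholders.
$taskName = "AD Inactive Computer Account Declutter"
$msa      = "YourDomain\InactiveAccountCleaner$"
$script   = "C:\Path\To\YourScript.ps1"

# -NoProfile / -NonInteractive keep the run deterministic and prevent hangs on prompts.
$action    = New-ScheduledTaskAction -Execute "powershell.exe" `
                 -Argument "-NoProfile -NonInteractive -File `"$script`""
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 02:00
# LogonType Password + a trailing-$ account name is what binds the task to the MSA.
$principal = New-ScheduledTaskPrincipal -UserId $msa -LogonType Password -RunLevel Limited
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings `
    -Description "Disables and moves inactive AD computer accounts" | Out-Null

# Confirm the binding, run once, then read the last result (0 means success).
$task = Get-ScheduledTask -TaskName $taskName
Write-Output "Runs as $($task.Principal.UserId), logon type $($task.Principal.LogonType)"
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 15
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult

# Operational log: 101 = task start failed, 102 = task completed, 104 = logon failure
# (the last one is what a broken MSA install looks like). Returns nothing if Task History is disabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 101, 102, 104 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$taskName*" } |
    Select-Object TimeCreated, Id, Message
```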

Confirming MSA Password Management

MSAs automatically rotate passwords and maintain security independently, without requiring manual intervention. However, if you need to validate the functionality:

  1. Run the MSA Test:
    Use PowerShell to verify that the MSA is correctly installed and has an active password:

    Test-ADServiceAccount -Identity "InactiveAccountCleaner"

    If this returns True, the MSA is active and its password is managed automatically by AD (like a well-trained pet that knows how to fetch its own treats).

  2. Monitor and Review Task Scheduler Logs:
    Task Scheduler will log any issues, including those related to authentication. If you encounter errors related to the MSA password, it could indicate issues with the MSA installation or permissions, which can be rechecked in Active Directory.


Wrapping Up

Congratulations! With this setup, you’ve mastered the art of decluttering inactive computer accounts in AD. The combination of PowerShell and an MSA keeps everything running smoothly, like a well-oiled machine (assuming the machine hasn’t been inactive for 90 days, of course).

In the end, your AD stays organized and free from forgotten computer accounts, allowing you to focus on the active ones without any digital cobwebs lurking in the corners. So go on, pat yourself on the back—your environment is now a model of organized efficiency (and maybe just a little more fun).

Remember, managing inactive computer accounts is not just a task; it’s an adventure in digital tidiness!