Monday, September 12, 2016

Updated AD Cleanup Script supporting ConfigMgr

Previously I wrote about how we manage to keep Active Directory clean, which in turn helps keep ConfigMgr clean by deprecating old machine objects. Instead of rehashing, you can just read the original post to understand its full purpose.

A major change in this new version is that it adds support for SCCM. If you do not use SCCM then do not move to this one as there is no SCCM=True switch to enable/disable that functionality.

By pulling from ConfigMgr the emails are more useful.

 Disabled computer account ABC12345. Last SCCM Inventory:9/5/2016 9:35 PM. Primary User:kfason. Account was moved on 8/8/2016 1:44:43 PM. Description: ::Account Automatically Moved - [8/8/2016 1:44:43 PM]  
      ABC12345 was moved to ou=Disabled,ou=ADCleanup,DC=mydomain,DC=local.  
      Updated the description for account ABC12345.  

The flow was also streamlined and now runs in this order:
  • Delete machine objects that have reached their deletion date
  • Disable any active machine objects (already moved into ADCleanup) that are past their date
  • Move any machine objects that have not touched the domain since the cutoff date into ADCleanup
  • Move any machine objects in ADCleanup that have touched the domain back to where the script found them
  • Move any enabled machine objects out of the Disabled OU back to where the script found them
Additionally, if there are any formatting errors the script could not resolve, it puts those in the email so you can deal with them manually. This can be useful if you have staff making changes to these objects. I'm sure these could be adapted to the older version if you wanted to try.

 Disabled computer account ABC12345 does not have correct disabled time stamp.  
 Cleaned up description field for CBA54321.  
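The AD side of that flow, as an added example that is not the author's script: a single decision function classifies each computer object, and a dry-run driver acts on it. It assumes the OU layout from the email above, a description stamp of the form shown there with an added "From: <source OU>" suffix (this example's own convention for remembering where the object was found), and a constructed exclusion list in place of the ExcludedComputers file.

```powershell
# Added example, not the author's script: the decision logic behind the flow described above.
# Assumptions: inactive objects go to ou=ADCleanup, disabled ones to ou=Disabled,ou=ADCleanup, and
# each move stamps the description "::Account Automatically Moved - [date] From: <source OU>";
# the "From:" suffix is this example's own way of remembering where the object was found.
Import-Module ActiveDirectory

$MoveAfterDays = 60; $DisableAfterDays = 30; $DeleteAfterDays = 30   # thresholds, adjust as needed
$CleanupOU  = 'ou=ADCleanup,DC=mydomain,DC=local'
$DisabledOU = "ou=Disabled,$CleanupOU"
$StampRegex = '^::Account Automatically Moved - \[(?<when>[^\]]+)\] From: (?<from>.+)$'
$Excluded   = @('SAN01', 'LINUXBOX')   # constructed stand-in for the ExcludedComputers file

# Always write the date in one fixed format so a later run parses it regardless of the user's locale
function New-Stamp([string]$From) {
    $when = (Get-Date).ToString('M/d/yyyy h:mm:ss tt', [cultureinfo]::InvariantCulture)
    "::Account Automatically Moved - [$when] From: $From"
}

# Pure decision function: returns Delete, Disable, Move, Restore, Reenable, Invalid or None
function Get-CleanupAction {
    param($Computer, [datetime]$Now = (Get-Date))
    if ($Excluded -contains $Computer.Name) { return 'None' }
    $dn = $Computer.DistinguishedName
    $lastSeen = if ($Computer.LastLogonDate) { $Computer.LastLogonDate } else { [datetime]::MinValue }
    if ($dn -notlike "*,$CleanupOU") {
        if ($lastSeen -lt $Now.AddDays(-$MoveAfterDays)) { return 'Move' }
        return 'None'
    }
    # Inside ADCleanup the stamp must parse; otherwise it is reported for manual review
    if ($Computer.Description -notmatch $StampRegex) { return 'Invalid' }
    $movedOn = [datetime]$Matches['when']
    if ($dn -like "*,$DisabledOU") {
        if ($Computer.Enabled) { return 'Reenable' }               # re-enabled by hand, send it home
        if ($movedOn -lt $Now.AddDays(-$DeleteAfterDays)) { return 'Delete' }
        return 'None'
    }
    if ($lastSeen -gt $movedOn) { return 'Restore' }               # touched the domain again
    if ($movedOn -lt $Now.AddDays(-$DisableAfterDays)) { return 'Disable' }
    return 'None'
}

# Driver: a dry run with -WhatIf; drop it only once the report matches expectations
foreach ($c in Get-ADComputer -Filter "OperatingSystem -like 'Windows*'" -Properties Description,LastLogonDate) {
    $action = Get-CleanupAction $c
    $from = if ($c.Description -match $StampRegex) { $Matches['from'] } else { $c.DistinguishedName -replace '^CN=[^,]+,', '' }
    switch ($action) {
        'Move'    { Set-ADComputer $c -Description (New-Stamp $from) -WhatIf; Move-ADObject $c -TargetPath $CleanupOU -WhatIf }
        'Disable' { Disable-ADAccount $c -WhatIf; Set-ADComputer $c -Description (New-Stamp $from) -WhatIf; Move-ADObject $c -TargetPath $DisabledOU -WhatIf }
        'Delete'  { Remove-ADComputer $c -Confirm:$false -WhatIf }
        { $_ -in 'Restore','Reenable' } { Move-ADObject $c -TargetPath $from -WhatIf }
        'Invalid' { Write-Warning "$($c.Name) description is not a valid cleanup stamp; review manually" }
    }
    "$action $($c.Name)"     # one report line per object for the summary e-mail
}
```

The ConfigMgr lookup that enriches the email (last inventory, primary user) is left out here; the decision logic is the part that needs to be right before anything is moved or deleted.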


The time frames and paths can be modified, so review lines 1 through 34 and 740. Line 19 lets you choose specific OS versions to work with, to include Servers for example. There are two optional support files available: one for Excluded Computers and one for Excluded OUs. They are used to exclude objects manually created for non-Windows devices such as SAN or Linux systems, as well as special-purpose OUs that need excluding.

This script is provided as-is; no warranty is provided or implied. The author is NOT responsible for any damages or data loss that may occur through the use of this script. Always test, test, test before rolling anything into a production environment.

You can get the updated script here.
