The Multifunctioning DBA:

Domain Administration

Jul 23 2009   9:43PM GMT

More with Quest AD Powershell CMDLETS



Posted by: Colin Smith
Powershell, Active Directory, Microsoft Windows, Windows, Windows Administration, Domain Administration

I am continuing work on the script that I am converting from VBScript to PowerShell and I must say that it is going quite well with the help of the Quest cmdlets. In the script I want to go through a particular OU and delete any accounts that are currently disabled, and were created a minimum of 180 days ago, and have not been used in a minimum of 180 days. I can do this with the following block of code.

# Accounts must have been created, and last used, at least this many days ago
$deletedays = -180
$deletedate = [datetime]::Now.AddDays($deletedays)

# Log each matching disabled account to a file, then remove it
Get-QADUser -SearchRoot "pni.us.ad.gannett.com/PNI/Users/Disabled" | where { ($_.lastlogontimestamp.value -lt $deletedate) -and ($_.creationdate -lt $deletedate) -and ($_.AccountIsDisabled -eq $true) } | Tee-Object -FilePath "c:\removedaccounts.txt" | Remove-QADObject -Force

So you will also notice that I am using the Tee-Object cmdlet. This is not a Quest cmdlet, but it is nice as I can log what accounts I am deleting with the Remove-QADObject cmdlet that is provided by Quest. Be careful when doing things like removing accounts in scripts and be sure to test completely. A good way to test is to use the -WhatIf parameter. This will show you what would happen if you did run it.
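The same three conditions as a filter function, as an added example that is not part of the original post. It runs on constructed sample objects that reuse the property names from the pipeline above; the function names and sample accounts are hypothetical. It makes one edge case explicit: an account with no recorded logon has an empty lastlogontimestamp, and the one-line filter treats that as older than the cutoff.

```powershell
# Added example: hypothetical function names, constructed sample data.
function Select-DeletionCandidate {
    param(
        [Parameter(ValueFromPipeline = $true)] $User,
        [datetime] $Cutoff,
        [switch] $IncludeNeverLoggedOn
    )
    process {
        if ($User.AccountIsDisabled -ne $true) { return }   # must be disabled
        if ($User.creationdate -ge $Cutoff)    { return }   # must be old enough
        $last = $User.lastlogontimestamp.value
        if ($null -eq $last) {
            # No recorded logon: "$null -lt $Cutoff" is $true in PowerShell, so the
            # one-line filter selects these accounts. Here that needs an explicit switch.
            if ($IncludeNeverLoggedOn) { $User }
            return
        }
        if ($last -lt $Cutoff) { $User }                     # unused since before the cutoff
    }
}

# Builds an object shaped like the properties the pipeline above reads (constructed data).
function New-SampleUser($name, $created, $lastLogon, $disabled) {
    $ts = if ($null -ne $lastLogon) { New-Object psobject -Property @{ value = $lastLogon } }
    New-Object psobject -Property @{
        Name = $name; creationdate = $created
        lastlogontimestamp = $ts; AccountIsDisabled = $disabled
    }
}

$now    = [datetime]::Now
$cutoff = $now.AddDays(-180)
$users  = @(
    (New-SampleUser 'stale'        ($now.AddDays(-400)) ($now.AddDays(-300)) $true),
    (New-SampleUser 'never-used'   ($now.AddDays(-400)) $null                $true),
    (New-SampleUser 'recent-logon' ($now.AddDays(-400)) ($now.AddDays(-10))  $true),
    (New-SampleUser 'new-account'  ($now.AddDays(-30))  $null                $true),
    (New-SampleUser 'still-active' ($now.AddDays(-400)) ($now.AddDays(-300)) $false)
)

# Review both candidate lists before anything is piped on to a delete.
$users | Select-DeletionCandidate -Cutoff $cutoff | ForEach-Object { $_.Name }
$users | Select-DeletionCandidate -Cutoff $cutoff -IncludeNeverLoggedOn | ForEach-Object { $_.Name }
```

Against the real directory, the output of Get-QADUser -SearchRoot takes the place of $users, and the pipeline ends in Tee-Object and Remove-QADObject -Force -WhatIf until the logged list has been reviewed.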

Jul 22 2009   9:59PM GMT

Get List of all DCs in your Domain



Posted by: Colin Smith
Powershell, Domain Administration, Windows Administration

I am working on converting a VBScript that I wrote a couple of years ago into a PowerShell script. This script requires that I query all of the Domain Controllers in my domain to get the most up to date data that is possible. I used the Quest AD cmdlets and they made it easy. I have discussed these in the past and if you have not gotten them yet then go get them. They are at the following link:

 http://www.quest.com/powershell/activero…

To get a listing of your DCs, just do the following.

$dcs = Get-QADComputer -ComputerRole DomainController

Now you have a listing of them in the $dcs variable and you can scan them all.