Active Directory Cleanup Runbook Automation
Six runbooks: five are functional workbooks and the first runbook calls the rest in sequence.
Download the PowerShell scripts – ad cleanup runbook ps
Runbook 1 – AD Cleanup
The master runbook, which triggers every 7 days 16 hours, calls the 5 runbooks, each with ‘wait for completion’ set before the next runbook is started.
Runbook 2 – Scan and Dump List
PowerShell script which scans Active Directory [admin rights not required] and checks for machines that have been inactive for 180 days and are not disabled, with Operating System = WinXP, Win7 or Win10.
C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe {
# Scan only: lists candidate machines, no admin rights needed
Import-Module ActiveDirectory
$DaysInactive = 180
$time = (Get-Date).AddDays(-$DaysInactive)
$result = @()
#------------------------------------------------------------
# Modified before the cutoff and not a disabled workstation (userAccountControl 4098 = WORKSTATION_TRUST_ACCOUNT + ACCOUNTDISABLE)
Get-ADComputer -Filter {(Modified -lt $time) -and (useraccountcontrol -ne "4098")} -Properties OperatingSystem, Modified |
  Select-Object Name, OperatingSystem | ForEach-Object {
    if (($_.OperatingSystem -like "Windows 7*") -or ($_.OperatingSystem -like "Windows 10*") -or ($_.OperatingSystem -like "Windows 8*") -or ($_.OperatingSystem -like "Windows xp*")) { $result += $_.Name }
  }
$result | Set-Content C:\SourceSoftware\runbook-output\adcleaner\output\ad-cleaner.csv
}
Runbook 3 – Scan and Disable Scheduled Task
PowerShell script to disable in AD the machines found by the earlier runbook [requires admin rights]
# Setting search parameters and creating array
Import-Module ActiveDirectory
$DaysInactive = 180
$time = (Get-Date).AddDays(-$DaysInactive)
$result = @()
#------------------------------------------------------------
# Searching for computers that fit the parameters
Get-ADComputer -Filter {(LastLogonDate -lt $time) -and (Enabled -eq "True")} -Properties OperatingSystem, comment, CN, LastLogonDate -ErrorAction SilentlyContinue |
  Select-Object Name, OperatingSystem, comment, CN, LastLogonDate, DistinguishedName | ForEach-Object {
    if (($_.OperatingSystem -like "Windows 7*") -or ($_.OperatingSystem -like "Windows 10*") -or ($_.OperatingSystem -like "Windows 8*") -or ($_.OperatingSystem -like "Windows xp*")) { $result += $_ }
  }
# Disabling computers
# One-liner alternative (note: Disable-ADAccount has no -Recursive parameter):
# $result | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -ErrorAction SilentlyContinue }
foreach ($computer in $result) {
    if ($null -ne $computer) {
        Disable-ADAccount -Identity $computer.DistinguishedName
    }
}
#------------------------------------------------------------
Runbook 4 – Scan Disabled and Delete Scheduled Task + Log
PowerShell script to scan for machines inactive for 360 days and disabled, then delete them [requires AD admin rights]
# Setting search parameters and creating array
Import-Module ActiveDirectory
$DaysInactive = 360
$time = (Get-Date).AddDays(-$DaysInactive)
$result = @()
# Searching for computers that fit the parameters
#------------------------------------------------------------
Get-ADComputer -Filter {(LastLogonDate -lt $time) -and (Enabled -eq "False")} -Properties OperatingSystem, comment, LastLogonDate -ErrorAction SilentlyContinue |
  Select-Object Name, OperatingSystem, comment, DistinguishedName | ForEach-Object {
    if (($_.OperatingSystem -like "Windows 7*") -or ($_.OperatingSystem -like "Windows 10*") -or ($_.OperatingSystem -like "Windows 8*") -or ($_.OperatingSystem -like "Windows xp*")) { $result += $_ }
  }
# Write output to log before anything is deleted
#------------------------------------------------------------
# Export-Csv keeps the selected columns; Set-Content would only write each object's string form
$result | Export-Csv -Path \\SERVER01\runbook-output\adcleaner\output\ad-disable.csv -NoTypeInformation
#------------------------------------------------------------
# Delete function
#------------------------------------------------------------
foreach ($computer in $result) {
    if ($null -ne $computer) {
        Remove-ADObject -Identity $computer.DistinguishedName -Recursive -Confirm:$false
    }
}
#------------------------------------------------------------
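Runbooks 3 and 4 as written will delete any disabled computer that is old enough, including machines an admin disabled on purpose (for example for an investigation hold). The following is an added example, not one of the original runbooks: it stamps a tag into the Description attribute when the cleanup disables an account, deletes only tagged accounts, caps the work per run, and supports -WhatIf. The ActiveDirectory module is assumed; $Tag, $MaxPerRun and $LogPath are assumed values you would set for your domain.

```powershell
# Added example, not from the original runbooks. Accounts the cleanup disables
# are tagged in Description so the delete step never touches an admin hold;
# $MaxPerRun limits blast radius. $Tag, $MaxPerRun, $LogPath are assumed values.
Import-Module ActiveDirectory
$Tag        = 'AD-CLEANUP-DISABLED'
$OSPatterns = 'Windows 7*', 'Windows 8*', 'Windows 10*', 'Windows xp*'
$MaxPerRun  = 50
$LogPath    = '\\SERVER01\runbook-output\adcleaner\output\ad-delete.csv'

function Get-StaleComputer {
    param([int]$DaysInactive, [ValidateSet('True', 'False')][string]$EnabledValue)
    $cutoff = (Get-Date).AddDays(-$DaysInactive)
    # LastLogonDate can lag replication by about 14 days and machine passwords
    # rotate every 30 days, so PasswordLastSet must be stale too before we act.
    Get-ADComputer -Filter "Enabled -eq '$EnabledValue'" `
        -Properties OperatingSystem, LastLogonDate, PasswordLastSet, Description |
      Where-Object {
        $c = $_
        @($OSPatterns | Where-Object { $c.OperatingSystem -like $_ }).Count -gt 0 -and
        $c.LastLogonDate -lt $cutoff -and $c.PasswordLastSet -lt $cutoff
      }
}

function Disable-StaleComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$DaysInactive = 180)
    $stale = @(Get-StaleComputer -DaysInactive $DaysInactive -EnabledValue 'True' |
               Select-Object -First $MaxPerRun)
    foreach ($c in $stale) {
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Disable')) {
            # Record when the cleanup acted, keeping any existing description
            Set-ADComputer -Identity $c -Description "$Tag $(Get-Date -Format s) (was: $($c.Description))"
            Disable-ADAccount -Identity $c
        }
    }
}

function Remove-TaggedComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$DaysInactive = 360)
    $victims = @(Get-StaleComputer -DaysInactive $DaysInactive -EnabledValue 'False' |
                 Where-Object { $_.Description -like "$Tag*" } | Select-Object -First $MaxPerRun)
    # Log first, delete second: the CSV is the only record once the object is gone
    $victims | Select-Object Name, OperatingSystem, LastLogonDate, DistinguishedName |
        Export-Csv -Path $LogPath -NoTypeInformation -Append
    foreach ($c in $victims) {
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Remove')) {
            Remove-ADObject -Identity $c -Recursive -Confirm:$false
        }
    }
}
```

Run `Disable-StaleComputer -WhatIf` and `Remove-TaggedComputer -WhatIf` first to see exactly which objects each pass would touch.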
Runbook 5 – Mail Routine
Sends the output files by mail to the recipients; the subject of the mail is appended with the current date and time.
Runbook 6 – Logging Routine
Moves the current logs to the history folders, appending the date of the file transfer to each file name.
(Screenshot: sample automated email)