
此 PowerShell 脚本可以禁用计算机帐户，但无法把计算机帐户移动到名为“Disabled”的 OU 中。我的老板不希望用任何第三方插件来运行脚本。脚本运行在 Server 2008 R2 上，感谢任何帮助。

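# Finds inactive non-server computer accounts, disables them and moves them
# into a quarantine OU.  Uses only ADSI / System.DirectoryServices (no
# third-party modules), so it runs unchanged on Server 2008 R2 / PowerShell 2.0.
#
# "Inactive" is judged on pwdLastSet -- the last time the machine rotated its
# own account password -- NOT on a logon timestamp.  Domain members rotate that
# password every 30 days by default, so a threshold below 30 days can flag
# machines that are still in use.  Confirm the domain's machine-password age
# (MaximumPasswordAge / DisablePasswordChange) and set $intDays above it before
# running this against production.
#
# Run under an account that may write userAccountControl on the computer
# objects and create child objects in the target OU; every failure is logged
# with the exception text so permission and path problems are diagnosable.

# Specify log file.

    $File = "c:\scripts\OldComputers.log"

# Minimum age (in days) of pwdLastSet for a computer to be considered inactive.

    $intDays = 25

# Specify the DN of the OU into which inactive computer objects will be moved.

$TargetOU = "ou=Disabled,dc=helpdesktest,dc=local"

# Refuse to start unless the target OU really exists.  [ADSI] binding is lazy,
# so a typo in $TargetOU would otherwise only show up as "Cannot move" for
# every single account, after those accounts had already been disabled.

    If (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$TargetOU"))
    {
        Throw "Target OU not found: $TargetOU"
    }

# Bind to target OU.

    $OU = [ADSI]"LDAP://$TargetOU"

    $D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $Domain = [ADSI]"LDAP://$D"
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher
    $Searcher.PageSize = 200
    $Searcher.SearchScope = "subtree"

# Filter on all non-server computers.  The negation also matches computer
# objects whose operatingSystem attribute is empty, so those are included.

$Searcher.Filter = "(&(objectCategory=computer)(!operatingSystem=*server*))"
$Searcher.PropertiesToLoad.Add("distinguishedName") > $Null
$Searcher.PropertiesToLoad.Add("pwdLastSet") > $Null
$Searcher.SearchRoot = "LDAP://" + $Domain.distinguishedName

# Write information to log file.

     $Today = Get-Date
        Add-Content -Path $File -Value "Search for inactive computer accounts"
        Add-Content -Path $File -Value "Start: $Today"
        Add-Content -Path $File -Value "Base of search: $Domain"
        Add-Content -Path $File -Value "Log file: $File"
        Add-Content -Path $File -Value "Inactive if pwdLastSet older than days: $intDays"
        Add-Content -Path $File -Value "Inactive accounts moved to: $TargetOU"
        Add-Content -Path $File -Value "-------------------------------------------"

    # Initialize totals.

     $Total = 0
        $Inactive = 0
        $Moved = 0
        $NotMoved = 0
        $NotDisabled = 0

        $Results = $Searcher.FindAll()
        Try
        {
            ForEach ($Result In $Results)
            {
                $DN = [string]$Result.Properties["distinguishedName"][0]
                $PLS = $Result.Properties["pwdLastSet"]
                $Total = $Total + 1

                # pwdLastSet is a FILETIME (100 ns intervals since 1601-01-01 UTC).
                # FromFileTime does the epoch shift and the UTC -> local conversion
                # in one step; a missing value maps to 1601-01-01, i.e. "never".
                If ($PLS.Count -eq 0)
                {
                    $PwdLastSet = [DateTime]::FromFileTime(0)
                }
                Else
                {
                    $PwdLastSet = [DateTime]::FromFileTime([Int64]$PLS[0])
                }

                If ($PwdLastSet.AddDays($intDays) -lt $Today)
                {

                    # Computer inactive.

                    $Inactive = $Inactive + 1
                    # ADsPath uses "/" as a separator, so a literal "/" in the DN
                    # must be escaped or the bind fails.
                    $Computer = [ADSI]("LDAP://" + ($DN -replace '/', '\/'))
                    Add-Content -Path $File -Value "Inactive: $DN - pwdLastSet $PwdLastSet"

                    # Disable the computer account FIRST: if the move fails afterwards
                    # the stale account is at least no longer usable.
                    # Use -bor (set the ACCOUNTDISABLE bit) and never -bxor: XOR
                    # toggles the bit and would RE-ENABLE an account that is already
                    # disabled the next time this script runs.
                    Try
                    {
                        $Flag = [int]$Computer.userAccountControl.Value
                        $Computer.userAccountControl = $Flag -bor 2
                        $Computer.SetInfo()
                    }
                    Catch
                    {
                        $NotDisabled = $NotDisabled + 1
                        Add-Content -Path $File -Value "Cannot disable: $DN - $($_.Exception.Message)"
                    }

                    # Move computer to target OU.  A single attempt, counted on
                    # success; the exception text is logged on failure so the
                    # reason (permissions, bad OU, name collision) is visible.
                    Try
                    {
                        $Computer.psbase.MoveTo($OU)
                        $Moved = $Moved + 1
                        Add-Content -Path $File -Value "Moved: $DN"
                    }
                    Catch
                    {
                        $NotMoved = $NotMoved + 1
                        Add-Content -Path $File -Value "Cannot move: $DN - $($_.Exception.Message)"
                    }
                }
            }
        }
        Finally
        {
            # SearchResultCollection holds unmanaged directory handles; release them.
            $Results.Dispose()
        }

    Add-Content -Path $File -Value "Finished: $(Get-Date)"
    Add-Content -Path $File -Value "Total computer objects found:  $Total"
    Add-Content -Path $File -Value "Inactive:            $Inactive"
    Add-Content -Path $File -Value "Inactive accounts moved:  $Moved"
    Add-Content -Path $File -Value "Inactive accounts not moved:  $NotMoved"
    Add-Content -Path $File -Value "Inactive accounts not disabled: $NotDisabled"
    Add-Content -Path $File -Value "-------------------------------------------"

    "Total computer objects found:  $Total"
    "Inactive:                     $Inactive"
    "Inactive accounts moved:      $Moved"
    "Inactive accounts not moved:  $NotMoved"
    "Inactive accounts not disabled: $NotDisabled"
    "Done"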
