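Today my manager asked me to disable all computers and accounts in the domain that have not logged on for more than 60 days. I first found an article on querying computers; I will deal with the AD accounts later. The original post is below. It is in English, and I have added my own translation.
Use PowerShell commands to query Active Directory for computer accounts that have not logged on for a long time. This article uses 60 days as the example; change it as needed.
The script follows: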
# This PowerShell Command will query Active Directory and return the computer accounts which have not logged on for the past
# (This PowerShell command queries the AD domain and returns the computer accounts that have not logged on for some time.)
# 60 days. You can easily change the number of days from 60 to any number of your choosing. lastLogonDate is a Human
# (You can change the 60 below to set how many days without a logon to query for.)
# Readable conversion of the lastLogonTimeStamp (as far as I am able to discern). More details about the timestamp can
$then = (Get-Date).AddDays(-60) # The 60 is the number of days from today since the last logon.
# (This 60 means 60 days from the last logon to today; you can change this parameter.)
Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Format-Table Name,lastLogonDate
# (This line is the key command; you can copy it as is to get the list.)
# If you would like to Disable these computer accounts, uncomment the following line:
# (If you want to disable those computer accounts, just delete the "#" from the command on the next line.)
# Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Set-ADComputer -Enabled $false
# If you would like to Remove these computer accounts, uncomment the following line:
# (If you want to delete these computer accounts, just remove the "#" from the command below.)
# Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Remove-ADComputer
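One more thing I want to add: the commands above have to be run in PowerShell, and PowerShell has to be opened in administrator mode. Below is a screenshot of my run.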
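A more cautious variant of the script above, as an added example that is not part of the original post: it also reports enabled computers that have never logged on (their lastLogonDate is empty, so the `-lt` filter skips them), saves a CSV record of what will be touched, and runs the disable step with `-WhatIf` so nothing changes until that switch is removed. The function name `Get-StaleADComputer` and the CSV file name are made up for this example.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-StaleADComputer {
    param(
        [int]$DaysInactive = 60,   # same threshold as the post
        [string]$SearchBase        # optional OU distinguished name; empty = whole domain
    )
    $cutoff = (Get-Date).AddDays(-$DaysInactive)

    $params = @{
        Filter     = 'Enabled -eq $true'   # skip accounts that are already disabled
        Properties = 'LastLogonDate', 'whenCreated', 'OperatingSystem'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADComputer @params | Where-Object {
        # Case 1: has logged on, but not since the cutoff
        ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        # Case 2: never logged on, and the account is older than the cutoff
        # (a freshly joined machine with no logon yet is left alone)
        (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
    } | Select-Object Name, DistinguishedName, OperatingSystem, LastLogonDate, whenCreated
}

# 1. Build the list and keep a record of it before changing anything.
$stale = @(Get-StaleADComputer -DaysInactive 60)
$stale | Export-Csv -Path .\stale-computers.csv -NoTypeInformation -Encoding UTF8
Write-Host "Stale enabled computer accounts: $($stale.Count)"

# 2. Dry run: -WhatIf prints what would be disabled without doing it.
#    Remove -WhatIf only after the CSV has been reviewed.
$stale | ForEach-Object {
    Set-ADComputer -Identity $_.DistinguishedName -Enabled $false -WhatIf
}
```

lastLogonDate comes from lastLogonTimestamp, which by default is only refreshed when the stored value is about 9 to 14 days old, so it can lag the real last logon by up to two weeks; a 60-day threshold leaves enough margin for that.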