Resetting a Computer Account
Like a user account, a computer account interacts with Active Directory using a password. But for computer
accounts, a password change is initiated every days by default and the password is exempted from the
domain's password policy. Password changes are driven by the client (computer), not AD.
Computer credentials are usually unknown to the user because they are randomly set by the computer. But you can
set your own password; here is a PowerShell script for doing so:
    $pc = Read-Host -Prompt "Input computer name to reset" # Specify the computer name.
    $pw = Read-Host -Prompt "Input random characters for temp password" -AsSecureString # Specify the password.
    Get-ADComputer $pc | Set-ADAccountPassword -NewPassword:$pw -Reset:$true
Disabling User and Computer Accounts
To disable user, computer or service accounts, use the Disable-ADAccount cmdlet. The -Identity parameter
specifies which account to disable. You can specify an account by its distinguished name, security identifier (SID),
globally unique identifier (GUID) or Security Account Manager (SAM) account name.
    Disable-ADAccount -Identity RussellS
If you specify a computer account name, remember to append a dollar sign ($) at the end of the name; otherwise,
you'll get an error after script execution.
    Disable-ADAccount -Identity fs$
You can also disable accounts in bulk using a list in a text file:
    $Pclist = Get-Content C:\scripts\Computer.txt # Specify the path to the computer list.
    # One computer account name per line, each ending in $.
    Foreach ($pc in $Pclist)
    {
        Disable-ADAccount -Identity "$pc"
        Get-ADComputer -Identity "$pc" | Move-ADObject -TargetPath "OU=Disabled Computers,DC=enterprise,DC=com"
    }
Deleting a Computer from Active Directory
To delete a computer account from AD, use the Remove-ADObject cmdlet:
    # Remove-ADObject -Identity takes a distinguished name or GUID, so resolve the computer by name first.
    Get-ADComputer -Identity "WKS" | Remove-ADObject
You will be prompted to confirm the deletion.
If you have a text file with a list of old computers, you can streamline the task of removing them using
PowerShell. The following script will read the computer names from a TXT file and delete the corresponding
accounts via a pipeline:
    Get-Content C:\scripts\computersfordeletion.txt | ForEach-Object { Get-ADComputer -Filter { Name -eq $_ } } | Remove-ADObject -Recursive
Stale accounts in Active Directory can be compromised, leading to security incidents, so it is critical to keep an
eye on them. This PowerShell script will query Active Directory and return all computers that have not been
logged in to for the past days. It also will remove those accounts to keep your AD clean.
    $stale = (Get-Date).AddDays(-<days>) # <days> means days since last logon; can be changed to any number.
    # List the stale computers.
    Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $stale} | FT Name,lastLogonDate
    # Remove them.
    Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $stale} | Remove-ADComputer
There is one computer, FS, that has not been logged on to for more than days. The system will prompt
for confirmation before deleting it from the domain.
If you want to disable, rather than delete, the inactive computer accounts, replace the Remove-ADComputer
cmdlet with Set-ADComputer and the -Enabled $false parameter and value.
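The disable-instead-of-delete variant, written out as an added example (not code from the original page). It treats a computer as stale only when both its last logon and its last machine password change are older than the cutoff, writes a report before changing anything, and then disables and moves each account. The function name Disable-StaleComputer, its parameters, the report path and the sample value 90 are assumptions made for illustration.

```powershell
#Requires -Modules ActiveDirectory
# Added example: function name, parameters and report path are hypothetical.
function Disable-StaleComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 3650)][int]$Days,
        # Target OU as a distinguished name, e.g. "OU=Disabled Computers,DC=enterprise,DC=com"
        [Parameter(Mandatory)][string]$QuarantineOU,
        [string]$ReportPath = '.\stale-computers.csv'
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    # Fail before touching anything if the target OU does not exist.
    $null = Get-ADOrganizationalUnit -Identity $QuarantineOU -ErrorAction Stop

    # Stale: still enabled, no logon AND no machine password change since the cutoff.
    # Accounts that have never logged on have no LastLogonDate and are not matched.
    $stale = @(Get-ADComputer -Properties LastLogonDate, PasswordLastSet -Filter {
            Enabled -eq $true -and LastLogonDate -lt $cutoff -and PasswordLastSet -lt $cutoff })

    # Record what was found and where it lived, even when run with -WhatIf.
    $stale | Select-Object Name, DistinguishedName, LastLogonDate, PasswordLastSet |
        Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

    foreach ($c in $stale) {
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Disable and move to $QuarantineOU")) {
            Set-ADComputer -Identity $c -Enabled $false
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $QuarantineOU
        }
    }
    $stale | Select-Object Name, LastLogonDate, PasswordLastSet
}

# Preview only; drop -WhatIf to apply. The value 90 is a constructed sample.
Disable-StaleComputer -Days 90 -QuarantineOU 'OU=Disabled Computers,DC=enterprise,DC=com' -WhatIf
```

The CSV keeps each account's original distinguished name, which is what you need to move a machine back if it turns out to be in use.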
Remember that it is critical to closely track all changes to computer accounts, so you can quickly spot any
unwanted modifications and respond appropriately. Here's how to monitor computer account deletions.
Creating and Deleting an Active Directory Group
In Active Directory, access to network resources is granted to security principals, such as user accounts and
computer accounts, and those permissions can change over time. To simplify access management and improve
security, medium and large companies often use Active Directory security groups, which can contain user and
computer accounts as well as other groups. They also often use distribution groups to manage email distribution
lists. Both security and distribution groups have unique SIDs and GUIDs.
If you're not already familiar with AD groups and group management, please read the Active Directory Group
Management Best Practice guide.
To create an AD group, use the New-ADGroup cmdlet. You can get its syntax by running the following command:
    Get-Command New-ADGroup -Syntax
The easiest way to create a group is to run this short script:
    New-ADGroup "Group Name"
The system will ask you to specify the GroupScope parameter and then it will create a new group. However, this
group will have default values, such as:
It will be created in the default LDAP container called Users.
It will have the Security group type.
The Members, Member of, Description, Email and Notes fields will all be blank.
Let's create a security group called Quality in the Production OU (-Path); it should be a security group
(-GroupCategory) and it should be global (-GroupScope):
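An added example (not code from the original page) of creating the Quality group with the three parameters named above, checking first that the target OU exists and that the group is not already present. The function name New-GroupIfMissing is hypothetical, and the distinguished name OU=Production,DC=enterprise,DC=com is assumed from the domain used in the earlier examples.

```powershell
#Requires -Modules ActiveDirectory
# Added example: New-GroupIfMissing is a hypothetical helper, not a built-in cmdlet.
function New-GroupIfMissing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Security', 'Distribution')][string]$GroupCategory = 'Security',
        [Parameter(Mandatory)]
        [ValidateSet('DomainLocal', 'Global', 'Universal')][string]$GroupScope
    )
    # Stop here if the OU is wrong, rather than letting New-ADGroup fail halfway.
    $null = Get-ADOrganizationalUnit -Identity $Path -ErrorAction Stop

    # SAM account names are unique per domain, so look domain-wide, not just in $Path.
    $existing = Get-ADGroup -Filter { SamAccountName -eq $Name }
    if ($existing) {
        Write-Warning "Group '$Name' already exists at $($existing.DistinguishedName)"
        return $existing
    }

    if ($PSCmdlet.ShouldProcess("$Name in $Path", "Create $GroupScope $GroupCategory group")) {
        # -PassThru returns the new group object, including its SID and GUID.
        New-ADGroup -Name $Name -SamAccountName $Name -Path $Path `
            -GroupCategory $GroupCategory -GroupScope $GroupScope -PassThru
    }
}

# The OU distinguished name below is an assumed value.
New-GroupIfMissing -Name 'Quality' -Path 'OU=Production,DC=enterprise,DC=com' `
    -GroupCategory Security -GroupScope Global
```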