Resetting a Computer Account

Like a user account, a computer account interacts with Active Directory using a password. But for computer

accounts, a password change is initiated every $30$ days by default and the password is exempted from the

domain$$s password policy. Password changes are driven by the client $($computer$),$ not AD$.$

Computer credentials usually unknown to the user because they are randomly set by the computer. But you can

set your own password; here is a PowerShell script for doing so:

$pc $=$ read$-$host $$Prompt $$Input computer name to reset$$ # Specify the computer name. $pw $=$ read$-$

host $$Prompt $$Input random characters for temp password$$AsSecureString # Specify the

password.

Get$-$ADComputer $pc $|$ Set$-$ADAccountPassword $$NewPassword:$pw $-$Reset:$true

Disabling User and Computer Accounts

To disable user, computer or service accounts, use the Disable$-$ADAccount cmdlet. The $-$Identity parameter

specifies which account to disable. You can specify an account by its distinguished name, security identifier $($SIDs$),$

globally unique identifier $($GUID$)$ or Security Account Manager $($SAM$)$ account name.

Disable$-$AdAccount $-$Identity RussellS

If you specify a computer account name, remember to append a dollar sign $($$$)$ at the end of the name; otherwise,

you$$ll get an error after script execution.

Disable$-$ADAccount $-$Identity fs$1$$

You can also disable accounts in bulk using a list in a text file:

$Pclist $=$ Get$-$Content C:$\backslash$scripts$\backslash$Computer$.$txt # Specify the path to the computer list. Foreach$($$pc in

$Pclist$)$

$\{$

Disable$-$ADAccount $-$Identity $"$$pc$"$

Get$-$ADComputer $-$Identity $"$$pc$"|$ Move$-$ADObject $-$TargetPath $$OU$=$Disabled

Computers,DC$=$enterprise,DC$=$com$$

$\}$

Deleting a Computer from Active Directory

To delete a computer account from AD$,$ use the Remove$-$ADObject cmdlet:

Remove$-$ADObject $-$Identity $"$WKS$932"$

You will be prompted to confirm the deletion.

If you have a text file with a list of old computers, you can streamline the task of removing them using

PowerShell. The following script will read the computer names from a TXT file and delete the corresponding

accounts via a pipeline:

Get$-$Content C:$\backslash$scripts$\backslash$computersfordeletion$.$txt $|\%\{$ Get$-$ADComputer $-$Filter $\{$ Name

$-$eq $$\_\}\}|$ Remove$-$ADObject $-$Recursive

Stale accounts in Active Directory can be compromised, leading to security incidents, so it is critical to keep an

eye on them. This PowerShell script will query Active Directory and return all computers that have not been

logged in to for the past $30$ days. It also will remove those accounts to keep your AD clean.

There is one computer, FS$1,$ that has been not been logged on to for more than $30$ days. The system will prompt

for confirmation before deleting it from the domain:

If you want to disable, rather than delete, the inactive computer accounts, replace the Remove$-$ADComputer

cmdlet with Set$-$ADComputer and $-$Enabled $false parameter and value.

Remove$-$

ADComputer

Get$-$ADComputer $-$Property Name,lastLogonDate $-$Filter $\{$lastLogonDate $-$lt

$stale$\}|$

FT

Name,lastLogonDate

Get$-$ADComputer $-$Property Name,lastLogonDate $-$Filter $\{$lastLogonDate $-$lt

$stale$\}|$

$stale $=($Get$-$Date$).$AddDays$(-30)$ # means $30$ days since last logon; can be changed to any

number.

Remember that it is critical to closely track all changes to computer accounts, so you can quickly spot any

unwanted modifications and respond appropriately. Here$$s how to monitor computer account deletions.

Creating and Deleting an Active Directory Group

In Active Directory, access to network resources is granted to security principals, such as user accounts and

computer accounts, and those permissions can change over time. To simplify access management and improve

security, medium and large companies often use Active Directory security groups, which can contain user and

computer accounts as well as other groups. They also often use distribution groups to manage email distribution

lists. Both security and distribution groups have unique SIDs and GUIDs.

If you$$re not already familiar with AD groups and group management, please read the Active Directory Group

Management Best Practice guide.

To create an AD group, use the New$-$ADGroup cmdlet. You can get its syntax by running the following command:

The easiest way to create a group is to run this short script:

New$-$ADGroup "Group Name"

The system will ask you to specify the GroupScope parameter and then it will create a new group. However, this

group will have default values, such as:

It will be created in the default LDAP container called $$Users$.$

It will have the $$Security$$ group type.

The Members, Member of$,$ Description, Email and Notes fields will all be blank.

Let$$s create a security group called $$Quality$$ in the $$Production$$ OU $(-$Path$)$; it should be a security group $(-$

GroupCategory$)$ and it should be global $(-$GroupScope$)$:

Get$-$Command New$-$ADGroup $$Syntax