此PowerShell脚本适用于禁用计算机,但我无法将计算机帐户移动到OU“已禁用”。我的老板不希望使用任何第三方插件来运行脚本。这是在Server2008R2上运行,任何帮助将不胜感激。
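# Find inactive (non-server) computer accounts, disable them and move them into
# a "Disabled" OU, logging every step to a file. Uses only
# System.DirectoryServices (no third-party modules); run under an account that
# may modify computer objects and write to the target OU.

# Specify log file.
$File = "c:\scripts\OldComputers.log"
# Specify the minimum number of days since the computer account password was
# last set for the computer to be considered inactive.
# NOTE(review): the value compared below is pwdLastSet, not a logon time.
# Domain members rotate their machine password automatically (30 days by
# default), so a 25-day threshold may flag machines that are still active;
# confirm the threshold, or consider lastLogonTimestamp instead.
$intDays = 25
# Specify the DN of the OU into which inactive computer objects will be moved.
$TargetOU = "ou=Disabled,dc=helpdesktest,dc=local"
# ADS_UF_ACCOUNTDISABLE bit of userAccountControl.
$ADS_UF_ACCOUNTDISABLE = 2

# Bind to target OU. [ADSI] binding is lazy, so verify the OU exists up front;
# otherwise a mistyped DN only shows up later as "Cannot move" on every object.
If (-not [ADSI]::Exists("LDAP://$TargetOU"))
{
    Add-Content -Path $File -Value "Target OU not found: $TargetOU"
    Write-Error "Target OU not found: $TargetOU"
    Exit 1
}
$OU = [ADSI]"LDAP://$TargetOU"

$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Domain = [ADSI]"LDAP://$D"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.PageSize = 200
$Searcher.SearchScope = "subtree"
# Filter on all non-server computers (objects with no operatingSystem value
# also match, because the negated clause is satisfied when the attribute is absent).
$Searcher.Filter = "(&(objectCategory=computer)(!operatingSystem=*server*))"
[void]$Searcher.PropertiesToLoad.Add("distinguishedName")
[void]$Searcher.PropertiesToLoad.Add("pwdLastSet")
$Searcher.SearchRoot = "LDAP://" + $Domain.distinguishedName

# Write information to log file.
$Today = Get-Date
Add-Content -Path $File -Value "Search for inactive computer accounts"
Add-Content -Path $File -Value "Start: $Today"
Add-Content -Path $File -Value "Base of search: $Domain"
Add-Content -Path $File -Value "Log file: $File"
Add-Content -Path $File -Value "Inactive if password not set in days: $intDays"
Add-Content -Path $File -Value "Inactive accounts moved to: $TargetOU"
Add-Content -Path $File -Value "-------------------------------------------"

# Initialize totals.
$Total = 0
$Inactive = 0
$Moved = 0
$NotMoved = 0
$NotDisabled = 0

$Results = $Searcher.FindAll()
Try
{
    ForEach ($Result In $Results)
    {
        $DN = $Result.Properties["distinguishedName"][0]
        $PLS = $Result.Properties["pwdLastSet"]
        $Total = $Total + 1
        # pwdLastSet is a FILETIME (100 ns intervals since 1601-01-01 UTC).
        # FromFileTime converts it to local time; a missing value (0) dates to
        # 1601 and is therefore always treated as inactive.
        If ($PLS.Count -eq 0)
        {
            $PwdLastSet = [DateTime]::FromFileTime(0)
        }
        Else
        {
            $PwdLastSet = [DateTime]::FromFileTime($PLS[0])
        }
        If ($PwdLastSet.AddDays($intDays) -lt $Today)
        {
            # Computer inactive.
            $Inactive = $Inactive + 1
            $Computer = [ADSI]"LDAP://$DN"
            Add-Content -Path $File -Value "Inactive: $DN - password last set $PwdLastSet"
            # Disable first, so the account is unusable even if the move fails.
            Try
            {
                $Flag = [int]$Computer.userAccountControl.Value
                # -bor sets the bit; the original -bxor toggled it and would
                # have re-enabled an account that was already disabled.
                $Computer.userAccountControl = $Flag -bor $ADS_UF_ACCOUNTDISABLE
                $Computer.SetInfo()
                Add-Content -Path $File -Value "Disabled: $DN"
            }
            Catch
            {
                $NotDisabled = $NotDisabled + 1
                Add-Content -Path $File -Value "Cannot disable: $DN - $($_.Exception.Message)"
            }
            # Move computer to target OU. One attempt only: the original issued
            # MoveTo twice and logged "Moved" from the second attempt's Catch,
            # so the log could not show whether the move had actually worked.
            Try
            {
                $Computer.psbase.MoveTo($OU)
                $Moved = $Moved + 1
                Add-Content -Path $File -Value "Moved: $DN"
            }
            Catch
            {
                $NotMoved = $NotMoved + 1
                # Record the reason; a failed move is usually a permissions
                # issue on the target OU or a wrong DN.
                Add-Content -Path $File -Value "Cannot move: $DN - $($_.Exception.Message)"
            }
        }
    }
}
Finally
{
    # FindAll() results hold unmanaged resources; release them on every exit path.
    $Results.Dispose()
    $Searcher.Dispose()
}

Add-Content -Path $File -Value "Finished: $(Get-Date)"
Add-Content -Path $File -Value "Total computer objects found: $Total"
Add-Content -Path $File -Value "Inactive: $Inactive"
Add-Content -Path $File -Value "Inactive accounts moved: $Moved"
Add-Content -Path $File -Value "Inactive accounts not moved: $NotMoved"
Add-Content -Path $File -Value "Inactive accounts not disabled: $NotDisabled"
Add-Content -Path $File -Value "-------------------------------------------"
"Total computer objects found: $Total"
"Inactive: $Inactive"
"Inactive accounts moved: $Moved"
"Inactive accounts not moved: $NotMoved"
"Inactive accounts not disabled: $NotDisabled"
"Done"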