Cornell University

Delete Obsolete Accounts in AD

This article explains how to "search and destroy" unused, old, obsolete, or inactive accounts in Active Directory using the Quest PowerShell module.

This article applies to: CornellAD

This procedure describes how to delete user and computer accounts from AD. Please be absolutely sure that the accounts are not needed before deleting.
Do not use the -Inactive or -InactiveFor parameters. See Additional Notes below.

PowerShell Cmdlets

Quest PowerShell for Active Directory provides a simple way to list and delete unused user and computer objects. The two relevant commands for listing user and computer objects are:

Get-QADUser
Get-QADComputer

These commands will list all user or computer objects in AD. To limit the search to within your OU, use the SearchRoot and SearchScope parameters. For example:

Get-QADUser `
    -SearchRoot "cornell.edu/DelegatedObjects/MyOU/IDs" `
    -SearchScope OneLevel

If you omit the SearchScope parameter, it will search all child OUs recursively (equivalent to Subtree).


To list only inactive computer accounts, use the NotLoggedOnFor parameter. Example:

Get-QADComputer `
    -SearchRoot "cornell.edu/DelegatedObjects/MyOU/UnitObjects" `
    -NotLoggedOnFor 365

This lists computers that have not logged on to AD for 365 days or more. See Additional Notes below.

Once you have a list of user or computer objects that meet your inactivity threshold (in days), pipe it to the Remove-QADObject cmdlet.

Get-QADUser `
    -SearchRoot "cornell.edu/DelegatedObjects/MyOU/IDs" `
    -NotLoggedOnFor 120 | Remove-QADObject

This removes all users within your IDs OU who have not logged in for 120 days.
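The one-liner above deletes immediately. The following added example (not from the original article, and not Quest's own sample code) wraps the same search-then-remove procedure in a review step: it writes the candidate list to a CSV, does a -WhatIf dry run, and only then removes. The OU path is taken from the examples above; the ARS server name and DOCID are placeholders, and the property names selected for the report (Name, DN, LastLogonTimestamp, PasswordLastSet) are assumed to be exposed by the Quest user objects.

```powershell
# Added example: review-then-delete workflow for stale user accounts with the Quest cmdlets.
# Placeholders (ARS-SERVER-PLACEHOLDER, DOCID) and the selected property names are assumptions.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Note 1: authenticate to the Quest ARS proxy with your DOCID so the delete is authorized.
# -Credential prompts for the DOCID password instead of embedding it in the script.
Connect-QADService -Proxy -Service 'ARS-SERVER-PLACEHOLDER' -Credential (Get-Credential 'cornell\DOCID')

$ou        = 'cornell.edu/DelegatedObjects/MyOU/IDs'   # OU from the article's example
$threshold = 120                                        # days without a logon
$report    = Join-Path $env:TEMP ("stale-users-{0}.csv" -f (Get-Date -Format 'yyyyMMdd'))

# Step 1: list the candidates. -SizeLimit 0 lifts the default cap on returned objects,
# so a large OU does not silently produce a truncated (and therefore misleading) list.
$stale = @(Get-QADUser -SearchRoot $ou -SearchScope OneLevel `
                       -NotLoggedOnFor $threshold -SizeLimit 0)

# Step 2: keep an audit record of exactly what is about to be removed.
$stale | Select-Object Name, DN, LastLogonTimestamp, PasswordLastSet |
    Export-Csv -Path $report -NoTypeInformation
Write-Host ("{0} candidate(s) written to {1}; review the file before deleting." -f $stale.Count, $report)

# Step 3: dry run. -WhatIf prints each object Remove-QADObject would delete without deleting it.
$stale | Remove-QADObject -WhatIf

# Step 4: only after reviewing the report, run the removal for real.
# Without -Confirm:$false you are prompted per object, which is the safer default.
# $stale | Remove-QADObject -Confirm:$false
```

The final removal line is left commented out on purpose: uncomment it only after the CSV has been reviewed, and keep the CSV as the record of what was deleted. If your unit prefers a reversible first step, disabling the same list (Disable-QADUser) and deleting on a later pass gives owners a chance to object before the account is gone.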

Additional Notes

  1. Be sure to authenticate to the Quest ARS server using your DOCID via the Connect-QADService cmdlet for proper access to remove accounts.
  2. The command-line parameters are the same for Get-QADUser and Get-QADComputer cmdlets.
  3. The ` character at the end of the lines in the above examples indicates a line continuation in PowerShell and is added for ease of reading. You don't have to use it during normal operations.
  4. If you want to fine-tune the search, two additional parameters are PasswordNotChangedFor and ExpiredFor.
  5. Do not use the InactiveFor parameter. It applies an "or" operation to the values for NotLoggedOnFor, PasswordNotChangedFor and ExpiredFor, so it will also list active accounts whose password simply has not been changed for the given number of days.
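Notes 4 and 5 together describe the difference between "any criterion" (InactiveFor) and "all criteria" matching. The added example below (not from the original article) shows how to get the stricter "all criteria" list for computer accounts by stacking NotLoggedOnFor and PasswordNotChangedFor, and re-checks the timestamps client-side. It assumes that multiple filter parameters on one Get-QADComputer call are combined with AND, that the objects expose LastLogonTimestamp, PasswordLastSet and CreationDate properties, and uses a hypothetical OU path.

```powershell
# Added example: "all criteria" stale-computer filter, contrasted with InactiveFor's "any criterion".
# OU path and the property names LastLogonTimestamp / PasswordLastSet / CreationDate are assumptions.
$ou   = 'cornell.edu/DelegatedObjects/MyOU/UnitObjects'
$days = 365

# lastLogonTimestamp is only replicated when it is more than ~14 days out of date, so pad the
# client-side cutoff by that interval to avoid flagging a machine that logged on recently.
$cutoff = (Get-Date).AddDays(-($days + 14))

# Loose list: InactiveFor matches if ANY one of the three criteria is met (Note 5).
$loose = @(Get-QADComputer -SearchRoot $ou -InactiveFor $days -SizeLimit 0)

# Strict list: both server-side filters must hold (assumed AND semantics), then verify
# the timestamps ourselves so the result does not depend on that assumption.
$strict = @(Get-QADComputer -SearchRoot $ou -NotLoggedOnFor $days -PasswordNotChangedFor $days -SizeLimit 0 |
    Where-Object {
        $neverLoggedOn = ($_.LastLogonTimestamp -eq $null)
        # A computer that has never logged on only counts as stale if it is itself older than the cutoff;
        # a freshly pre-staged account would otherwise be deleted before it is ever joined.
        $logonStale = if ($neverLoggedOn) { $_.CreationDate -lt $cutoff } else { $_.LastLogonTimestamp -lt $cutoff }
        $pwdStale   = ($_.PasswordLastSet -ne $null) -and ($_.PasswordLastSet -lt $cutoff)
        $logonStale -and $pwdStale
    })

Write-Host ("InactiveFor (any criterion): {0} object(s); all criteria: {1} object(s)" -f $loose.Count, $strict.Count)

# Review the strict list; nothing here deletes anything.
$strict | Select-Object Name, LastLogonTimestamp, PasswordLastSet, CreationDate | Format-Table -AutoSize
```

The two counts printed at the end make the difference concrete: the gap between them is exactly the set of accounts InactiveFor would have swept up on a single criterion. Only $strict should ever be piped to Remove-QADObject.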
