Here is another weenie script that I put together to clean up expired computer objects in our AD domain. Afer some experimantiation, I settled on using the "oldcmp.exe" tool from the excellent www.joeware.com site, rather than a combination of "dequery" "dsrm" and "dsmod" commands. The reason for going third-party here is that I could not find a particularly elegant way of handling error codes from dsmod and dsrm. If my "dsquery" returned no results, then "dsmod" gets upset and returns a non-zero error code. I then need so fancy "IF" statements to handle all possible error codes of interest. Oldcmp is just cleaner in this regard, and makes more useful output to boot.
Anyway, here is the code:
REM Inactive Computer Object Cleanup Script REM v1.0 REM JGM, 2006-06-05 :start @ECHO off ECHO Inactive Computer Object Cleanup Script Report > .logsinactive_cmp_cleanup.rpt ECHO= >> .logsinactive_cmp_cleanup.rpt REM Each of the next six IF commands will exit the script to a line-specific error report script section. The condition for determining that an error has occured is if the %errorlevel% variable returned by a command does not equal zero. REM Disables inactive computers using the following criteria: REM Default "Workstation" OU: Inactive for 26 weeks (1/2 year), "RIS-Workstations" OU: Inactive for 4 weeks (~1 months), all objects in "Resources" OU: Inactive for 26 weeks (3/4 year) oldcmp -disable -unsafe -forreal -age 183 -format csv -delim TAB -llts -nolc -b ou=workstations,dc=campus,dc=ad,dc=uvm,dc=edu -file .logswksDisRpt.tsv > .logsinactive_cmp_cleanup.log IF %ERRORLEVEL% NEQ 0 THEN goto wksDisEr oldcmp -disable -unsafe -forreal -age 30 -format csv -delim TAB -llts -nolc -b ou=ris-workstations,ou=cit,dc=campus,dc=ad,dc=uvm,dc=edu -file .logsrisDisRpt.tsv >> .logsinactive_cmp_cleanup.log IF %ERRORLEVEL% NEQ 0 THEN goto risDisEr oldcmp -disable -unsafe -forreal -age 183 -format csv -delim TAB -llts -nolc -b ou=resources,dc=campus,dc=ad,dc=uvm,dc=edu -file .logsresDisRpt.tsv >> .logsinactive_cmp_cleanup.log IF %ERRORLEVEL% NEQ 0 THEN goto resDisEr REM Removes inactive computers using the following criteria: REM Default "Workstation" OU: Inactive for 39 weeks (3/4 year), "RIS-Workstations" OU: Inactive for 13 weeks (~3 months), all objects in "Resources" OU: Inactive for 39 weeks (3/4 year) oldcmp -delete -unsafe -forreal -age 274 -format csv -delim TAB -llts -nolc -b ou=workstations,dc=campus,dc=ad,dc=uvm,dc=edu -file .logswksDelRpt.tsv >> .logsinactive_cmp_cleanup.log IF %ERRORLEVEL% NEQ 0 THEN goto wksDelEr oldcmp -delete -unsafe -forreal -age 90 -format csv -delim TAB -llts -nolc -b ou=ris-workstations,ou=cit,dc=campus,dc=ad,dc=uvm,dc=edu -file .logsrisDelRpt.tsv >> .logsinactive_cmp_cleanup.log IF %ERRORLEVEL% NEQ 0 THEN goto risDelEr oldcmp -delete -unsafe -forreal -age 274 -format csv -delim TAB -llts -nolc -b ou=resources,dc=campus,dc=ad,dc=uvm,dc=edu -file .logsresDelRpt.tsv >> .logsinactive_cmp_cleanup.log IF %ERRORLEVEL% NEQ 0 THEN goto resDelEr goto noErr REM Following six sections will append a section-specific error message to the report file, then exit to the "errRpt" section of the script. :wksDisEr ECHO Something went terribly wrong in the workstation OU disable process >> .logsinactive_cmp_cleanup.rpt goto errRpt :risDisEr ECHO Something went terribly wrong in the RIS-Workstations OU disable process >> .logsinactive_cmp_cleanup.rpt goto errRpt :resDisEr ECHO Something went terribly wrong in the Resources OU disable process >> .logsinactive_cmp_cleanup.rpt goto errRpt :wksDelEr ECHO Something went terribly wrong in the workstation OU deletion process >> .logsinactive_cmp_cleanup.rpt goto errRpt :risDelEr ECHO Something went terribly wrong in the RIS OU deletion process >> .logsinactive_cmp_cleanup.rpt goto errRpt :resDelEr ECHO Something went terribly wrong in the Resources OU deletion process >> .logsinactive_cmp_cleanup.rpt goto errRpt :errRpt REM Append the script log to the error report, set status of the script to "FAILED" ECHO Errors were reported. Analyze the logs below for clues. >> .logsinactive_cmp_cleanup.rpt SET ScriptStat=FAILED goto mailRpt :noErr REM Append a 'no error' message to the report file, set script status to "SUCCESS" ECHO No errors were reported in the process. Activity report follows: >> .logsinactive_cmp_cleanup.rpt SET ScriptStat=SUCCESS goto mailRpt :mailRpt REM Append the reports from each "oldcmp" run into the consolidated report: type .logsinactive_cmp_cleanup.log >> .logsinactive_cmp_cleanup.rpt REM use external "blat" tool to mail the generated report file to concerned parties: blat .logsinactive_cmp_cleanup.rpt -to jgm@uvm.edu,gcd@uvm.edu,pjp@uvm.edu -subject "%ScriptStat% - Inactive Computer Account Cleanup Script" :end ECHO All done!
J. Greg's Brain Corral 