Disable rogue domain computers with Powershell

Ever find out that there are employees who insist on joining their own computers to your company's domain? Hate having to manually check every once in a while for new machines? Fret no more! Here's a simple script that will simply disable those computer accounts!

#
#	disable unauthorized computers
#

## Create the AD object for looping through.
$root = New-Object DirectoryServices.DirectoryEntry "LDAP://CN=Computers,DC=domain,DC=com"

$selector = New-Object DirectoryServices.DirectorySearcher
$selector.SearchRoot = $root
## Only return computer objects; without a filter the search also returns the container itself.
$selector.Filter = "(objectCategory=computer)"
## Page the results so domains with more than 1000 computers are enumerated completely.
$selector.PageSize = 1000
$props = @'
operatingsystemservicepack
iscriticalsystemobject
samaccountname
useraccountcontrol
primarygroupid
instancetype
displayname
pwdlastset
logoncount
samaccounttype
serviceprincipalname
dnshostname
usnchanged
lastlogon
accountexpires
adspath
distinguishedname
operatingsystem
codepage
name
whenchanged
lastlogontimestamp
operatingsystemversion
objectclass
countrycode
cn
whencreated
objectsid
objectguid
localpolicyflags
objectcategory
usncreated
ms-DS-CreatorSID
createTimeStamp
'@
## Split the here-string on either line-ending style and drop blank entries.
## Split([Environment]::NewLine) treated CR and LF as two separate separators and produced empty names.
$selector.PropertiesToLoad.AddRange([string[]]($props -split '\r?\n' | Where-Object { $_.Trim() }))

##Find everything in the Computers container
$finds = $selector.FindAll()

##Loop through and find Computers that were added by non-IT personnel.
##Since IT usually has rights to add machines to the domain, ms-ds-creatorsid isn't populated.
foreach($c in $finds) {
	## Test for the attribute's presence explicitly: comparing an array to $null with -eq
	## filters the array instead of returning a boolean, so the original check never skipped anything.
	if(-not $c.Properties.Contains("ms-ds-creatorsid")) { continue; }

	##alright, we've passed the test, now to disable it!
	$a = [ADSI] $c.Path;
	$a.psbase.InvokeSet('AccountDisabled', $True);
	$a.psbase.CommitChanges();
}
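The same check written as an audit-first script, added here as an example rather than taken from the post above: it uses the RSAT ActiveDirectory module instead of raw ADSI, resolves each ms-DS-CreatorSID to the account that joined the machine, reports every match, and only disables accounts when -Disable is passed (honouring -WhatIf). The search base, the ConvertTo-CreatorSid helper and the -Disable switch are assumptions for this example, not part of the original script.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the post's script): report, and optionally disable, computer
# accounts whose ms-DS-CreatorSID is populated, i.e. joined by a user through the
# machine-account quota rather than by an administrator with create-child rights.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: same container as the post; adjust for your domain.
    [string]$SearchBase = 'CN=Computers,DC=domain,DC=com',
    # Report only unless -Disable is given.
    [switch]$Disable
)

# Hypothetical helper: the AD module may hand the attribute back as a byte[] or as
# a SecurityIdentifier depending on version, so normalise both to a SecurityIdentifier.
function ConvertTo-CreatorSid {
    param([Parameter(Mandatory)] $RawValue)
    if ($RawValue -is [System.Security.Principal.SecurityIdentifier]) { return $RawValue }
    return New-Object System.Security.Principal.SecurityIdentifier([byte[]]$RawValue, 0)
}

# Let the directory do the filtering: only objects with the attribute set come back.
$rogue = Get-ADComputer -SearchBase $SearchBase -Filter 'ms-DS-CreatorSID -like "*"' `
    -Properties 'ms-DS-CreatorSID', whenCreated, OperatingSystem

foreach ($c in $rogue) {
    $sid = ConvertTo-CreatorSid $c.'ms-DS-CreatorSID'
    try {
        # Resolve to DOMAIN\user so the report names who joined the machine.
        $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Creator account may have been deleted; keep the raw SID in that case.
        $creator = $sid.Value
    }

    # One report row per rogue machine; pipe the script to Export-Csv to keep a record.
    [pscustomobject]@{
        Computer = $c.Name
        Creator  = $creator
        Created  = $c.whenCreated
        Enabled  = $c.Enabled
        OS       = $c.OperatingSystem
    }

    if ($Disable -and $c.Enabled -and
        $PSCmdlet.ShouldProcess($c.DistinguishedName, "Disable computer account created by $creator")) {
        Disable-ADAccount -Identity $c.DistinguishedName
    }
}
```

Run it without switches first to see what it would touch, then with `-Disable -WhatIf` to preview the changes, and finally with `-Disable` once the list looks right. Disabling is a cleanup step; the control that stops the joins in the first place is the domain's ms-DS-MachineAccountQuota attribute, which defaults to 10 and can be set to 0 so that only accounts with explicit create-child rights on the container can add machines.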