Marketplace PowerShell Scripts
The Delinea Marketplace provides downloadable applications, scripts, utilities, and other software. With scripts, you can automate administrative tasks. For more information about the Marketplace, see Marketplace.
AD Orphan Object Cleanup Script
This topic describes the AD Orphan Object Cleanup script. This script runs on Windows computers and can be used to automate removal of obsolete items in Active Directory (AD). The script finds and deletes all user, group, and computer profiles that no longer have a corresponding Active Directory account on all managed computers in each zone.
Installing the PowerShell Access Module
This section explains how to download and install the Windows PowerShell Access Module, which you will need to run the AD Orphan Object Cleanup script. The script is included as part of the PowerShell Access Module.
You can download the access module for PowerShell as a separate package from the Delinea Download Center under Software Development Kits.
After you have downloaded the compressed file to your computer, extract the files and run the setup program to install the access module for PowerShell files.
To use the authentication and privilege elevation module for Windows PowerShell on a Windows Server Core computer, you must first install Windows PowerShell, version 2.0 or later. Because Server Core has a limited user interface, install the module in silent mode and check the process exit code to determine whether the installation succeeded or failed.
Server core is a minimal installation option that is available when you are deploying Windows Server. Server core includes most but not all server roles.
To run the setup program:
- Download the access module for PowerShell as a separate package from the Delinea Download Center under Software Development Kits.
- In Windows File Explorer, right-click the downloaded file and select Extract All.
- In the folder that contains the extracted files, double-click the setup program. For example, for the 64-bit version, double-click the CentrifyDC_PowerShell-5.2.0-win64.exe file. Alternatively, you can install from the Microsoft Installer (.msi) file. For example, you might run the following command:
  msiexec.exe /i "CentrifyDC_PowerShell-5.2.0-win64.msi" /norestart
  The Welcome page appears.
- Click Next. The License Agreement page appears.
- Select I accept the terms in the License Agreement.
- Click Next. The Location page appears.
- Accept the default location.
- Click Next.
- Click Install.
- Click Finish.
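The silent installation described above for Server Core, written out as an added example that is not part of the Delinea documentation. The .msi file name is the one the documentation uses; the installer log path and the use of the standard msiexec `/qn` and `/L*v` switches are this example's choices.

```powershell
# Added example (not Delinea's code): silent install of the PowerShell access
# module on Windows Server Core, where the setup UI is not available, followed
# by the exit-code check the documentation asks for.
param(
    [string]$MsiPath = ".\CentrifyDC_PowerShell-5.2.0-win64.msi",   # documented .msi name
    [string]$LogPath = "$env:TEMP\CentrifyDC_PowerShell_install.log" # assumption
)

if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "Installer not found: $MsiPath"
}

# /qn suppresses the UI entirely; /norestart matches the documented command;
# /L*v writes a verbose Windows Installer log to inspect if the install fails.
$arguments = @(
    '/i', ('"{0}"' -f (Resolve-Path -LiteralPath $MsiPath).Path),
    '/qn',
    '/norestart',
    '/L*v', ('"{0}"' -f $LogPath)
)

$process = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru

# Standard Windows Installer results: 0 = success,
# 3010 = success, but a restart is required before the module is usable.
switch ($process.ExitCode) {
    0    { Write-Output "Installed successfully." }
    3010 { Write-Warning "Installed; a restart is required to complete setup." }
    default {
        Write-Error "msiexec failed with exit code $($process.ExitCode). See $LogPath"
        exit $process.ExitCode
    }
}
```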
Creating and Using a Connection
Because the Delinea access module for PowerShell cmdlets manipulate objects in Active Directory, you must establish a connection with Active Directory before using the AD Orphan Object Cleanup script. To do that, you must specify a target domain or domain controller and the credentials to use when connecting to that domain or domain controller.
Once the credentials are set, all subsequent calls share that information—you do not have to provide the credential or the domain controller for any subsequent calls.
The following example illustrates how to use the administrator account to connect to the finance.acme domain, then add the user joe.doe to the Engineering zone:
PS C:\> Set-CdmCredential "finance.acme" "administrator"
PS C:\> Get-CdmCredential
Target        Type    User
------        ----    ----
finance.acme  Forest  administrator@finance.acme
PS C:\> $zone = Get-CdmZone -Name "Engineering"
PS C:\> New-CdmUserProfile -Zone $zone -User "joe.doe@finance.acme" -Login "jdoe"
In this example, the cmdlets that get the zone and create the user profile use the credential that is cached by the Set-CdmCredential command. The Get-CdmCredential cmdlet shows what credentials are currently cached.
Confirming Licenses
The AD Orphan Object Cleanup script checks for a valid license before it runs. The license check succeeds only if there is at least one evaluation, workstation, or server license that has not expired.
If the license check fails, the script displays an error and stops running. Otherwise, the result is cached. The next time the script tries to access the same forest, it uses the cached result rather than performing the license check again.
The cache is only effective in one PowerShell console. If another PowerShell console runs the script accessing the same forest, the cmdlet in that console must perform a separate license check.
Running the Script
To run the AD Orphan Object Cleanup script:
- Open the Delinea access module for PowerShell.
- Verify you have permission to execute scripts by running Get-ExecutionPolicy. In most cases, the permission to execute scripts is restricted.
- If necessary, use Set-ExecutionPolicy to allow execution. For example: Set-ExecutionPolicy Unrestricted. For more about execution policies and the options available, run the get-help command.
- Verify you are in the directory where the script is located.
- Run the script:
  .\RemoveAllOrphans
Using the Default Windows PowerShell Console
Alternatively, you can use the default Windows PowerShell console. If you choose to use that console, run import-module with the path to the access module for PowerShell libraries before performing the above procedure. For example, if you installed the module in the default location, run the following command to import the Delinea access module for PowerShell:
import-module "C:\Program Files\Centrify\PowerShell\Centrify.DirectControl.PowerShell.dll"
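The procedure in Running the Script, combined with the import step for the default console, as one wrapper script; this is an added example and not part of the Delinea documentation or the RemoveAllOrphans script. The module path is the documented default; the script directory, domain and account are placeholders, and narrowing the execution policy to the current process (instead of the documented Set-ExecutionPolicy Unrestricted) is this example's choice.

```powershell
# Added example (not Delinea's code): prepare a default Windows PowerShell
# console and run the AD Orphan Object Cleanup script from its directory.
param(
    [string]$ModulePath = 'C:\Program Files\Centrify\PowerShell\Centrify.DirectControl.PowerShell.dll', # documented default
    [Parameter(Mandatory)] [string]$ScriptDir,            # assumption: folder containing RemoveAllOrphans
    [string]$Domain = 'finance.acme',                     # placeholder target domain
    [string]$User   = 'administrator'                     # placeholder account
)

# Allow script execution for this process only; the machine-wide policy is
# left untouched, so nothing stays loosened after the console closes.
if ((Get-ExecutionPolicy) -eq 'Restricted') {
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
}

# Load the access module so the Cdm cmdlets are available in this console.
Import-Module -Name $ModulePath -ErrorAction Stop

# Cache the connection credential, using the positional form shown in the
# documentation; all later cmdlets in this console reuse it.
Set-CdmCredential $Domain $User

# Get-CdmCredential lists cached credentials with Target, Type and User columns;
# refuse to run the cleanup unless the target forest actually has one cached.
$cached = Get-CdmCredential | Where-Object { $_.Target -eq $Domain }
if (-not $cached) {
    throw "No cached credential for $Domain; aborting before any deletions."
}

# The script must be run from the directory where it is located.
Push-Location -LiteralPath $ScriptDir
try {
    .\RemoveAllOrphans
}
finally {
    Pop-Location
}
```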
Enabling Logging
For performance, logging for cmdlets is disabled by default, which means logging for the AD Orphan Object Cleanup Script is disabled. To enable logging, you must modify the registry on the computer where you are running the access module for Windows PowerShell.
To enable logging:
- Run regedit to open the Registry Editor.
- Select the registry key HKEY_CURRENT_USER > Software > Delinea.
- Right-click, then select New > Key and type CIMS.
- Select the new CIMS key, right-click, then select New > String Value and give it the name LogPath.
- Specify the path to the log file. For example, set the value to C:\Temp\Log.
- Select the new CIMS key, right-click, then select New > DWORD (32-bit) Value and give it the name TraceLevel.
- Specify the level of detail to write to the log file. The valid settings are:
  - 0 - disable logging
  - 1 - log only error messages
  - 2 - log errors and warning messages
  - 3 - log errors, warnings, and informational messages
  - 4 - log all debugging and tracing messages
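The same registry configuration performed from PowerShell instead of regedit, as an added example that is not part of the Delinea documentation. The key path, value names and trace levels are the documented ones; the function names and the C:\Temp\Log directory are this example's choices.

```powershell
# Added example (not Delinea's code): set and read back the cmdlet logging
# values documented for HKEY_CURRENT_USER\Software\Delinea\CIMS.
$KeyPath = 'HKCU:\Software\Delinea\CIMS'

function Set-CdmCmdletLogging {
    param(
        [Parameter(Mandatory)] [string]$LogPath,
        [ValidateRange(0, 4)] [int]$TraceLevel = 2   # 2 = errors and warnings
    )
    # -Force creates the missing parent keys (Software\Delinea) as well.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Create the log directory up front so the first log write does not fail.
    if (-not (Test-Path -LiteralPath $LogPath)) {
        New-Item -ItemType Directory -Path $LogPath | Out-Null
    }
    # LogPath is a String value, TraceLevel a DWORD (32-bit) value, as documented.
    New-ItemProperty -Path $KeyPath -Name 'LogPath'    -PropertyType String -Value $LogPath    -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name 'TraceLevel' -PropertyType DWord  -Value $TraceLevel -Force | Out-Null
}

function Get-CdmCmdletLogging {
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $props  = Get-ItemProperty -Path $KeyPath
    $levels = @{
        0 = 'disabled'
        1 = 'errors only'
        2 = 'errors and warnings'
        3 = 'errors, warnings and informational'
        4 = 'all debugging and tracing'
    }
    [pscustomobject]@{
        LogPath    = $props.LogPath
        TraceLevel = $props.TraceLevel
        Meaning    = $levels[[int]$props.TraceLevel]
    }
}

# Example usage (hypothetical log directory): errors and warnings to C:\Temp\Log.
Set-CdmCmdletLogging -LogPath 'C:\Temp\Log' -TraceLevel 2
Get-CdmCmdletLogging
```

Setting TraceLevel back to 0 with the same function disables logging again, which matters because a level of 4 writes every cmdlet trace, including account and zone details, to a user-writable path.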