Saturday, October 18, 2025

Mastering Active Directory Hygiene: Automating SIDHistory Cleanup with CleanupMonster


The first step is to install the CleanupMonster module.

Install-Module CleanupMonster -Force -Verbose

Then it is a matter of running a single function, Invoke-ADSIDHistoryCleanup. Below is an example of how to schedule a slow, controlled cleanup over time. Note the use of specific SIDHistoryDomains, RemoveLimits, and the other settings.

# Prepare splat
$invokeADSIDHistoryCleanupSplat = @{
    Verbose                 = $true
    WhatIf                  = $true          # dry run: nothing is removed until this is dropped
    IncludeSIDHistoryDomain = @(
        # 'S-1-5-21-3661168273-3802070955-2987026695'
        'S-1-5-21-853615985-2870445339-3163598659'
    )
    RemoveLimitSID          = 1              # at most 1 SID history entry per run
    RemoveLimitObject       = 2              # at most 2 objects per run
    SafetyADLimit           = 1              # stop if fewer objects with SID history are found in AD
    ShowHTML                = $true
    Online                  = $true
    LogPath                 = "$PSScriptRoot\ProcessedSIDHistory.log"
    ReportPath              = "$PSScriptRoot\ProcessedSIDHistory.html"
    DataStorePath           = "$PSScriptRoot\ProcessedSIDHistory.xml"
}

# Run the script
$Output = Invoke-ADSIDHistoryCleanup @invokeADSIDHistoryCleanupSplat
$Output | Format-Table -AutoSize

# Let's send an email
$EmailBody = $Output.EmailBody

# Send email with Microsoft Graph using the Mailozaurr module
Connect-MgGraph -Scopes 'Mail.Send' -NoWelcome
Send-EmailMessage -To 'przemyslaw.klys@test.pl' -From 'przemyslaw.klys@test.pl' -MgGraphRequest -Subject "Automated SID Cleanup Report" -Body $EmailBody -Priority Low -Verbose

Once you run the script, an HTML report is generated, and you can also send an email with pre-prepared content. Keep in mind that the function has several other parameters that help you delete only what you want. Please DO NOT RUN the script without first testing it in a TEST ENVIRONMENT and understanding what happens and how it affects the environment! This function is DANGEROUS! Here is the help file for the function that cleans up SID History on a global level.
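Before letting the function remove anything, it helps to know which issuing domains actually appear in sIDHistory, how many objects carry them, and how many of those are disabled, because those numbers are what IncludeSIDHistoryDomain, RemoveLimitObject and SafetyADLimit are chosen against. The script below is an added example, not part of the original post or of the CleanupMonster module; it builds that inventory with the RSAT ActiveDirectory module and classifies each entry as Internal (issued by a domain in the current forest) or ExternalOrUnknown, which is as far as forest membership alone can tell. The function name Get-SIDHistoryInventory and its output shape are this example's own.

```powershell
# Added example (not from the original post or the CleanupMonster module):
# inventory sIDHistory in the current domain before running
# Invoke-ADSIDHistoryCleanup, so that -IncludeSIDHistoryDomain /
# -ExcludeSIDHistoryDomain and -SafetyADLimit are chosen from real data.
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-SIDHistoryInventory {
    [CmdletBinding()]
    param(
        # Where to search; defaults to the root of the current domain
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Domain SIDs that belong to this forest; entries issued by them are 'Internal'
    # in the sense of the -IncludeType parameter. Anything else is external (a
    # trusted domain) or unknown (a domain that no longer exists); this script does
    # not tell those two apart, Get-ADTrust is the place to check that.
    $forestDomains = @{}
    foreach ($name in (Get-ADForest).Domains) {
        $domain = Get-ADDomain -Identity $name
        $forestDomains[$domain.DomainSID.Value] = $domain.DNSRoot
    }

    # Every object that still carries at least one sIDHistory value
    $objects = Get-ADObject -LDAPFilter '(sIDHistory=*)' -SearchBase $SearchBase `
        -SearchScope Subtree -Properties sIDHistory, userAccountControl

    $entries = foreach ($obj in $objects) {
        foreach ($raw in $obj.sIDHistory) {
            # The AD module returns SecurityIdentifier objects; accept strings or bytes too
            $sid = if ($raw -is [byte[]]) {
                [System.Security.Principal.SecurityIdentifier]::new($raw, 0)
            } else {
                [System.Security.Principal.SecurityIdentifier]$raw
            }
            # Issuing domain = account SID without the trailing RID; null for well-known SIDs
            $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { '(none)' }
            [pscustomobject]@{
                DistinguishedName = $obj.DistinguishedName
                ObjectClass       = $obj.ObjectClass
                # ACCOUNTDISABLE is bit 0x2 of userAccountControl (null on groups, which gives 0)
                Disabled          = (($obj.userAccountControl -band 0x2) -ne 0)
                HistorySID        = $sid.Value
                DomainSID         = $domainSid
                Type              = if ($forestDomains.ContainsKey($domainSid)) { 'Internal' } else { 'ExternalOrUnknown' }
                DomainName        = $forestDomains[$domainSid]
            }
        }
    }

    # One summary row per issuing domain SID: these SIDs are what you pass to
    # -IncludeSIDHistoryDomain / -ExcludeSIDHistoryDomain
    $summary = $entries | Group-Object DomainSID | ForEach-Object {
        [pscustomobject]@{
            DomainSID       = $_.Name
            DomainName      = $_.Group[0].DomainName
            Type            = $_.Group[0].Type
            Entries         = $_.Count
            Objects         = @($_.Group.DistinguishedName | Sort-Object -Unique).Count
            DisabledObjects = @($_.Group | Where-Object Disabled |
                                Select-Object -ExpandProperty DistinguishedName | Sort-Object -Unique).Count
        }
    }

    [pscustomobject]@{
        ObjectCount = @($objects).Count   # the number -SafetyADLimit is compared against
        EntryCount  = @($entries).Count
        Summary     = $summary
        Entries     = $entries
    }
}

# Usage: build the inventory, review the per-domain summary, then pick the limits
$inventory = Get-SIDHistoryInventory
$inventory.Summary | Sort-Object Entries -Descending | Format-Table -AutoSize
"Objects with sIDHistory: $($inventory.ObjectCount); entries: $($inventory.EntryCount)"
```

Read the summary before filling in the splat: the DomainSID column is the value for IncludeSIDHistoryDomain, the Objects column tells you how many runs a given RemoveLimitObject needs, and ObjectCount is what SafetyADLimit must stay below for the cleanup to proceed at all. Running this as the same account and from the same host as the cleanup also confirms the read path works before the first WhatIf run.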

NAME
    Invoke-ADSIDHistoryCleanup

SYNOPSIS
    Cleans up SID history entries in Active Directory based on various filtering criteria.


SYNTAX
    Invoke-ADSIDHistoryCleanup [[-Forest] <String>] [[-IncludeDomains] <String[]>] [[-ExcludeDomains] <String[]>] [[-IncludeOrganizationalUnit]
    <String[]>] [[-ExcludeOrganizationalUnit] <String[]>] [[-IncludeSIDHistoryDomain] <String[]>] [[-ExcludeSIDHistoryDomain] <String[]>]
    [[-RemoveLimitSID] <Nullable`1>] [[-RemoveLimitObject] <Nullable`1>] [[-IncludeType] <String[]>] [[-ExcludeType] <String[]>] [[-ReportPath] <String>]
    [[-DataStorePath] <String>] [-ReportOnly] [[-LogPath] <String>] [[-LogMaximum] <Int32>] [-LogShowTime] [[-LogTimeFormat] <String>] [-Suppress]
    [-ShowHTML] [-Online] [-DisabledOnly] [[-SafetyADLimit] <Nullable`1>] [-DontWriteToEventLog] [-WhatIf] [-Confirm] [<CommonParameters>]


DESCRIPTION
    This function identifies and removes SID history entries from AD objects based on specified filters.
    It can target internal domains (same forest), external domains (trusted), or unknown domains.
    The function allows for detailed reporting before making any changes.


PARAMETERS
    -Forest <String>
        The name of the forest to process. If not specified, uses the current forest.

    -IncludeDomains <String[]>
        An array of domains to include in the cleanup process.

    -ExcludeDomains <String[]>
        An array of domains to exclude from the cleanup process.

    -IncludeOrganizationalUnit <String[]>
        An array of organizational units to include in the cleanup process.

    -ExcludeOrganizationalUnit <String[]>
        An array of organizational units to exclude from the cleanup process.

    -IncludeSIDHistoryDomain <String[]>
        An array of domain SIDs to include when cleaning up SID history.

    -ExcludeSIDHistoryDomain <String[]>
        An array of domain SIDs to exclude when cleaning up SID history.

    -RemoveLimitSID <Nullable`1>
        Limits the total number of SID history entries to remove.

    -RemoveLimitObject <Nullable`1>
        Limits the total number of objects to process for SID history removal. Defaults to 1 to prevent accidental mass deletions.

    -IncludeType <String[]>
        Specifies which types of SID history to include: 'Internal', 'External', or 'Unknown'.
        Defaults to all three types if not specified.

    -ExcludeType <String[]>
        Specifies which types of SID history to exclude: 'Internal', 'External', or 'Unknown'.

    -ReportPath <String>
        The path where the HTML report should be saved. Used with the -Report parameter.

    -DataStorePath <String>
        Path to the XML file used to store processed SID history entries.

    -ReportOnly [<SwitchParameter>]
        If specified, only generates a report without making any changes.

    -LogPath <String>
        The path to the log file to write.

    -LogMaximum <Int32>
        The maximum number of log files to keep.

    -LogShowTime [<SwitchParameter>]
        If specified, includes the time in the log entries.

    -LogTimeFormat <String>
        The format to use for the time in the log entries.

    -Suppress [<SwitchParameter>]
        Suppresses the output of the function and only returns the summary information.

    -ShowHTML [<SwitchParameter>]
        If specified, shows the HTML report in the default browser.

    -Online [<SwitchParameter>]
        If specified, uses online resources in the HTML report (CSS/JS is loaded from a CDN). Otherwise local resources are used (bigger HTML file).

    -DisabledOnly [<SwitchParameter>]
        Only processes objects that are disabled.

    -SafetyADLimit <Nullable`1>
        Stops processing if the number of objects with SID history in AD is lower than the specified limit.

    -DontWriteToEventLog [<SwitchParameter>]

    -WhatIf [<SwitchParameter>]
        Shows what would happen if the function runs. The SID history entries are not actually removed.

    -Confirm [<SwitchParameter>]

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer, PipelineVariable, and OutVariable. For more information, see
        about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

    -------------------------- EXAMPLE 1 --------------------------

    PS C:\>Invoke-ADSIDHistoryCleanup -Forest "contoso.com" -IncludeType "External" -ReportOnly -ReportPath "C:\Temp\SIDHistoryReport.html" -WhatIf

    Generates a report of external SID history entries in the contoso.com forest without making any changes.


    -------------------------- EXAMPLE 2 --------------------------

    PS C:\>Invoke-ADSIDHistoryCleanup -IncludeDomains "domain1.local" -IncludeType "Internal" -RemoveLimitSID 2 -WhatIf

    Removes up to 2 internal SID history entries from objects in domain1.local.


    -------------------------- EXAMPLE 3 --------------------------

    PS C:\>Invoke-ADSIDHistoryCleanup -ExcludeSIDHistoryDomain "S-1-5-21-1234567890-1234567890-1234567890" -WhatIf -RemoveLimitObject 2

    Shows what SID history entries would be removed while excluding entries from the specified domain SID. Limits the number of objects to process to 2.


    -------------------------- EXAMPLE 4 --------------------------

    PS C:\># Prepare splat

    $invokeADSIDHistoryCleanupSplat = @{
        Verbose                 = $true
        WhatIf                  = $true
        IncludeSIDHistoryDomain = @(
            'S-1-5-21-3661168273-3802070955-2987026695'
            'S-1-5-21-853615985-2870445339-3163598659'
        )
        IncludeType             = "External"
        RemoveLimitSID          = 1
        RemoveLimitObject       = 2

        SafetyADLimit           = 1
        ShowHTML                = $true
        Online                  = $true
        DisabledOnly            = $true
        #ReportOnly              = $true
        LogPath                 = "C:\Temp\ProcessedSIDHistory.log"
        ReportPath              = "$PSScriptRoot\ProcessedSIDHistory.html"
        DataStorePath           = "$PSScriptRoot\ProcessedSIDHistory.xml"
    }

    # Run the script
    $Output = Invoke-ADSIDHistoryCleanup @invokeADSIDHistoryCleanupSplat
    $Output | Format-Table -AutoSize

    # Let's send an email
    $EmailBody = $Output.EmailBody

    Connect-MgGraph -Scopes 'Mail.Send' -NoWelcome
    Send-EmailMessage -To 'przemyslaw.klys@test.pl' -From 'przemyslaw.klys@test.pl' -MgGraphRequest -Subject "Automated SID Cleanup Report" -Body $EmailBody -Priority Low -Verbose


REMARKS
    To see the examples, type: "get-help Invoke-ADSIDHistoryCleanup -examples".
    For more information, type: "get-help Invoke-ADSIDHistoryCleanup -detailed".
    For technical information, type: "get-help Invoke-ADSIDHistoryCleanup -full".
