AD User account cleanup

    by thedietz at 2012-10-02 07:22:05

    Let me start by saying thanks and that I am very, very new to scripting/PowerShell/all of the above. I have been tasked with cleaning up our AD environment a little bit. My tasks are to 1. Find AD user accounts that have been inactive for 6 months or longer and pipe that info to a file. 2. Set those accounts to "disabled". 3. Move those "disabled" accounts to a "disabled accounts" OU in AD. I have come up with 3 separate cmdlets to do each one as follows.

    1. search-adaccount -usersonly -accountinactive -timespan "180" -searchbase "ou=users,dc=test,dc=org" | export-csv e:\test\test.txt
    2. search-adaccount -usersonly -accountinactive -timespan "180" -searchbase "ou=users,dc=test,dc=org" | disable-adaccount
    3. Search-ADAccount -AccountDisabled -UsersOnly -SearchBase "OU=users,dc=test,dc=org" | Move-ADObject -TargetPath "OU=Disabled Users,dc=test,dc=org"

    Running each of these one at a time gives the correct results. I am confused with piping though. I thought I could run all 3 with one command such as this...

    search-adaccount -usersonly -accountinactive -timespan "180" -searchbase "ou=users,dc=test,dc=org" | export-csv e:\test\test.csv | disable-adaccount | Move-ADObject -TargetPath "OU=Disabled Users,dc=test,dc=org"

    This only performs the first pipe though and exports the data to a CSV file. It does not disable or move accounts. Am I wrong in thinking I can run my first cmdlet and then pipe those results to do these 3 specific tasks?

    Thanks for the help, and I hope I explained what I am attempting well enough.

    by jonhtyler at 2012-10-02 07:34:00

    The reason that you are having this problem is that the Export-CSV does not pass the objects through to the next statement. I think if you re-arrange your statement, it might work better for you. Try this:

    search-adaccount -usersonly -accountinactive -timespan "180" -searchbase "ou=users,dc=test,dc=org" | disable-adaccount -passthru | Move-ADObject -TargetPath "OU=Disabled Users,dc=test,dc=org" -passthru | export-csv e]

    Notice the use of the -Passthru parameter on the two AD cmdlets.

    by thedietz at 2012-10-02 08:44:55

    Nice.. worked perfectly. Should I always use the -passthru parameter if I want to send the results to the next cmdlet?

    by jonhtyler at 2012-10-02 08:52:17

    Usually, yes, but there is not always a -Passthru parameter available. You can find out what options there are for a cmdlet by using the Get-Help cmdlet with the -detailed or -full parameters. So, for instance, if you want to see what is available for Export-CSV, you would type:

    Get-Help Export-CSV -detailed

    and it will tell you how the cmdlet works and how to use the different parameters to get what you want out of it. You can even use Get-Help on the Get-Help cmdlet as there are some other helpful parameters you can use there as well. There is a lot you can learn just by interrogating the cmdlets with the online help system.

    by Steve at 2012-10-02 11:11:25

    Something else you can use is Tee-Object. That allows the object(s) to move in two paths.

    search-adaccount -usersonly -accountinactive -timespan "180" -searchbase "ou=users,dc=test,dc=org" | Tee-Object -FilePath e:\test\test.txt | disable-adaccount

    by RichardSiddaway at 2012-10-06 01:58:48

    Tee-Object splits the pipeline, but one path has to go to a file or variable. Unfortunately it isn't a complete split of the pipeline to make two new pipelines.

    by thedietz at 2012-10-08 06:49:24

    One more question on this project. The way our AD is set up, under our domain we have OUs representing different departments in the organization. Under each department OU is a USERS OU for that department. Is there a way I can use the -searchbase "ou=users,ou=billing,dc=test,dc=org" to point to several locations? For example, to have it searchbase ou=users,ou=billing,dc=test,dc=org AND ALSO ou=users,ou=accounting,dc=test,dc=org ... and do this all in one command? Or will it need to be a separate command for each department, such as..

    search-adaccount -usersonly -accountinactive -timespan "180" -searchbase "ou=users,ou=billing,dc=test,dc=org" | disable-adaccount -passthru | Move-ADObject -TargetPath "OU=Disabled Users,dc=test,dc=org" -passthru | export-csv e:\test\test.csv

    and also run

    search-adaccount -usersonly -accountinactive -timespan "180" -searchbase "ou=users,ou=accounting,dc=test,dc=org" | disable-adaccount -passthru | Move-ADObject -TargetPath "OU=Disabled Users,dc=test,dc=org" -passthru | export-csv e:\test\test.csv

    There are about 7 different departments, so that is why it would be easiest to get this all into one command rather than running it 7 times and exporting 7 CSVs.

    If I have to run a separate command for each department then so be it... but I would rather run one command to target all the different departments with users in them if possible. Thanks guys.
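
The multi-OU question above has no reply in the archived thread. One way to handle it, as an added example that is not from any poster: loop over the department OUs, write a single CSV before changing anything, then disable and move each account. The department list, the report file name and the `$DryRun` switch are assumptions; the distinguished names follow the thread's test.org sample.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumed values: adjust to the real department OUs and paths.
$departments = 'billing', 'accounting'            # add the remaining department OUs here
$targetOu    = 'OU=Disabled Users,DC=test,DC=org'
$reportPath  = 'E:\test\inactive-users.csv'
$inactiveFor = New-TimeSpan -Days 180
$DryRun      = $true                              # set to $false to apply the changes

# 1. Query each department's Users OU and collect the results in one variable.
#    Accounts that are already disabled are skipped so the report only lists
#    accounts this run will actually change.
$inactive = foreach ($dept in $departments) {
    $searchBase = "OU=Users,OU=$dept,DC=test,DC=org"
    Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $inactiveFor -SearchBase $searchBase |
        Where-Object { $_.Enabled }
}

# 2. Write one report for all departments before touching any account.
#    Export-Csv ends the pipeline (it emits nothing), so it runs as its own statement.
$inactive |
    Select-Object Name, SamAccountName, DistinguishedName, LastLogonDate |
    Export-Csv -Path $reportPath -NoTypeInformation

# 3. Disable, then move. With $DryRun set, -WhatIf only prints what would happen.
foreach ($user in $inactive) {
    Disable-ADAccount -Identity $user -WhatIf:$DryRun
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $targetOu -WhatIf:$DryRun
}

"{0} inactive account(s) listed in {1}" -f @($inactive).Count, $reportPath
```

The CSV keeps each account's original DistinguishedName, which records where to move an account back to if it was disabled by mistake.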
