by morpheus83uk at 2012-10-24 01:28:26
Is it possible to get the date a user was disabled? The reason I am asking is were looking at ho to remove disabled users after 2 months so if a person has been disabled which is 2 or more months in the disabled state then this woould remove the user.
Does anyone have any ideas on how this can be achieved.
by mikefrobbins at 2012-10-24 06:41:30
There's no way that I'm aware of to see the disabled date, but there is a "WhenChanged" and "Modified" property. If the disable was the last action on the account, either of those should work, although that is making some assumptions.
Get-ADUser jdoe -Properties whenchanged, modified
by Klaas at 2012-10-24 06:59:51
I haven't found the perfect solution either. Since we have an average of 1 disabled user per month, it's easy now to write "disabled on april 1 2011" in the 'description' field. I think the best way would be to do a daily export of AD objects and compare this with yesterdays export. You can save the changes to a database or a text file.
I don't know what actions update the 'whenchanged' property, but I can imagine there are some unexpected reasons. I can see a lot of users in my AD with 'whenChanged' today or yesterday, but I have no idea what was changed. Perhaps some script that changes 'city' or mailbox settings or any field that would be changed for all users because of a changed company policy? Maybe 'PasswordLastSet' is more reliable than 'whenchanged'. If you would make a habit of changing a users password at the time of disabling, there's not much chance it changes again while the user remains disabled.
by mikefrobbins at 2012-10-24 10:02:11
Klaas's idea would work. Choose a field that's track-able and set it along with disabling accounts moving forward. I would probably chose the "AccountExpirationDate" property since it's null by default and nothing else should cause it to be updated.
by coderaven at 2012-10-24 14:41:43
I have taken a few different approaches. It looks like you just want to track the day the account was disabled.
For little things like this you can use one of the extensionAttribute1, 2, 3 etc. Just have the script filter for disabled=True and extensionAttribute1=Null (or which ever you use you use). When you find them have it set the date of in the extension attribute. After that part runs, you can check for enabled accounts that have the extension attribute not Null and clear it since the account has been enabled.
These days my check will look at more than one value: Enabled, PasswordLastSet, whenChanged, LastLogonDate and AccountExperationDate. Processing these values correctly can tell you if the account should be removed or disabled moving forward. If you do this, you may want to make sure that you flag your service or important accounts ProtectedFromAccidentialDeletion to True.
by morpheus83uk at 2012-10-25 01:30:50
Thank you for your replies they are very much appreciated.
I have had a look at the pwdlastSet which is something we do as part of the process when someone leaves and it is a good indicator of when someone left.
Many Thanks for all your replies and help with that I greatly appreciate it