For each to disable, move to specific OU, append AD discription with text


This topic contains 4 replies, has 3 voices, and was last updated 2 years, 4 months ago.

  • #52973



    I'm trying to write a script that will allow me to search for user accts based on last login time stamp that is X days in the past. I have that working but want to also have it disable / move / append the description field with text that includes "Disabled" then use the current date. Below is what I have so far which works to provide the list in a CSV. If anyone could help, I would greatly appreciate it.

    Import-Module ActiveDirectory
    $domain = ""
    $DaysInactive = 90
    $time = (Get-Date).AddDays(-($DaysInactive))
    # Get all enabled AD users whose lastLogonTimestamp is older than $time.
    # Ending each line with -and continues the expression, so no backticks are needed.
    Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and Enabled -eq $true} -Properties LastLogonTimeStamp -SearchBase "DC=mydomain,DC=com" |
    Where-Object {$_.DistinguishedName -notmatch 'OU=Users,DC=mydomain,DC=COM' -and
                  $_.DistinguishedName -notmatch 'OU=IT,DC=mydomain,DC=COM' -and
                  $_.SamAccountName -notlike "*IWAM*" -and
                  $_.SamAccountName -notlike "*IUSR*" -and
                  $_.SamAccountName -notlike "*WMUS*" -and
                  $_.SamAccountName -notlike "*Mailbox*"} |
    # Output SamAccountName and lastLogonTimestamp into CSV (HH gives a 24-hour clock; hh would be 12-hour without AM/PM)
    Select-Object SamAccountName, @{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_HH:mm:ss')}} |
    Export-Csv OLD_User.csv -NoTypeInformation

  • #52989


    For moving the users, you should be able to save your Get-ADUser command as a variable, and then pipe it to Move-ADObject

    The same holds true for Disable-ADAccount

    Similarly to the first two, you can pipe your Get-ADUser command to Set-ADUser specifying the description with a Get-Date variable for today's date IF you don't care what was previously in the description field for the account before you run the script (or if you know there is no description on any of the accounts). However, if you want to keep the original descriptions and then append your new one, you should pull the descriptions with Get-ADUser as well and save them to a variable and then concatenate them together in your set command

    $Today = Get-Date -format d
    $Query = Get-ADUser -Filter $yourFilter -Properties Description   # $yourFilter: placeholder for the stale-user filter from your query (Get-ADUser needs -Filter or -Identity)
    $oldDescription = $Query.Description                               # one value per returned user
    $addDescription = "User disabled on $Today"
    $newDescription = "$addDescription; oldDescription"
    $Query | Set-ADUser -Description $newDescription
  • #53059


    Another note, try to do as much filtering as far left as possible. Distinguished name is a caveat as it's a constructed value, so it must either be filtered with a WHERE clause or use SearchScope and/or SearchBase to only search the required OU(s). Understand you're returning more records than you need, so your AD search is slower, so move the filterable items directly into your AD filter:

    # Compare against a FILETIME integer, which is how AD stores lastLogonTimestamp,
    # and join the conditions with -and so the here-string is one valid filter
    $cutoff = (Get-Date).AddDays(-90).ToFileTime()
    $filter = @"
        LastLogonTimeStamp -lt $cutoff -and
        Enabled -eq 'True' -and
        SamAccountName -notlike '*IWAM*' -and
        SamAccountName -notlike '*IUSR*' -and
        SamAccountName -notlike '*WMUS*' -and
        SamAccountName -notlike '*Mailbox*'
"@
    # the closing "@ above must start in column 1; DistinguishedName is constructed, so it is still filtered client-side
    $users = Get-ADUser -Filter $filter -Properties LastLogonTimeStamp -SearchBase "DC=mydomain,DC=com" |
        Where-Object {$_.DistinguishedName -notmatch 'OU=Users,DC=mydomain,DC=COM' -and $_.DistinguishedName -notmatch 'OU=IT,DC=mydomain,DC=COM'}
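Putting the two replies above together (server-side filter, then disable, stamp and move per user), here is an added example that is not code from the thread. The target OU 'OU=Disabled,DC=mydomain,DC=com', the function name and the 90-day threshold are assumptions; run it with -WhatIf first to preview what would change.

```powershell
# Added example: disable stale accounts, prefix the description with a dated
# "Disabled" stamp while keeping the old text, then move them to a holding OU.
# Assumption: the OU names below are placeholders for your own environment.
Import-Module ActiveDirectory

function Disable-StaleUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$DaysInactive = 90,
        [string]$SearchBase = 'DC=mydomain,DC=com',
        [string]$TargetOU   = 'OU=Disabled,DC=mydomain,DC=com',   # placeholder OU
        [string[]]$ExcludeOU = @('OU=Users,DC=mydomain,DC=com', 'OU=IT,DC=mydomain,DC=com')
    )

    # lastLogonTimestamp is an Int64 FILETIME, so compare against that form.
    $cutoff = (Get-Date).AddDays(-$DaysInactive).ToFileTime()
    $filter = "LastLogonTimeStamp -lt $cutoff -and Enabled -eq 'True' -and " +
              "SamAccountName -notlike '*IWAM*' -and SamAccountName -notlike '*IUSR*' -and " +
              "SamAccountName -notlike '*WMUS*' -and SamAccountName -notlike '*Mailbox*'"
    $stamp = 'Disabled {0}' -f (Get-Date -Format 'yyyy-MM-dd')

    Get-ADUser -Filter $filter -SearchBase $SearchBase -Properties LastLogonTimeStamp, Description |
        Where-Object {
            # DistinguishedName is constructed, so exclusions stay client-side
            $dn = $_.DistinguishedName
            -not ($ExcludeOU | Where-Object { $dn -like "*,$_" })
        } |
        ForEach-Object {
            $user = $_
            # Concatenate per user so each account keeps its own old description
            $newDescription = if ($user.Description) { "$stamp; $($user.Description)" } else { $stamp }

            if ($PSCmdlet.ShouldProcess($user.SamAccountName, "disable, stamp description, move to $TargetOU")) {
                Disable-ADAccount -Identity $user
                Set-ADUser -Identity $user -Description $newDescription
                # Move last and address the object by GUID, since the move changes its DN
                Move-ADObject -Identity $user.ObjectGUID -TargetPath $TargetOU
            }
            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                LastLogon      = [DateTime]::FromFileTime($user.LastLogonTimeStamp)
                Description    = $newDescription
            }
        }
}

Disable-StaleUser -WhatIf                                              # preview only
Disable-StaleUser | Export-Csv -Path .\Disabled_Users.csv -NoTypeInformation   # apply and keep an audit CSV
```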
  • #53067


    Thank you both very much. I have it working now.

  • #53542


    Line 5 should be

    $newDescription = "$addDescription; $oldDescription"
