For each to disable, move to specific OU, append AD description with text

This topic contains 4 replies, has 3 voices, and was last updated by Edmond Yee 3 weeks, 3 days ago.

  • #52973
    Joel Daigle
    Participant

    Hi,

    I'm trying to write a script that will allow me to search for user accounts based on a last-logon timestamp that is X days in the past. I have that working, but I also want it to disable the accounts, move them, and append the description field with text that includes "Disabled" followed by the current date. Below is what I have so far, which works to provide the list in a CSV. If anyone could help, I would greatly appreciate it.

    Import-Module ActiveDirectory
    $domain = "mydomain.com"
    $DaysInactive = 90
    $time = (Get-Date).AddDays(-($DaysInactive))
    # Get all enabled AD users whose lastLogonTimestamp is older than the cutoff,
    # then drop two OUs and the well-known service/system account names
    Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and Enabled -eq $true} -Properties LastLogonTimeStamp -SearchBase "DC=mydomain,DC=com" |
        Where-Object {
            $_.DistinguishedName -notmatch 'OU=Users,DC=mydomain,DC=COM' -and
            $_.DistinguishedName -notmatch 'OU=IT,DC=mydomain,DC=COM' -and
            $_.SamAccountName -notlike "*IWAM*" -and
            $_.SamAccountName -notlike "*IUSR*" -and
            $_.SamAccountName -notlike "*WMUS*" -and
            $_.SamAccountName -notlike "*Mailbox*"
        } |
        # Output SamAccountName and lastLogonTimestamp (converted from FILETIME, 24-hour clock) into a CSV
        Select-Object SamAccountName, @{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_HH:mm:ss')}} |
        Export-Csv OLD_User.csv -NoTypeInformation

    #52989
    Edmond Yee
    Participant

    For moving the users, you should be able to save the output of your Get-ADUser command in a variable and then pipe it to Move-ADObject.

    https://technet.microsoft.com/en-us/library/ee617248.aspx

    The same holds true for Disable-ADAccount.

    https://technet.microsoft.com/en-us/library/ee617197.aspx

    Similarly to the first two, you can pipe your Get-ADUser command to Set-ADUser, specifying the description with a Get-Date variable for today's date, IF you don't care what was previously in the description field for the account before you run the script (or if you know there is no description on any of the accounts). However, if you want to keep the original descriptions and then append your new one, you should pull the descriptions with Get-ADUser as well, save them to a variable, and then concatenate them together in your Set command.

    $Today = Get-Date -Format d
    foreach ($user in (Get-ADUser -Filter $filter -Properties Description)) {   # $filter: the search criteria from your Get-ADUser command
        $oldDescription = $user.Description
        $addDescription = "User disabled on $Today"
        $newDescription = "$addDescription; $oldDescription"
        $user | Set-ADUser -Description $newDescription
    }
    #53059
    Rob Simmers
    Participant

    Another note: try to do as much filtering as far left as possible. Distinguished name is a caveat, as it's a constructed value, so it must either be filtered with a WHERE clause or you use SearchScope and/or SearchBase to only search the required OU(s). Understand that you're returning more records than you need, so your AD search is slower; move the filterable items directly into your AD filter:

    # lastLogonTimestamp is an Int64 FILETIME, so compare it against the FILETIME form of
    # the cutoff; building the filter from an array keeps each clause readable
    $cutoff = (Get-Date).AddDays(-90)
    $filter = @(
        "LastLogonTimeStamp -lt $($cutoff.ToFileTime())"
        "Enabled -eq 'True'"
        "SamAccountName -notlike '*IWAM*'"
        "SamAccountName -notlike '*IUSR*'"
        "SamAccountName -notlike '*WMUS*'"
        "SamAccountName -notlike '*Mailbox*'"
    ) -join ' -and '

    $users = Get-ADUser -Filter $filter -Properties LastLogonTimeStamp -SearchBase "DC=mydomain,DC=com" |
        Where-Object {$_.DistinguishedName -notmatch 'OU=Users,DC=mydomain,DC=COM' -and $_.DistinguishedName -notmatch 'OU=IT,DC=mydomain,DC=COM'}
    
    #53067
    Joel Daigle
    Participant

    Thank you both very much. I have it working now.

    #53542
    Edmond Yee
    Participant

    Line 5 should be

    $newDescription = "$addDescription; $oldDescription"
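Putting the replies together (Edmond's disable / move / append-description steps and Rob's server-side filter), here is the whole procedure as one script. This is an added example, not code posted in the thread. The search base, the excluded OUs and the target OU "OU=Disabled Users,DC=mydomain,DC=com" are placeholders to change for your own domain. Two things worth knowing before running it: lastLogonTimestamp is only written back to the directory when the stored value is about 14 days stale, so "90 days inactive" really means "at least roughly 76 days", and an account that has never logged on has no lastLogonTimestamp at all and is not matched by the -lt comparison, so it needs a separate query. Run it with -WhatIf first; every change goes through ShouldProcess.

```powershell
# Added example, not from the thread. Finds enabled users whose lastLogonTimestamp is
# older than $DaysInactive, then disables each one, prefixes its Description with a
# dated "Disabled" note and moves it to $DisabledOU, writing a CSV of what was done.
# Assumed placeholders: the search base, the excluded OUs and the target OU below.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]      $DaysInactive = 90,
    [string]   $SearchBase   = 'DC=mydomain,DC=com',
    [string[]] $ExcludedOUs  = @('OU=Users,DC=mydomain,DC=com', 'OU=IT,DC=mydomain,DC=com'),
    [string]   $DisabledOU   = 'OU=Disabled Users,DC=mydomain,DC=com',   # assumption: your quarantine OU
    [string]   $LogPath      = 'OLD_User.csv'
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$DaysInactive)

# Everything the directory can evaluate goes into the LDAP-side filter.
# lastLogonTimestamp is stored as an Int64 FILETIME, so compare against the FILETIME form
# of the cutoff. Accounts that have never logged on have no lastLogonTimestamp and are
# not matched by -lt, so they are deliberately left alone here.
$filter = @(
    "LastLogonTimeStamp -lt $($cutoff.ToFileTime())"
    "Enabled -eq 'True'"
    "SamAccountName -notlike '*IWAM*'"
    "SamAccountName -notlike '*IUSR*'"
    "SamAccountName -notlike '*WMUS*'"
    "SamAccountName -notlike '*Mailbox*'"
) -join ' -and '

# DistinguishedName cannot go in the filter, so exclude whole OU subtrees client-side.
# A suffix match on ",OU=..." is exact, unlike -notmatch, which treats the OU as a regex.
$stale = Get-ADUser -Filter $filter -SearchBase $SearchBase `
                    -Properties LastLogonTimeStamp, Description |
    Where-Object {
        $dn = $_.DistinguishedName
        -not ($ExcludedOUs | Where-Object { $dn -like "*,$_" })
    }

$today = Get-Date -Format 'yyyy-MM-dd'
$note  = "Disabled $today (no logon for $DaysInactive days)"

$log = foreach ($user in $stale) {
    # Append to the existing Description instead of replacing it; skip the separator
    # when there was nothing there. AD's Description attribute is capped at 1024 chars.
    $newDescription = if ([string]::IsNullOrWhiteSpace($user.Description)) { $note } else { "$note; $($user.Description)" }

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable, annotate and move to $DisabledOU")) {
        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description $newDescription
        # Move last: $user still carries the pre-move DN, but -Identity resolves the
        # object by its GUID, so the two earlier changes have already landed on it.
        Move-ADObject -Identity $user -TargetPath $DisabledOU
    }

    # One record per account for the CSV, whether or not the change was applied (-WhatIf)
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        LastLogon      = [DateTime]::FromFileTime($user.LastLogonTimeStamp).ToString('yyyy-MM-dd HH:mm:ss')
        OriginalDN     = $user.DistinguishedName
        NewDescription = $newDescription
    }
}

$log | Export-Csv -Path $LogPath -NoTypeInformation
$log | Format-Table SamAccountName, LastLogon, OriginalDN -AutoSize
```

Save it as, for example, Disable-StaleUsers.ps1 and run `.\Disable-StaleUsers.ps1 -WhatIf` to see which accounts would be touched; the CSV is written in both modes, so the -WhatIf run doubles as the report the first post produced.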