Help with Active Directory User Disable Script


This topic contains 6 replies, has 5 voices, and was last updated by a Participant 1 year, 8 months ago.

  • #65872

    Participant
    Points: 0
    Rank: Member

    I am pulling hairs right now. I'm trying to disable user accounts that are inactive (haven't logged in during the last 180 days), but exclude users who have been created in the last 30 days and haven't logged in yet.

    Currently I'm running:

    Get-ADUser -SearchBase "OU=blah blah" -f * -properties SamAccountName,LastLogonDate,createTimeStamp | Where-Object {($_.lastlogondate -le $180days) -AND ($_.whencreated -le $30days) -AND ($_.enabled -eq $true)} | Export-CSV C:\blahblah\InactiveUsers.csv

    My output shows a user who has a LastLogonDate of "2/8/2017" which is 27 days ago. He's the ONLY problem child in my list.

    Obviously there are no syntax errors, but I assume there is a logic error that is preventing my list from being accurate. Any help is appreciated.

  • #65875
    Ron

    Participant
    Points: 0
    Rank: Member

    You are using whenCreated in your comparison, but you aren't retrieving it, assuming you didn't mix them up when posting.

  • #65881

    Moderator
    Points: 24
    Team Member
    Rank: Member

    I think you'll need to change your -le operators (less than or equal) to -ge (greater than or equal) in the Where-Object filter. I'm assuming your $180days and $30days variables are set to a date 180 or 30 days ago.

  • #65893

    Participant
    Points: 60
    Rank: Member

    Try:

    # Input: cutoff dates, both in the past
    $LastLogon       = (Get-Date).AddDays(-180)
    $WhenCreated     = (Get-Date).AddDays(-30)

    # Initialize: a DirectorySearcher rooted at the current domain
    $adsi            = [adsisearcher]"objectcategory=user"
    $adsi.SearchRoot = "LDAP://dc=$($env:USERDNSDOMAIN.replace('.',',dc='))"
    $adsi.filter     = "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))" # enabled users only (ACCOUNTDISABLE bit not set)
    $adsi.PageSize   = 1000000
    $ADUsersRaw      = $adsi.FindAll()

    # Process: keep person objects and convert lastLogonTimestamp (a FILETIME) to a DateTime
    $ADUsers = $ADUsersRaw | ForEach-Object {
        if ($_.Properties.objectcategory -match 'CN=Person') {
            New-Object -TypeName PSObject -Property @{
                SamAccountName  = $_.Properties.samaccountname | Select-Object -First 1
                LastLogonDate   = $(
                    if ($_.Properties.lastlogontimestamp) {
                        [datetime]::FromFileTime(($_.Properties.lastlogontimestamp | Select-Object -First 1))
                    }
                )
                createTimeStamp = $_.Properties.whencreated | Select-Object -First 1
            }
        }
    }
    $SelectADUsers = $ADUsers | Where-Object { $_.LastLogonDate -le $LastLogon -and $_.createTimeStamp -le $WhenCreated }

    # Output
    $SelectADUsers | Select-Object -First 20 | Format-Table -AutoSize
    " Found $($SelectADUsers.Count) users created before $WhenCreated and have not logged on since $LastLogon"
    
  • #65896

    Participant
    Points: 0
    Rank: Member

    I tried replacing the -le with -ge before, and I'm still pulling the same account that was created on 2/8/2017. While the 2 lists are different (le shows 65 users, ge shows 157 users), it's not pulling the right accounts in either situation.

  • #65901

    Moderator
    Points: 24
    Team Member
    Rank: Member

    As Ron mentioned, you haven't selected the whenCreated property but you're testing for it. Get-ADUser does not return whenCreated by default. Please see if changing the condition in your Where-Object filter to createTimestamp or correcting the properties list of Get-ADUser fixes things.

    Get-ADUser -SearchBase "OU=blah blah" -f * -properties SamAccountName,LastLogonDate,createTimeStamp | Where-Object {($_.lastlogondate -ge $180days) -AND ($_.createTimeStamp -ge $30days) -AND ($_.enabled -eq $true)} | Export-CSV C:\blahblah\InactiveUsers.csv
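    As an added example (not code from the thread or from any poster), here is the same query written out with the cutoffs built explicitly and the comparison direction derived from them: with $inactiveCutoff being a date in the past, an account is inactive when its LastLogonDate is earlier than that cutoff, and it is past the grace period when whenCreated is earlier than the 30-day cutoff. Both attributes are requested explicitly, because Get-ADUser does not return them by default. Accounts that have never logged on (LastLogonDate is $null) are handled explicitly instead of relying on how PowerShell orders $null against a date, the report is written before anything is disabled, and disabling honours -WhatIf. The OU path, report path, parameter names and the default 180/30-day values are assumptions.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and a caller-supplied OU; paths and parameter names are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $SearchBase,              # e.g. 'OU=Users,DC=corp,DC=example' (placeholder)
    [int]    $InactiveDays = 180,
    [int]    $GraceDays    = 30,
    [string] $ReportPath   = 'C:\Reports\InactiveUsers.csv',  # placeholder path
    [switch] $Disable
)

Import-Module ActiveDirectory -ErrorAction Stop

$now            = Get-Date
$inactiveCutoff = $now.AddDays(-$InactiveDays)   # last logon must be EARLIER than this date
$createdCutoff  = $now.AddDays(-$GraceDays)      # account must have been created EARLIER than this date

# Server-side filter: only enabled users under the OU. LastLogonDate and whenCreated
# are not in the default property set, so they have to be asked for.
$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
                    -Properties LastLogonDate, whenCreated

$candidates = @(foreach ($u in $users) {
    # LastLogonDate is derived from lastLogonTimestamp, which replicates lazily
    # (up to 14 days behind by default), so read it as "at least this long ago".
    $neverLoggedOn = $null -eq $u.LastLogonDate
    $staleLogon    = $neverLoggedOn -or ($u.LastLogonDate -lt $inactiveCutoff)
    $pastGrace     = $u.whenCreated -lt $createdCutoff

    if ($staleLogon -and $pastGrace) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            DistinguishedName = $u.DistinguishedName
            WhenCreated       = $u.whenCreated
            LastLogonDate     = $u.LastLogonDate
            NeverLoggedOn     = $neverLoggedOn
            DaysSinceLogon    = if ($neverLoggedOn) { $null } else { [int]($now - $u.LastLogonDate).TotalDays }
        }
    }
})

# Write the review list first; the CSV is the audit record of what was selected and why.
$candidates | Sort-Object LastLogonDate | Export-Csv -Path $ReportPath -NoTypeInformation
"Found $($candidates.Count) enabled users created before $createdCutoff with no logon since $inactiveCutoff"

if ($Disable) {
    foreach ($c in $candidates) {
        # ShouldProcess makes -WhatIf / -Confirm apply to every account.
        if ($PSCmdlet.ShouldProcess($c.SamAccountName, 'Disable inactive account')) {
            Disable-ADAccount -Identity $c.DistinguishedName
        }
    }
}
```

    Run it first without -Disable to get only the CSV, then with -Disable -WhatIf to see which accounts would be touched. Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 180) -UsersOnly is a ready-made alternative for the inactivity half, but it has no built-in notion of a creation grace period, which is why the whenCreated check is done client-side here.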
    
  • #65976

    Participant
    Points: 0
    Rank: Member

    This might help: http://www.adaxes.com/blog/cleanup-active-directory-with-powershell.html It's a script that can remove inactive users and take into account those who didn't log on in the last XX days, exclude service accounts, users that have never logged on and other useful stuff.
