March 6, 2017 at 4:48 pm

I am pulling hairs right now. I'm trying to disable user accounts that are inactive (haven't logged in within the last 180 days), but exclude users who have been created in the last 30 days and haven't logged in yet.

Currently I'm running:

Get-ADUser -SearchBase "OU=blah blah" -f * -properties SamAccountName,LastLogonDate,createTimeStamp | Where-Object {($_.lastlogondate -le $180days) -AND ($_.whencreated -le $30days) -AND ($_.enabled -eq $true)} | Export-CSV C:\blahblah\InactiveUsers.csv

My output shows a user who has a LastLogonDate of "2/8/2017" which is 27 days ago. He's the ONLY problem child in my list.

Obviously there are no syntax errors, but I assume there is a logic error that is preventing my list from being accurate. Any help is appreciated.

March 6, 2017 at 5:01 pm

You are using whenCreated in your comparison, but you aren't retrieving it, assuming you didn't mix them up when posting.

March 6, 2017 at 5:20 pm

I think you'll need to change your -le operators (less than or equal) to -ge (greater than or equal) in the Where-Object filter. I'm assuming your $180days and $30days variables are set to a date 180 or 30 days ago.

March 6, 2017 at 6:14 pm

Try:

# Input
$LastLogon       = (Get-Date).AddDays(-180)   # cutoff: no logon since this date
$WhenCreated     = (Get-Date).AddDays(-30)    # cutoff: account created before this date

# Initialize
# Note: assigning .Filter below replaces the "objectcategory=user" filter set by the
# [adsisearcher] constructor, which is why the CN=Person check is done in the Process step.
$adsi            = [adsisearcher]"objectcategory=user"
$adsi.SearchRoot = "LDAP://dc=$($env:USERDNSDOMAIN.replace('.',',dc='))"
$adsi.filter     = "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))" # enabled users (ACCOUNTDISABLE bit not set)
$adsi.PageSize   = 1000000
$ADUsersRaw      = $adsi.FindAll()

# Process
$ADUsers = $ADUsersRaw | % {
    if ($_.Properties.objectcategory -match 'CN=Person') {
        New-Object -TypeName PSObject -Property @{
            SamAccountName  = $_.Properties.samaccountname | select -First 1
            LastLogonDate   = $(
                # lastLogonTimestamp is a FILETIME; if it is missing the account has never logged on
                if ($_.Properties.lastlogontimestamp) {
                    [datetime]::FromFileTime(($_.Properties.lastlogontimestamp | select -First 1))
                }
            )
            createTimeStamp = $_.Properties.whencreated | select -First 1
        }
    }
}
$SelectADUsers = $ADUsers | where { $_.LastLogonDate -le $LastLogon -and $_.createTimeStamp -le $WhenCreated }

# Output
$SelectADUsers | select -First 20 | FT -a
" Found $(@($SelectADUsers).Count) users created before $WhenCreated and have not logged on since $LastLogon"

March 6, 2017 at 6:16 pm

I previously tried replacing the -le with -ge, and I'm still pulling the same account that was created on 2/8/2017. While the 2 lists are different (le shows 65 users, ge shows 157 users), it's not pulling the right accounts in either situation.

March 6, 2017 at 7:00 pm

As Ron mentioned, you haven't selected the whenCreated property but you're testing for it. Get-ADUser does not return whenCreated by default. Please see if changing the condition in your Where-Object filter to createTimestamp or correcting the properties list of Get-ADUser fixes things.

Get-ADUser -SearchBase "OU=blah blah" -f * -properties SamAccountName,LastLogonDate,createTimeStamp | Where-Object {($_.lastlogondate -ge $180days) -AND ($_.createTimeStamp -ge $30days) -AND ($_.enabled -eq $true)} | Export-CSV C:\blahblah\InactiveUsers.csv
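As an added example (not code from any of the posters above), here is a complete version of the procedure the thread converges on: request whenCreated and LastLogonDate explicitly, treat a missing LastLogonDate as "never logged on", and compare against cutoff dates that lie in the past, so -lt selects values older than the cutoff. The OU, report path and the Disable-ADAccount preview at the end are assumptions for illustration; it requires the ActiveDirectory module.

```powershell
# Added example: report enabled users with no logon in 180+ days, excluding
# accounts created in the last 30 days. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$InactiveCutoff   = (Get-Date).AddDays(-180)  # logons older than this count as inactive
$NewAccountCutoff = (Get-Date).AddDays(-30)   # accounts newer than this are too new to judge
$SearchBase       = 'OU=Users,DC=example,DC=com'    # placeholder OU
$ReportPath       = 'C:\Reports\InactiveUsers.csv'  # placeholder output path

# LastLogonDate and whenCreated are not returned unless requested with -Properties.
# Filtering on Enabled server-side avoids pulling disabled accounts at all.
$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
    -Properties SamAccountName, LastLogonDate, whenCreated

$inactive = $users | Where-Object {
    # Exclude accounts created within the last 30 days, logged on or not.
    $_.whenCreated -lt $NewAccountCutoff -and
    # A null LastLogonDate means the account has never logged on; include it
    # explicitly rather than relying on how PowerShell compares $null to a date.
    ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $InactiveCutoff)
}

$inactive |
    Select-Object SamAccountName, Enabled, LastLogonDate, whenCreated |
    Sort-Object LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation

"Found $(@($inactive).Count) enabled users created before $NewAccountCutoff with no logon since $InactiveCutoff"

# Review the CSV first. -WhatIf previews the change without applying it;
# remove -WhatIf only once the list has been checked.
$inactive | Disable-ADAccount -WhatIf
```

Two caveats worth keeping in mind: LastLogonDate is derived from lastLogonTimestamp, which is only replicated when the stored value is more than 9 to 14 days stale, so it is accurate enough for a 180-day threshold but not for short windows; and wrapping the result in @() keeps .Count working when exactly one account matches.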

March 9, 2017 at 9:45 am

This might help: http://www.adaxes.com/blog/cleanup-active-directory-with-powershell.html It's a script that can remove inactive users and take into account those who didn't log on in the last XX days, exclude service accounts, users that have never logged on and other useful stuff.