Help with Active Directory User Disable Script

This topic contains 6 replies, has 5 voices, and was last updated by  Anton Pozdnyakov 7 months, 1 week ago.

  • Author
    Posts
  • #65872

    Michael
    Participant

    I am pulling hairs right now. Im trying to disable user accounts that are inactive (haven't logged in last 180 days), but exclude users who have been created in the last 30 days who haven't logged in yet.

    Currently I'm running:

    Get-ADUser -SearchBase "OU=blah blah" -f * -properties SamAccountName,LastLogonDate,createTimeStamp | Where-Object {($_.lastlogondate -le $180days) -AND ($_.whencreated -le $30days) -AND ($_.enabled -eq $true)} | Export-CSV C:\blahblah\InactiveUsers.csv

    My output shows a user who has a LastLogonDate of "2/8/2017" which is 27 days ago. He's the ONLY problem child in my list.

    Obviously there are no syntax errors, but I assume there is a logic error that is preventing my list to be accurate. Any help is appreciated.

  • #65875

    Ron
    Participant

    You are using when_created in your comparison, but you are aren't retrieving it, assuming you didn't mix them up when posting.

  • #65881

    Daniel Krebs
    Moderator

    I think you'll need to change you -le operators (less than or equal) to -ge (greater than or equal) in the Where-Object filter. I'm assuming your $180days and $30days variables are set to a date 180 or 30 days ago.

  • #65893

    Sam Boutros
    Participant

    Try:

    # Input
    $LastLogon       = (Get-Date).AddDays(-180)
    $WhenCreated     = (Get-Date).AddDays(-30)
    
    # Initialize
    $adsi            = [adsisearcher]"objectcategory=user"
    $adsi.SearchRoot = "LDAP://dc=$($env:USERDNSDOMAIN.replace('.',',dc='))"
    $adsi.filter     = "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))" # enabled users
    $adsi.PageSize   = 1000000 
    $ADUsersRaw      = $adsi.FindAll()
    
    # Process
    $ADUsers = $ADUsersRaw | % { 
        if ($_.Properties.objectcategory -match 'CN=Person') {
            New-Object -TypeName PSObject -Property @{
                SamAccountName  = $_.Properties.samaccountname | select -First 1 
                LastLogonDate   = $(
                    if ($_.Properties.lastlogontimestamp) {
                        [datetime]::FromFileTime(($_.Properties.lastlogontimestamp | select -First 1))
                    }
                ) 
                createTimeStamp = $_.Properties.whencreated | select -First 1         
            }
        }
    } 
    $SelectADUsers = $ADUsers | where { $_.LastLogonDate -le $LastLogon -and $_.createTimeStamp -le $WhenCreated }
    
    # Output
    $SelectADUsers | select -First 20 | FT -a 
    " Found $($SelectADUsers.Count) users created before $WhenCreated and have not logged on since $LastLogon"
    
  • #65896

    Michael
    Participant

    I tried prior replacing the -le with -ge, and Im still pulling the same account that was created on 2/8/2017. While the 2 lists are different (le shows 65 users, ge shows 157 users), it's not pulling the right accounts in either situation.

  • #65901

    Daniel Krebs
    Moderator

    As Ron mentioned, you haven't selected the whenCreated property but you're testing for it. Get-ADUser does not return whenCreated by default. Please see if changing the condition in your Where-Object filter to createTimestamp or correcting the properties list of Get-ADUser fixes things.

    Get-ADUser -SearchBase "OU=blah blah" -f * -properties SamAccountName,LastLogonDate,createTimeStamp | Where-Object {($_.lastlogondate -ge $180days) -AND ($_.createTimeStamp -ge $30days) -AND ($_.enabled -eq $true)} | Export-CSV C:\blahblah\InactiveUsers.csv
    
  • #65976

    Anton Pozdnyakov
    Participant

    This might help: http://www.adaxes.com/blog/cleanup-active-directory-with-powershell.html It's a script that can remove inactive users and take into account those who didn't log on in the last XX days, exclude service accounts, users that have never logged on and other useful stuff.

You must be logged in to reply to this topic.