Script to find expired accounts but near "real-time"?



    by virtuallywarped at 2012-12-07 22:00:59

    Hello

    I am trying to get a script that I can run as a scheduled task and have the script find any account that is set to expire in a specific time frame. I'm using Quest ActiveRoles server and I can set a "virtual attribute" so that helpdesk staff can enter a date/time for the account to expire.

    Then this script would be set up as a scheduled task and when it runs I need it to find any accounts that expire "at the time the script runs and any that expired prior to the script running". If I run this every couple of hours then that will satisfy the auditors we are doing this for. Expiring the accounts doesn't close off all access, so this script will trigger a deprovision action that does that process which is already set up for each account that is returned in the query.

    by DonJ at 2012-12-08 08:46:38

    I don't know of any pre-existing script, so you'd probably need to write this from scratch yourself. If you're not sure how to accomplish some pieces, let's tackle them one at a time. I don't know much about Quest ARS, so I'm probably not going to be a lot of help there, but we can try and get Kirk, who used to work for Quest, to help out if your questions are with that piece.

    by RichardSiddaway at 2012-12-09 02:36:01

    Get-QADuser has the -AccountExpiresBefore and -AccountExpiresAfter attributes – you should be able to use them. Not sure that you need a virtual attribute when AD already has an attribute for account expiry date.

    by virtuallywarped at 2012-12-12 21:02:50

    Thank you both, really appreciate it. So here's what I need and what I've found so far.

    I need to:

    1. Get-Date – it can be the exact time

    2. Query an OU & All Sub-OUs for accounts that have a date/time set in the attribute that is either "now – the time the script is running" and any date/time prior to the time the script is running.

    This would let me set the scheduled task to run every 1 hour, then when it runs after the 1st time, it should only show accounts that have essentially expired in the past hour.

    I came up with this and it finds accounts that will expire 'today', but I am not sure how to do the time piece I need.

    $expiredusers = get-qaduser -proxy -LdapFilter "(expirationtime=*)" | where-object {$_.expirationtime -lt (Get-Date)}

    by virtuallywarped at 2012-12-17 16:27:24

    Hello

    I am still stuck on this, can someone help me out with getting the query running?

    I am not sure how to do the "date/time as of now – which is when the script runs" and anything prior to that date/time.

    Once this runs the 1st time it won't matter about "prior" because it can go back as far as any prior time. The issue I have is I'm not sure how to search for accounts that expire for example on 12/17/2012 at 5:00pm and anything before that date and time, then perform the action on them.

    I can't use just get-date as I don't want to run the process until the specific time comes up.
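
Added example, not part of the original thread: comparing each account's expiry timestamp against the script's run time already defers action until the set time has passed, and bounding the window by the previous run time returns each account only once. The function name `Get-ExpiredAccount`, the sample accounts and the run times are constructed for illustration; in the scheduled task the input would come from the `get-qaduser` query shown in the thread.

```powershell
# Added example. 'expirationtime' mirrors the attribute name used in the thread;
# everything else (function name, accounts, run times) is constructed.
function Get-ExpiredAccount {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Account,
        [datetime] $AsOf  = (Get-Date),              # time this run started
        [datetime] $Since = [datetime]::MinValue     # time the previous run started
    )
    $Account | Where-Object {
        $_.expirationtime -and                       # skip accounts with no expiry set
        [datetime]$_.expirationtime -gt $Since -and  # not already handled by an earlier run
        [datetime]$_.expirationtime -le $AsOf        # expiry time has been reached
    }
}

# Constructed sample data standing in for the directory query result.
$accounts = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   expirationtime = [datetime]'2012-12-17 15:30' }
    [pscustomobject]@{ SamAccountName = 'asmith'; expirationtime = [datetime]'2012-12-17 17:00' }
    [pscustomobject]@{ SamAccountName = 'bjones'; expirationtime = [datetime]'2012-12-18 09:00' }
    [pscustomobject]@{ SamAccountName = 'svc01';  expirationtime = $null }
)

# Simulate three hourly runs. The first run has no previous run time, so it
# reaches back as far as needed; later runs only see newly expired accounts.
$lastRun = [datetime]::MinValue
foreach ($runTime in '2012-12-17 16:00', '2012-12-17 17:00', '2012-12-17 18:00') {
    $now = [datetime]$runTime
    $due = @(Get-ExpiredAccount -Account $accounts -AsOf $now -Since $lastRun)
    $names = ($due | ForEach-Object { $_.SamAccountName }) -join ', '
    '{0:yyyy-MM-dd HH:mm} -> {1}' -f $now, $names
    # The deprovision action described in the thread would run here for each account in $due.
    $lastRun = $now   # in a real task, persist this only after the run succeeds
}
```

Persisting the last successful run time, rather than assuming a fixed one-hour window, keeps a skipped or failed run from leaving an expired account unprocessed.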
