whenchanged attribute in ad using powershell

  • Question

  • Hello,

    I have two users in a specific OU in AD. I need to use a PowerShell script to write "first, when those users come to this OU, then if those users have been more than 6 months in this OU, remove them"

    It seems an easy scenario, but I've searched for more than a week and still have no tips to solve it......

    Finally I came to use:

    the "whenChanged attribute" to compare with Get-Date, but the problem is it works only while I have one user in the OU. If I have more than one user, PowerShell tells me I can't compare the output with Get-Date. This is my script:

    (((please help me if there is another way to solve the problem)))

                              

    Get-ADUser -Filter * -SearchBase 'OU=testOU,DC=fire,DC=cloud' -Properties whenChanged | ForEach {
         $userinfo = Get-ADUser -filter {Enabled -eq $True} -SearchBase 'OU=testOU,DC=fire,DC=cloud' -properties whenChanged | Sort-Object DisplayName | Select-Object DisplayName, whenChanged 
         $today = Get-Date -Format "yyyy-MM-dd"
         $userData = $userinfo.Whenchanged
         $convert = ([string]$userData.ToshortDatestring()).Split()


         $result = (New-TimeSpan -Start $convert -End $today).Days 


            If ($result -ge 180) {
                #Get-ADUser -Filter * -SearchBase "OU=testOU,DC=fire,DC=cloud" | Disable-ADAccount
                #Get-ADUser -filter * -searchbase "OU=testOU,DC=fire,DC=cloud" | where-object { $_.Enabled -eq $false } | remove-ADobject -Confirm:$false


                "Hello"
                }


    }

    Thursday, September 19, 2019 1:02 PM

All replies

  • I should point out that the whenChanged attribute is updated whenever any change is made to the object. If someone updates a phone number for the user object, for example, the whenChanged attribute will reflect when that change was made.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, September 19, 2019 1:25 PM
  • Yeah, I know that, that's why I've tested with Get-ADGroupMemberDate

    but still the same problem

    I can do minus/plus with Get-Date as long as I have one user in the OU. If I have 2 or more users in the OU, I get more than one output date and PowerShell can't do minus/plus on it with Get-Date.

    Friday, September 20, 2019 9:10 AM
  • Get-ADGroupMemberDate is not an AD cmdlet. It is a PowerShell script posted in the Script Gallery here:

    https://gallery.technet.microsoft.com/scriptcenter/Find-the-time-a-user-was-a0bfc0cf

    The script uses the repadmin command line tool to retrieve the group metadata, and parses the output for the dates when members are added or removed. From the comments, it appears that something in Active Directory may have recently changed that prevents the script from parsing the dates correctly. You might add a comment to the Gallery entry, but I fear that the author is no longer active.

    Can you confirm that the repadmin tool retrieves the dates you want? If so, in what format do the dates appear? Possibly the format has changed. But modifying the script might be beyond the usual scope of this forum. Still, if you report the date format, someone can advise how to convert into a datetime, or compare to the output of Get-Date.

    Edit: From my experience, the dates returned by repadmin are in the form:

    YYYY-MM-DD hh:mm:ss.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Friday, September 20, 2019 2:04 PM
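
Added example, not part of the thread or of the Get-ADGroupMemberDate script: one way to convert timestamp text in the YYYY-MM-DD hh:mm:ss form into [datetime] values and test each one against a six-month cutoff, one object at a time. The function name Get-StaleRecord, the account names and the dates are constructed for illustration; a timestamp that does not parse is skipped with a warning rather than treated as old, so a format change cannot cause an account to be flagged.

```powershell
# Constructed sample input: one record per user, timestamp kept as text
# in the "YYYY-MM-DD hh:mm:ss" form (names and dates are made up).
$records = @(
    [pscustomobject]@{ SamAccountName = 'user1'; Stamp = '2019-01-10 08:15:42' }
    [pscustomobject]@{ SamAccountName = 'user2'; Stamp = '2019-08-30 16:02:07' }
    [pscustomobject]@{ SamAccountName = 'user3'; Stamp = 'not-a-date' }
)

function Get-StaleRecord {
    # Hypothetical helper: returns the records whose timestamp is older than
    # $Months months before $Now. It only reports; it changes nothing.
    param(
        [Parameter(Mandatory)] [object[]] $Record,
        [datetime] $Now = (Get-Date),
        [int] $Months = 6
    )
    $cutoff  = $Now.AddMonths(-$Months)
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $style   = [System.Globalization.DateTimeStyles]::None

    foreach ($r in $Record) {
        # Parse each value on its own; a whole array of dates cannot be
        # compared with a single Get-Date result.
        $parsed = [datetime]::MinValue
        $ok = [datetime]::TryParseExact($r.Stamp, 'yyyy-MM-dd HH:mm:ss',
                                        $culture, $style, [ref]$parsed)
        if (-not $ok) {
            Write-Warning "Skipping $($r.SamAccountName): cannot parse '$($r.Stamp)'"
            continue
        }
        if ($parsed -lt $cutoff) {
            [pscustomobject]@{
                SamAccountName = $r.SamAccountName
                Changed        = $parsed
                AgeDays        = ($Now - $parsed).Days
            }
        }
    }
}

# Fixed reference date so the result does not depend on when this is run.
Get-StaleRecord -Record $records -Now ([datetime]'2019-09-20') |
    Format-Table -AutoSize
```
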
  • Thank you, I solved it another way....

    $refDate = (Get-Date).AddMonths(-6)    # test for users that have been in this OU for more than 6 months
    Get-ADUser -Filter * -SearchBase 'OU=testOU,DC=fire,DC=cloud' -Properties DisplayName, Modified | ForEach-Object {
        # iterating over this user collection means that in each run, the $_ automatic variable contains a single user
        if ($_.Modified -lt $refDate) {
            if ($_.Enabled) {
                Write-Host "Disabling user $($_.DisplayName)" -ForegroundColor Yellow
                $_ | Disable-ADAccount
            }
            else {
                Write-Host "Deleting user $($_.DisplayName)" -ForegroundColor Magenta
                $_ | Remove-ADUser
            }
        }
    }

    This works, if someone needs to use it....

    Monday, September 23, 2019 6:31 AM
  • For others who may stumble on this. The method does not do what is claimed because AAD changes that date frequently even if the account is never used or modified. 


    \_(ツ)_/

    Monday, September 23, 2019 6:37 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Thursday, October 3, 2019 2:49 AM