Getting AD users with expired accounts

  • Question

  • Hello, looking for help with this script. It appears to work as expected: it gets the expired users, disables the accounts and moves them to the correct OU. What I can't figure out is why I keep getting the same results each time it runs. I've verified the activity from a previous run; however, after running the script again it still gives me the same list of users that are no longer in the OU, as they have been moved to "disabled".

    $today = Get-Date -UFormat "%m-%d-%Y"

    # Setting date interval to 14 days.
    $expire = (Get-Date).AddDays(-14)

    # Outfile and append date string to name.
    $ITout = "C:\ExpiredITUsers_$today.txt"
    $Userout = "C:\ExpiredEndUsers_$today.txt"

    $ITsearch = "OU=Users,OU=IT,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx,DC=xx"
    $usersearch = "OU=Users,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx,DC=xx"

    # Get IT expired users and move to the disabled OU.
    $ExpiredIT = Get-ADUser -SearchBase $itsearch -Filter * -Properties AccountExpirationDate, Name, DisplayName | where {$_.AccountExpirationDate -le $expire} | where{$_.AccountExpirationDate -ne $null} | select Name, DisplayName, AccountExpirationDate | sort AccountExpirationDate | fl Name, DisplayName, AccountExpirationDate
    $ExpiredIT | Out-File -FilePath $ITout
    $ITtotal = $ExpiredIT.Count
    if ($ExpiredIT -eq $null) {
        $body = "No IT accounts have been expired within the last 14 days.`n`nOutput file for IT users is: `n$ITout"
    }
    else {
        $body = "The following IT accounts have expired. They have been disabled and moved to the IT disabled users OU.`nTotal accounts expired is: $ITtotal `n`nOutput file for IT users is: `n$ITout"
        #$out = $ExpiredIT #| Out-String
        #$body += $out
    }

    $body += "`n`nAdditionally...`n`n"

    # Get expired end users and move to the disabled OU.
    $ExpiredUser = Get-ADUser -SearchBase $usersearch -Filter * -Properties AccountExpirationDate, Name, DisplayName | where {$_.AccountExpirationDate -le $expire} | where{$_.AccountExpirationDate -ne $null} | select Name, DisplayName, AccountExpirationDate | sort AccountExpirationDate | fl Name, DisplayName, AccountExpirationDate
    $ExpiredUser | Out-File -FilePath $Userout
    $totals = $ExpiredUser.Count
    if ($ExpiredUser -eq $null) {
        $body += "No end user accounts have been expired within the last 14 days. `n`nScript location is xxx.ps1 `nOutput file for end users: `n$Userout"
    }
    else {
        $body += "The following end user accounts have expired. They have been disabled and moved to the disabled users OU.`nTotal accounts expired is: $totals `n `nOutput file is: `n$Userout `n`nScript location is: `nServer: MailServer`nC:\xxx.ps1"
        #$out = $ExpiredUser #| Out-String
        #$body += $out
    }

        
    Send-MailMessage -To "xxx@xxx" -From "xxx@xxx" -Subject "Expired Accounts" -SmtpServer "xxx" -Body $body -Attachments $ITout, $Userout

    # Disable and move expired IT staff.
    $ExpiredITS = Get-ADUser -SearchBase $ITsearch -Filter * -Properties AccountExpirationDate, Name, DisplayName | where {$_.AccountExpirationDate -le $expire} | where{$_.AccountExpirationDate -ne $null} | select Name
    foreach ($account in $ExpiredITS) {
        $account = $account.Name
        Disable-ADAccount -Identity $account
        Get-ADUser $account | Move-ADObject -TargetPath "OU=Users,OU=IT,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx,DC=xx"
    }

    # Disable and move expired end user staff.
    $ExpiredUsers = Get-ADUser -SearchBase $usersearch -Filter * -Properties AccountExpirationDate, Name, DisplayName | where {$_.AccountExpirationDate -le $expire} | where{$_.AccountExpirationDate -ne $null} | select Name
    foreach ($account in $ExpiredUsers) {
        $account = $account.Name
        Disable-ADAccount -Identity $account
        Get-ADUser $account | Move-ADObject -TargetPath "OU=Users,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx,DC=xx"
    }
    Monday, April 22, 2019 6:11 PM

Answers

  • Resolved: I needed to add -SearchScope OneLevel as an argument for Get-ADuser.
    Monday, April 22, 2019 7:14 PM

All replies

  • What do you mean keep getting the same results? Is that wrong? Can you describe what results you are getting? Are you getting the same list of names and shouldn't be?
    Monday, April 22, 2019 6:22 PM
  • Yes exactly! I am expecting that once the expired users are disabled and moved to the disabled users OU, the same users should not be in the results the next time the script runs.
    Monday, April 22, 2019 6:27 PM
  • I even tried clearing the variable like this, which does clear it. But, still getting the same results. How can the variable get populated with users that are no longer in the searchbase when running Get-ADuser?

    Clear-Item Variable:ExpiredUsers, ExpiredUser

    Set-Location Variable:
    Clear-Item ExpiredUsers, ExpiredUser


    Monday, April 22, 2019 6:44 PM
  • I do not see where any users are moved to a disabled OU in your code. Users are moved to "OU=Users,OU=IT,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx,DC=xx" or "OU=Users,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx,DC=xx"

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Monday, April 22, 2019 6:45 PM
  • Yeah sorry, when removing private data it's hard to read. There are two lines at the end of the script (Move-ADObject)

    $account = $account.Name
    Disable-ADAccount -Identity $account
    Get-ADUser $account | Move-ADObject -TargetPath "OU=Disabled,OU=Users,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx,DC=xx"

    Monday, April 22, 2019 6:50 PM
  • You might want to exclude disabled users from your results. I'd also lose that "fl" at the end of the selection/sort and replace it with "ft". Something like this:

    $ExpiredIT = Get-ADUser -SearchBase $itsearch -Filter {(Enabled -eq $true) -and (AccountExpirationDate -ne $NULL) -and (AccountExpirationDate -le $EXPIRE)} -Properties AccountExpirationDate, Name, DisplayName |
        select Name, DisplayName, AccountExpirationDate | sort AccountExpirationDate
    $ExpiredIT | ft -AutoSize
    Also, if you have multiple DCs in your domain you may be using one to disable and another to get the users. You can be specific with the "-Server" parameter and eliminate the possibility that you're using multiple DCs (and that you may have a replication problem or just an unexpected delay).


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Monday, April 22, 2019 7:14 PM
  • Resolved: I needed to add -SearchScope OneLevel as an argument for Get-ADuser.
    Monday, April 22, 2019 7:14 PM
  • Maybe, but unless you've changed something in the interim, you're disabling the users but "moving" them to the same OU in which you found them (except for the IT users).

    $ITsearch =   "OU=Users,OU=IT,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx,DC=xx"
    $usersearch = "OU=Users,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx,DC=xx"
    -TargetPath   "OU=Users,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx,DC=xx"

    The $usersearch and -TargetPath look the same.


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Monday, April 22, 2019 7:54 PM
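Putting the thread's points together (the accepted -SearchScope OneLevel fix, Rich's server-side Enabled filter and pinned -Server, and his warning that the search base and target path must differ) as an added example; this is not the original poster's script or Rich's code, and the OU distinguished names, the DC name and the 14-day cutoff are placeholder assumptions:

```powershell
# Added example, not code from the thread. All DNs and the DC name are placeholders.
Import-Module ActiveDirectory

$Dc         = 'dc01.example.com'                                 # one DC for query and writes
$Cutoff     = (Get-Date).AddDays(-14)                            # same 14-day window as the thread
$SearchOU   = 'OU=Users,OU=Dept,DC=example,DC=com'               # placeholder search base
$DisabledOU = 'OU=Disabled,OU=Users,OU=Dept,DC=example,DC=com'   # placeholder; a CHILD of $SearchOU

function Get-ExpiredEnabledUser {
    param([string]$SearchBase, [datetime]$ExpiredBefore, [string]$Server)
    # OneLevel keeps the query from descending into child OUs such as the Disabled OU,
    # which is why a Subtree search kept returning users already moved there.
    # Enabled -eq $true drops already-disabled accounts on the server side.
    Get-ADUser -Server $Server -SearchBase $SearchBase -SearchScope OneLevel `
        -Filter { Enabled -eq $true -and AccountExpirationDate -le $ExpiredBefore } `
        -Properties AccountExpirationDate, DisplayName |
        # "Never expires" reads back as a $null AccountExpirationDate; keep the guard.
        Where-Object { $_.AccountExpirationDate } |
        Sort-Object AccountExpirationDate
}

function Invoke-ExpiredUserCleanup {
    param([string]$SearchBase, [string]$TargetOU, [datetime]$ExpiredBefore,
          [string]$Server, [switch]$DryRun)
    # Rich's last point: moving into the OU you searched is a no-op that masks the bug.
    if ($SearchBase -eq $TargetOU) { throw "Target OU equals the search base; nothing would move." }

    $expired = @(Get-ExpiredEnabledUser -SearchBase $SearchBase -ExpiredBefore $ExpiredBefore -Server $Server)
    foreach ($user in $expired) {
        # DistinguishedName is always a valid -Identity; Name (the CN) is not.
        Disable-ADAccount -Identity $user.DistinguishedName -Server $Server -WhatIf:$DryRun
        Move-ADObject     -Identity $user.DistinguishedName -TargetPath $TargetOU -Server $Server -WhatIf:$DryRun
    }
    # Return the processed set so the caller can count, log or mail it.
    $expired | Select-Object Name, DisplayName, AccountExpirationDate
}

# Dry run first; drop -DryRun once the list looks right.
$done = Invoke-ExpiredUserCleanup -SearchBase $SearchOU -TargetOU $DisabledOU `
            -ExpiredBefore $Cutoff -Server $Dc -DryRun
$done | Format-Table -AutoSize
```

Because both the query and the writes go to the same DC, a second run straight after the first returns an empty set instead of the list of users that were just moved.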