Powershell Help - Moving disabled accounts RRS feed

  • Question

  • Came across this script posted a while back that is what I am looking for to remove disabled accounts.  However, I am trying to tweak it so that I can move disabled accounts into their own OU after 30 days of being disabled/no activity.  Here's the original link...

    https://gallery.technet.microsoft.com/scriptcenter/Disabled-AD-Account-8cc92a7d#content

    I'm stuck on moving the user object, ANY help would be appreciated.  Thanks!


    ##Sorts the disabled accounts found directly under $AMSearchBase into four lists
    ##(to move, whitelisted, warn, recently modified) that the report further down prints.
    #load AD module 
    import-module activedirectory 
     
    ##Age cut-offs: modified 30+ days ago -> move now; 23+ days ago -> warn
    $oldDate = [DateTime]::Today.AddDays(-30) 
    $warnDate = [DateTime]::Today.AddDays(-23) 
    $AMSearchBase = "OU=Users,OU=Accounts,DC=Corp,DC=Com" 
    ##$ShortRegion is not referenced again in the posted script; $Region is used in the mail subject
    $ShortRegion = "IT" 
    $Region = "Information Technology" 
    $disabledUsers = @() 
    $warnUsers = @() 
    $wlistUsers = @() 
    $30daysUsers = @() 
     
    ##AM Section## 
    ##Retrieves disabled user accounts and stores in an array 
    ##-Searchscope 1 is OneLevel: only objects directly in $AMSearchBase, not in child OUs
    $disabledUsers = Get-ADUser -filter {(Enabled -eq $False)} -Searchbase $AMSearchBase -Searchscope 1 -Properties Name,SID,Enabled,LastLogonDate,Modified,info,description 
     
    foreach ($name in $disabledUsers) { 
        ##An account is exempt only when its info attribute is exactly "WHITELIST".
        ##NOTE(review): the exemption is therefore controlled by whoever can write that attribute - verify the delegation.
        ##NOTE(review): the age test reads Modified, which changes on any write to the object, not only when it
        ##was disabled - confirm that this is the clock intended for "30 days after disabling".
        if ($name.info -ne "WHITELIST" -and $name.modified -le $oldDate) { 
            ##NOTE(review): -Filter receives the whole result array here instead of a filter string; this is the
            ##statement behind the "Cannot convert 'System.Object[]'" error quoted later in the thread. The
            ##account being examined is $name. Move-ADObject supports -WhatIf for a dry run before a real move.
            Get-ADUser -Filter $disabledUsers | Move-ADObject -targetpath "OU=Disabled Accounts,OU=Users,OU=Accounts,DC=Corp,DC=Com"
            ##NOTE(review): appends $name to the list it was read from, so it is listed twice; the first report
            ##table prints $disabledUsers and would then show every disabled account, not only the moved ones.
            $disabledUsers = $disabledUsers + $name 
            } 
        elseif ($name.info -eq "WHITELIST") { 
            #Write-Host $name.name " is Whitelisted" 
            $wlistUsers = $wlistUsers + $name 
            } 
            elseif ($name.info -ne "WHITELIST"-and $name.modified -le $warnDate) { 
            #Write-Host $name.name " is will be deleted in the next run" 
            $warnUsers = $warnUsers + $name 
            } 
        else {
            #Write-Host $name.name " was modified less than 30 days ago" 
            $30daysUsers = $30daysUsers + $name 
            } 
    ##NOTE(review): the foreach opened above has no closing brace in the listing as posted.

     
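    ##Path of the HTML report; the folder has to exist already
    $report = "c:\Scripts\Reports\DisabledAccounts30Days.htm"
    ##Header, stylesheet and opening <body> tag of the report, one array element per output line
    $reportHead = @(
        "<html>",
        "<head>",
        "<meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'>",
        '<title>COMPANY Terminated User Cleanup Script</title>',
        '<STYLE TYPE="text/css">',
        "<!--",
        "td {",
        "font-family: Tahoma;",
        "font-size: 11px;",
        "border-top: 1px solid #999999;",
        "border-right: 1px solid #999999;",
        "border-bottom: 1px solid #999999;",
        "border-left: 1px solid #999999;",
        "padding-top: 0px;",
        "padding-right: 0px;",
        "padding-bottom: 0px;",
        "padding-left: 0px;",
        "}",
        "body {",
        "margin-left: 5px;",
        "margin-top: 5px;",
        "margin-right: 0px;",
        "margin-bottom: 10px;",
        ##closes the body rule, which the posted listing left open before "table {"
        "}",
        "table {",
        "border: thin solid #000000;",
        "}",
        "-->",
        "</style>",
        "</head>",
        "<body>"
    )
    ##Set-Content creates the file or overwrites it, so a first run does not fail on a missing
    ##file and nothing from a previous run is left in the report
    Set-Content -Path $report -Value $reportHead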
     
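    ##This section adds tables to the report with individual content
    ##Add-ReportTable appends one titled, three-column table (account name, modified date,
    ##description) to the report file.
    ##  -Path       report file to append to
    ##  -Title      heading printed above the table
    ##  -Users      AD user objects to list; may be empty or $null
    ##  -NameAlign  alignment of the "Account Name" header cell (default 'left')
    function Add-ReportTable {
        param(
            [string]$Path,
            [string]$Title,
            [object[]]$Users,
            [string]$NameAlign = 'left'
        )

        $rows = @(
            "<table width='100%'>",
            "<tr bgcolor='#CCCCCC'>",
            "<td colspan='7' height='25' align='center'>",
            "<font face='tahoma' color='#003399' size='4'><strong>$Title</strong></font>",
            "</td>",
            "</tr>",
            "</table>",
            "<table width='100%'>",
            "<tr bgcolor=#CCCCCC>",
            "<td width='20%' align='$NameAlign'>Account Name</td>",
            "<td width='10%' align='center'>Modified Date</td>",
            "<td width='50%' align='center'>Description</td>",
            "</tr>"
        )

        ##Normalise $null / empty input to an empty array so the count test below is reliable
        $Users = @($Users | Where-Object { $_ })
        if ($Users.Count -gt 0) {
            foreach ($user in $Users) {
                ##Name and Description are directory attributes, i.e. text this script does not control.
                ##HTML-encode them so markup stored in an attribute is shown as text in the mailed report
                ##instead of being rendered. (System.Net.WebUtility needs .NET 4 / PowerShell 3.0 or later.)
                $accountName = [System.Net.WebUtility]::HtmlEncode([string]$user.Name)
                $lastChanged = [System.Net.WebUtility]::HtmlEncode([string]$user.Modified)
                $userDesc    = [System.Net.WebUtility]::HtmlEncode([string]$user.Description)
                $rows += "<tr>"
                $rows += "<td>$accountName</td>"
                $rows += "<td>$lastChanged</td>"
                $rows += "<td>$userDesc</td>"
                $rows += "</tr>"
            }
        }
        else {
            $rows += "<tr>"
            $rows += "<td>No Accounts match</td>"
            $rows += "</tr>"
        }
        $rows += "</table>"

        Add-Content -Path $Path -Value $rows
    }

    ##Table 1 for deleted users
    Add-ReportTable -Path $report -Users $disabledUsers -NameAlign 'center' -Title 'The following users have been moved to the Disabled OU (Report Only)'

    ##Table 2 for warning users
    Add-ReportTable -Path $report -Users $warnUsers -Title 'The following users will be moved to the Disabled OU next week'

    ##Table 3 for whitelisted users
    Add-ReportTable -Path $report -Users $wlistUsers -Title 'The following users are whitelisted'

    ##Table 4 for recently modified users
    Add-ReportTable -Path $report -Users $30daysUsers -Title 'The following disabled users were modified in the last 30 days'

    ##This section closes the report formatting
    Add-Content $report "</body>"
    Add-Content $report "</html>"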
     
    ##Mails the finished report: the file content becomes the HTML body of the completion message.
    ##NOTE(review): neither -UseSsl nor -Credential is passed, so the report (account names and
    ##descriptions) is handed to the relay unauthenticated and, unless the relay enforces TLS
    ##itself, unencrypted - confirm that this is acceptable for this relay.
    $emailFrom  = "ADManagement@corp.com"
    $emailTo    = "test@corp.com"
    $smtpServer = "ismtp.corp.com"
    $subject    = "Corp $Region Disabled User Cleanup Script Complete"
    $body       = Get-Content $report | Out-String

    $mailArgs = @{
        To         = $emailTo
        From       = $emailFrom
        Subject    = $subject
        Body       = $body
        BodyAsHtml = $true
        SmtpServer = $smtpServer
    }
    Send-MailMessage @mailArgs

    Friday, August 28, 2015 10:07 PM

Answers

  • Thanks for the help , i was able to get the following working... Please close this thread.

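    ##Two-stage cleanup of disabled accounts: stage 1 moves stale disabled accounts from
    ##$MoveSearchBase into the "Disabled Accounts" OU, stage 2 deletes accounts that have sat
    ##in that OU unmodified for 90 days and records those that are one week away from it.
    ##NOTE(review): Move-ADObject and Remove-ADUser both accept -WhatIf; a dry run before the
    ##first scheduled run shows exactly which accounts would be touched.
    #load AD module
    import-module activedirectory

    ##Cut-offs, all relative to today:
    ##  $moveDate - last logon 31+ days ago (move filter)
    ##  $oldDate  - 90 days; used in the move filter (passwordlastset) and as the delete age
    ##  $warnDate - 83 days; accounts this old are recorded as due for deletion on a later run
    $oldDate = [DateTime]::Today.AddDays(-90)
    $warnDate = [DateTime]::Today.AddDays(-83)
    $moveDate = [DateTime]::Today.AddDays(-31)
    ##NOTE(review): both DNs end at DC=Corp, unlike the DC=Corp,DC=Com base in the question -
    ##presumably shortened for posting; verify against the real domain.
    $MoveSearchBase = "OU=Test,OU=Users,OU=Accounts,DC=Corp"
    $DelSearchBase = "OU=Disabled Accounts,OU=Users,OU=Accounts,DC=Corp"
    $delUsers = @()
    $warnUsers = @()
    $moveUsers = @()

    ##Move Users Section##
    ##Moves disabled accounts after 31 days into disabled account OU
    ##NOTE(review): the filter also requires passwordlastset to be 90+ days old, so "31 days" alone
    ##is not sufficient; accounts with no recorded logon presumably never match the lastlogondate
    ##test - verify both against what the policy is meant to cover.
    $moveUsers = @(Get-ADUser -SearchBase $MoveSearchBase -Filter {(lastlogondate -le $moveDate) -AND (enabled -eq $false) -AND (passwordlastset -le $oldDate)} -Properties Name,SID,Enabled,LastLogonDate,Modified,info,description)
    ##Move exactly the objects recorded in $moveUsers rather than querying a second time, so the
    ##recorded list and the set that was actually moved cannot differ.
    if ($moveUsers.Count -gt 0) {
        $moveUsers | Move-ADObject -TargetPath $DelSearchBase
    }

    ##Delete Users Section##
    ##Retrieves disabled user accounts and stores in an array
    ##OneLevel: only accounts directly in the Disabled Accounts OU are considered
    $disabledUsers = Get-ADUser -Filter {(Enabled -eq $False)} -SearchBase $DelSearchBase -SearchScope OneLevel -Properties Name,SID,Enabled,LastLogonDate,Modified,info,description

    ##NOTE(review): -Confirm:$false deletes without a prompt, and this version has no exemption
    ##like the WHITELIST check in the script from the question. Deleted accounts can only be
    ##restored easily if the AD Recycle Bin is enabled - confirm before scheduling.
    ##NOTE(review): the move is itself a write and presumably refreshes Modified, so the 90-day
    ##delete clock appears to start at the move - verify.
    foreach ($name in $disabledUsers) {
        if ($name.modified -le $oldDate) {
            try {
                Remove-ADUser -Identity $name.SID -Confirm:$false -ErrorAction Stop
                ##Recorded as deleted only after the removal succeeded
                $delUsers += $name
            }
            catch {
                Write-Warning "Could not remove $($name.Name): $($_.Exception.Message)"
            }
        }
        elseif ($name.modified -le $warnDate) {
            #Write-Host $name.name " is will be deleted in the next run"
            $warnUsers += $name
        }
    }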

    Tuesday, September 8, 2015 2:23 PM

All replies

  • Either ask the author of the script for help or ask a specific question.  We do not fix scripts that you have found on the Internet.

    The script has a support page here: https://gallery.technet.microsoft.com/scriptcenter/Disabled-AD-Account-8cc92a7d/view/Discussions#content

    If you have a specific error or issue then ask that.  Don't just post 100+ lines of spaghetti code and ask someone to fix an arbitrary problem.


    \_(ツ)_/

    Friday, August 28, 2015 10:51 PM
  • Here I threw out all of the unusable code and simplified your code.  Start with this and debug it until you have what you are looking for.  You have a number of logic and syntax errors and only you know what you are trying to do.

    ##Reduced version of the question's script: classifies disabled accounts and prints the
    ##three lists to the console; the HTML report and the mail step are left out.
    import-module activedirectory 
     
    ##Age cut-offs: modified 30+ days ago -> move; 23+ days ago -> warn
    $oldDate = [DateTime]::Today.AddDays(-30) 
    $warnDate = [DateTime]::Today.AddDays(-23) 
    $AMSearchBase = "OU=Users,OU=Accounts,DC=Corp,DC=Com" 
    $warnUsers = @() 
    $wlistUsers = @() 
    $30daysUsers = @() 
     
    ##NOTE(review): no -Searchscope is given here, so the default scope applies; the move target
    ##"OU=Disabled Accounts" lies beneath $AMSearchBase, so accounts already moved there would
    ##presumably be returned again on later runs - verify.
    $disabledUsers = Get-ADUser -filter {Enabled -eq $False} -Searchbase $AMSearchBase -Properties Name,SID,Enabled,LastLogonDate,Modified,info,description 
    foreach ($name in $disabledUsers) {
    
        ##An account is exempt only when its info attribute is exactly "WHITELIST"
        if ($name.info -ne "WHITELIST" -and $name.modified -le $oldDate) { 
            ##NOTE(review): still passes the whole result array to -Filter; this is the statement that
            ##produces the "Cannot convert 'System.Object[]'" error reported later in the thread.
            Get-ADUser -Filter $disabledUsers | Move-ADObject -targetpath "OU=Disabled Accounts,OU=Users,OU=Accounts,DC=Corp,DC=Com"
            ##NOTE(review): appends $name to the list it was read from, so it appears twice
            $disabledUsers = $disabledUsers + $name 
         }elseif($name.info -eq "WHITELIST"){
             #Write-Host $name.name " is Whitelisted" 
             $wlistUsers = $wlistUsers + $name 
         }elseif($name.info -ne "WHITELIST"-and $name.modified -le $warnDate){
             #Write-Host $name.name " is will be deleted in the next run" 
             $warnUsers = $warnUsers + $name
         }else{
             #Write-Host $name.name " was modified less than 30 days ago" 
             $30daysUsers = $30daysUsers + $name 
         } 
    }
     
    ##Dump each list to the console, pausing between them, so the classification can be inspected
    $warnUsers
    pause
    $wlistUsers
    Pause
    $30daysUsers
    
     
    
     


    \_(ツ)_/


    • Edited by jrv Friday, August 28, 2015 11:01 PM
    Friday, August 28, 2015 11:00 PM
  • I have created a script to accomplish this with a little more detail on the account side. Check it out on my site.

    http://www.wsit.ca/how-tos/powershell/active-directory-user-account-cleanup-automation-with-powershell/

    Will.

    Monday, August 31, 2015 1:13 PM
  • My bad, I'll be sure to use code blocks and post my error next time.
    Tuesday, September 1, 2015 10:37 PM
  • Thanks for the help, I keep getting the following error when the script tries to move the user...

    Get-ADUser : Cannot convert 'System.Object[]' to the type 'System.String' required by parameter 'Filter'. Specified method is not supported.
    At W:\Powershell\MoveDisabledAccounts90DaysV2.ps1:23 char:28
    +         Get-ADUser -Filter $disabledUsers | Move-ADObject -targetpath "OU=Test,O ...
    +                            ~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [Get-ADUser], ParameterBindingException
        + FullyQualifiedErrorId : CannotConvertArgument,Microsoft.ActiveDirectory.Management.Commands.GetADUser

    Tuesday, September 1, 2015 10:40 PM
  • $disabledUsers is an array. You cannot pass an array as a filter.

    Look at help for how to use the filter syntax.


    \_(ツ)_/

    Tuesday, September 1, 2015 10:59 PM
  • Thanks for the help , i was able to get the following working... Please close this thread.

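    ##Two-stage cleanup of disabled accounts: stage 1 moves stale disabled accounts from
    ##$MoveSearchBase into the "Disabled Accounts" OU, stage 2 deletes accounts that have sat
    ##in that OU unmodified for 90 days and records those that are one week away from it.
    ##NOTE(review): Move-ADObject and Remove-ADUser both accept -WhatIf; a dry run before the
    ##first scheduled run shows exactly which accounts would be touched.
    #load AD module
    import-module activedirectory

    ##Cut-offs, all relative to today:
    ##  $moveDate - last logon 31+ days ago (move filter)
    ##  $oldDate  - 90 days; used in the move filter (passwordlastset) and as the delete age
    ##  $warnDate - 83 days; accounts this old are recorded as due for deletion on a later run
    $oldDate = [DateTime]::Today.AddDays(-90)
    $warnDate = [DateTime]::Today.AddDays(-83)
    $moveDate = [DateTime]::Today.AddDays(-31)
    ##NOTE(review): both DNs end at DC=Corp, unlike the DC=Corp,DC=Com base in the question -
    ##presumably shortened for posting; verify against the real domain.
    $MoveSearchBase = "OU=Test,OU=Users,OU=Accounts,DC=Corp"
    $DelSearchBase = "OU=Disabled Accounts,OU=Users,OU=Accounts,DC=Corp"
    $delUsers = @()
    $warnUsers = @()
    $moveUsers = @()

    ##Move Users Section##
    ##Moves disabled accounts after 31 days into disabled account OU
    ##NOTE(review): the filter also requires passwordlastset to be 90+ days old, so "31 days" alone
    ##is not sufficient; accounts with no recorded logon presumably never match the lastlogondate
    ##test - verify both against what the policy is meant to cover.
    $moveUsers = @(Get-ADUser -SearchBase $MoveSearchBase -Filter {(lastlogondate -le $moveDate) -AND (enabled -eq $false) -AND (passwordlastset -le $oldDate)} -Properties Name,SID,Enabled,LastLogonDate,Modified,info,description)
    ##Move exactly the objects recorded in $moveUsers rather than querying a second time, so the
    ##recorded list and the set that was actually moved cannot differ.
    if ($moveUsers.Count -gt 0) {
        $moveUsers | Move-ADObject -TargetPath $DelSearchBase
    }

    ##Delete Users Section##
    ##Retrieves disabled user accounts and stores in an array
    ##OneLevel: only accounts directly in the Disabled Accounts OU are considered
    $disabledUsers = Get-ADUser -Filter {(Enabled -eq $False)} -SearchBase $DelSearchBase -SearchScope OneLevel -Properties Name,SID,Enabled,LastLogonDate,Modified,info,description

    ##NOTE(review): -Confirm:$false deletes without a prompt, and this version has no exemption
    ##like the WHITELIST check in the script from the question. Deleted accounts can only be
    ##restored easily if the AD Recycle Bin is enabled - confirm before scheduling.
    ##NOTE(review): the move is itself a write and presumably refreshes Modified, so the 90-day
    ##delete clock appears to start at the move - verify.
    foreach ($name in $disabledUsers) {
        if ($name.modified -le $oldDate) {
            try {
                Remove-ADUser -Identity $name.SID -Confirm:$false -ErrorAction Stop
                ##Recorded as deleted only after the removal succeeded
                $delUsers += $name
            }
            catch {
                Write-Warning "Could not remove $($name.Name): $($_.Exception.Message)"
            }
        }
        elseif ($name.modified -le $warnDate) {
            #Write-Host $name.name " is will be deleted in the next run"
            $warnUsers += $name
        }
    }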

    Tuesday, September 8, 2015 2:23 PM