Need a PS script to disable, move, and delete stale users.

  • Question

  • Fairly new to PS, and have been testing these on a test environment, but some assistance would be great. I've been messing around with a few different methods, each with their own methods (and flaws). This will be a scheduled task to run weekly. What I need is a script to pull stale users (90 days) from 2 specific OUs, disable them, and move them to our "Disabled" OU. I've been able to compile these scripts, but they do not run in conjunction; they will either pull and disable, or pull and move, but not both. 

    The scripts that I came up with for this process (1 for each OU): 

    Search-ADAccount -AccountInactive -SearchBase "OU=OU1,DC=contoso,DC=com" -TimeSpan ([timespan]90d) -UsersOnly | Move-ADObject -TargetPath 'OU=Disabled,DC=contoso,DC=com' | Set-ADUser -Enabled $False

    After these users have remained inactive for an additional 180 days in this OU, they will need to be deleted by a separate script or in conjunction with the first one if possible. The script below also should outright delete anyone who falls under our new user retention policy. These users contain child objects in the form of Exchange ActiveSync devices, so I found that I needed the -Recursive parameter to completely remove them. The issue that I ran into was receiving an access denied error when attempting to process it, despite being a domain admin with no conflicting permission sets.

    Here's the script I came up with for this process:

    Search-ADAccount -AccountInactive -SearchBase "OU=Disabled,DC=contoso,DC=com" -TimeSpan ([timespan]270d) -UsersOnly | remove-adobject -Recursive -Confirm:$False

    Again, I'm still fairly new to PS, so any helpful advice is greatly appreciated. Thanks in advance.


    • Edited by Justin Garner Thursday, April 23, 2015 3:02 PM clarification
    Thursday, April 23, 2015 3:01 PM

All replies

  • Not enough information to know.  What is the exact error message?

    \_(ツ)_/

    Thursday, April 23, 2015 5:33 PM
  • Not enough information to know.  What is the exact error message?

    \_(ツ)_/

    Disregard that part. We actually found the problem causing this. Turns out there were a few individual accounts that had turned off Full Control permissions for domain admins. Is there a particular way that these scripts need to be compiled to run in a .ps1 format? Or is it simply copy-paste each part per 1 line?
    • Marked as answer by Bill_Stewart Tuesday, June 2, 2015 8:54 PM
    Thursday, April 23, 2015 6:32 PM
  • If you have a new question, please start a new thread.

    -- Bill Stewart [Bill_Stewart]

    Thursday, April 23, 2015 6:36 PM
  • Note that accounts and objects can be set to "protected" to prevent accidental deletion. You can toggle the state of the account if you are sure that you want to delete it.


    \_(ツ)_/

    Thursday, April 23, 2015 6:46 PM
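
The two stages described in the question (disable and move after 90 days, delete after 270) and the protection flag mentioned in the last reply can be combined in one script. The following is an added example, not code posted by anyone in this thread; `OU2`, the parameter names and the `-Apply` switch are assumptions.

```powershell
#Requires -Modules ActiveDirectory
param(
    # contoso.com DNs follow the thread; OU2 is an assumed name for the second source OU.
    [string[]]$SourceOU = @('OU=OU1,DC=contoso,DC=com', 'OU=OU2,DC=contoso,DC=com'),
    [string]$DisabledOU = 'OU=Disabled,DC=contoso,DC=com',
    [int]$StaleDays     = 90,    # inactive this long: disable and move
    [int]$DeleteDays    = 270,   # 90 days plus 180 more in the Disabled OU: delete
    [switch]$Apply               # hypothetical switch; without it every change runs as -WhatIf
)
$dryRun = -not $Apply

# Stage 1: disable, then move.
# Move-ADObject writes nothing to the pipeline unless -PassThru is given, so a cmdlet
# chained after it receives no input. Each step is called per user here instead.
foreach ($ou in $SourceOU) {
    Search-ADAccount -AccountInactive -UsersOnly -SearchBase $ou -TimeSpan (New-TimeSpan -Days $StaleDays) |
        ForEach-Object {
            Disable-ADAccount -Identity $_.DistinguishedName -WhatIf:$dryRun
            Move-ADObject -Identity $_.DistinguishedName -TargetPath $DisabledOU -WhatIf:$dryRun
        }
}

# Stage 2: delete accounts in the Disabled OU that are still inactive after $DeleteDays.
# -Recursive also removes child objects such as Exchange ActiveSync device entries.
Search-ADAccount -AccountInactive -UsersOnly -SearchBase $DisabledOU -TimeSpan (New-TimeSpan -Days $DeleteDays) |
    ForEach-Object {
        $obj = Get-ADObject -Identity $_.DistinguishedName -Properties ProtectedFromAccidentalDeletion
        if ($obj.ProtectedFromAccidentalDeletion) {
            # Leave protected objects for manual review. The flag can be cleared with
            # Set-ADObject -ProtectedFromAccidentalDeletion $false once deletion is confirmed.
            Write-Warning "Protected from accidental deletion, skipped: $($obj.DistinguishedName)"
        }
        else {
            Remove-ADObject -Identity $obj.DistinguishedName -Recursive -Confirm:$false -WhatIf:$dryRun
        }
    }
```

Saved as a .ps1 file, the script can be run by a scheduled task with `powershell.exe -File`; without `-Apply` it only reports what it would change.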