Disable aged AD accounts and update description

  • Question

  • Simple script to disable computer accounts older than n days

    get-adcomputer -searchbase $ou -properties Name,lastlogondate -filter {lastlogondate -lt $time} | set-adcomputer -enabled $false

    Works fine but what I would also like to do is to update the description with the lastlogondate so trying something like

    ... | set-adcomputer -enable $false -description {$_.lastlogondate}

    Without success - any advice?

    Ian Burnell, London (UK)

    Friday, May 18, 2018 8:17 AM

All replies

  • $time = (Get-Date).AddDays(-60)
    Get-ADComputer -Filter {lastlogondate -lt $time} -Properties name, lastlogondate | ForEach-Object {
        Set-ADComputer -Identity $_.name -Description $_.lastlogondate -Enabled $false
    }

    Not sure if this will work, been out of the "PowerShell" game for a couple of weeks.

    • Edited by I.T Delinquent Friday, May 18, 2018 8:51 AM Schooled by JRV :)
    Friday, May 18, 2018 8:25 AM
  • lastlogontimestamp is not a date; it is a long number. It cannot be compared to a datetime object.

    Get-ADComputer -Filter {lastlogondate -lt $time} -Properties name, lastlogondate | 
    ForEach-Object{ Set-ADComputer $_.SamAccountName -Description $_.lastlogondate -Enabled $false }


    • Proposed as answer by jrv Tuesday, May 22, 2018 4:26 PM
    Friday, May 18, 2018 8:42 AM
  • I'm a bit busy at work, otherwise I would post a proper response with some code.

    For now, have a look at a script I created that disables accounts and updates the account description.


    I have the code in the description so you can see what I do to get accounts and update their descriptions if they are disabled.

    Hopefully this is helpful!

    This portion here from my script might help you out, simply adapt it to what you need:

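    # $dcs, $OUs, $LogonDateDays, $UserExclude, $DateDescript and $LogFile are defined elsewhere in the full script
    ForEach ($dc in $dcs) {
        # Enabled users in each OU that pass the $LogonDateDays filter and are not in the exclusion list
        $OUs | ForEach {Get-ADUser -Filter * -SearchBase $_ -Properties lastLogonDate,whenCreated,samAccountName | Where-Object $LogonDateDays} |
        Where-Object Enabled -EQ True | Where {$UserExclude -notcontains $_.SamAccountName} |
        ForEach {
            # Append the disable note to the existing description instead of overwriting it
            $OrigDesc=Get-ADUser $_.SamAccountName -Properties Description | Select-Object -ExpandProperty Description
            $Desc="$OrigDesc - Account Disabled $DateDescript"
            Set-ADUser -Identity $_.SamAccountName -Enabled $false -Description "$Desc" -Verbose 4>> $LogFile
        }
    }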

    • Proposed as answer by johnarms Tuesday, May 22, 2018 4:26 PM
    • Edited by johnarms Tuesday, May 22, 2018 4:29 PM
    Tuesday, May 22, 2018 4:25 PM
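
The approach from the replies above, combined into one function as an added example (not code from any poster in this thread): it disables stale computer accounts, records the last logon date in the description while keeping any existing description, and supports -WhatIf for a dry run. The function name, the OU path and the parameter names are assumptions; the 60-day default follows the first reply.

```powershell
# Added example; not code from any poster in this thread.
# Assumptions: function name, parameter names and the OU placeholder are illustrative.
function Disable-StaleComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [int]$MaxAgeDays = 60
    )

    Import-Module ActiveDirectory -ErrorAction Stop
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    $today  = Get-Date -Format 'yyyy-MM-dd'

    # LastLogonDate is derived from the replicated lastLogonTimestamp attribute,
    # which can lag real logons by up to about two weeks, so keep MaxAgeDays
    # well above that. Accounts that have never logged on have no value and are
    # not matched by the -lt comparison. Already-disabled accounts are skipped.
    $stale = Get-ADComputer -SearchBase $SearchBase -Properties LastLogonDate, Description `
        -Filter {Enabled -eq $true -and LastLogonDate -lt $cutoff}

    foreach ($c in $stale) {
        # Fixed date format, so the description does not depend on the admin's locale.
        $stamp = $c.LastLogonDate.ToString('yyyy-MM-dd')
        $note  = "Disabled $today; last logon $stamp"

        # Keep whatever description was already on the object.
        $desc = if ($c.Description) { "$($c.Description) | $note" } else { $note }

        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Disable and set description '$desc'")) {
            Set-ADComputer -Identity $c.DistinguishedName -Enabled $false -Description $desc
            # Emit a record of each change for logging or export.
            [pscustomobject]@{
                Name          = $c.Name
                LastLogonDate = $c.LastLogonDate
                Description   = $desc
            }
        }
    }
}

# Dry run: lists what would change without modifying the directory.
# The OU below is a placeholder; replace it with a real distinguished name.
Disable-StaleComputer -SearchBase 'OU=Workstations,DC=example,DC=com' -WhatIf
```

Run without -WhatIf only after reviewing the dry-run output; piping the result to Export-Csv keeps a record of the original last logon dates in case an account has to be re-enabled.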