Search AD for inactive and then move and disable

  • Question

  • I have the start of the script; it searches for inactive users with exceptions, but I cannot get it to do anything with them. I've tried the below with little results.

    I want it to move, disable, and then send a report to me about what happened (eventually by email).

    $DateFormat = Get-Date -Format yyyyMMdd
    $SupportOU = "OU=SomeSupport,DC=somecompany,DC=com"
    $NoLogOn120Days = "OU=NoLogOn120Days,DC=somecompany,DC=com"
    
    
    Search-ADAccount -AccountInactive -UsersOnly -SearchBase $SupportOU -TimeSpan "135" | Get-ADUser -Properties Description, Name, DistinguishedName | Where-Object { ($_.Name -notlike "*student*") -and ($_.Name -notlike "*user*") -and ($_.Name -notlike "*train*" ) -and ($_.Name -notlike "*production*") -and ($_.Name -notlike "*special*" ) -and ($_.Description -notLike "*LOA*")} | foreach-object{
        select-object DistinguishedName,Description | export-csv -append Report_DisableUsers.csv -notypeinformation;
        Set-ADObject $_.Distinguishedname -Description ($DateFormat + "-" + $_.Description);
        Move-ADObject $_.DistinguishedName -TargetPath $NoLogOn120Days;
    }

    Any help?

    Monday, July 23, 2018 4:11 PM

Answers

  • This would be easier to use and would work better.

    $DateFormat = Get-Date -Format yyyyMMdd
    $SupportOU = "OU=SomeSupport,DC=somecompany,DC=com"
    $NoLogOn120Days = "OU=NoLogOn120Days,DC=somecompany,DC=com"
    
    Search-ADAccount -AccountInactive -UsersOnly -SearchBase $SupportOU -TimeSpan '135' | 
        Get-ADUser -Properties Description | 
        Where-Object { 
            $_.Name -notmatch 'student|user|train|production|special' -and 
            $_.Description -notmatch 'LOA'
        } | 
        ForEach-Object{
            Set-ADObject $_.DistinguishedName -Description ($DateFormat + '-' + $_.Description)
            Move-ADObject $_.DistinguishedName -TargetPath $NoLogOn120Days
            $_   # pass the original object down the pipeline for the report
        } |
        Select-Object DistinguishedName, Description |
        Export-Csv Report_DisableUsers.csv -NoTypeInformation

    Formatting the code for readability would make it more understandable.


    \_(ツ)_/

    • Marked as answer by AEnnis Tuesday, July 24, 2018 4:04 PM
    Monday, July 23, 2018 8:14 PM

All replies

  • The Select is in the wrong place. It should go after the Where clause, before piping to the ForEach. Also, I don't see where you disable the user accounts. And rather than a Set-ADObject to assign the description, I would use Set-ADUser.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Monday, July 23, 2018 5:17 PM
  • This worked, however, it also moves new hires that have not logged in...
    Tuesday, July 24, 2018 5:22 PM
  • This worked, however, it also moves new hires that have not logged in...
    Then filter them out in the "Where" part.

    \_(ツ)_/

    Tuesday, July 24, 2018 5:48 PM
  • How would I filter out new hires

    Tuesday, July 24, 2018 6:47 PM
  • I don't know.  What is a new hire?  There is no such attribute in AD.


    \_(ツ)_/

    Tuesday, July 24, 2018 6:52 PM
  • A new account that has not been logged into...

    Sometimes we create accounts and they sit for a while, but this script seems to disable these; something about the inactive user cmdlet.

    Tuesday, July 24, 2018 7:11 PM
  • What are your criteria for a "new account"? Does it have a custom flag or other attribute? How do you know an account has not been logged into?


    \_(ツ)_/

    Tuesday, July 24, 2018 7:19 PM
  • The lastLogonTimestamp attribute will be empty if the account has never been used to log on.

    -- Bill Stewart [Bill_Stewart]


    Tuesday, July 24, 2018 8:09 PM
  • The lastLogonTimestamp attribute will be empty if the account has never been used to log on.

    -- Bill Stewart [Bill_Stewart]



    Shhh!

    \_(ツ)_/

    Tuesday, July 24, 2018 8:16 PM
  • @Bill_Stewart: Can't you see that jrv is trying to teach OP how to fish? :P

    Other attributes of interest could be pwdLastSet and whenCreated.



    Tuesday, July 24, 2018 8:24 PM
  • Just add $_.LastLogonDate to the "where" statement and "LastLogonDate" to the Get-AdUser properties.

    Or use Bill's favorite "lastlogontimestamp".


    \_(ツ)_/

    Tuesday, July 24, 2018 9:36 PM
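Pulling the thread together (the accepted answer's pipeline plus the new-hire exclusion discussed in the replies above), the following is an added example; it is not code from the question or from any of the repliers. It keeps the OU names and the 135-day window from the question. The 30-day grace period for never-used accounts, the script name, the report path and the parameter names are assumptions. It also adds the disable step the question asked for, and -WhatIf support so the run can be rehearsed before anything is changed.

```powershell
<#
  Invoke-StaleAccountCleanup.ps1  (added example, not from the original thread)
  Disables, stamps and moves inactive user accounts, excluding never-used
  accounts that are still inside a grace period, and writes a CSV report.
  Assumptions: the grace period, script name and report path are illustrative.
  Dry run:  .\Invoke-StaleAccountCleanup.ps1 -WhatIf
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase      = 'OU=SomeSupport,DC=somecompany,DC=com',
    [string]$TargetOU        = 'OU=NoLogOn120Days,DC=somecompany,DC=com',
    [int]   $InactiveDays    = 135,
    [int]   $NewAccountGrace = 30,    # assumption: how long a never-used account may sit
    [string]$ReportPath      = ".\Report_DisableUsers_$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

$stamp  = Get-Date -Format yyyyMMdd
$cutoff = (Get-Date).AddDays(-$NewAccountGrace)

# LastLogonDate is the replicated lastLogonTimestamp as a DateTime. It is only
# rewritten when the stored value is older than msDS-LogonTimeSyncInterval
# (default 14 days), so any "inactive for N days" test carries up to ~14 days
# of slack. A never-used account has no value at all, which is the new-hire case.
$candidates = Search-ADAccount -AccountInactive -UsersOnly -SearchBase $SearchBase `
                               -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) |
    Get-ADUser -Properties Description, LastLogonDate, whenCreated, PasswordLastSet, Enabled |
    Where-Object {
        $_.Enabled -and
        $_.Name -notmatch 'student|user|train|production|special' -and
        $_.Description -notmatch 'LOA' -and
        # New-hire rule: keep a never-used account only while it is younger than
        # the grace period. Past that point a pre-staged, never-used account is a
        # standing risk and is handled like any other stale account.
        -not ($null -eq $_.LastLogonDate -and $_.whenCreated -gt $cutoff)
    }

$report = foreach ($user in $candidates) {
    $action = 'Skipped (WhatIf)'
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "disable, stamp description, move to $TargetOU")) {
        # Disable first so the account is neutralised even if the move later fails;
        # move last because the move changes the distinguished name.
        Disable-ADAccount -Identity $user
        Set-ADUser        -Identity $user -Description ("$stamp-" + $user.Description)
        Move-ADObject     -Identity $user.DistinguishedName -TargetPath $TargetOU
        $action = 'Disabled+Moved'
    }
    # Report row built from the object as it was before the changes.
    [pscustomobject]@{
        SamAccountName  = $user.SamAccountName
        OriginalDN      = $user.DistinguishedName
        LastLogonDate   = $user.LastLogonDate
        WhenCreated     = $user.whenCreated
        PasswordLastSet = $user.PasswordLastSet
        Action          = $action
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report
```

Run it once with -WhatIf and read the report before running it for real; the report is produced in both modes, so the dry run already shows exactly which accounts would be touched. Two design points: the never-logged-on accounts are excluded only for a bounded grace period rather than forever, because an account that sits unused for months is exactly the kind of object an attacker looks for; and name-substring exclusions such as 'user' are broad, so where possible keep service and shared accounts in their own OU and scope -SearchBase to the OUs that hold people.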
  • Here is an example of how technology works.

    Paste the following line into Google and Bing or any other advanced search engine:

    what day of the week is the last day of May 2032.

    Google can understand full natural language queries.  Bing and others cannot.

    Learning how to state a question is 90% of finding the answer.


    \_(ツ)_/

    Tuesday, July 24, 2018 9:49 PM
  • How dare you speak ill of Bing on a Microsoft forum! ;)

    WolframAlpha says it's a Monday.

    Wednesday, July 25, 2018 7:48 AM