Solved

Output stale user accounts into log file with only username variables

Posted on 2013-06-11
Last Modified: 2013-06-12
Hey Experts.  I have a script that I use to dump out stale computer accounts from the domain.  The script dumps these computer names into a format in the log file that can be used by another script to then move these computer accounts.  I want to do the same thing but with user accounts.  Here is what I am trying to use in my batch script:
dsquery user OU=Depts,OU=x,DC=x,DC=x,DC=x,DC=x -o rdn -limit 0 -inactive 8 -limit 300 > %logfile%
(for /f "tokens=2,3* delims=,=" %%i in (%logfile%) do @echo %%~i) > c:\tools\staleADPc1-N.log

I'm not getting any useable data so I'm not using the right syntax.  I'm fine using PowerShell or a batch script but please provide the code as I'm learning as I go here.  Any suggestions from the real experts?  Thank you!
Question by:samiam41
12 Comments
 
LVL 4

Expert Comment

by:bepsoccer1
ID: 39239238
something like this should work.

$now=get-date
$daysSinceLastLogon=60  # whatever your time frame for being stale is

Get-QADUser | where {
  $_.lastlogontimestamp -and
    (($now-$_.lastlogontimestamp).days -gt $daysSinceLastLogon)
} | export-csv c:\StaleUsers.csv
 
LVL 83

Expert Comment

by:oBdA
ID: 39239288
The problem with your script is that your tokens are designed to parse the default output (cn=SomeUser,OU=SomeOU...), but at the same time, you're using "-o RDN", which already echoes only the names.
It can be a one-liner in batch:
(for /f "delims=" %%a in ('dsquery.exe user OU=Depts,OU=x,DC=x,DC=x,DC=x,DC=x -o rdn -limit 0 -inactive 8') do echo %%~a)>C:\tools\staleADPc1-N.log

It's easier to understand like this:
@echo off
setlocal
set LogFile=C:\tools\staleADPc1-N.log
if exist "%LogFile%" del "%LogFile%"
for /f "delims=" %%a in ('dsquery.exe user OU=Depts,OU=x,DC=x,DC=x,DC=x,DC=x -o rdn -limit 0 -inactive 8') do (
	echo %%~a
	>>"%LogFile%" echo %%~a
)

 
LVL 9

Author Comment

by:samiam41
ID: 39241017
@oBdA, thanks for the explanation as I understand what I was doing wrong now (and great to see you again).  When I run the script mentioned in your reply, the data that populates the log file is correct but contains quotation marks:

"CSV8"
"CSV7"
"CSV1"
"CSV17"
"CSV13"

How do I get rid of the quotation marks?
 
LVL 9

Author Comment

by:samiam41
ID: 39241046
@bepsoccer1, thanks for the reply.  I had to make a couple of changes to the script you suggested and I am including the message window that appears.

Import-Module ActiveDirectory
$now=get-date
$daysSinceLastLogon=60 

Get-ADUser | where {
  $_.lastlogontimestamp -and 
    (($now-$_.lastlogontimestamp).days -gt $daysSinceLastLogon)
} | export-csv c:\Tools\StaleUsers.csv

I'm not sure if you meant GET-QADUser or GET-ADUser but I used the latter as I figured that is what you meant.  Let me know what you think about the window that popped up when I ran the script.

**Edit:  I'm not sure why it won't let me attach or insert a pic.  I'm working on that now.
 
LVL 83

Expert Comment

by:oBdA
ID: 39241060
Shouldn't be the case and doesn't here (I thought that was the point of the "for /f", otherwise you could just redirect the "dsquery -o rdn" output directly).
Make sure the tilde ("~") is there when addressing the loop variable, it strips away surrounding quotes: echo %%~a
 
LVL 9

Author Comment

by:samiam41
ID: 39241098
oBdA, my apologies.  I was looking at an older log file I was testing with previously.  

When I run this code (please verify I have the values correct), I get this message:

C:\Tools>staleaduser
dsquery failed:'Depts' is an unknown parameter.
type dsquery /? for help.

When I run the command dsquery user from the command prompt, no problem.  The same when I run the entire "dsquery user ou=x,dc=x -inactive 8" command.  I do have the OU and DC fields populated correctly as I took them from another script that works.  Thoughts?

@echo off
setlocal
set LogFile=C:\tools\staleADUser1-N.log
if exist "%LogFile%" del "%LogFile%"
for /f "delims=" %%a in ('dsquery.exe user OU=x,OU=x,DC=x,DC=x,DC=x,DC=x -o rdn -limit 0 -inactive 8') do (
	echo %%~a
	>>"%LogFile%" echo %%~a
)

No log or output file is being created when this script runs, for what it's worth.
 
LVL 83

Assisted Solution

by:oBdA
oBdA earned 500 total points
ID: 39241118
Sorry, tested this without specifying the search root and then just pasted your DN in. Put double quotes around the DN:
@echo off
setlocal
set LogFile=C:\tools\staleADPc1-N.log
if exist "%LogFile%" del "%LogFile%"
for /f "delims=" %%a in ('dsquery.exe user "OU=Depts,OU=x,DC=x,DC=x,DC=x,DC=x" -o rdn -limit 0 -inactive 8') do (
	echo %%~a
	>>"%LogFile%" echo %%~a
)

 
LVL 9

Author Comment

by:samiam41
ID: 39241139
Progress!!

The output file is in the right format however I'm getting the "display name" not the user's "logon name" (jjones)

Output > Jones, JJ  (xx)
Logon name > JJones
 
LVL 83

Accepted Solution

by:oBdA
oBdA earned 500 total points
ID: 39241174
That's actually not the display name, but the AD object's name (or RDN, Relative Distinguished Name).
Just replace "-o rdn" with "-o samid" in your dsquery command.
 
LVL 9

Author Comment

by:samiam41
ID: 39241176
Wait, I think I figured it out.  I use -o samid instead of -o rdn

Yes?
 
LVL 9

Author Comment

by:samiam41
ID: 39241182
Hahahaha!!  That's funny.  How many milliseconds in-between those two posts were there?

Thanks oBdA!
 
LVL 9

Author Closing Comment

by:samiam41
ID: 39241194
Great working with you again!  I really appreciate you explaining the answer instead of just posting the code.  That really helps me (and I'm sure others) learn so much quicker.  Take care and I look forward to working with you again.

-Aaron
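
Added example (not part of the original thread and not any participant's code): the same stale-user report done in PowerShell with the ActiveDirectory module's Get-ADUser, writing one logon name per line as in the accepted dsquery answer. The search base, the 8-week threshold and both output paths are assumptions taken from the thread's placeholders; excluding disabled accounts and writing an audit CSV are choices added here.

```powershell
# Added example, not code from the thread. Assumed values: search base DN,
# 8-week threshold and log path, all copied from the thread's placeholders.
Import-Module ActiveDirectory

$SearchBase    = 'OU=Depts,OU=x,DC=x,DC=x,DC=x,DC=x'  # placeholder DN
$InactiveWeeks = 8                                    # same window as "-inactive 8"
$LogFile       = 'C:\tools\staleADUser1-N.log'
$AuditCsv      = 'C:\tools\staleADUser1-N.csv'        # hypothetical audit copy

# Get-ADUser returns lastLogonTimestamp as a FILETIME integer, not a DateTime,
# so the cutoff is converted before comparing. The attribute is replicated but
# by default can lag real logons by up to about 14 days: fine for a threshold
# of weeks, not for a threshold of days.
$cutoff = (Get-Date).AddDays(-7 * $InactiveWeeks).ToFileTimeUtc()

$query = @{
    SearchBase  = $SearchBase
    SearchScope = 'Subtree'
    # Last logon older than the cutoff AND account not disabled
    # (bitwise match on userAccountControl flag 2, ACCOUNTDISABLE).
    # Accounts that never logged on have no lastLogonTimestamp and do not match.
    LDAPFilter  = "(&(lastLogonTimestamp<=$cutoff)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    Properties  = 'lastLogonTimestamp'
}
$stale = @(Get-ADUser @query | Sort-Object lastLogonTimestamp)

# One sAMAccountName per line, no quotes and no header, for the follow-up script.
$stale | Select-Object -ExpandProperty SamAccountName |
    Set-Content -Path $LogFile

# Audit copy showing why each account was listed, to review before moving anything.
$stale |
    Select-Object SamAccountName, DistinguishedName,
        @{ Name = 'LastLogonUtc'; Expression = { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } |
    Export-Csv -Path $AuditCsv -NoTypeInformation

Write-Host ("{0} stale user account(s) written to {1}" -f $stale.Count, $LogFile)
```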