Solved

User account maintenance PowerShell for Window 2003

Posted on 2014-01-16
4
707 Views
Last Modified: 2014-01-18
What's the powershell to run on Window 2003

1. to list all users that have been disabled over 1 months
2. remove the user accounts that have been disabled over 2 months.

Tks
0
Comment
Question by:AXISHK
  • 2
  • 2
4 Comments
 
LVL 5

Expert Comment

by:Recept
ID: 39787531
Unfortunately there is no AD attributed for when an account was disabled so all we can do is check for disabled accounts which have not been modified in the last X days.


1. List all users that have been disabled over 1 month (30 days)

The Native AD Powershell way (a Windows 2008 Domain Controller required);

Get-ADUser -LDAPFilter {(useraccountcontrol:1.2.840.113556.1.4.803:=2)} -Properties whenChanged | Where-Object {$_.whenChanged -gt (Get-Date).AddDays(-30)} | Select-Object Name, whenChanged

Open in new window


The Quest AD Cmdlets way (Quest AD Cmdlets required but works on 2003);

Get-QADUser -Disabled | Where-Object {$_.whenChanged -gt (get-date).AddDays(-30)} | Select-Object Name, whenChanged

Open in new window



2. Remove the user accounts that have been disabled over 2 months (60 days)

The Native AD Powershell way;
Get-ADUser -LDAPFilter {(useraccountcontrol:1.2.840.113556.1.4.803:=2)} -Properties whenChanged | Where-Object {$_.whenChanged -gt (Get-Date).AddDays(-60)} | Remove-ADUser

Open in new window


The Quest AD Cmdlets way;
Get-QADUser -Disabled | Where-Object {$_.whenChanged -gt (get-date).AddDays(-60)} | Remove-QADObject

Open in new window



Please test the above before running on a Production environment. You can do this by adding the -WhatIf command after the Remove-ADUser and Remove-QADObject commands.

For example
Get-QADUser -Disabled | Where-Object {$_.whenChanged -gt (get-date).AddDays(-60)} | Remove-QADObject -WhatIf

Open in new window

0
 

Author Comment

by:AXISHK
ID: 39790235
Get-ADUser -LDAPFilter {(useraccountcontrol:1.2.840.113556.1.4.803:=2)} -Properties whenChanged | Where-Object {$_.whenChanged -gt (Get-Date).AddDays(-30)} | Select-Object Name, whenChanged

Can I add a criteria to filter out the account that has been disabled?
Can I redirect the result into a CSV file ?
Can I include the location (OU) in the result ?

Tks
0
 
LVL 5

Accepted Solution

by:
Recept earned 500 total points
ID: 39790556
Can I add a criteria to filter out the account that has been disabled?
This is already happening, this part of the command performs an LDAP filter to only return disabled accounts.
-LDAPFilter {(useraccountcontrol:1.2.840.113556.1.4.803:=2)}

Open in new window


Can I redirect the result into a CSV file ?
Absolutely, we just need to pipe the results into the Export-Csv command

Can I include the location (OU) in the result?
We sure can, we just need to include a cleaned up version of the DistinguishedName field


With the amendments the updated command is
Get-ADUser -LDAPFilter {(useraccountcontrol:1.2.840.113556.1.4.803:=2)} -Properties whenChanged | Where-Object {$_.whenChanged -gt (Get-Date).AddDays(-30)} | Select-Object Name, whenChanged, @{name="OU";expression={($_.DistinguishedName -split ",",2)[1]}} | Export-Csv C:\blah.csv

Open in new window

0
 

Author Closing Comment

by:AXISHK
ID: 39790683
Tks
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn about cloud computing and its benefits for small business owners.
Windows 10 came with  a lot of built in applications, Some organisations leave them there, some will control them using GPO's. This Article is useful for those who do not want to have any applications in their image (example:me).
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question