Active Directory / Powershell / disable accounts

cmatchett

Asked:
Hi,

I would like to disable Active Directory accounts that haven't been used in 30 days and who reside in a specific OU.

thanks in advance
Raheman M. Abdul, Messaging and Directory Services

Commented:
# Straight quotes on both sides (the original had a curly opening quote, which PowerShell rejects)
$searchOU = "OU=Accounts,OU=RootOU,DC=ChildDomain,DC=RootDomain,DC=com"

# LastLogonDate is derived from lastLogonTimestamp; accounts that have never logged on have no value,
# and $null -lt <date> evaluates to true, so such accounts are disabled by this pipeline as well.
Get-ADUser -SearchBase $searchOU -Filter * -Properties lastlogondate | Where-Object { $_.enabled -eq "true" -and $_.lastlogondate -lt (Get-Date).AddDays(-30) } | Set-ADUser -Enabled $false

Author

Commented:
If I would like to write which accounts were disabled to a file?
Top Expert 2013

Commented:
Ken wrote an excellent blog on this on the scripting guys blog

http://blogs.technet.com/b/heyscriptingguy/archive/2011/11/30/use-powershell-to-find-and-remove-inactive-active-directory-users.aspx

Note he is using lastLogonTimestamp, which, as he said, is accurate to within 9-14 days. I really like that he set the description so you can easily query for that field.

thanks

Mike

Raheman M. Abdul, Messaging and Directory Services

Commented:
check this first to test if you are fine with the list:
Get-ADUser -SearchBase $searchOU -Filter * -Properties lastlogondate | Where-Object { $_.enabled -eq "true" -and $_.lastlogondate -lt (Get-Date).AddDays(-30) } | Out-File c:\disabledaccounts.txt

Raheman M. Abdul, Messaging and Directory Services

Commented:
$searchOU = "OU=Accounts,OU=RootOU,DC=ChildDomain,DC=RootDomain,DC=com"

$results = Get-ADUser -SearchBase $searchOU -Filter * -Properties lastlogondate | Where-Object { $_.enabled -eq "true" -and $_.lastlogondate -lt (Get-Date).AddDays(-30) } | Set-ADUser -Enabled $false

$results | Out-File c:\disabledaccounts.txt

Author

Commented:
Then, if I would like to append a date to the end of the text file name?

i.e. disabledaccounts-01-04-2014.txt

That will allow me to keep an archive
Raheman M. Abdul, Messaging and Directory Services

Commented:
# Format string is case-sensitive: "MM" is the month, "mm" would be minutes
$date = Get-Date -Format "dd-MM-yyyy"

$results | Out-File "C:\temp\rahmdel-$date.txt"

Author

Commented:
It disables the users, creates the text file but doesn't append the users who were disabled
Raheman M. Abdul, Messaging and Directory Services

Commented:
what does $results show?

Author

Commented:
Blank. I removed '| out-file "C:\temp\rahmdel-$date.txt"' from the PowerShell.
Raheman M. Abdul, Messaging and Directory Services
Commented:
add -passthru at the end as in:

# Set-ADUser returns nothing by default; -PassThru emits the modified user objects so they can be captured
$results = Get-ADUser -SearchBase $searchOU -Filter * -Properties lastlogondate | Where-Object { $_.enabled -eq "true" -and $_.lastlogondate -lt (Get-Date).AddDays(-30) } | Set-ADUser -Enabled $false -PassThru

Then try
Justin Yeung, Senior Systems Engineer

Commented:
Get-ADUser -SearchBase $searchOU -Filter * -Properties lastlogondate | Where-Object { $_.enabled -eq "true" -and $_.lastlogondate -lt (Get-Date).AddDays(-30) }


If you run that and nothing returns, your $result will be $null.

Author

Commented:
@rah this works. What about updating the description with something that says "account disabled on" [date]?
Raheman M. Abdul, Messaging and Directory Services
Commented:
$results = Get-ADUser -SearchBase $searchOU -Filter * -Properties lastlogondate | Where-Object { $_.enabled -eq "true" -and $_.lastlogondate -lt (Get-Date).AddDays(-30) } | Set-ADUser -Enabled $false -PassThru -Add @{description="Disabled On $date"}

You can use :
-description "Disabled On $date"
in place of
-Add @{description="Disabled On $date"}

If you want to add to the present description you can use:

-description "$($_.description) Disabled On $date"

Author

Commented:
Very good. What if I wanted to search, say, three different OUs?
Justin Yeung, Senior Systems Engineer

Commented:
$ou1 = "ou=x,dc=x,dc=x,dc=x"
$ou2 = "ou=xx,dc=x,dc=x,dc=x"
$ou3 = "ou=xxx,dc=x,dc=x,dc=x"

$SearchOUs = $ou1,$ou2,$ou3
foreach ($SearchOU in $OUs)
{
$results = get-aduser -SearchBase $searchOU -filter * -properties lastlogondate | Where-Object {$_.enabled -eq "true"-and $_.lastlogondate -lt (get-date).adddays(-30)} | Set-Aduser -enabled $false

$results | out-file c:\disabledaccounts.txt -append
}
"Batchelor", Developer and EE Topic Advisor, Top Expert 2015
Commented:
That's a lot of vars for nothing, and the last foreach has to refer to $SearchOUs instead of $OUs.
And I would put the condition into the filter expression, which should speed up the operation and reduce overhead:
$dt30 = (Get-Date).AddDays(-30)
$nowISO = Get-Date -Format 'yyyy-MM-dd'
# Filter on LastLogonDate (the DateTime view of lastLogonTimestamp); the raw lastLogon attribute is a
# non-replicated FILETIME integer and cannot be compared to a date here. Because the comparison runs
# server-side, accounts with no LastLogonDate at all (never logged on) are not returned.
"ou=x,dc=x,dc=x,dc=x", "ou=xx,dc=x,dc=x,dc=x", "ou=xxx,dc=x,dc=x,dc=x" | % {
  Get-ADUser -SearchBase $_ -Filter { (Enabled -eq $true) -and (LastLogonDate -le $dt30) } |
  Set-ADUser -Enabled $false -Description "Disabled on $nowISO" -PassThru
} | Select-Object samAccountName, DistinguishedName | Out-File "disabledaccounts-$nowISO.txt"


With a proper LDAPFilter we could even allow the search to run in one go, and be more effective, but LDAP syntax is, ehm, not straightforward.
Meanwhile, the DSQuery command will also be a nice approach to accomplish what you are looking for. Please check out the given link: http://social.technet.microsoft.com/wiki/contents/articles/2195.active-directory-dsquery-commands.aspx
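Pulling the whole thread together as one script, added here as an example and not code from any of the posters above: several OUs, the inactivity condition pushed server-side as an LDAP filter (the "one go" variant mentioned above, one query per OU), the existing description preserved rather than overwritten, a dated CSV of what was disabled, and a -WhatIf dry run so the list can be reviewed before anything is changed. Never-logged-on accounts, which have no lastLogonTimestamp and so would silently drop out of a date filter, are picked up separately by creation date. The OU distinguished names, the log folder, the 30-day threshold and the script file name are placeholders; the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example: disable enabled users inactive for N days in several OUs, with a dated CSV log.
# Assumptions: ActiveDirectory module present; the OU DNs, log folder and threshold below are placeholders.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$SearchBases = @(
        'OU=Accounts,OU=RootOU,DC=ChildDomain,DC=RootDomain,DC=com',      # placeholder DN
        'OU=Contractors,OU=RootOU,DC=ChildDomain,DC=RootDomain,DC=com'    # placeholder DN
    ),
    [int]$InactiveDays = 30,
    [string]$LogDirectory = 'C:\temp'                                     # placeholder path
)

Import-Module ActiveDirectory

$cutoff  = (Get-Date).AddDays(-$InactiveDays)
$stamp   = Get-Date -Format 'yyyy-MM-dd'      # MM is the month; mm would be minutes
$logFile = Join-Path $LogDirectory "disabledaccounts-$stamp.csv"

# lastLogonTimestamp is stored as a 64-bit FILETIME, so the cutoff is converted to that form for the
# LDAP filter. userAccountControl bit 2 (ACCOUNTDISABLE) is tested with the bitwise-AND matching rule
# so only enabled accounts come back. Remember that lastLogonTimestamp replicates lazily and can be
# 9-14 days behind the real last logon.
$cutoffFileTime = $cutoff.ToFileTimeUtc()
$enabledUsers   = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
$staleFilter    = "$enabledUsers(lastLogonTimestamp<=$cutoffFileTime))"
# Accounts that never logged on carry no lastLogonTimestamp and would not match the filter above,
# so they are selected by whenCreated (LDAP generalized time) older than the same cutoff.
$createdCutoff  = $cutoff.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
$neverUsedFilter = "$enabledUsers(!(lastLogonTimestamp=*))(whenCreated<=$createdCutoff))"

$props = 'LastLogonDate', 'Description', 'whenCreated'
$disabled = foreach ($base in $SearchBases) {
    $candidates = @(Get-ADUser -SearchBase $base -LDAPFilter $staleFilter -Properties $props) +
                  @(Get-ADUser -SearchBase $base -LDAPFilter $neverUsedFilter -Properties $props)
    foreach ($user in $candidates) {
        # With -WhatIf, ShouldProcess reports the candidate and returns $false, so nothing is changed.
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Disable (last logon: $($user.LastLogonDate))")) {
            # description is single-valued: -Add fails when a value already exists, so build the
            # new text from the old one and set it outright.
            $newDescription = ("{0} Disabled on {1}" -f $user.Description, $stamp).Trim()
            Set-ADUser -Identity $user -Enabled $false -Description $newDescription
            [pscustomobject]@{
                SamAccountName    = $user.SamAccountName
                DistinguishedName = $user.DistinguishedName
                LastLogonDate     = $user.LastLogonDate
                WhenCreated       = $user.whenCreated
                DisabledOn        = $stamp
            }
        }
    }
}

if ($disabled) {
    $disabled | Export-Csv -Path $logFile -NoTypeInformation
    Write-Verbose "Disabled $(@($disabled).Count) account(s); log written to $logFile"
} else {
    Write-Verbose "No enabled accounts inactive for more than $InactiveDays days were found."
}
```

Run it first as `.\Disable-StaleUsers.ps1 -WhatIf` (placeholder file name) to see which accounts would be touched, then without -WhatIf to disable them; add -Verbose to get the count and log path. Each run writes its own `disabledaccounts-<date>.csv`, so the archive of what was disabled when builds up on its own.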

Author

Commented:
very good
