cmatchett
asked on
Active Directory / Powershell / disable accounts
Hi,
I would like to disable Active Directory accounts that haven't been used in 30 days and who reside in a specific OU.
thanks in advance
ASKER
If I would like to write which accounts were disabled to a file?
Ken wrote an excellent blog on this on the scripting guys blog
http://blogs.technet.com/b/heyscriptingguy/archive/2011/11/30/use-powershell-to-find-and-remove-inactive-active-directory-users.aspx
note he is using lastlogontimestamp which as he said is accurate between 9-14 days. I really like that he set the description so you can easily query for that field.
thanks
Mike
check this first to test if you are fine with the list:
get-aduser -SearchBase $searchOU -filter * -properties lastlogondate | Where-Object {$_.enabled -eq "true"-and $_.lastlogondate -lt (get-date).adddays(-30)} | out-file c:\disabledaccounts.txt
$searchOU = "OU=Accounts,OU=RootOU,DC=ChildDomain,DC=RootDomain,DC=com"
$results = get-aduser -SearchBase $searchOU -filter * -properties lastlogondate | Where-Object {$_.enabled -eq "true"-and $_.lastlogondate -lt (get-date).adddays(-30)} | Set-Aduser -enabled $false
$results | out-file c:\disabledaccounts.txt
ASKER
Then if I would like to append a date to the end of the text file?
i.e. disableduaccounts-01-04-2014.txt
That will allow me to keep an archive
# MM is the month; lowercase mm would insert the minutes instead
$date = get-date -Format "dd-MM-yyyy"
$results | out-file "C:\temp\rahmdel-$date.txt"
ASKER
It disables the users, creates the text file but doesn't append the users who were disabled
what does $results show?
ASKER
Blank. I removed '| out-file "C:\temp\rahmdel-$date.txt "' from the PowerShell
get-aduser -SearchBase $searchOU -filter * -properties lastlogondate | Where-Object {$_.enabled -eq "true"-and $_.lastlogondate -lt (get-date).adddays(-30)}
If you run this and nothing is returned, your $result will be $null.
ASKER
@ rah this works. What about updating the description, which says "account disabled on" [date]?
ASKER
Very good. What if I wanted to search, say, three different OUs?
$ou1 = "ou=x,dc=x,dc=x,dc=x"
$ou2 = "ou=xx,dc=x,dc=x,dc=x"
$ou3 = "ou=xxx,dc=x,dc=x,dc=x"
$SearchOUs = $ou1,$ou2,$ou3
# Loop over the array assigned above ($OUs was never defined)
foreach ($SearchOU in $SearchOUs)
{
# -PassThru makes Set-ADUser return the changed users, so $results is not empty
$results = get-aduser -SearchBase $searchOU -filter * -properties lastlogondate | Where-Object {$_.enabled -eq "true" -and $_.lastlogondate -lt (get-date).adddays(-30)} | Set-Aduser -enabled $false -PassThru
$results | out-file c:\disabledaccounts.txt -append
}
Meanwhile, the DS Query command will also be a nice approach to accomplish the task you are looking at. Please check out the given link: http://social.technet.microsoft.com/wiki/contents/articles/2195.active-directory-dsquery-commands.aspx
ASKER
very good
get-aduser -SearchBase $searchOU -filter * -properties lastlogondate | Where-Object {$_.enabled -eq "true"-and $_.lastlogondate -lt (get-date).adddays(-30)} | Set-Aduser -enabled $false
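The pieces asked for across this thread (several OUs, a dated log file, a description stamp) combined into one script, as an added example that is not part of the original thread. The OU names, the C:\temp path, the CSV layout and the 14-day margin are assumptions; accounts that have never logged on are judged by creation date, because their LastLogonDate is empty and would otherwise always compare as older than the cutoff.

```powershell
# Added example, not code from the thread. OU DNs, path and margin are assumptions.
Import-Module ActiveDirectory

$searchOUs = @(
    'OU=Accounts,OU=RootOU,DC=ChildDomain,DC=RootDomain,DC=com'      # placeholder
    'OU=Contractors,OU=RootOU,DC=ChildDomain,DC=RootDomain,DC=com'   # placeholder
)
$reportOnly = $true   # $true: only list candidates, change nothing
$marginDays = 14      # LastLogonDate is built from lastLogonTimestamp, which lags (see thread)
$cutoff     = (Get-Date).AddDays(-(30 + $marginDays))
$stamp      = Get-Date -Format 'dd-MM-yyyy'   # MM is month; mm would be minutes
$logFile    = "C:\temp\disabledaccounts-$stamp.csv"

$processed = foreach ($ou in $searchOUs) {
    Get-ADUser -SearchBase $ou -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated, Description |
        Where-Object {
            # ($null -lt <date>) is $true, so a never-used account would match
            # the plain LastLogonDate test even if it was created yesterday.
            if ($null -eq $_.LastLogonDate) { $_.whenCreated -lt $cutoff }
            else                            { $_.LastLogonDate -lt $cutoff }
        } |
        ForEach-Object {
            $user   = $_
            $action = 'WouldDisable'
            if (-not $reportOnly) {
                try {
                    Set-ADUser -Identity $user -Enabled $false -Description "Account disabled on $stamp" -ErrorAction Stop
                    $action = 'Disabled'
                } catch {
                    $action = "Failed: $($_.Exception.Message)"
                }
            }
            # Build the log record from the object already in hand, so the file
            # is populated regardless of what Set-ADUser returns.
            [pscustomobject]@{
                SamAccountName    = $user.SamAccountName
                DistinguishedName = $user.DistinguishedName
                LastLogonDate     = $user.LastLogonDate
                OldDescription    = $user.Description   # kept because the stamp overwrites it
                Action            = $action
            }
        }
}

$processed | Export-Csv -Path $logFile -NoTypeInformation
```

Run it once with `$reportOnly = $true` and review the CSV before switching it to `$false`.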