Solved

Inactive Users

Posted on 2014-10-30
9
105 Views
Last Modified: 2014-11-09
Dear Experts,

In my organization Windows server 2012 is installed & also AD configured . I want to know which all users are inactive for 90 days. So that those accounts gets disabled automatically & moves to different OU. Is it possible through GP .

Please help as i am new to servers.

Regards,

JCT
0
Comment
Question by:jct_777
  • 5
  • 4
9 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40414307
Here is a previously answered question which will get you on the right path:

http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_24890316.html
0
 
LVL 1

Author Comment

by:jct_777
ID: 40418978
Hi ,

Is there any script which will perform the above requirement. Also i want to exclude those service accounts .

Regards,

JCT
0
 
LVL 29

Expert Comment

by:becraig
ID: 40419701
Here is a question I answered with a script that does the delete, simply change the date/time window you need.
http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_28506778.html


For disabled users:
$time = (Get-Date).Adddays(-(105))
$delreport = @()
#first step Removing all disabled users not logged in for more than 195 days 
Get-ADuser -filter * | where {$_.Enabled -eq $false -and $_.Name -notlike "SVC_*" -and $_.LastLogonTimeStamp -lt $time} | % {
$user = $_.Name
$grps = ($_.memberof | Get-ADGroup | Select -ExpandProperty Name)
#Remove users from groups
$grps | % {
            Remove-ADGroupMember -Identity $_ -Member $user -whatif
          }

#Remove user from AD
Remove-AdUser -Identity $user -whatif

#create csv report
$item = New-Object PSObject
$item | Add-Member -type NoteProperty -Name 'FNAME' -Value $_.GivenName
$item | Add-Member -type NoteProperty -Name 'LNAME' -Value $_.Surname
$item | Add-Member -type NoteProperty -Name 'USERNAME' -Value $_.samaccountname
$item | Add-Member -type NoteProperty -Name 'USERSID' -Value $_.SID
$delreport += $item
}

$delreport | export-csv report.csv -nti

                        

Open in new window

                       
                 

For removing accounts not disabled but not logged on for more than 90 days:

$time = (Get-Date).Adddays(-(105))
$delreport = @()
#first step Removing all disabled users not logged in for more than 105 days 
Get-ADuser -filter * | where {$_.Enabled -eq $true -and $_.Name -notlike "SVC_*" -and $_.LastLogonTimeStamp -lt $time} | % {
$user = $_.Name
Remove-AdUser -Identity $user -whatif

#create csv report
$item = New-Object PSObject
$item | Add-Member -type NoteProperty -Name 'FNAME' -Value $_.GivenName
$item | Add-Member -type NoteProperty -Name 'LNAME' -Value $_.Surname
$item | Add-Member -type NoteProperty -Name 'USERNAME' -Value $_.samaccountname
$item | Add-Member -type NoteProperty -Name 'USERSID' -Value $_.SID
$delreport += $item
}

$delreport | export-csv Enabled-userdelete.csv -nti

Open in new window

                                         

the script assumes your service accounts have a name starting with svc*
0
 
LVL 1

Author Comment

by:jct_777
ID: 40423392
Hi ,

I did run the below script .

@echo off
dsquery user -inactive 13 > C:\Inactiveuser.txt
@echo No of Inactive users:
dsquery user -inactive 13 | find "CN=" /c
@echo Disabling users
dsquery user -inactive 13 | dsmod user -disabled Yes
@echo Moving users
for /F "delims=" %%V in (C:\move.txt) do dsmove %%V -newparent "OU=Disabledusers,DC=aa,DC=local"

But after running the above script the the users which were  inactive for 90 days are getting disabled automatically but it is not getting moved to another OU.

Regards,

JCT
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 29

Expert Comment

by:becraig
ID: 40424684
You can do this in powershell:
gc C:\Inactiveuser.txt  | % { Get-Aduser $_ | Move-ADObject -TargetPath 'OU=Disabledusers,DC=aa,DC=local'}

Open in new window

0
 
LVL 1

Author Comment

by:jct_777
ID: 40425519
Hi ,

Just to confirm if i run the above mentioned command in the powershell it will move only the disabled users.

Active users should not be affected. Please confirm

Regards,

JCT
0
 
LVL 29

Assisted Solution

by:becraig
becraig earned 500 total points
ID: 40425523
It will move only the users in your text file, you can add -whatif so you can verify.

gc C:\Inactiveuser.txt | % { Get-Aduser $_ | Move-ADObject -TargetPath 'OU=Disabledusers,DC=aa,DC=local' -whatif}

Open in new window

0
 
LVL 1

Author Comment

by:jct_777
ID: 40425566
Hi ,

In inactiveuser .txt the users which are not active for 90 days list is there. but here some users are there who never logged in till now. that account also is disabled . I want to move all the disabled users to different OU.

Regards,

JCT
0
 
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 40426779
You can either run the script for each list or simply put all the users in one text file and then run the script against that file.

The input will come from the text files you already have from the previous scripts.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Log files are useful in diagnosing and repairing problems.  This is a list of common log files and their standard locations that I've compiled.   While this is not exhaustive, it is a pretty good list that I've found to be useful.  I may update it f…
This article describes how to set permissions to allow a limited-permissions user to start and stop a particular System Service.   It is always best to give users only the permissions that they need to perform their job, so tweaking particular permi…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now