jct_777
Inactive Users
Dear Experts,
In my organization Windows Server 2012 is installed & AD is also configured. I want to know which users have been inactive for 90 days, so that those accounts get disabled automatically & moved to a different OU. Is it possible through GP?
Please help as I am new to servers.
Regards,
JCT
ASKER
Hi,
Is there any script which will perform the above requirement? Also, I want to exclude the service accounts.
Regards,
JCT
Here is a question I answered with a script that does the delete, simply change the date/time window you need.
https://www.experts-exchange.com/questions/28506778/Powershell-script-help-required-from-a-guru.html
For disabled users:
$time = (Get-Date).AddDays(-105)
$delreport = @()
# First step: removing all disabled users not logged in for more than 105 days.
# LastLogonDate and MemberOf are not returned by default, so request them explicitly;
# without -Properties the date is $null and every account passes the -lt test.
# Accounts that never logged on have an empty LastLogonDate and also match.
Get-ADUser -Filter * -Properties LastLogonDate, MemberOf | where {$_.Enabled -eq $false -and $_.Name -notlike "SVC_*" -and $_.LastLogonDate -lt $time} | % {
    $user = $_
    # Remove user from groups (MemberOf holds the group distinguished names)
    $user.MemberOf | % {
        Remove-ADGroupMember -Identity $_ -Members $user -WhatIf
    }
    # Remove user from AD
    Remove-ADUser -Identity $user -WhatIf
    # Create csv report
    $item = New-Object PSObject
    $item | Add-Member -Type NoteProperty -Name 'FNAME' -Value $user.GivenName
    $item | Add-Member -Type NoteProperty -Name 'LNAME' -Value $user.Surname
    $item | Add-Member -Type NoteProperty -Name 'USERNAME' -Value $user.SamAccountName
    $item | Add-Member -Type NoteProperty -Name 'USERSID' -Value $user.SID
    $delreport += $item
}
$delreport | Export-Csv report.csv -NoTypeInformation
For removing accounts not disabled but not logged on for more than 90 days:
$time = (Get-Date).AddDays(-105)
$delreport = @()
# Removing all enabled users not logged in for more than 105 days.
# LastLogonDate is not returned by default, so request it explicitly;
# accounts that never logged on have an empty LastLogonDate and also match.
Get-ADUser -Filter * -Properties LastLogonDate | where {$_.Enabled -eq $true -and $_.Name -notlike "SVC_*" -and $_.LastLogonDate -lt $time} | % {
    $user = $_
    Remove-ADUser -Identity $user -WhatIf
    # Create csv report
    $item = New-Object PSObject
    $item | Add-Member -Type NoteProperty -Name 'FNAME' -Value $user.GivenName
    $item | Add-Member -Type NoteProperty -Name 'LNAME' -Value $user.Surname
    $item | Add-Member -Type NoteProperty -Name 'USERNAME' -Value $user.SamAccountName
    $item | Add-Member -Type NoteProperty -Name 'USERSID' -Value $user.SID
    $delreport += $item
}
$delreport | Export-Csv Enabled-userdelete.csv -NoTypeInformation
the script assumes your service accounts have a name starting with svc*
ASKER
Hi,
I did run the below script.
@echo off
dsquery user -inactive 13 > C:\Inactiveuser.txt
@echo No of Inactive users:
dsquery user -inactive 13 | find "CN=" /c
@echo Disabling users
dsquery user -inactive 13 | dsmod user -disabled Yes
@echo Moving users
for /F "delims=" %%V in (C:\move.txt) do dsmove %%V -newparent "OU=Disabledusers,DC=aa,DC =local"
But after running the above script, the users which were inactive for 90 days are getting disabled automatically, but they are not getting moved to another OU.
Regards,
JCT
You can do this in powershell:
# dsquery writes each DN wrapped in double quotes, so strip them before the lookup
gc C:\Inactiveuser.txt | % { Get-ADUser $_.Trim('"') | Move-ADObject -TargetPath 'OU=Disabledusers,DC=aa,DC=local' }
ASKER
Hi,
Just to confirm: if I run the above-mentioned command in PowerShell, it will move only the disabled users.
Active users should not be affected. Please confirm.
Regards,
JCT
ASKER
Hi,
In Inactiveuser.txt the list of users which are not active for 90 days is there, but some users are there who have never logged in till now; those accounts are also disabled. I want to move all the disabled users to a different OU.
Regards,
JCT
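One way to do what the thread asks for (disable stale accounts, then move every disabled account to the OU), given here as an added example that is not part of any post above. It assumes service accounts are named SVC_*, uses the target OU and the 105-day threshold from the thread, and keeps -WhatIf on every change so nothing is modified until that switch is removed.

```powershell
# Added example, not from the thread. Assumed: SVC_* naming for service accounts,
# the thread's target OU, and its 105-day threshold.
Import-Module ActiveDirectory

$cutoff   = (Get-Date).AddDays(-105)
$targetOU = 'OU=Disabledusers,DC=aa,DC=local'

# Shared exclusions: service accounts, built-in accounts flagged as critical
# system objects (krbtgt, Guest, Administrator), and anything already in the OU.
function Test-InScope($u) {
    $u.SamAccountName -notlike 'SVC_*' -and
    -not $u.isCriticalSystemObject -and
    $u.DistinguishedName -notlike "*,$targetOU"
}

# Step 1: disable enabled accounts that are stale.
$stale = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties LastLogonDate, whenCreated, isCriticalSystemObject |
    Where-Object {
        # LastLogonDate is empty for accounts that never logged on; judge those
        # by creation date so a freshly created account is not swept up.
        $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        (Test-InScope $_) -and $last -lt $cutoff
    }

$report = @(foreach ($u in $stale) {
    Disable-ADAccount -Identity $u -WhatIf
    [pscustomobject]@{
        USERNAME  = $u.SamAccountName
        USERSID   = $u.SID
        LASTLOGON = $u.LastLogonDate
        CREATED   = $u.whenCreated
    }
})
$report | Export-Csv stale-users.csv -NoTypeInformation

# Step 2: move every disabled user, whether disabled above or earlier by hand.
Get-ADUser -Filter 'Enabled -eq $false' -Properties isCriticalSystemObject |
    Where-Object { Test-InScope $_ } |
    ForEach-Object {
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $targetOU -WhatIf
    }
```

During a -WhatIf dry run, step 2 lists only accounts that were already disabled, because step 1 has not actually disabled anything yet.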
https://www.experts-exchange.com/questions/24890316/how-do-i-create-a-group-policy-to-diable-inactive-accounts-after-x-number-of-days-in-an-OU-in-AD.html