CuriousMAUser
asked on
With PowerShell how may I record disabled accounts and export the findings to a CSV file?
Hello Expert,
I've cobbled together this script and am unable to output a CSV file with the active accounts and move the inactive accounts to the DisabledAccounts OU. Would you please review this script and offer suggestions to remedy this situation? Wasn't sure if the issue centered around the 'filter' parameter, 'whatif' parameter or something else.
# Disable inactive user accounts in the domain that have NOT logged in since the specified date
# PowerShell 4.0
# Client OS: Windows 7, Server OS: Windows 2008 R2
# Modified: IT Staff
# Date: 20-Jan-2015
import-module activedirectory
import-module grouppolicy
# Create script variables to apply
# Create a variable for the date stamp in the log file
$LogDate = get-date -f mm-dd-yy
#Sets the OU to do the base search for all user accounts
$SearchBase = "OU=Administrators,OU=Settings,OU=TestOU,OU=AdministratorAccounts,DC=test,DC=local"
#Create an empty array for the log file
$LogArray = @()
#Sets the number of days to disable user accounts based on lastlogontimestamp and pwdlastset.
$PasswordAge = (Get-Date).adddays(-2)
#Use ForEach to loop through all users with pwdlastset and lastlogontimestamp greater than date set. Also add users with no lastlogon date set. Disables the accounts and adds to log array.
#Add the properties you will be using to ensure they are available.
$DisabledUsers = (Get-ADUser -searchbase $SearchBase -Properties samaccountname, name, distinguishedname -Filter {((lastlogondate -notlike "*") -OR (lastlogondate -le $Passwordage) -AND (enabled -eq $True))})
# Code to apply the variables
if ($DisabledUsers -ne $null -and $DisabledUsers.Count > 0) {
ForEach ($DisabledUsers in $DisabledUsers) {
#Set the user objects description attribute to a date stamp. Example "19JAN2015" To log only add "-whatif"
Set-ADuser $DisabledUsers -Description ((get-date).toshortdatestring()) -WhatIf
#Disabled user object. To log only add "-Whatif"
Disable-ADaccount $DisabledUsers -WhatIf
#Create new object for logging
$obj = New-Object PSObject
$obj | Add-Member -MemberType NoteProperty -Name "name" -Value $DisabledUsers.name
$obj | Add-Member -MemberType NoteProperty -Name "samAccountName" -Value $DisabledUsers.samaccountname
$obj | Add-Member -MemberType NoteProperty -Name "distinguishedname" -Value $DisabledUsers.distinguishedName
$obj | Add-Member -MemberType NoteProperty -Name "status" -Value 'Disabled User'
#Adds object to the log array
$LogArray += $obj
# Move disabled users in TestOU to DisabledAccounts OU
Search-ADAccount –userAccountControl –UsersOnly –SearchBase “OU=Administrators,OU=Settings,OU=TestOU,OU=AdministratorAccounts,DC=sleepmed,DC=md” | Move-ADObject –TargetPath “OU=DisabledAccounts,OU=TestOU,OU=AdministratorAccounts,DC=test,DC=local” |
Move-ADObject –TargetPath “OU=DisabledAccounts,OU=TestOU,OU=AdministratorAccounts,DC=test,DC=local”
#Exports log array to CSV file in the Scripts directory with a date and time stamp.
$logArray | Export-Csv "C:\Scripts\User_Report.csv" -NoTypeInformation
} else {
Write-Output "No disabled users to process for $PasswordAge."
}
}
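
A restructured version of the script in the question, as an added example that is not part of the original post: it selects enabled users under the search base with no recent logon, disables and moves each one, and writes the CSV once after the loop. The OU paths come from the question; the 90-day cutoff, the `$DryRun` switch and the dated file name are assumptions.

```powershell
# Added example, not the asker's script. OU paths are from the question;
# the 90-day cutoff, $DryRun and the dated CSV name are assumptions.
Import-Module ActiveDirectory

$SearchBase = 'OU=Administrators,OU=Settings,OU=TestOU,OU=AdministratorAccounts,DC=test,DC=local'
$TargetOU   = 'OU=DisabledAccounts,OU=TestOU,OU=AdministratorAccounts,DC=test,DC=local'
$Cutoff     = (Get-Date).AddDays(-90)
$Stamp      = Get-Date -Format 'MM-dd-yy'   # MM is month; lowercase mm is minutes
$CsvPath    = "C:\Scripts\User_Report_$Stamp.csv"
$DryRun     = $true                         # $true previews every change via -WhatIf

# LastLogonDate is derived from lastLogonTimestamp, which replicates with a lag
# of up to about two weeks by default, so keep the cutoff well above that.
# Staleness is tested client-side so accounts that never logged on (null) count too.
$Stale = @(Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -le $Cutoff })

if ($Stale.Count -gt 0) {                   # -gt compares; > would redirect output to a file named 0
    $Log = foreach ($User in $Stale) {      # loop variable is distinct from the collection
        $Status = if ($DryRun) { 'Would disable' } else { 'Disabled User' }
        try {
            # Stamp the description, disable, then move; stop at the first failure for this user
            Set-ADUser -Identity $User -Description (Get-Date).ToShortDateString() -WhatIf:$DryRun -ErrorAction Stop
            Disable-ADAccount -Identity $User -WhatIf:$DryRun -ErrorAction Stop
            Move-ADObject -Identity $User.DistinguishedName -TargetPath $TargetOU -WhatIf:$DryRun -ErrorAction Stop
        }
        catch {
            $Status = "Failed: $($_.Exception.Message)"
        }
        # One log row per account, recording the DN it had before the move
        [pscustomobject]@{
            Name              = $User.Name
            SamAccountName    = $User.SamAccountName
            DistinguishedName = $User.DistinguishedName
            LastLogonDate     = $User.LastLogonDate
            Status            = $Status
        }
    }
    # Export once, after the loop, so the file holds every row
    $Log | Export-Csv -Path $CsvPath -NoTypeInformation
}
else {
    Write-Output "No enabled accounts inactive since $Cutoff."
}
```

Run it with `$DryRun = $true` first and review the CSV before setting it to `$false`.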