List Active account in AD with lastlogondate more than 90 days.

I tried the following script by one of the experts to list "active" AD accounts whose lastlogondate is more than 90 days.

Import-module activedirectory
$OU = "ou=myou,dc=domain,dc=com"
$Date = get-date
Get-ADUser -Filter * -SearchBase $OU -Properties samaccountname, givenname, surname, LastLogonDate |
? { $_.LastLogonDate -lt $Date.AddDays(-90) } |
Select samaccountname, givenname, surname, LastLogonDate |
Export-csv "c:\UserExport.csv" -nti

I see those active accounts when I run it against a user OU.  However, when I change the $OU to "dc=mydomain,dc=com" to search the entire domain, I see the "INACTIVE" accounts are included as well.  How can I get rid of those INACTIVE accounts in the result file?

Please advise how to fix this.

Thanks.
nav2567Asked:

arnoldCommented:
Add enabled to the data you get for each user.

Check for enabled=true to only display active users/accounts.

Try adding the following before the lastlogon check.

|
? { $_.Enabled -eq $True }
0
arnoldCommented:
You can also instead use the filter,
Get-ADUser -Filter 'enabled -eq $true'
0
nav2567Author Commented:
Can you modify the whole line?  I tried it but it still bounces error.

Thanks.
0
nav2567Author Commented:
Nevermind.  It works.  

Would you please add PS command in the script so all the accounts being listed are moved into a specific OU?

Thanks again.
0
nav2567Author Commented:
Also, can someone tell me why a lot of the accounts being listed have a blank LASTLOGONDATE in the result file?

Thanks.
0
arnoldCommented:
They may never have logged in.  I am not sure why it is empty. Do you have a user GPO that each user upon login records their login/logout sessions?
https://technet.microsoft.com/en-us/library/dd378802%28v=ws.10%29.aspx
Move-ADObject 'CN=Brad Sutton,CN=Users,DC=Fabrikam,DC=com' -TargetPath 'OU=Accounting,DC=Fabrikam,DC=com'

In your script example the list of items you are passing will need to be passed one at a time to the ...
You will need to loop foreach if the data of users you are passing.

http://social.technet.microsoft.com/wiki/contents/articles/4542.powershell-loops.aspx

Presumably you are working out the determination /logic which users from the list you want moved, or will you be feeding the next script a modified version of the csv file?
0
Will SzymkowskiSenior Solution ArchitectCommented:
I have modified the code below...

Import-module activedirectory
$OU = "ou=myou,dc=domain,dc=com"
$Date = get-date
Get-ADUser -Filter * -SearchBase $OU -Properties samaccountname, givenname, surname, LastLogonDate |
? { $_.LastLogonDate -lt $Date.AddDays(-90) -and $_.Enabled -eq $true } |
Select samaccountname, givenname, surname, LastLogonDate |
Export-csv "c:\UserExport.csv" -nti


As stated, the LastLogonDate is blank when the user has never logged in.

Will.
0
nav2567Author Commented:
Thanks, guys.

Will, can you add another line to move these accounts into a specific OU?
0
Will SzymkowskiSenior Solution ArchitectCommented:
Sure see below...
Import-module activedirectory
$OU = "ou=myou,dc=domain,dc=com"
$TargetOU = "ou=newou,dc=domain,dc=com"
$Date = get-date
# Move enabled accounts whose last logon is older than 90 days (or blank).
# Each piped user object binds to Move-ADObject's -Identity; $_ is only
# defined inside a script block, so it cannot be used as a plain argument here.
Get-ADUser -Filter * -SearchBase $OU -Properties samaccountname, givenname, surname, LastLogonDate, DistinguishedName |
? { $_.LastLogonDate -lt $Date.AddDays(-90) -and $_.Enabled -eq $true } |
Move-ADObject -TargetPath $TargetOU
# Export every account that is now in the target OU
Get-ADUser -Filter * -SearchBase $TargetOU -Properties  samaccountname, givenname, surname, LastLogonDate |
Select samaccountname, givenname, surname, LastLogonDate |
Export-csv "c:\UserExport.csv" -nti


Try that out. I have not tested this. If this does not work then I might have to use a ForEach loop, but it should work for you. Let me know if you have any errors.

Also make sure that you change the TargetOU variable with the OU where you want the objects removed.

Will.
0
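An added example, not part of the original thread or any participant's script: a report-first version of the stale-account sweep discussed above, which separates accounts that never logged on (blank LastLogonDate) from accounts that are stale, and previews the move with -WhatIf. The OU names are the thread's placeholders; the Reason column and the rule that a never-used account must itself be 90 days old are assumptions.

```powershell
Import-Module ActiveDirectory

$SearchBase = "dc=domain,dc=com"            # placeholder from the thread
$TargetOU   = "ou=newou,dc=domain,dc=com"   # placeholder from the thread
$Cutoff     = (Get-Date).AddDays(-90)

# Filter on Enabled at the domain controller so disabled accounts never come back.
# LastLogonDate and whenCreated are not returned unless requested.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties LastLogonDate, whenCreated

$report = foreach ($u in $users) {
    # Skip accounts that already sit in the target OU.
    if ($u.DistinguishedName.EndsWith(",$TargetOU", [StringComparison]::OrdinalIgnoreCase)) { continue }

    if ($null -eq $u.LastLogonDate) {
        # A blank LastLogonDate compares as "older" than any date, so it would
        # silently pass a plain -lt test. Classify it explicitly instead.
        # Assumption: a never-used account is only stale once it is 90 days old.
        if ($u.whenCreated -ge $Cutoff) { continue }
        $reason = 'NeverLoggedOn'
    }
    elseif ($u.LastLogonDate -lt $Cutoff) { $reason = 'Stale' }
    else { continue }

    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        GivenName         = $u.GivenName
        Surname           = $u.Surname
        LastLogonDate     = $u.LastLogonDate
        WhenCreated       = $u.whenCreated
        Reason            = $reason
        DistinguishedName = $u.DistinguishedName
    }
}

# Write the review list before anything is changed in the directory.
$report | Export-Csv "c:\UserExport.csv" -NoTypeInformation

# -WhatIf only prints the intended moves; drop it once the CSV has been reviewed.
$report | ForEach-Object {
    Move-ADObject -Identity $_.DistinguishedName -TargetPath $TargetOU -WhatIf
}
```

A domain-wide search also returns built-in and service accounts that rarely log on interactively, so check the CSV for those before removing -WhatIf.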
Question has a verified solution.