kuzum

inactive users

Dear experts,

I am trying to change this code to get "inactive users" that sit in a specified OU, not the entire domain!

There is a high number of users in the OU, and I do not know when they last accessed the domain.

Is lastLogonTimestamp the correct option to use? I am not sure if it is replicated between DCs so that I can get accurate information.

Could you please help me get the information I need from a specific OU, with their SamAccountName and home drive path?

Import-Module ActiveDirectory
$domain = "my domain "
$DaysInactive = 210
$time = (Get-Date).AddDays(-($DaysInactive))

# Get all enabled AD users whose lastLogonTimestamp is older than $time
Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp |

# Output Name and lastLogonTimestamp into CSV (HH = 24-hour clock, so the stamp is unambiguous)
Select-Object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_HH:mm:ss')}} | Export-Csv c:\temp\OLD_User.csv -NoTypeInformation
Kevin Stanush

I can't help you with the code, but yes, 'LastLogonTimeStamp' is what you want to use, provided you know that it's got about a 10-day accuracy limitation (worst-case).

Here is a good article on how it works:

https://blogs.technet.microsoft.com/askds/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works/
SubSun
Using Search-ADAccount would be better.
Example:
Import-Module ActiveDirectory
$DaysInactive = 210
$OU = "ou=Sales,ou=Test,dc=MyDomain,dc=com"
# -TimeSpan expects a [TimeSpan]; a bare [int] converts to ticks, not days, so build it explicitly
Search-ADAccount -UsersOnly -SearchBase $OU -AccountInactive -TimeSpan (New-TimeSpan -Days $DaysInactive) | ?{$_.enabled} | Get-ADUser -Properties LastLogonTimeStamp,HomeDirectory,HomeDrive |

# Output Name, home directory/drive, SamAccountName and lastLogonTimestamp into CSV (HH = 24-hour clock)
Select-Object Name,HomeDirectory,HomeDrive,SamAccountName,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_HH:mm:ss')}} | Export-Csv c:\temp\OLD_User.csv -NoTypeInformation


The -AccountInactive switch looks at the 'LastLogonTimeStamp' attribute when comparing it to the $DaysInactive.
kuzum

ASKER

Is LastLogonTimeStamp a 100% valid source to rely on? Is it only valid for a short time, like 10 days?

The lastLogonTimestamp attribute is replicated to all DCs, so it will have the same value across all DCs.

Also, Search-ADAccount is a Microsoft cmdlet, so you can assume that the result would be more accurate than any other third-party solution!

No, it's set and kept like other AD values. Did you read that tech article on how it works?

What I would do is get the list of inactive accounts and keep them disabled for 30 to 60 days or so. If no one comes back, then remove them (if you want to do so). You might also want to check with your HR department and see if any of the users in the list are on long leave, so you can keep those accounts.

Not wanting to start a disagreement, but PowerShell and Search-ADAccount are not magic, and no more accurate than a 3rd-party solution (disclosure: I own a 3rd-party ISV specializing in AD management). Microsoft pre-packaged some commands, i.e. (-AccountInactive), that perform the work for you behind the scenes, but I prefer to explain what is happening.

@kstanush, there is no disagreement. I am talking about a practical and simple solution which many of us follow, and what we have to live with. I would not use a shotgun to kill a fly; a swatter is enough! :-)
kuzum

ASKER

Thanks Subhan, that is what I'm trying to achieve, but I have to make sure that the accounts I will disable have not been active for the last 90 days?
ASKER CERTIFIED SOLUTION
SubSun
kuzum

ASKER

SubSun's code worked, and thanks for the additional information, Kevin, which was very helpful.
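
On the accuracy question raised in this thread: lastLogonTimestamp is replicated but updated lazily, while the lastLogon attribute is exact but stored per domain controller and not replicated, so a candidate list can be confirmed by reading lastLogon from every DC before anything is disabled. The script below is an added example, not code from any poster in the thread; it assumes the RSAT ActiveDirectory module and read access to every DC, reuses the OU path from the example above with the 90-day window from the follow-up question, and the output file name is an assumption.

```powershell
Import-Module ActiveDirectory

$OU           = "ou=Sales,ou=Test,dc=MyDomain,dc=com"   # OU path taken from the thread's example
$DaysInactive = 90
$cutoff       = (Get-Date).AddDays(-$DaysInactive)

# Step 1: candidates = enabled users in the OU whose replicated lastLogonTimestamp
# is older than the cutoff, or who have never logged on (attribute not set).
$props = 'lastLogonTimestamp', 'HomeDirectory', 'HomeDrive'
$candidates = Get-ADUser -SearchBase $OU -Filter 'Enabled -eq $true' -Properties $props |
    Where-Object { -not $_.lastLogonTimestamp -or
                   [DateTime]::FromFileTime($_.lastLogonTimestamp) -lt $cutoff }

# Step 2: lastLogon is not replicated, so ask every DC and keep the newest value.
$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($user in $candidates) {
    $latest = [int64]0
    if ($user.lastLogonTimestamp) { $latest = $user.lastLogonTimestamp }
    $unreachable = @()
    foreach ($dc in $dcs) {
        try {
            $seen = (Get-ADUser -Identity $user.DistinguishedName -Server $dc -Properties lastLogon -ErrorAction Stop).lastLogon
            if ($seen -gt $latest) { $latest = $seen }
        } catch {
            $unreachable += $dc          # a DC we could not ask may hold a newer logon
        }
    }
    $lastSeen = if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        HomeDirectory  = $user.HomeDirectory
        HomeDrive      = $user.HomeDrive
        LastSeen       = if ($lastSeen) { $lastSeen.ToString('yyyy-MM-dd HH:mm:ss') } else { 'never' }
        # Only confirmed when every DC answered and none saw a logon after the cutoff.
        Inactive       = (-not $lastSeen -or $lastSeen -lt $cutoff) -and -not $unreachable
        UnreachableDCs = $unreachable -join ';'
    }
}

$report | Export-Csv C:\temp\OLD_User_verified.csv -NoTypeInformation
```

Rows with Inactive set to False or a non-empty UnreachableDCs column are the ones to review by hand before disabling.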