kuzum
asked on
inactive users
Dear experts,
I am trying to change this code to get "inactive users" that sit in a specified OU, not the entire domain!
There are a high number of users in the OU and I do not know when they last accessed the domain.
Is lastLogonTimestamp the correct option to use? I am not sure if it is replicated between DCs so I can get accurate information.
Could you please help me to get the information I need from a specific OU, with their samAccountName and home drive path?
import-module activedirectory
$domain = "my domain "
$DaysInactive = 210
$time = (Get-Date).Adddays(-($DaysInactive))
# Get all AD User with lastLogonTimestamp less than our time and set to enable
Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp |
# Output Name and lastLogonTimestamp into CSV
select-object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_hh:mm:ss')}} | export-csv c:\temp\OLD_User.csv -notypeinformation
Using Search-ADAccount would be better..
Example..
$DaysInactive = 210
$OU = "ou=Sales,ou=Test,dc=MyDomain,dc=com"
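# -TimeSpan expects a [TimeSpan]; a bare integer is converted as ticks, so build the value from days
Search-ADAccount -UsersOnly -SearchBase $OU -AccountInactive -TimeSpan (New-TimeSpan -Days $DaysInactive) | ?{$_.enabled} | Get-ADUser -Properties LastLogonTimeStamp,HomeDirectory,HomeDrive |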
# Output Name and lastLogonTimestamp into CSV
select-object Name,HomeDirectory,HomeDrive,SamAccountName,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_hh:mm:ss')}} | export-csv c:\temp\OLD_User.csv -notypeinformation
The -AccountInactive switch looks at the 'LastLogonTimeStamp' attribute when comparing it to $DaysInactive.
ASKER
Is LastLogonTimeStamp a 100% valid source to rely on? Is it only valid for a short time, like 10 days?
The lastLogonTimestamp attribute is replicated to all DCs, so it will have the same value across all DCs.
Also, Search-ADAccount is a Microsoft cmdlet, so you can assume that the result would be more accurate than any other third-party solution!
No, it's set and kept like other AD values. Did you read that tech article on how it works?
What I would do is get the list of inactive accounts and keep them disabled for 30 to 60 days or so. If no one comes back, then remove them (if you want to do so). You might also want to check with your HR department and see if any of the users in the list are on long leave so you can keep those accounts.
Not wanting to start a disagreement, but PowerShell and Search-ADAccount are not magic, and no more accurate than a 3rd party solution (disclosure: I own a 3rd party ISV specializing in AD management). Microsoft pre-packaged some commands, i.e. (-AccountInactive), that perform the work for you behind the scenes, but I prefer to explain what is happening.
@kstanush, there is no disagreement. I am talking about a practical and simple solution which many of us follow, and what we have to live with. I would not use a shotgun to kill a fly, a swatter is enough! :-)
ASKER
Thanks Subhan, that is what I'm trying to achieve, but I have to make sure that the accounts I will disable have not been active for the last 90 days?
ASKER
subsun's code worked, and thanks for the additional information, Kevin, which was very helpful.
Here is a good article on how it works:
https://blogs.technet.micr
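On the replication question raised in this thread, the following is an added example and not code from any poster: lastLogonTimestamp is replicated but is only refreshed when the stored value is roughly 9 to 14 days old (default settings), while lastLogon is exact but kept per DC, so this sketch asks every DC and uses the newest value before an account is listed for disabling. Assumptions: the OU is the placeholder used earlier in the thread, the 90-day threshold is the asker's stated requirement, and the output file name is hypothetical.

```powershell
Import-Module ActiveDirectory

$DaysInactive = 90                                    # threshold from the asker's follow-up
$OU     = "ou=Sales,ou=Test,dc=MyDomain,dc=com"       # placeholder OU (assumption)
$cutoff = (Get-Date).AddDays(-$DaysInactive)

# lastLogon is not replicated, so each DC must be queried for its own copy.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$latest = @{}   # DistinguishedName -> newest logon (FILETIME) seen on any DC
foreach ($dc in $dcs) {
    try {
        Get-ADUser -Server $dc -SearchBase $OU -Filter 'Enabled -eq $true' `
                   -Properties lastLogon, lastLogonTimestamp |
            ForEach-Object {
                # A missing attribute casts to 0, which FILETIME treats as "never".
                $seen = [Math]::Max([long]$_.lastLogon, [long]$_.lastLogonTimestamp)
                $dn   = $_.DistinguishedName
                if (-not $latest.ContainsKey($dn) -or $seen -gt $latest[$dn]) {
                    $latest[$dn] = $seen
                }
            }
    } catch {
        # An unreachable DC can hide a recent logon: report it instead of ignoring it.
        Write-Warning "Could not query $dc : $($_.Exception.Message)"
    }
}

$report = foreach ($dn in $latest.Keys) {
    $ticks = $latest[$dn]
    $last  = if ($ticks -gt 0) { [DateTime]::FromFileTime($ticks) } else { $null }
    if ($null -eq $last -or $last -lt $cutoff) {
        $u = Get-ADUser -Identity $dn -Properties HomeDirectory, HomeDrive
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Name           = $u.Name
            HomeDrive      = $u.HomeDrive
            HomeDirectory  = $u.HomeDirectory
            LastLogon      = if ($last) { $last.ToString('yyyy-MM-dd HH:mm:ss') } else { 'never' }
        }
    }
}

# Hypothetical output path; review the list before disabling anything.
$report | Sort-Object LastLogon | Export-Csv C:\temp\OLD_User_verified.csv -NoTypeInformation
```

If any DC produced a warning, treat the report as incomplete and rerun it once that DC is reachable.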