Solved

inactive users

Posted on 2016-10-06
13
54 Views
Last Modified: 2016-10-19
Dear experts,

I am trying to change this code to get "inactive users" that sit in a specified OU, not the entire domain!

There are a high number of users in the OU, and I do not know when they last accessed the domain.

Is lastLogonTimestamp the correct option to use? I am not sure if it is replicated between DCs so I can get accurate information.

Could you please help me get the information I need from a specific OU, with their sAMAccountName and home drive path?

Import-Module ActiveDirectory
$domain = "my domain "          # not used below
$DaysInactive = 210
$time = (Get-Date).AddDays(-($DaysInactive))

# Get all AD users with lastLogonTimestamp less than our time and set to enabled
Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp |

# Output Name and lastLogonTimestamp into CSV (HH = 24-hour clock; 'hh' would give a 12-hour value with no AM/PM)
Select-Object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_HH:mm:ss')}} | Export-Csv c:\temp\OLD_User.csv -NoTypeInformation
Question by:kuzum
13 Comments
 
LVL 4

Expert Comment

by:Kevin Stanush
ID: 41832858
I can't help you with the code, but yes, 'LastLogonTimeStamp' is what you want to use, provided you know that it's got about a 10-day accuracy limitation (worst-case).

Here is a good article on how it works:

https://blogs.technet.microsoft.com/askds/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works/
 
LVL 40

Expert Comment

by:Subsun
ID: 41833508
Using Search-ADAccount would be better..
Example..
$DaysInactive = "210.00:00:00"   # -TimeSpan expects a TimeSpan; a bare 210 would be read as 210 ticks
$OU = "ou=Sales,ou=Test,dc=MyDomain,dc=com"
Search-ADAccount -UsersOnly -SearchBase $OU -AccountInactive -TimeSpan $DaysInactive | ?{$_.enabled} | Get-ADUser -Properties LastLogonTimeStamp,HomeDirectory,HomeDrive |

# Output Name and lastLogonTimestamp into CSV (HH = 24-hour clock)
select-object Name,HomeDirectory,HomeDrive,SamAccountName,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_HH:mm:ss')}} | export-csv c:\temp\OLD_User.csv -notypeinformation

 
LVL 4

Expert Comment

by:Kevin Stanush
ID: 41833646
The -AccountInactive switch looks at the 'LastLogonTimeStamp' attribute when comparing it to the $DaysInactive.
 

Author Comment

by:kuzum
ID: 41833662
Is LastLogonTimeStamp a 100% valid source to rely on? Is it only valid for a short time, like 10 days?
 
LVL 40

Expert Comment

by:Subsun
ID: 41833684
The lastLogonTimeStamp attribute is replicated to all DCs, so it will have the same value across all DCs..

Also, Search-ADAccount is a Microsoft cmdlet, so you can assume that the result would be more accurate than any other third-party solution!..
 
LVL 4

Expert Comment

by:Kevin Stanush
ID: 41833685
No, it's set and kept like other AD values. Did you read that tech article on how it works?
 
LVL 40

Expert Comment

by:Subsun
ID: 41833693
What I would do is get the list of inactive accounts and keep them disabled for 30 to 60 days or so.. If no one comes back, then remove them (if you want to do so). You might also want to check with your HR department and see if any of the users in the list are on long leave, so you can keep those accounts.
 
LVL 4

Expert Comment

by:Kevin Stanush
ID: 41833711
Not wanting to start a disagreement, but PowerShell and Search-ADAccount are not magic, and no more accurate than a 3rd party solution (disclosure: I own a 3rd party ISV specializing in AD management). Microsoft pre-packaged some commands, i.e. (-AccountInactive), that perform the work for you behind the scenes, but I prefer to explain what is happening.
 
LVL 40

Expert Comment

by:Subsun
ID: 41833731
@kstanush, there is no disagreement. I am talking about a practical and simple solution which many of us follow.. and what we have to live with.. I would not use a shotgun to kill a fly; a swatter is enough! :-)
 

Author Comment

by:kuzum
ID: 41833758
Thanks Subhan, that is what I'm trying to achieve, but I have to make sure that the accounts I will disable have not been active for the last 90 days?
 
LVL 40

Accepted Solution

by:
Subsun earned 250 total points
ID: 41833854
I have not seen any false positives with Search-ADAccount results. Export the report and validate the lastLogonTimeStamp.

Also keep in mind there are accounts in some environments which are used as a shared mailbox (usually the shared mailbox account will be disabled, but in some cases it may be kept enabled) or a common account etc., which are rarely used to log in; you also need to consider such accounts.. But if you have a very large environment and don't follow any proper process (like a naming standard or updating the description about the purpose of the account, owner of the account, etc..) it's difficult to track.. In such a scenario, you need to have multiple follow-ups with all departments to find out if the account still needs to be in AD.

In short, carefully verify the report and investigate any account which you feel is not a normal user account.

With Search-ADAccount, you can also use the -DateTime parameter instead of -TimeSpan:

$DaysInactive = "7/16/2010"   # cutoff date: accounts with no logon since this date are returned
$OU = "ou=Sales,ou=Test,dc=MyDomain,dc=com"
Search-ADAccount -UsersOnly -SearchBase $OU -AccountInactive -DateTime $DaysInactive | ?{$_.enabled} | Get-ADUser -Properties LastLogonTimeStamp,HomeDirectory,HomeDrive |

# Output Name and lastLogonTimestamp into CSV (same select as in comment ID: 41833508)
select-object Name,HomeDirectory,HomeDrive,SamAccountName,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_HH:mm:ss')}} | export-csv c:\temp\OLD_User.csv -notypeinformation



Update: in the code posted in comment ID: 41833508, use $DaysInactive = "210.00:00:00"
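As an added example (not code from the thread), here is a fuller version of the Search-ADAccount approach from the accepted answer, scoped to one OU: it builds the TimeSpan explicitly, flags accounts whose lastLogonTimestamp is empty or sits inside the attribute's replication window, and keeps Description so shared-mailbox and service accounts can be spotted before anything is disabled. The OU DN and output path are placeholders.

```powershell
# Added example, not code from the thread. Reports enabled users in one OU that
# Search-ADAccount considers inactive, as in the accepted answer, and marks the
# edge cases that make such reports misleading.
# Assumptions: ActiveDirectory module present; $OU and $OutFile are placeholders.
Import-Module ActiveDirectory

$DaysInactive = 90
$OU      = "OU=Sales,OU=Test,DC=MyDomain,DC=com"   # placeholder OU
$OutFile = "C:\temp\Inactive_Users.csv"            # placeholder path

# -TimeSpan is typed [TimeSpan]; a bare integer would be read as ticks, so build
# it explicitly (same effect as the "90.00:00:00" string form used in the thread).
$Span   = New-TimeSpan -Days $DaysInactive
$Cutoff = (Get-Date) - $Span
# lastLogonTimestamp is only rewritten when the stored value is older than
# msDS-LogonTimeSyncInterval (14 days by default), so a stamp that close to the
# cutoff does not prove the user stayed away; flag it instead of trusting it.
$SlackDays = 14

$Report = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $Span -SearchBase $OU |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties lastLogonTimestamp, HomeDirectory, HomeDrive, Description, whenCreated |
    ForEach-Object {
        # lastLogonTimestamp is $null for accounts that never logged on anywhere;
        # FromFileTime($null) would silently return 1601-01-01, so handle it explicitly.
        $Stamp = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        $Status = if (-not $Stamp) { 'NeverLoggedOn' }
                  elseif ($Stamp -gt $Cutoff.AddDays(-$SlackDays)) { 'Borderline' }
                  else { 'Inactive' }
        [PSCustomObject]@{
            SamAccountName = $_.SamAccountName
            Name           = $_.Name
            HomeDirectory  = $_.HomeDirectory
            HomeDrive      = $_.HomeDrive
            LastLogonStamp = if ($Stamp) { $Stamp.ToString('yyyy-MM-dd HH:mm:ss') } else { '' }
            Status         = $Status
            Created        = $_.whenCreated.ToString('yyyy-MM-dd')
            Description    = $_.Description   # helps spot shared-mailbox or service accounts
        }
    }

$Report | Sort-Object Status, LastLogonStamp | Export-Csv -Path $OutFile -NoTypeInformation
# Quick summary so 'Borderline' and 'NeverLoggedOn' rows get reviewed before any disable
$Report | Group-Object Status | Select-Object Name, Count
```

Review the 'Borderline' and 'NeverLoggedOn' rows by hand (or with HR, as suggested above) before disabling anything; only the 'Inactive' rows are ones the timestamp itself supports.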
 
LVL 8

Assisted Solution

by:Kevin k
Kevin k earned 250 total points
ID: 41843065
# -TimeSpan wants a TimeSpan (a bare 90 would be read as ticks); -band 2 tests the ACCOUNTDISABLE bit, so 0 means enabled
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan "90.00:00:00" | Get-ADUser -Properties Name, sAMAccountName, givenName, sn, userAccountControl | Where {($_.userAccountControl -band 2) -eq 0} | Select Name, sAMAccountName, givenName, sn


For more detail, please refer to this earlier thread, i.e. 90 day inactive user report using PowerShell: https://social.technet.microsoft.com/Forums/office/en-US/eaff2f69-d17b-4235-9f8a-9f42840cac56/90-day-inactive-user-report-using-powershell?forum=winserverpowershell

Here is another informative post which shows you how to find and remove stale users and computers in Active Directory: https://community.spiceworks.com/how_to/125704-how-to-find-and-remove-stale-users-and-computers-in-active-directory

Hope this helps!
 

Author Closing Comment

by:kuzum
ID: 41849798
Subsun's code worked, and thanks for the additional information, Kevin, which was very helpful.
