Batch script (powershell?) to audit user/pc accts in domain, disable/move them

Greetings experts.  I need to run a script once a month that will accomplish the following tasks:
  • Query the last time users in our domain logged in
  • If the user hasn't logged in more than 7 weeks, disable the accounts
  • Move the disabled accounts to the Inactive OU
Eager to see what expert can accomplish this!


Domain is structured:



Here is what I have been using (batch script) but for some reason, when I run it now, it throws an error [dsquery failed:directory object not found]
@echo off

set users_log=c:\tools\logs\%date:~4,2%-%date:~7,2%-%date:~10%_dsquery.log
set user_cleanup_log=c:\tools\logs\%date:~4,2%-%date:~7,2%-%date:~10%_cleanup.log

dsquery user -o samid -limit 0 -inactive 8 ou=depts,ou=nca,dc=ds,dc=com >%users_log%

echo "Finished dsquery" >>%user_cleanup_log%


FOR /f "delims= " %%i in (%users_log%) do ( 
	echo disabling %%i && echo. && dsquery user -samid %%i | dsmod user -disabled Yes && echo.
)  >>%user_cleanup_log%

echo "Finished dsmod" >>%user_cleanup_log%


FOR /f "delims= " %%i in (%users_log%) do ( 
	echo Moving %%i && echo. && dsquery user -samid %%i | dsmove -newparent 

"ou=depts,ou=nca,dc=ds,dc=com" && echo.
)  >>%user_cleanup_log%


Open in new window

Who is Participating?
Dustin SaundersConnect With a Mentor Director of OperationsCommented:
You can test run this, update the $disabledOU value with the target OU for disabled accounts.

If the results are good (I haven't had a chance to test run it) then remove -WhatIf from the end of the lines that have them.

Import-Module ActiveDirectory

$disabledOU = "OU=InactiveUsers,DC=my,DC=domain,DC=com"

$users = Get-ADUser -Filter * -Properties SAMAccountName, lastLogonTimeStamp | ?{[DateTime]::FromFileTime($_.lastLogonTimeStamp) -lt (Get-Date).AddDays(-49)}
foreach ($user in $users)
    Disable-ADAccount -Identity $user.SAMAccountName -WhatIf
    Move-ADObject -Identity $user.SAMAccountName -TargetPath $disabledOU -WhatIf

Open in new window

samiam41Author Commented:
D@mn!  That's slick.  It worked as advertised.  I left the -whatif in the script but it still moved the user accounts, which is fine, but I thought I would let you know.

One thing I noticed, there's no way to log show when this was ran or what users were moved.  I'll post a follow up question to add that variable to the script.
samiam41Author Commented:
Amazing, clean and to the point!  Thanks for the hard work.
samiam41Author Commented:
samiam41Author Commented:
New question about this script.  Just audited 10k+ user accounts.  :)'s-being-audited-in-PS-script.html
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.