Active Directory Maintenance: Finding Stale User Objects w/ PowerShell

In this video, I talk a little more about performing Active Directory maintenance with PowerShell, specifically finding user objects that have not authenticated to the domain in X number of days.

This script will search an Organizational Unit for user accounts that have not authenticated to the domain in 1 hour. You can easily modify the number of hours, or change it to days, by replacing this bit of code:

# Change this
[DateTime]::Today.AddHours($hours)

# to this
[DateTime]::Today.AddDays($hours)

For sanity's sake, you also want to rename the $hours variable to $days. This script has essentially the same functionality as the script I posted a couple of weeks ago that does the same thing for computer objects. You can find that video here.

<#
*** THIS SCRIPT IS PROVIDED WITHOUT WARRANTY, USE AT YOUR OWN RISK ***

.DESCRIPTION
    1. Search an OU for user accounts that have not authenticated in x number of hours ($hours)
    2. Disable those accounts
    3. Move those disabled user accounts to another OU ($disabledOU)
    4. Also creates a logfile of all the users that were disabled ($logpath)

.NOTES
    File Name: Get-StaleUsers.ps1
    Author: David Hall
    Contact Info:
        Website: www.signalwarrant.com
        Twitter: @signalwarrant
        Facebook: facebook.com/signalwarrant/
        Google +: plus.google.com/113307879414407675617
        YouTube Subscribe link: https://www.youtube.com/channel/UCgWfCzNeAPmPq_1lRQ64JtQ?sub_confirmation=1
    Requires: ActiveDirectory PowerShell module (RSAT); PowerShell Remoting Enabled (Enable-PSRemoting)
    Tested: PowerShell Version 5, Windows Server 2012 R2

.PARAMETER
    None; edit the variables in the "Edit these Variables" block below.

.EXAMPLE
    .\Get-StaleUsers.ps1
#>

###################################
####### Edit these Variables
###################################

# Gets today's date
$date = Get-Date

# Number of hours it's been since the user authenticated to the domain
# In my case 1 hour (negative because it is added to today's date to form the cutoff)
$hours = -1

# Sets a description on that object so other admins know why the object was disabled
$description = "Disabled by SignalWarrant on $date due to inactivity for 1 hour."

# This is the OU you are searching for stale user accounts
$ou = "OU=_Test_Users,DC=signalwarrant,DC=local"

# This is where the disabled accounts get moved to.
$disabledOU = "OU=_Disabled_Users,DC=signalwarrant,DC=local"

# Path to the log file
$logpath = "c:\scripts\disabled_users.csv"

###################################
#######
###################################

Import-Module ActiveDirectory -ErrorAction Stop

# [DateTime]::Today is midnight today, so the cutoff is $hours before midnight, not $hours before now.
# Accounts with no LastLogonDate at all (never logged on) are skipped.
$finduser = Get-ADUser -Filter * -SearchBase $ou -Properties cn,LastLogonDate |
    Where-Object { ($null -ne $_.LastLogonDate) -and ($_.LastLogonDate -le [DateTime]::Today.AddHours($hours)) }

# Log the accounts before touching them, then set the description and disable them
$finduser | Export-Csv $logpath -NoTypeInformation
$finduser | Set-ADUser -Description $description -PassThru | Disable-ADAccount

Write-Host -ForegroundColor Green "Searching OU for disabled User Accounts"
Start-Sleep -Milliseconds 500

# Note: this picks up every disabled user in $ou, not only the ones disabled above
$disabledAccounts = Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $ou

Write-Host -ForegroundColor Green "Moving disabled Users to the Disabled_Users OU"
Start-Sleep -Milliseconds 500

$disabledAccounts | Move-ADObject -TargetPath $disabledOU

Write-Host -ForegroundColor Green "Script Complete"
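The script above is a one-shot: it disables the matches and then moves every disabled user it finds in the OU. As an added example (my own code, not the post's or the author's script; the OU paths, the log path and the 90-day default are placeholders), here is a variant that can be run as a report first with -WhatIf, moves only the accounts it disabled in this run, records the operator and reason in the CSV, and uses a day-based threshold. The day threshold matters because LastLogonDate is derived from lastLogonTimestamp, which domain controllers only update and replicate when the stored value is more than roughly 14 days old (the default ms-DS-Logon-Time-Sync-Interval), so an hour-level cutoff cannot be trusted to mean "has not logged on in the last hour".

```powershell
<#
Added example, not part of the original post. Assumes the ActiveDirectory
module is installed and that the OU and log paths below (placeholders) exist.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$Days = 90,                                                  # assumed policy value
    [string]$SearchBase = 'OU=_Test_Users,DC=example,DC=local',       # placeholder
    [string]$DisabledOU = 'OU=_Disabled_Users,DC=example,DC=local',   # placeholder
    [string]$LogPath    = 'C:\scripts\disabled_users.csv'             # placeholder
)

Import-Module ActiveDirectory -ErrorAction Stop

# lastLogonTimestamp is only refreshed when it is about 14 days old, so any
# shorter threshold will flag accounts that are actually in daily use.
if ($Days -lt 14) {
    Write-Warning "lastLogonTimestamp has ~14-day granularity; a $($Days)-day threshold will produce false positives."
}

$now      = Get-Date
$cutoff   = $now.AddDays(-$Days)
$operator = "$env:USERDOMAIN\$env:USERNAME"

# Only look at enabled accounts; pull the attributes needed for the decision and the log.
$candidates = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
                -Properties LastLogonDate, Description, whenCreated

# Stale = has a replicated logon timestamp older than the cutoff.
# Never-logged-on accounts are only reported: a freshly created account looks
# identical to an abandoned one, so they need a human decision.
$stale   = $candidates | Where-Object { $null -ne $_.LastLogonDate -and $_.LastLogonDate -le $cutoff }
$neverOn = $candidates | Where-Object { $null -eq $_.LastLogonDate -and $_.whenCreated -le $cutoff }

foreach ($u in $neverOn) {
    Write-Warning "Never logged on, created $($u.whenCreated): $($u.SamAccountName) (not touched)"
}

$results = foreach ($u in $stale) {
    $why = "Disabled by $operator on $($now.ToString('yyyy-MM-dd HH:mm')): no logon since " +
           "$($u.LastLogonDate.ToString('yyyy-MM-dd')) ($($Days)-day policy). Previous description: $($u.Description)"

    # ShouldProcess gives -WhatIf / -Confirm support for the three write operations.
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Disable and move to $DisabledOU")) {
        Set-ADUser -Identity $u -Description $why
        Disable-ADAccount -Identity $u
        # Move by the DN of the object just disabled, so accounts that were
        # already disabled for other reasons stay where they are.
        Move-ADObject -Identity $u.DistinguishedName -TargetPath $DisabledOU
    }

    [pscustomobject]@{
        When           = $now
        Operator       = $operator
        SamAccountName = $u.SamAccountName
        LastLogonDate  = $u.LastLogonDate
        OriginalDN     = $u.DistinguishedName
        Action         = if ($WhatIfPreference) { 'WhatIf' } else { 'Disabled+Moved' }
    }
}

# Append so the CSV is a running audit trail rather than being overwritten each run.
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
Write-Host -ForegroundColor Green "Stale: $(@($stale).Count)  Never-logged-on (skipped): $(@($neverOn).Count)  Log: $LogPath"
```

Run it once as `.\Disable-StaleUsers.ps1 -Days 90 -WhatIf` to get the CSV of what would be disabled, review that list (service accounts and shared mailboxes in particular tend to surface here), and only then run it without -WhatIf.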

 
