In this video, I talk a little more about performing Active Directory Maintenance with PowerShell. Specifically, finding user objects that have not authenticated to the domain in X number of days.
This script will search an Organizational Unit for Users accounts that have not authenticated to the Domain in 1 hour. You can easily modify the number of hours or change it to days by replacing this bit of code.
# Change this Today.AddHours($hours) # to this Today.AddDays($hours)
For sanities sake, you also want to change the $hours variable to $days. This script is essentially the same functionality as the script I posted a couple weeks ago that does the same thing for computer objects. You can find that video here.
<#
*** THIS SCRIPT IS PROVIDED WITHOUT WARRANTY, USE AT YOUR OWN RISK ***
.DESCRIPTION
1. Search an OU for user accounts that have not authenticated in x number of days ($days)
2. Disable those accounts
3. Move those disabled user accounts to another OU ($disabledOU)
4. Also creates a logfile of all the userss that were disabled ($logpath)
.NOTES
File Name: Get-StaleUsers.ps1
Author: David Hall
Contact Info:
Website: www.signalwarrant.com
Twitter: @signalwarrant
Facebook: facebook.com/signalwarrant/
Google +: plus.google.com/113307879414407675617
YouTube Subscribe link: https://www.youtube.com/channel/UCgWfCzNeAPmPq_1lRQ64JtQ?sub_confirmation=1
Requires: PowerShell Remoting Enabled (Enable-PSRemoting)
Tested: PowerShell Version 5, Windows Server 2012 R2
.PARAMETER
.EXAMPLE
.\Get-StaleUsers.ps1
#>
###################################
####### Edit these Variables
###################################
# Gets todays Date
$date = Get-Date
# Number of days it's been since the computer authenticated to the domain
# In my case 1 day
$hours = "-1"
# Sets a description on that object so other admins know why the object was disabled
$description = "Disabled by SignalWarrant on $date due to inactivity for 1 days."
# This is the OU you are searching for Stale Computer accounts
$ou = "OU=_Test_Users,DC=signalwarrant,DC=local"
# This is where the disabled accounts get moved to.
$disabledOU = "OU=_Disabled_Users,DC=signalwarrant,DC=local"
# path to the log file
$logpath = "c:\scripts\disabled_users.csv"
###################################
#######
###################################
$finduser = Get-aduser –filter * -SearchBase $ou -properties cn,lastlogondate |
Where {$_.LastLogonDate –le [DateTime]::Today.AddHours($hours) -and ($_.lastlogondate -ne $null) }
$finduser | export-csv $logpath
$finduser | set-aduser -Description $description –passthru | Disable-ADAccount
write-host -foregroundcolor Green "Searching OU for disabled User Accounts"
[System.Threading.Thread]::Sleep(500)
$disabledAccounts = Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $ou
write-host -foregroundcolor Green "Moving disabled Users to the Disabled_Users OU"
[System.Threading.Thread]::Sleep(500)
$disabledAccounts | Move-ADObject -TargetPath $disabledOU
write-host -foregroundcolor Green "Script Complete"