In this video, I talk a little more about performing Active Directory maintenance with PowerShell. Specifically, finding user objects that have not authenticated to the domain in X number of days.
This script will search an Organizational Unit for user accounts that have not authenticated to the domain in the last hour. You can easily modify the number of hours, or change it to days, by replacing this bit of code:

```powershell
# Change this
Today.AddHours($hours)
# to this
Today.AddDays($hours)
```
For sanity's sake, you also want to rename the $hours variable to $days. This script is essentially the same functionality as the script I posted a couple of weeks ago that does the same thing for computer objects. You can find that video here.
```powershell
<#
*** THIS SCRIPT IS PROVIDED WITHOUT WARRANTY, USE AT YOUR OWN RISK ***

.DESCRIPTION
1. Search an OU for user accounts that have not authenticated in x number of days ($days)
2. Disable those accounts
3. Move those disabled user accounts to another OU ($disabledOU)
4. Also creates a logfile of all the users that were disabled ($logpath)

.NOTES
File Name: Get-StaleUsers.ps1
Author: David Hall
Contact Info:
  Website: www.signalwarrant.com
  Twitter: @signalwarrant
  Facebook: facebook.com/signalwarrant/
  Google +: plus.google.com/113307879414407675617
  YouTube Subscribe link: https://www.youtube.com/channel/UCgWfCzNeAPmPq_1lRQ64JtQ?sub_confirmation=1
Requires: PowerShell Remoting Enabled (Enable-PSRemoting)
Tested: PowerShell Version 5, Windows Server 2012 R2

.PARAMETER

.EXAMPLE
.\Get-StaleUsers.ps1
#>

###################################
####### Edit these Variables
###################################

# Gets today's date
$date = Get-Date

# Number of hours it's been since the user authenticated to the domain
# (negative because it is added to the cutoff date). In my case 1 hour.
$hours = -1

# Sets a description on that object so other admins know why the object was disabled
$description = "Disabled by SignalWarrant on $date due to inactivity for 1 hour."

# This is the OU you are searching for stale user accounts
$ou = "OU=_Test_Users,DC=signalwarrant,DC=local"

# This is where the disabled accounts get moved to.
$disabledOU = "OU=_Disabled_Users,DC=signalwarrant,DC=local"

# Path to the log file
$logpath = "c:\scripts\disabled_users.csv"

###################################
#######
###################################

# [DateTime]::Today is midnight, so the cutoff is $hours relative to midnight, not to the current time.
# Accounts that have never logged on (LastLogonDate is null) are skipped.
$finduser = Get-ADUser -Filter * -SearchBase $ou -Properties cn,lastlogondate |
    Where-Object { $_.LastLogonDate -le [DateTime]::Today.AddHours($hours) -and ($null -ne $_.LastLogonDate) }

# Log the accounts before touching them, then describe and disable each one
$finduser | Export-Csv $logpath
$finduser | Set-ADUser -Description $description -PassThru | Disable-ADAccount

Write-Host -ForegroundColor Green "Searching OU for disabled User Accounts"
[System.Threading.Thread]::Sleep(500)
# Note: this returns every disabled user in $ou, not only the ones disabled above
$disabledAccounts = Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $ou

Write-Host -ForegroundColor Green "Moving disabled Users to the Disabled_Users OU"
[System.Threading.Thread]::Sleep(500)
$disabledAccounts | Move-ADObject -TargetPath $disabledOU

Write-Host -ForegroundColor Green "Script Complete"
```
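The same find, disable, move and log procedure as an added example written for this page (not the original Get-StaleUsers.ps1): it is wrapped in a function that supports -WhatIf for a dry run, moves only the accounts this run disabled rather than every disabled user in the OU, and records who disabled the account and when. The OU paths, log path and the function name Disable-StaleADUser are assumptions you must change for your own domain.

```powershell
# Added example, not the original script. Requires the ActiveDirectory module.
function Disable-StaleADUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # OU to scan
        [Parameter(Mandatory)] [string] $DisabledOU,   # OU that receives disabled accounts
        [int]    $DaysInactive = 90,
        [string] $LogPath = 'C:\scripts\disabled_users.csv'
    )
    Import-Module ActiveDirectory

    $cutoff = (Get-Date).AddDays(-$DaysInactive)
    # LastLogonDate is derived from lastLogonTimestamp, which by default is only
    # updated when the old value is more than about 14 days old, so thresholds
    # shorter than that are not precise.
    $stale = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                        -Properties LastLogonDate |
             Where-Object { $null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff }

    foreach ($user in $stale) {
        $target = "$($user.SamAccountName) (last logon $($user.LastLogonDate))"
        if ($PSCmdlet.ShouldProcess($target, "Disable and move to $DisabledOU")) {
            $description = "Disabled $(Get-Date -Format s) by $env:USERNAME after $DaysInactive days of inactivity"
            Set-ADUser -Identity $user -Description $description
            Disable-ADAccount -Identity $user
            # Move only this account, not every disabled object in the OU
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
            [pscustomobject]@{
                Timestamp      = Get-Date -Format s
                SamAccountName = $user.SamAccountName
                LastLogonDate  = $user.LastLogonDate
                OriginalDN     = $user.DistinguishedName
            } | Export-Csv -Path $LogPath -NoTypeInformation -Append
        }
    }
}

# Dry run first (placeholder OUs); drop -WhatIf to apply the changes.
Disable-StaleADUser -SearchBase 'OU=_Test_Users,DC=example,DC=local' `
                    -DisabledOU 'OU=_Disabled_Users,DC=example,DC=local' `
                    -DaysInactive 90 -WhatIf
```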