Automatically moving inactive users to another OU via PowerShell

  • Question

  • Hi there.  I'm trying to create an automated script to search a directory, locate any users with lastlogontime greater than X and then perform a few steps on those accounts, including documenting their memberships, disabling them, and then moving the accounts.

    I'm not a powershell wiz, so I started off with some links I've found online (see the notes in my below code).  What I have does everything I want except I can't get it to filter specifically on the logon time stamp.  

    Any advice?

    ##################################################################################
    # https://community.spiceworks.com/topic/1609734-moving-inactive-users-in-active-directory
    ##################################################################################

    Import-Module ActiveDirectory

    # OU to search for inactive users.
    $SearchOU = "ou=test,ou=ParentOU,dc=DOMAIN,dc=LOCAL"

    # OU to put inactive users in.
    $TargetOU = "ou=InactiveFor90Days,ou=ParentOU,dc=DOMAIN,dc=LOCAL"

    # Days required to be inactive (0 while testing).
    $DaysInactive = 0

    $Time = (Get-Date).AddDays(-$DaysInactive)

    #########
    # This does not work (lastLogonTimestamp is a 64-bit FILETIME integer, not a date,
    # so the DateTime in $Time is not a valid comparison value). Switched for the code
    # below, but that one doesn't use lastLogonTimestamp at all.
    #$Inactive = Get-ADUser -SearchBase $SearchOU -Filter {LastLogonTimeStamp -lt $Time}

    ##################################################################################
    # START https://powershell.org/forums/topic/set-aduser-append-to-ad-notes-field
    ##################################################################################

    ###############
    # This entry works but doesn't filter by TIME. This obviously has to change before going into production.
    $Inactive = Get-ADUser -SearchBase $SearchOU -Filter * -Properties memberof,info
    ###############

    foreach ($user in $Inactive) {
        # Disable the account
        Disable-ADAccount -Identity $user.SamAccountName

        # Copy group memberships to the Notes (info) field
        if ($null -ne $user.MemberOf) {
            $date = Get-Date
            $oldinfo = $user.Info
            $membership = $user.MemberOf -join "`r`n"
            $newinfo = "Memberships:`r`n$($membership)`r`n`r`nUser disabled:`r`n$date"
            Set-ADUser -Identity $user.SamAccountName -Replace @{info="$($oldinfo)`r`n`r`n$($newinfo)"}

            # Optional: remove the group memberships once they are documented
            #foreach ($group in $user.MemberOf) { Remove-ADGroupMember -Identity $group -Members $user.SamAccountName -Confirm:$false }
        }

        # Move the account whether or not it had any group memberships
        Get-ADObject $user | Move-ADObject -TargetPath $TargetOU
    }

    ##################################################################################
    # END https://powershell.org/forums/topic/set-aduser-append-to-ad-notes-field
    ##################################################################################
    

    • Moved by Bill_Stewart Friday, August 4, 2017 9:37 PM This is not "scripts on demand"
    Wednesday, June 28, 2017 4:25 PM

All replies

  • Hint: First remove all unnecessary comments and format code in a standard way so that it is readable as code:

    Example:

    $SearchOU = "ou=test,ou=ParentOU,dc=DOMAIN,dc=LOCAL"
    $TargetOU = "ou=InactiveFor90Days,ou=ParentOU,dc=DOMAIN,dc=LOCAL"
    
    $Inactive = Get-ADUser -SearchBase $SearchOU -Filter * -Properties memberof, info
    foreach ($user in $Inactive) {
    	Disable-ADAccount -identity $user.SAMAccountName
    	if ($null -ne $user.memberof) {
    		$date = get-date
    		$oldinfo = $user.info
    		$membership = $user.MemberOf -join "`r`n"
    		$newinfo = "Memberships:`r`n$($membership)`r`n`r`nUser disabled:`r`n$date"
    		Set-ADUser $user.SamAccountName -Replace @{ info = "$($oldinfo)`r`n`r`n$($newinfo)" }
    	}
    	$user | Move-ADObject -TargetPath $TargetOU
    }

    Now try to understand what you have and ask your question based on an understanding of the code.

    There is no logon timestamp in AD that you have here.

    To get users based on "Inactive" use "Search-AdAccount".

    help Search-AdAccount -full

    Also a user can have a null MemberOf value and will still be a member of the primary group.


    \_(ツ)_/


    • Edited by jrv Wednesday, June 28, 2017 5:58 PM
    Wednesday, June 28, 2017 5:56 PM
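The following is an added example (not the poster's script and not jrv's code) that puts the whole procedure from the question together using the Search-ADAccount route jrv points to, and also shows why the poster's LastLogonTimeStamp filter failed and how to write it correctly. It assumes the RSAT ActiveDirectory module is installed; the OU paths and the 90-day value are the thread's placeholders, and the function names (Get-InactiveUser, Get-InactiveUserByTimestamp, Invoke-InactiveUserCleanup) and the -LogPath parameter are assumptions made for this example.

```powershell
# Added example (not the poster's script or jrv's code). Assumes the RSAT ActiveDirectory
# module; OU paths, the 90-day value, the function names and -LogPath are assumptions.
Import-Module ActiveDirectory

function Get-InactiveUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $DaysInactive = 90
    )
    $cutoff = (Get-Date).AddDays(-$DaysInactive)

    # Search-ADAccount evaluates lastLogonTimestamp for us; -UsersOnly skips computer
    # accounts and -SearchBase limits the scope to one OU, as in the question.
    $searchParams = @{
        SearchBase      = $SearchBase
        AccountInactive = $true
        TimeSpan        = [timespan]::FromDays($DaysInactive)
        UsersOnly       = $true
    }
    # Accounts that never logged on have no lastLogonTimestamp and are reported as
    # inactive too; keep those only when they were created before the cutoff, so a
    # freshly provisioned account is not swept up. Already-disabled accounts are skipped.
    Search-ADAccount @searchParams |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            Get-ADUser -Identity $_.DistinguishedName -Properties MemberOf, Info, LastLogonDate, PrimaryGroup, whenCreated
        } |
        Where-Object { $_.LastLogonDate -or ($_.whenCreated -lt $cutoff) }
}

function Get-InactiveUserByTimestamp {
    # The Get-ADUser route the question tried: lastLogonTimestamp is a 64-bit FILETIME,
    # so the cutoff must be converted with ToFileTime() before the filter is built; a
    # method call inside -Filter is not evaluated, hence the separate variable. Accounts
    # that never logged on have no value to compare and are not returned by this variant.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $DaysInactive = 90
    )
    $cutoffFileTime = (Get-Date).AddDays(-$DaysInactive).ToFileTime()
    Get-ADUser -SearchBase $SearchBase -Filter { LastLogonTimeStamp -lt $cutoffFileTime -and Enabled -eq $true } -Properties MemberOf, Info, LastLogonDate, PrimaryGroup
}

function Invoke-InactiveUserCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [Parameter(Mandatory)] [string] $TargetOU,
        [Parameter(Mandatory)] [string] $LogPath    # assumed parameter: CSV record of what was changed
    )
    process {
        # MemberOf never lists the primary group (jrv's point), so add it explicitly.
        $groups = @($User.PrimaryGroup) + @($User.MemberOf)
        $when   = Get-Date -Format s

        # The info (Notes) attribute holds at most 1024 characters, which a long list of
        # group DNs can exceed, so the CSV is the authoritative record and the note is trimmed.
        $note = "Memberships:`r`n$($groups -join "`r`n")`r`n`r`nUser disabled:`r`n$when"
        if ($User.Info) { $note = "$($User.Info)`r`n`r`n$note" }
        if ($note.Length -gt 1024) { $note = $note.Substring(0, 1021) + '...' }

        if ($PSCmdlet.ShouldProcess($User.DistinguishedName, "disable, annotate and move to $TargetOU")) {
            [pscustomobject]@{
                SamAccountName    = $User.SamAccountName
                DistinguishedName = $User.DistinguishedName
                LastLogonDate     = $User.LastLogonDate
                Groups            = $groups -join ';'
                DisabledOn        = $when
            } | Export-Csv -Path $LogPath -Append -NoTypeInformation

            Set-ADUser -Identity $User -Replace @{ info = $note }
            Disable-ADAccount -Identity $User
            # Move last: the DN changes after the move, so the calls above still address the original object.
            Move-ADObject -Identity $User.DistinguishedName -TargetPath $TargetOU
        }
    }
}

# Usage (placeholder OUs from the thread); drop -WhatIf once the listed accounts look right.
$SearchOU = 'ou=test,ou=ParentOU,dc=DOMAIN,dc=LOCAL'
$TargetOU = 'ou=InactiveFor90Days,ou=ParentOU,dc=DOMAIN,dc=LOCAL'
Get-InactiveUser -SearchBase $SearchOU -DaysInactive 90 |
    Invoke-InactiveUserCleanup -TargetOU $TargetOU -LogPath 'C:\Temp\InactiveUsers.csv' -WhatIf
```

Get-InactiveUserByTimestamp can be swapped into the pipeline in place of Get-InactiveUser; the two differ only in how never-logged-on accounts are treated. Either way, keep in mind that lastLogonTimestamp is only rewritten when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default, minus a random 0 to 5 days), so a 90-day threshold really means "no logon for somewhere between roughly 90 and 104 days", and thresholds of a few days are meaningless with this attribute. Run with -WhatIf first and review the CSV output before letting the script disable and move anything.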