Forum Discussion
Add to the search of inactive users multiple OUs
Hi all
I came with a script that works fine what it does is to find users that haven't logged on in more than 90 days in an specific OU and then it disables them, however I need the script to search for 2 more OUs instead of only one but I couldn't make it work, this is the script:
#Script to disable users that not login for more than 90 days
#Create the report file
$FileName = "DisabledUsers" + (Get-Date).ToString("dd-MM-yyyy") + ".csv"
New-Item -Path "C:\temp" -Name $FileName -ItemType File
Add-Content -Path C:\temp\$fileName -Value "Account,Disabled date,Last Logon Date"
$DisabledDate = Get-Date -Format dd/MM/yyyy
$UsersToDisable = Get-ADUser -Filter 'Enabled -eq $True' -SearchBase “OU” -Properties LastLogonDate,WhenCreated | where {$_.LastLogonDate -lt (get-date).AddDays(-90) -and $_.WhenCreated -lt (get-date).AddDays(-90)}
foreach($User in $UsersToDisable){
foreach($User in $UsersToDisable){
if($User.DistinguishedName -notlike "OU"){
Disable-ADAccount -Identity $User.SamAccountName -Confirm:$false
if((Get-ADUser -Identity $User.SamAccountName)){
$Account = $User.SamAccountName
$LastLogon = $User.LastLogonDate
$Value = "$Account,$DisabledDate,$LastLogon"
Add-Content -Path C:\temp\$FileName -Value $Value
}
}
}
In this part Get-ADUser -Filter 'Enabled -eq $True' -SearchBase “OU” i tried to create above something like this:
$OU = 'OU1','OU2' and then tried to pipe it but it did not work.
Any thoughts how could I make it work?
Many thanks!
tincho1984 Could you try this?
#Script to disable users that not login for more than 90 days #Create the report file $FileName = "DisabledUsers" + (Get-Date).ToString("dd-MM-yyyy") + ".csv" New-Item -Path "C:\temp" -Name $FileName -ItemType File Add-Content -Path C:\temp\$fileName -Value "Account,Disabled date,Last Logon Date" $DisabledDate = Get-Date -Format dd/MM/yyyy $OUS="OU1","OU2" foreach ($OU in $OUS) { $UsersToDisable = Get-ADUser -Filter 'Enabled -eq $True' -SearchBase "$($OU)" -Properties LastLogonDate,WhenCreated | where {$_.LastLogonDate -lt (get-date).AddDays(-90) -and $_.WhenCreated -lt (get-date).AddDays(-90)} foreach($User in $UsersToDisable){ if($User.DistinguishedName -notlike "$($OU)"){ Disable-ADAccount -Identity $User.SamAccountName -Confirm:$false if((Get-ADUser -Identity $User.SamAccountName)){ $Account = $User.SamAccountName $LastLogon = $User.LastLogonDate $Value = "$Account,$DisabledDate,$LastLogon" Add-Content -Path C:\temp\$FileName -Value $Value } } } }
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If one of the posts was helpful in other ways, please consider giving it a Like.
tincho1984 Could you try this?
#Script to disable users that not login for more than 90 days #Create the report file $FileName = "DisabledUsers" + (Get-Date).ToString("dd-MM-yyyy") + ".csv" New-Item -Path "C:\temp" -Name $FileName -ItemType File Add-Content -Path C:\temp\$fileName -Value "Account,Disabled date,Last Logon Date" $DisabledDate = Get-Date -Format dd/MM/yyyy $OUS="OU1","OU2" foreach ($OU in $OUS) { $UsersToDisable = Get-ADUser -Filter 'Enabled -eq $True' -SearchBase "$($OU)" -Properties LastLogonDate,WhenCreated | where {$_.LastLogonDate -lt (get-date).AddDays(-90) -and $_.WhenCreated -lt (get-date).AddDays(-90)} foreach($User in $UsersToDisable){ if($User.DistinguishedName -notlike "$($OU)"){ Disable-ADAccount -Identity $User.SamAccountName -Confirm:$false if((Get-ADUser -Identity $User.SamAccountName)){ $Account = $User.SamAccountName $LastLogon = $User.LastLogonDate $Value = "$Account,$DisabledDate,$LastLogon" Add-Content -Path C:\temp\$FileName -Value $Value } } } }
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If one of the posts was helpful in other ways, please consider giving it a Like.Thanks a lot for all your help 🙂
Cheers!
Hi, Martin.
As a footnote, if you only have a single domain controller then this script is fine but if you have more than one it's not.
This is because the lastLogon attribute (which Get-ADUser presents as LastLogonDate) is not replicated between domain controllers, meaning the time shown is only applicable to that specific domain controller.
If you have a small number of domain controllers, you could adjust your script to query each of them, but this approach doesn't scale well at all. Rather, in large environments, you'd need to leverage lastLogonTimestamp - which was introduced in the Server 2003 era.
Even here though, this comes with its own catch.
Under default conditions, lastLogonTimestamp can be anywhere up to around 14 days behind, since the attribute is not updated every single time a user logs on. If you're familiar with the DNS "no refresh" interval, it's a very similar concept. If not, then you just need to be aware that this attribute is useful as a broad indicator and cannot be relied upon for time-sensitive operations.
Put another way, if you're happy for your unused user accounts to be disabled anywhere within the window of 90 - 104 days, then lastLogonTimestamp is a more robust metric whereby you can confidently run it against a single domain controller.
If you need the script to strictly adhere to the 90 day timeframe then you need to consider adjusting the script to execute against all domain controllers, or leverage something called "event collection" - which is not something I'm going to dive into here as it's not a simple, quick topic to discuss (just be aware that it exists).
On an unrelated note, I'd move the date filtering into the actual LDAP filter rather than perform the filtering client-side. But if you're in a small organisation, this may not matter that much.
Cheers,
Lain
