Forum Discussion

tincho1984's avatar
tincho1984
Copper Contributor
Jan 23, 2024
Solved

Add to the search of inactive users multiple OUs

Hi all I came with a script that works fine what it does is to find users that haven't logged on in more than 90 days in an specific OU and then it disables them, however I need the script to search...
Active Directory
AD
inactive users
multiple ous
ou
powershell
  • Harm_Veenstra's avatar
    Harm_Veenstra
    Jan 23, 2024

    tincho1984 Could you try this?

     

    #Script to disable users that not login for more than 90 days

#Create the report file
$FileName = "DisabledUsers" + (Get-Date).ToString("dd-MM-yyyy") + ".csv"
New-Item -Path "C:\temp" -Name $FileName -ItemType File
Add-Content -Path C:\temp\$fileName -Value "Account,Disabled date,Last Logon Date"
$DisabledDate = Get-Date -Format dd/MM/yyyy
$OUS="OU1","OU2"
foreach ($OU in $OUS) {
$UsersToDisable = Get-ADUser -Filter 'Enabled -eq $True' -SearchBase "$($OU)" -Properties LastLogonDate,WhenCreated | where {$_.LastLogonDate -lt (get-date).AddDays(-90) -and $_.WhenCreated -lt (get-date).AddDays(-90)}

foreach($User in $UsersToDisable){
    if($User.DistinguishedName -notlike "$($OU)"){
        Disable-ADAccount -Identity $User.SamAccountName -Confirm:$false 
        if((Get-ADUser -Identity $User.SamAccountName)){
            $Account = $User.SamAccountName
            $LastLogon = $User.LastLogonDate
            $Value = "$Account,$DisabledDate,$LastLogon"
            Add-Content -Path C:\temp\$FileName -Value $Value
            }
        }
    }
}



    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.

    If one of the posts was helpful in other ways, please consider giving it a Like.

LainRobertson's avatar
LainRobertson
Silver Contributor
Jan 24, 2024

tincho1984 

 

Hi, Martin.

 

As a footnote, if you only have a single domain controller then this script is fine but if you have more than one it's not.

 

This is because the lastLogon attribute (which Get-ADUser presents as LastLogonDate) is not replicated between domain controllers, meaning the time shown is only applicable to that specific domain controller.

 

If you have a small number of domain controllers, you could adjust your script to query each of them, but this approach doesn't scale well at all. Rather, in large environments, you'd need to leverage lastLogonTimestamp - which was introduced in the Server 2003 era.

 

Even here though, this comes with its own catch.

 

Under default conditions, lastLogonTimestamp can be anywhere up to around 14 days behind, since the attribute is not updated every single time a user logs on. If you're familiar with the DNS "no refresh" interval, it's a very similar concept. If not, then you just need to be aware that this attribute is useful as a broad indicator and cannot be relied upon for time-sensitive operations.

 

Put another way, if you're happy for your unused user accounts to be disabled anywhere within the window of 90 - 104 days, then lastLogonTimestamp is a more robust metric whereby you can confidently run it against a single domain controller.

 

If you need the script to strictly adhere to the 90 day timeframe then you need to consider adjusting the script to execute against all domain controllers, or leverage something called "event collection" - which is not something I'm going to dive into here as it's not a simple, quick topic to discuss (just be aware that it exists).

 

On an unrelated note, I'd move the date filtering into the actual LDAP filter rather than perform the filtering client-side. But if you're in a small organisation, this may not matter that much.

 

Cheers,

Lain

Resources