Find AD users that have been inactive for more than 90 days and have not been created in the past 90 days

0

I am working on an AD cleanup script but am having trouble getting it to work correctly. The criteria I am attempting to meet are: the user has not logged in for the past 90 days and was created more than 90 days ago. The problem is that it is returning users that were created within the past 90 days. Here is the script I am working on:

Import-Module ActiveDirectory

$OU="ou=Users,ou=middle,ou=top,dc=contoso,dc=com"

$CSV_USERS=""

foreach ($x in $OU) {
    $USERS=Search-ADAccount -AccountInactive -Timespan 90.00:00:00 -Searchbase $x | Where {$_.whenCreated -le ((Get-Date).AddDays(-90).toFileTime())}

    if ($USERS) {
        $CSV_USERS=$CSV_USERS + $USERS
    }
}

$date=Get-Date -Format "dMy"
$path="C:\Scripts\TestScript_disable_users_"+$date+".csv"
if($CSV_USERS) {
    Out-File -FilePath $path -InputObject $CSV_USERS
}

Once the script works properly I will add the following lines under the $CSV_USERS=$CSV_USERS + $USERS line:

$USERS | Disable-AdAccount 
$USERS | Move-AdObject -TargetPath "OU=Inactive employees,dc=contoso,dc=com"

Can anyone help me find out why the "| Where" parameters are not working for me?

Greg

Posted 2017-01-05T20:30:19.360

Reputation: 1

There's no whenCreated property, and it also doesn't make sense. If Search-ADAccount -AccountInactive -TimeSpan 90 returns users, these users have to have been created longer than 90 days ago; otherwise it wouldn't return them because of the timespan. So you don't need your Where. Change your timespan to 90 instead of 90.00:00:00 and it should work properly. – SimonS – 2017-01-06T13:35:23.643

@Greg What error or results are you getting? There is a WhenCreated property in AD, but Search-ADAccount doesn't return it. You need a second call to AD for that. – uSlackr – 2017-01-06T14:30:29.580

It looks like you have created a second account, which will also interfere with your ability to comment within your thread and to accept an answer. See "How can one link/merge/combine/associate two accounts/users?" and/or "I accidentally created two accounts; how do I merge them?" for guidance on how to merge your accounts. – DavidPostill – 2017-01-07T12:07:56.210

Answers

1

I think you're making this a little more complicated than it needs to be. No need for a for loop to find your users. Embrace the power of PowerShell!

Import-Module ActiveDirectory

$thresholdDate = (Get-Date).AddDays(-90)

# Search-ADAccount output does not carry whenCreated, and Get-ADUser's default property
# set does not carry LastLogonDate, so both attributes have to be requested explicitly.
# An empty LastLogonDate (never logged on) compares as less than the threshold, so those
# accounts are included as well.
$oldUsers = Get-ADUser -Filter * -SearchBase "ou=Users,ou=middle,ou=top,dc=contoso,dc=com" -Properties whenCreated,LastLogonDate |
    Where-Object {$_.whenCreated -lt $thresholdDate -and $_.LastLogonDate -lt $thresholdDate}

$date = Get-Date -Format "dMy"
$path = "C:\Scripts\TestScript_disable_users_$date.csv"

$oldUsers | Export-Csv -NoTypeInformation -Path $path

$oldUsers | Disable-ADAccount

Just beware of the pitfalls of using LastLogonDate. The value is only updated for any given user every 12 days or so: http://windowsitpro.com/systems-management/use-get-aduser-find-inactive-ad-users

JustusThane

Posted 2017-01-05T20:30:19.360

Reputation: 111

0

Not tested, but this should get you moving.

Import-Module ActiveDirectory

$OU = "ou=Users,ou=middle,ou=top,dc=contoso,dc=com"

$CSV_USERS = @()
$OldUserAccts = @()
$threshold = (Get-Date).AddDays(-90)

foreach ($x in $OU) {
    # Search-ADAccount does not return whenCreated, so fetch it with a second call per account
    Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -SearchBase $x | ForEach-Object {
        $user = Get-ADUser $_ -Properties whenCreated
        # compare DateTime with DateTime; comparing whenCreated against a FileTime integer never matches
        if ($user.whenCreated -le $threshold) { $OldUserAccts += $user }
    }

    if ($OldUserAccts) {
        $CSV_USERS += $OldUserAccts
    }
}

$date = Get-Date -Format "dMy"
$path = "C:\Scripts\TestScript_disable_users_" + $date + ".csv"
if ($CSV_USERS) {
    $CSV_USERS | Export-Csv -NoTypeInformation -Path $path
}

uSlackr

Posted 2017-01-05T20:30:19.360

Reputation: 8 755
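An added example, not code from any of the posts above, that combines the correction both answers make (request whenCreated and LastLogonDate explicitly instead of relying on Search-ADAccount output) with the LastLogonDate caveat JustusThane raises: never-logged-on accounts have no value at all, and because lastLogonTimestamp is only rewritten when the stored value is roughly 9 to 14 days old, a real logon can be up to about 14 days more recent than the attribute shows. Select-StaleUser is a hypothetical helper name, the sample accounts are constructed, and the OU path and 90-day window are taken from the question.

```powershell
function Select-StaleUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int]$InactiveDays = 90,
        # lastLogonTimestamp lags a real logon by up to ~14 days, so require the
        # stored value to be that much older before calling an account inactive.
        [int]$ReplicationSlackDays = 14
    )
    begin {
        $cutoff     = (Get-Date).AddDays(-$InactiveDays)
        $safeCutoff = $cutoff.AddDays(-$ReplicationSlackDays)
    }
    process {
        # Fail closed: objects without whenCreated (e.g. Search-ADAccount output) are
        # skipped with a warning rather than treated as old, because "$null -le <date>"
        # evaluates to true and would sweep in brand-new accounts.
        if ($null -eq $User.whenCreated) {
            Write-Warning "$($User.SamAccountName): whenCreated missing, skipping"
            return
        }
        if ($User.whenCreated -gt $cutoff) { return }   # created inside the window

        if ($null -eq $User.LastLogonDate) {
            $reason = 'never-logged-on'                  # old account, no logon ever recorded
        } elseif ($User.LastLogonDate -lt $safeCutoff) {
            $reason = 'inactive'
        } else {
            return                                       # active, or too close to call
        }

        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            WhenCreated    = $User.whenCreated
            LastLogonDate  = $User.LastLogonDate
            Reason         = $reason
        }
    }
}

# Constructed sample accounts (not real data) so the filter can be exercised without a domain.
$today  = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'u.inactive';  whenCreated = $today.AddDays(-400); LastLogonDate = $today.AddDays(-120) }
    [pscustomobject]@{ SamAccountName = 'u.nologon';   whenCreated = $today.AddDays(-400); LastLogonDate = $null }
    [pscustomobject]@{ SamAccountName = 'u.new';       whenCreated = $today.AddDays(-30);  LastLogonDate = $null }
    [pscustomobject]@{ SamAccountName = 'u.border';    whenCreated = $today.AddDays(-400); LastLogonDate = $today.AddDays(-95) }
    [pscustomobject]@{ SamAccountName = 'u.active';    whenCreated = $today.AddDays(-400); LastLogonDate = $today.AddDays(-3) }
    [pscustomobject]@{ SamAccountName = 'u.nocreated'; LastLogonDate = $today.AddDays(-200) }
)
$sample | Select-StaleUser | Format-Table

# Live run against the question's OU (hypothetical, uncomment in a domain session):
# $stale = Get-ADUser -Filter 'Enabled -eq $true' `
#     -SearchBase 'ou=Users,ou=middle,ou=top,dc=contoso,dc=com' `
#     -Properties whenCreated, LastLogonDate | Select-StaleUser
# $stale | Export-Csv -NoTypeInformation -Path ("C:\Scripts\stale_users_{0:yyyyMMdd}.csv" -f (Get-Date))
# $stale | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }   # drop -WhatIf after review
```

On the constructed sample only u.inactive (inactive) and u.nologon (never-logged-on) are returned: u.new is inside the creation window, u.border sits within the replication slack so it is left alone, u.active logged on recently, and u.nocreated produces a warning instead of being silently accepted. Keeping the disable step behind -WhatIf until the CSV has been reviewed is the safeguard the thread's scripts lack.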