I am trying to delete users with PowerShell after 90 days who are also disabled and members of a specific group

Rudy van Tuijn 0 Reputation points
2023-03-01T13:48:42.6433333+00:00

I am trying to get the following PowerShell script to work, but currently it doesn't do anything except for importing the Active Directory module:

Import-Module ActiveDirectory -ErrorAction:SilentlyContinue

# Define the OU and group names
$ouName = "OU NAME HERE"
$groupName = "SG_Uitdienst"

# Get the current date
$currentDate = Get-Date

# Get a list of user accounts in the specified OU that are a member of the specified group
$userAccounts = Get-ADUser -SearchBase $ouName -Filter {(MemberOf -like "*$groupName*") -and (Enabled -eq $false)}

# Loop through each user account
foreach ($user in $userAccounts) {
    # Check if the user account has been inactive for longer than 90 days
    if (($currentDate - $user.LastLogonTimestamp).Days -gt 90) {
        # Delete the user account
        Remove-ADUser -Identity $user -Confirm:$false
        Write-Host "Deleted user account $($user.SamAccountName)."
    }
}

2 answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

  2. Rich Matheisen 45,906 Reputation points
    2023-03-03T16:27:09.4433333+00:00

    The "memberof" property is a multi-valued property that holds the distinguishedName of the groups.

    Your use of the LastLogonTimeStamp won't produce accurate results. While that property is replicated to other DCs, the replication may take between 3 and 14 days. It's precise only on the DC that handled the logon.

    You have to check the value on ALL domain controllers in the accounts' domain and use the most recent value in your determination of which accounts to remove.

    # Define the OU and group names
    $ouName = "OU NAME HERE"                    # must be the distinguishedName of the OU
    $groupName = "SG_Uitdienst"                 # must be the sAMAccountname of the group
    # Get-ADGroup throws on an unknown name, so suppress the error to reach the $null check below
    $groupDN = (Get-ADGroup -Identity $groupName -ErrorAction SilentlyContinue).distinguishedName
    if ($null -eq $groupDN) {
        Write-Host "Did not find group '$groupName'"
        Return
    }

    # Get the current date
    $currentDate = Get-Date

    # Get a list of user accounts in the specified OU that are a member of the specified group
    # memberof and lastLogonTimestamp are not returned by default, so they must be requested explicitly
    Get-ADUser -SearchBase $ouName -Filter { Enabled -eq $false } -Properties memberof, lastLogonTimestamp |
        ForEach-Object {
            $acct = $_.sAMAccountname
            if ($_.memberof -contains $groupDN) {
                # Check if the user account has been inactive for longer than 90 days
                # lastLogonTimestamp is a FILETIME int64, not a DateTime; $null means no logon was ever recorded
                if ($_.lastLogonTimestamp -and
                    (($currentDate - [DateTime]::FromFileTime($_.lastLogonTimestamp)).Days -gt 90)) {   # INACCURATE!!!!!
                    # Delete the user account
                    Try{
                        Remove-ADUser -Identity $_.distinguishedName -Confirm:$false -ErrorAction STOP
                        Write-Host "Deleted user account $($_.SamAccountName)."
                    }
                    Catch{
                        Write-Host "Failed to delete user account $acct."
                        $_      # the error record, so the reason for the failure is shown
                    }
                }
            }
        }

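The all-DC check the answer describes, written out as an added example (not code from the answer or the question): a helper that asks every domain controller for its own non-replicated lastLogon plus lastLogonTimestamp and keeps the newest value, then the cleanup loop built on it. The OU DN is a constructed placeholder, the group name is the one from the question, and Remove-ADUser is run with -WhatIf so the first run only lists candidates.

```powershell
Import-Module ActiveDirectory

# Most recent logon for one account, taken across every DC in the domain.
# lastLogon is never replicated (each DC only knows the logons it handled itself) and
# lastLogonTimestamp is replicated but refreshed only when it is days to weeks stale.
function Get-ADUserLastLogonAcrossDCs {
    param(
        [Parameter(Mandatory)] [string]   $DistinguishedName,
        [Parameter(Mandatory)] [string[]] $DomainControllers
    )
    $latest = [DateTime]::MinValue      # MinValue = no DC has ever recorded a logon
    foreach ($dc in $DomainControllers) {
        try {
            $u = Get-ADUser -Identity $DistinguishedName -Server $dc `
                            -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        } catch {
            # An unreachable DC must fail loudly, not silently make the account look idle
            Write-Warning "Could not query $dc for $DistinguishedName ($_)"
            continue
        }
        foreach ($fileTime in @($u.lastLogon, $u.lastLogonTimestamp)) {
            if ($fileTime -gt 0) {      # both attributes are FILETIME int64; 0 or $null = never
                $t = [DateTime]::FromFileTime($fileTime)
                if ($t -gt $latest) { $latest = $t }
            }
        }
    }
    return $latest
}

# Constructed placeholder: replace the OU DN with the real one before running.
$ouDN    = "OU=Leavers,DC=example,DC=local"
$groupDN = (Get-ADGroup -Identity "SG_Uitdienst").distinguishedName
$dcs     = (Get-ADDomainController -Filter *).HostName
$cutoff  = (Get-Date).AddDays(-90)

Get-ADUser -SearchBase $ouDN -Filter { Enabled -eq $false } -Properties memberOf |
    Where-Object { $_.memberOf -contains $groupDN } |
    ForEach-Object {
        $last = Get-ADUserLastLogonAcrossDCs -DistinguishedName $_.DistinguishedName -DomainControllers $dcs
        if ($last -eq [DateTime]::MinValue) {
            Write-Host "$($_.SamAccountName): no logon on any DC, skipped for manual review"
        } elseif ($last -lt $cutoff) {
            # -WhatIf reports what would be removed; drop it only after reviewing the candidate list
            Remove-ADUser -Identity $_.DistinguishedName -Confirm:$false -WhatIf
            Write-Host "Candidate: $($_.SamAccountName), last logon $last"
        }
    }
```

Accounts with no logon on any DC are deliberately not deleted here, because an absent timestamp says nothing about age; compare whenCreated for those before deciding.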