I am trying to delete users with powershell after 90 days who are also disabled and member of a specific group

Rudy van Tuijn 0 Reputation points
2023-03-01T13:48:42.6433333+00:00

I am trying to get the following PowerShell script to work, but currently it doesn't do anything except import the Active Directory module:

Import-Module ActiveDirectory -ErrorAction:SilentlyContinue

# Define the OU and group names
$ouName = "OU NAME HERE"
$groupName = "SG_Uitdienst"

# Get the current date
$currentDate = Get-Date

# Get a list of user accounts in the specified OU that are a member of the specified group
$userAccounts = Get-ADUser -SearchBase $ouName -Filter {(MemberOf -like "*$groupName*") -and (Enabled -eq $false)}

# Loop through each user account
foreach ($user in $userAccounts) {
    # Check if the user account has been inactive for longer than 90 days
    if (($currentDate - $user.LastLogonTimestamp).Days -gt 90) {
        # Delete the user account
        Remove-ADUser -Identity $user -Confirm:$false
        Write-Host "Deleted user account $($user.SamAccountName)."
    }
}

2 answers

  2. Rich Matheisen 47,901 Reputation points
    2023-03-03T16:27:09.4433333+00:00

    The "memberof" property is a multi-valued property that holds the distinguishedName of the groups.

    Your use of the LastLogonTimeStamp won't produce accurate results. While that property is replicated to other DCs, the replication may take between 3 and 14 days. It's precise only on the DC that handled the logon.

    You have to check the value on ALL domain controllers in the accounts' domain and use the most recent value in your determination of which accounts to remove.

    # Define the OU and group names
    $ouName = "OU NAME HERE"
    $groupName = "SG_Uitdienst"                 # must be the sAMAccountname of the group
    $groupDN = (Get-ADGroup -Identity $groupName -ErrorAction SilentlyContinue).distinguishedName
    if ($null -eq $groupDN) {
        Write-Host "Did not find group '$groupName'"
        Return
    }
    
    # Get the current date
    $currentDate = Get-Date
    
    # Get a list of disabled user accounts in the specified OU; memberOf and lastLogonTimestamp
    # are not returned by default, so request them explicitly
    Get-ADUser -SearchBase $ouName -Filter { Enabled -eq $false } -Properties memberOf, lastLogonTimestamp |
        ForEach-Object {
            $acct = $_.sAMAccountname
            if ($_.memberof -contains $groupDN) {
                # lastLogonTimestamp is a 64-bit FILETIME value, convert it before doing date arithmetic
                # (a never-set value becomes 1601-01-01 and therefore counts as inactive)
                $lastLogon = [DateTime]::FromFileTime([Int64]$_.lastLogonTimestamp)
                # Check if the user account has been inactive for longer than 90 days
                if (($currentDate - $lastLogon).Days -gt 90) {            # INACCURATE!!!!!
                    # Delete the user account
                    Try{
                        Remove-ADUser -Identity $_.distinguishedName -Confirm:$false -ErrorAction STOP
                        Write-Host "Deleted user account $acct."
                    }
                    Catch{
                        Write-Host "Failed to delete user account $acct."
                        $_
                    }
                }
            }
        }
    
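Putting the advice in this answer into practice, here is an added example (my own code, not Rich's or Microsoft's) that asks every domain controller for its non-replicated lastLogon value as well as lastLogonTimestamp, keeps the newest of all of them, and refuses to decide on an account if any DC could not be queried. It assumes the ActiveDirectory module, the same OU placeholder and group name as the question, that the account running it may read all DCs, and the function name Get-MostRecentLogon is my own choice.

```powershell
Import-Module ActiveDirectory

$ouName  = "OU NAME HERE"                                  # placeholder from the question
$groupDN = (Get-ADGroup -Identity "SG_Uitdienst").distinguishedName
$cutoff  = (Get-Date).AddDays(-90)

# lastLogon is never replicated, so every DC holds its own copy; lastLogonTimestamp is
# replicated but can lag by up to 14 days. Ask every DC and keep the newest of all values.
$dcs = (Get-ADDomainController -Filter *).HostName

function Get-MostRecentLogon {
    param([string]$DistinguishedName)
    $newest = [DateTime]::MinValue
    foreach ($dc in $dcs) {
        try {
            $u = Get-ADUser -Identity $DistinguishedName -Server $dc `
                 -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        } catch {
            # An unreachable DC may hold the newest logon, so refuse to decide rather than guess
            Write-Warning "Could not query $dc for ${DistinguishedName}: $_"
            return $null
        }
        foreach ($raw in @($u.lastLogon, $u.lastLogonTimestamp)) {
            if ($raw -and [Int64]$raw -gt 0) {
                $t = [DateTime]::FromFileTime([Int64]$raw)   # FILETIME -> local DateTime
                if ($t -gt $newest) { $newest = $t }
            }
        }
    }
    return $newest
}

Get-ADUser -SearchBase $ouName -Filter { Enabled -eq $false } -Properties memberOf |
    Where-Object { $_.memberOf -contains $groupDN } |
    ForEach-Object {
        $last = Get-MostRecentLogon -DistinguishedName $_.distinguishedName
        if ($null -eq $last) {
            Write-Host "$($_.sAMAccountName): skipped, not all DCs answered"
        } elseif ($last -eq [DateTime]::MinValue) {
            Write-Host "$($_.sAMAccountName): no logon recorded on any DC, review by hand"
        } elseif ($last -lt $cutoff) {
            # -WhatIf only reports what would be removed; take it off once the list has been reviewed
            Remove-ADUser -Identity $_.distinguishedName -Confirm:$false -WhatIf
            Write-Host "$($_.sAMAccountName): last logon $last is older than 90 days"
        }
    }
```

Run it once with -WhatIf in place and keep the output as the change record before letting it delete anything.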
