Add to the search of inactive users multiple OUs

Question

Add to the search of inactive users multiple OUs

tincho1980 25

Hi all I came with a script that works fine what it does is to find users that haven't logged on in more than 90 days in an specific OU and then it disables them, however I need the script to search for 2 more OUs instead of only one but I couldn't make it work, this is the script. In this part Get-ADUser -Filter 'Enabled -eq $True' -SearchBase “OU TO SEARCH” i tried to create above something like this: $OU = 'OU1','OU2' and then tried to pipe it but it did not work. Any thoughts how could I make it work? Many thanks!

#Script to disable users that not login for more than 90 days

#Create the report file
$FileName = "DisabledUsers" + (Get-Date).ToString("dd-MM-yyyy") + ".csv"
New-Item -Path "C:\temp" -Name $FileName -ItemType File
Add-Content -Path C:\temp\$fileName -Value "Account,Disabled date,Last Logon Date"
$DisabledDate = Get-Date -Format dd/MM/yyyy
$UsersToDisable = Get-ADUser -Filter 'Enabled -eq $True' -SearchBase “OU TO SEARCH” -Properties LastLogonDate,WhenCreated | where {$_.LastLogonDate -lt (get-date).AddDays(-90) -and $_.WhenCreated -lt (get-date).AddDays(-90)}
foreach($User in $UsersToDisable){
foreach($User in $UsersToDisable){
    if($User.DistinguishedName -notlike "OU TO NOT SEARCH"){
        Disable-ADAccount -Identity $User.SamAccountName -Confirm:$false 
        if((Get-ADUser -Identity $User.SamAccountName)){
            $Account = $User.SamAccountName
            $LastLogon = $User.LastLogonDate
            $Value = "$Account,$DisabledDate,$LastLogon"
            Add-Content -Path C:\temp\$FileName -Value $Value
            }
        }
    }

Accepted answer

0 additional answers

Your answer

Answer 1

Thameur-BOURBITA 36,261 Moderator

Hi @tincho1980

If you want search in multiple OU You can try with $OU= @("OU1","OU2","OU3")

I tried to adjust your script:

#Script to disable users that not login for more than 90 days

#Create the report file
$FileName = "DisabledUsers" + (Get-Date).ToString("dd-MM-yyyy") + ".csv"
New-Item -Path "C:\temp" -Name $FileName -ItemType File
Add-Content -Path C:\temp\$fileName -Value "Account,Disabled date,Last Logon Date"
$DisabledDate = Get-Date -Format dd/MM/yyyy
$OU= @("OU1","OU2","OU3")
foreach($OU in $OUs){
$UsersToDisable = Get-ADUser -Filter 'Enabled -eq $True' -SearchBase “$OU” -Properties LastLogonDate,WhenCreated | where {$_.LastLogonDate -lt (get-date).AddDays(-90) -and $_.WhenCreated -lt (get-date).AddDays(-90)}

foreach($User in $UsersToDisable){

$DN= $User.DistinguishedName
$Samaccountname = $User.SamAccountName
$LastLogon = $User.LastLogonDate
    if($DN -notlike "OU TO NOT SEARCH"){
        Disable-ADAccount -Identity $SamAccountName -Confirm:$false 
        if((Get-ADUser -Identity $SamAccountName)){
            
            
            
            Add-Content -Path C:\temp\$FileName -Value "$SamAccountName,$DisabledDate,$LastLogon"
            }
        }
    }
    $DN= $null
    $Samaccountname = $null
    $LastLogon =$null
    }

Please don't forget to accept helpful answer

tincho1980 25 Reputation points

2024-01-23T16:56:30.49+00:00

Hi thanks a lot for your script, I just checked it and targetted an specific OU that I know that have users that have not logged on in more than 90 days and it doesn't disable them.

Thameur-BOURBITA 36,261 Moderator

@tincho1980 Check if the variable $UsersToDisable is not null because if the OU not empty but it's possible that the last user logon was after 90 days I have tested the script and it work. You have just adjust it by adding the right OU :

#Script to disable users that not login for more than 90 days

#Create the report file
$FileName = "DisabledUsers" + (Get-Date).ToString("dd-MM-yyyy") + ".csv"
New-Item -Path "C:\temp" -Name $FileName -ItemType File
Add-Content -Path C:\temp\$fileName -Value "Account,Disabled date,Last Logon Date"
$DisabledDate = Get-Date -Format dd/MM/yyyy
$OU= @("OU1","OU2","OU3")
foreach($OU in $OUs){
$UsersToDisable = Get-ADUser -Filter 'Enabled -eq $True' -SearchBase “$OU” -Properties LastLogonDate,WhenCreated | where {$_.LastLogonDate -lt (get-date).AddDays(-90) -and $_.WhenCreated -lt (get-date).AddDays(-90)}

foreach($User in $UsersToDisable)
{

$DN= $User.DistinguishedName
$Samaccountname = $User.SamAccountName
$LastLogon = $User.LastLogonDate
    if($DN -notlike "OU TO NOT SEARCH")
        {
        Disable-ADAccount -Identity $SamAccountName -Confirm:$false 
        if((Get-ADUser -Identity $SamAccountName))
            {
            
            Write-Host "$SamAccountName,$DisabledDate,$LastLogon" 
            
            Add-Content -Path C:\temp\$FileName -Value "$SamAccountName,$DisabledDate,$LastLogon"
            }
        }
    $DN= $null
    $Samaccountname = $null
    $LastLogon =$null
    }
   
    }

Please don't forget to accept helpful answer

tincho1980 25 Reputation points

2024-01-23T18:24:22.1666667+00:00

Hi Variable UsersToDIsable is not null and I placed a valid OU in the variable $OU but still not working :(

Thameur-BOURBITA 36,261 Moderator

Try this

Disable-ADAccount -Identity $DN -Confirm:$fals

if it still not working you can try this

Get-aduser -Identity $SamAccountName | Disable-ADAccount -Identity $SamAccountName -Confirm:$false

or

Get-adobject Identity $SamAccountName | Disable-ADAccount -Identity $SamAccountName -Confirm:$false

Please don’t forget to accept helpful answer

Rich Matheisen 47,901 Reputation points

2024-01-23T19:17:34.7+00:00

An important question that hasn't been asked is "do you have multiple domain controllers" in the AD domain? The property you're using to acquire the date/time of the users' last login isn't a replicated property. You must query each DC in the users' domain and keep the most recent value. It's that value that you'll compare to the "inactive" date. Another question is "do you have multiple AD domains in your forest?" In this case the search for DCs must be done using the users' domain, not the domain in which the person running the query was authenticated. In this situation you may encounter authentication problems when querying a DC in domain "B" while you logged in by domain "A".
Thameur-BOURBITA 36,261 Reputation points Moderator

2024-01-24T09:13:24.95+00:00

Hi @tincho1980

Just checking if there is any update ?

Please don't forget to accept helpful answer
tincho1980 25 Reputation points

2024-01-24T19:18:06.7233333+00:00

Thanks a lot for all your help :)
Thameur-BOURBITA 36,261 Reputation points Moderator

2024-01-24T19:20:13.3233333+00:00

You are welcome

Share via

Add to the search of inactive users multiple OUs

0 additional answers

Your answer