Filter for OU from a Groupmembership

Varughese Kochukalical Eappen 21 Reputation points
2022-04-13T10:07:21.747+00:00

I am trying to remove inactive users from a Group. I am using lastlogontimestamp to identify inactivity.
I was able to make the same work using the below script.

$DateCutOff=(Get-Date).AddDays(-30)
Get-ADGroupMember Office365 | Get-ADUser -Properties lastLogonTimestamp | select @{N='LastLogon'; E={[DateTime]::FromFileTime($_.LastLogontimestamp)}},samaccountname | Where-Object {$_.lastLogon -lt $DateCutOff } | foreach { Remove-ADGroupMember Office365 -Members $_.samaccountname -Confirm:$false}

However, now my requirement is that only inactive members from a specific OU should be removed. The rest of the inactive users should remain in the group. I have tried using the search base command. When using the searchbase with Filter after the piping it lists out all users instead of all members of the group.

Get-ADGroupMember Office365 | Get-ADUser -Properties lastLogonTimestamp -Filter * -searchbase 'OU=DisabledUser,DC=federalbank,DC=co,DC=in' | select @{N='LastLogon'; E={[DateTime]::FromFileTime($_.LastLogontimestamp)}},samaccountname | Where-Object {$_.lastLogon -lt $DateCutOff } | foreach { Remove-ADGroupMember Office365 -Members $_.samaccountname -Confirm:$false}

I am not sure how to filter the results further for specific OU users.


3 answers

  1. Newbie Jones 1,306 Reputation points
    2022-04-13T14:04:52.923+00:00

    You can do this by updating the Where-Object client side filter.

    You currently have...

    Where-Object {$_.lastLogon -lt $DateCutOff }

    Try the following..

    Where-Object {$_.lastLogon -lt $DateCutOff -and $_.DistinguishedName -notlike "*OU=skip,OU=example,DC=example,DC=com"}


  2. Newbie Jones 1,306 Reputation points
    2022-04-13T14:09:17.947+00:00

    The Where-Object client side filter should probably be before the select statement where you drop any extraneous attributes. DistinguishedName is part of the default attributes for Get-ADUser and you need this for the filter to work.

    On a side note, you can't really use lastLogon like that.

    LastLogin is not a replicated attribute, which means it can be different based on the domain controller that services that request. Therefore in order to get an accurate lastLogon, you need to query all of the domain controllers and get the newest date.
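    The question actually wants the opposite of the skip filter: remove only the inactive members that live in one OU. The script below is an added example, not code from the question or the answers; it assumes the RSAT ActiveDirectory module, the group name and OU DN from the question, and keeps DistinguishedName in the pipeline as the answer above recommends.

```powershell
# Added example (not from the original question or answers). Assumes the RSAT
# ActiveDirectory module, the Office365 group and the OU DN from the question;
# adjust the group name and DN for your own domain.
Import-Module ActiveDirectory

$GroupName  = 'Office365'
$TargetOU   = 'OU=DisabledUser,DC=federalbank,DC=co,DC=in'
$DateCutOff = (Get-Date).AddDays(-30)

# Collect the DNs of users that sit directly in the target OU.
# -SearchScope OneLevel excludes child OUs; use Subtree if nested OUs should count.
$ouUsers = @(Get-ADUser -Filter * -SearchBase $TargetOU -SearchScope OneLevel |
             ForEach-Object { $_.DistinguishedName })
$ouSet = [System.Collections.Generic.HashSet[string]]::new(
            [string[]]$ouUsers, [System.StringComparer]::OrdinalIgnoreCase)

# Walk the GROUP membership (not the OU) so only real members are candidates,
# test the OU client-side on DistinguishedName, then evaluate inactivity.
$candidates = Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties lastLogonTimestamp |
    Where-Object { $ouSet.Contains($_.DistinguishedName) } |
    Select-Object SamAccountName, DistinguishedName,
        @{ N = 'LastLogon'; E = {
            # A missing/zero lastLogonTimestamp means the account never logged on;
            # report it as $null instead of the misleading 1601-01-01 date.
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) }
            else { $null } } } |
    Where-Object { $null -eq $_.LastLogon -or $_.LastLogon -lt $DateCutOff }

# Keep a record of what would be removed, review it, then drop -WhatIf to apply.
$candidates | Export-Csv -Path ".\$GroupName-inactive-removals.csv" -NoTypeInformation
$candidates | ForEach-Object {
    Remove-ADGroupMember -Identity $GroupName -Members $_.SamAccountName -Confirm:$false -WhatIf
}
```

    lastLogonTimestamp is replicated, but a DC only rewrites it when the stored value is older than msDS-LogonTimeSyncInterval (14 days minus a random 0 to 5 days by default), so it is accurate to roughly two weeks; that is fine for a 30-day cutoff but not for anything tighter.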


  3. Newbie Jones 1,306 Reputation points
    2022-04-13T14:13:11.26+00:00

    Here is a function you can use for LastLogon with an example.

    Function Get-LastLogon {
        <#
        .SYNOPSIS
        Returns LastLogon information
        .DESCRIPTION
        Queries the LastLogin information for a user across domain controllers and returns the highest (latest) value
        .EXAMPLE
        Get-LastLogon User
        .EXAMPLE
        Get-LastLogon -Identity User
        .EXAMPLE
        Get-ADUser User | Get-LastLogon
        .EXAMPLE
        Get-LastLogon User1, User2
        .PARAMETER users
        List of users - pipeline can be used
        #>

        [CmdletBinding()]
        param
        (
            [Parameter(Position=0,
                       Mandatory=$True,
                       ValueFromPipeline=$True,
                       HelpMessage='What user would you like to find the last logon for?')]
            $identity
        )

        Begin {}

        Process {

            Foreach ($account in $identity) {

                $dateStamp = $null
                $domainController = $null

                # Using Filter to remove Azure domain controllers
                Get-ADDomainController -Filter {Site -eq "xyz"} | Foreach {

                    $dc = $_.HostName

                    # lastLogon is read per DC; it is not replicated, so each DC has its own value
                    $lastLogon = (Get-ADUser $account -Properties LastLogon -Server $dc |
                        Select-Object Name, @{n='LastLogon'; e={[DateTime]::FromFileTime($_.LastLogon)}}).LastLogon

                    # Keep the newest value seen so far and remember which DC supplied it
                    If ($dateStamp -le $lastLogon) {
                        $dateStamp = $lastLogon
                        $domainController = $dc
                    }

                } # End of ForEach

                $properties = @{
                    Name             = $account
                    LastLogon        = $dateStamp
                    DomainController = $domainController
                }

                New-Object -TypeName PSObject -Property $properties

            } # End of ForEach

        } # End of Process

        End {}

    } # End of Function

    $list = Import-Csv 'users.csv'
    $list | ForEach {
        Get-ADUser $_.SamAccountName | Get-LastLogon | Select-Object Name, LastLogon
    } | Export-Csv LastLogon.csv -NoTypeInformation
    
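    The function above aborts the whole run if any DC is unreachable and turns a never-logged-on account into a 1601 date. The variant below is an added example, not the answer's function: it assumes the RSAT ActiveDirectory module, skips DCs that fail with a warning, ignores zero lastLogon values, and uses the replicated lastLogonTimestamp as a floor so an unreachable DC cannot make an active user look stale.

```powershell
# Added example, not the function from the answer above. Assumes the RSAT
# ActiveDirectory module; DCs that cannot be queried are reported and skipped.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Identity,
        # Pass a site-scoped list here if you do not want every DC queried.
        [string[]] $DomainController = (Get-ADDomainController -Filter * | ForEach-Object HostName)
    )
    process {
        # Accept either a name or an AD object (e.g. from Get-ADGroupMember).
        $id = if ($Identity.DistinguishedName) { $Identity.DistinguishedName } else { $Identity }
        $newest = $null; $source = $null; $sam = $null
        foreach ($dc in $DomainController) {
            try {
                $u = Get-ADUser -Identity $id -Properties lastLogon, lastLogonTimestamp -Server $dc -ErrorAction Stop
            } catch {
                Write-Warning "Skipping ${dc}: $($_.Exception.Message)"
                continue
            }
            $sam = $u.SamAccountName
            # lastLogon is per-DC and not replicated; 0/missing means "never authenticated here",
            # so skip it instead of converting it to 1601-01-01.
            if ($u.lastLogon -and ($null -eq $newest -or [DateTime]::FromFileTime($u.lastLogon) -gt $newest)) {
                $newest = [DateTime]::FromFileTime($u.lastLogon); $source = $dc
            }
            # lastLogonTimestamp is replicated (same on every DC, up to ~14 days stale);
            # it acts as a floor when the DC that saw the real last logon was unreachable.
            if ($u.lastLogonTimestamp -and ($null -eq $newest -or [DateTime]::FromFileTime($u.lastLogonTimestamp) -gt $newest)) {
                $newest = [DateTime]::FromFileTime($u.lastLogonTimestamp); $source = 'lastLogonTimestamp'
            }
        }
        [pscustomobject]@{
            SamAccountName = $sam
            LastLogon      = $newest
            Source         = $source          # DC hostname, or 'lastLogonTimestamp'
            NeverLoggedOn  = ($null -eq $newest)
        }
    }
}

# Usage with the question's cutoff: list (do not yet remove) stale Office365 members.
$DateCutOff = (Get-Date).AddDays(-30)
Get-ADGroupMember Office365 | Where-Object { $_.objectClass -eq 'user' } |
    Get-TrueLastLogon |
    Where-Object { $_.NeverLoggedOn -or $_.LastLogon -lt $DateCutOff }
```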