Help with PowerShell Script whenChanged

Question

Hello,
I have a Problem with my Script. It does not work like I want it to do. I need to write a script which is executed every 7 days. It should deactivate all users (they all start with abc_) in a specific group. They get activated if they are needed and usually they are all deactivated. I want to have a txt file with the DisplayName of all Users which got deactivated if possible. Can someone pls help me?

`$SearchBase = 'OU=A,DC=D,DC=F'
$SevenDaysBefore = ((Get-Date).Date).AddDays(-7)

$ADUserList = Get-ADUser -Filter "enabled -eq '$true' -and DisplayName -like 'abc_*'" -SearchBase $SearchBase -Properties whenChanged, DisplayName

foreach ($ADUser in $ADUserList) {
    if ($ADUser.whenChanged -lt $SevenDaysBefore) {
        Disable-ADAccount -Identity $ADUser.SamAccountName
   }
}

`

Answer 1

Hi there,

You can first use a script to collect all users that are inactive for the said period and then export it to a text file and deactivate all the users as per the text file.

If you saved the text file to a different location than c:\it\users.txt you will need to update the script.

$users=Get-Content c:\it\users.txt

ForEach ($user in $users)
{
Disable-ADAccount -Identity $user
write-host "user $($user) has been disabled"
}

Run the command below to return only the username of disabled accounts and you can verify it with the text file.

Get-ADUser -Filter {Enabled -eq $false} | FT samAccountName

---

--If the reply is helpful, please Upvote and Accept it as an answer–

Answer 2

Instead of using "whenChanged", try using the "modified" property of the user.

Just be aware that the whenChanged and Modified value change under circumstances over which you have no control. I think you'd be better served using some other attribute (one of the extensionAttribute properties, for example) to keep track of the date.

Answer 3

I need a script that is executed every 7 days.
It should deactivate all users that start with abc* in a specific group.
I want to have a txt file with the DisplayName of the all users which got deactivated

Not sure where the sevendaysbefore actually comes into play here.
Do you only want to disable the accounts that have been "changed" in the last seven days? Or all enabled accounts in the group not matter what.

Based on the initial "requirements". Please consider the following...

$workingDirectory="H:\" #change as appropriate
$currentDate = date -uformat "%y%m%d-%H%M"
$logfile = ($workingDirectory+"Deactivatelog-$currentDate.csv")

$Results=@()

$group="groupA"

$users=Get-ADGroupMember -Identity $group |
    Get-ADUser -properties DisplayName, Enabled |
        Where-Object {$_.Enabled -eq "True" -and $_.DisplayName -like "ABC*"} |
            Select-Object DistinguishedName, DisplayName, Enabled, @{name="group";expression={$group}}


If ($users) { # if not null
    ForEach ($account in $users) {
        Write-Host Disabling $account.DisplayName
        Disable-ADAccount -Identity $account.DistinguishedName

        $Results +=  New-Object -TypeName PSObject -property @{
            DisplayName=$account.DisplayName;
            Group=$account.group}                   
    }

    $Results | Export-CSV $logfile -noTypeInformation

} Else {
  Write-Host "No Accounts found"  
}