Disable Inactive users in AD

Question

Disable Inactive users in AD

A.Elrayes 186

Hello,

I got a script to get all in active users in AD then disable them and move to another OU

$DaysInactive = ((Get-Date).AddDays(-90)).Date
$InactiveUsers = Get-ADUser -Filter {(LastLogonDate -lt $DaysInactive) -and (enabled -eq $true)} -Properties * | select-object displayName,samaccountname,givenname,surname,LastLogonDate,DistinguishedName,enabled | ? {$_.DistinguishedName -notlike ",CN=Monitoring Mailboxes,"}
$InactiveUsers | Export-Csv C:\InactiveUsers15.csv -NoTypeInformation

foreach ( $User in $InactiveUsers)

{
$OriginalOU= $User.Distinguishedname
$ChangeDiscription = $User.Samaccountname
$User | Disable-ADAccount
$User | MoveADobject - Targetpath "OU=old users"
Set-ADuser $ChangeDiscription ( " DIsabled dueto inactivity - Moved from " + OriginalOU)
}

The bellow error is after run this script for the first time

Note that the inactive users are disabled through the script but not moved to the specified OU.

What is the issue in this script ?

Thanks

Answer accepted by question author

1 additional answer

Your answer

Answer 1

Andreas Baumgarten 129.4K MVP Volunteer Moderator

Hi @A.Elrayes ,

Move-AdObject expect a GUID or DN as the -Identity parameter.
Also you should provide the full DN of the -TargetPath.
https://learn.microsoft.com/en-us/powershell/module/activedirectory/move-adobject?view=windowsserver2022-ps

In your script the variable $OriginalOU contains the DN of the user, not the OU of the user. So could try this:

Move-ADobject -Identity $OriginalOU -Targetpath "OU=old users,OU=xxx,DC=xyz,DC=abc"

For Set-AdUser you could try this:

Set-ADuser $ChangeDiscription -Description ("Disabled dueto inactivity - Moved from  $OriginalOU")

If you are posting scripts please use the Code Sample option (the Icon with 101010). The Q&A editor will remove some characters of scripts if you paste the script as normal text.

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

A.Elrayes 186 Reputation points

2022-08-28T13:25:37.937+00:00

Hi AndreasBaumgarten,

Great thanks it is working now.

One more thing
I need a loop to export the CSV with the date of the day that is executed at, for example the CSV will be exported as InactiveUsers_28-8-2022 and the next day is InactiveUsers_29-8-2022 and so on.

Thanks
A.Elrayes 186 Reputation points

2022-08-28T14:08:36.077+00:00

I got that and working

$InactiveUsers | Export-Csv -Path C:\InactiveUsers" "$((Get-Date).ToString('dd-MM-yyyy')).csv -NoTypeInformation

Thanks
Andreas Baumgarten 129.4K Reputation points MVP Volunteer Moderator

2022-08-28T14:12:33.667+00:00

Hi @A.Elrayes ,

looks great.

I would recommend to use Year-Month-Date. Might be better for sorting the files in Explorer.
Otherwise the sort order in File Explorer by name is all the files from date 01- , than date 02-
I prefer the Y-M-D sorting for files. But it's totally up to you.

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

Answer 2

Andreas Baumgarten 129.4K MVP Volunteer Moderator

Hi @A.Elrayes ,

please add this at the beginning of the script:

$csvPath = "C:\Junk\" # folder of CSV files  
$csvFilename = "InactiveUsers_$(Get-Date -UFormat "%Y%m%d").csv" # dynamic filename with date

Modify the with the Export-Csv like this:

$InactiveUsers | Export-Csv $($csvPath + $csvFilename)  -NoTypeInformation

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

A.Elrayes 186 Reputation points

2022-08-28T14:11:28.25+00:00

Great !

Thanks for your support :)
Andreas Baumgarten 129.4K Reputation points MVP Volunteer Moderator

2022-08-28T14:13:43.337+00:00

You are welcome.

----------

Kind regards
Andreas Baumgarten
A.Elrayes 186 Reputation points

2022-08-29T13:17:49.29+00:00

Hi AndreasBaumgarten ,

I hope all is going well.

I need to add to the above script a part to set a date of the day to an attribute. this is because I need to disable the user and move to another OU with the date of movement and then run another script to check and delete the users that are exceed (movement date + 90 day )

My vision but not working as the below:

foreach ( $User in $InactiveUsers)

{
$Date = Get-Date $Date.Text
$OriginalOU= $User.Distinguishedname

$User | Disable-ADAccount
Set-ADAccountExpiration -DateTime $Date
$OriginalOU | MoveADobject - Targetpath $OU

Thanks.
Andreas Baumgarten 129.4K Reputation points MVP Volunteer Moderator

2022-08-29T14:12:13.377+00:00
Hi @A.Elrayes ,

here is the code example to set an expiration date for an AD user account:

$user = "mmouse" # SammAccountName of AD User $timeSpan = "90" # x days from now $usr = Get-AzADUser -Identity $user # Get Ad User object $usr | Set-ADAccountExpiration -TimeSpan $timeSpan # set Expiration date x days from now

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten
A.Elrayes 186 Reputation points

2022-09-04T14:06:55.247+00:00

Hi AndreasBaumgarten,

Regarding to "get inactive users script", I have checked the result and I found some users with old logon date in Onprime AD but when I checked on them on 365 admin center I found that they are authenticate through O365 and it seems that the lastlogin attribute not synced for these users between onprime and Azure AD.
Is there any workaround to get all inactive users in both onprime and Azure AD ?

Thanks in advance.

Share via

Disable Inactive users in AD

1 additional answer

Your answer