This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello,
I got a script to get all in active users in AD then disable them and move to another OU
$DaysInactive = ((Get-Date).AddDays(-90)).Date
$InactiveUsers = Get-ADUser -Filter {(LastLogonDate -lt $DaysInactive) -and (enabled -eq $true)} -Properties * | select-object displayName,samaccountname,givenname,surname,LastLogonDate,DistinguishedName,enabled | ? {$_.DistinguishedName -notlike ",CN=Monitoring Mailboxes,"}
$InactiveUsers | Export-Csv C:\InactiveUsers15.csv -NoTypeInformation
foreach ( $User in $InactiveUsers)
{
$OriginalOU= $User.Distinguishedname
$ChangeDiscription = $User.Samaccountname
$User | Disable-ADAccount
$User | MoveADobject - Targetpath "OU=old users"
Set-ADuser $ChangeDiscription ( " DIsabled dueto inactivity - Moved from " + OriginalOU)
}
The bellow error is after run this script for the first time
Note that the inactive users are disabled through the script but not moved to the specified OU.
What is the issue in this script ?
Thanks
Hi @A.Elrayes ,
Move-AdObject expect a GUID or DN as the -Identity parameter.
Also you should provide the full DN of the -TargetPath.
https://learn.microsoft.com/en-us/powershell/module/activedirectory/move-adobject?view=windowsserver2022-ps
In your script the variable $OriginalOU contains the DN of the user, not the OU of the user. So could try this:
Move-ADobject -Identity $OriginalOU -Targetpath "OU=old users,OU=xxx,DC=xyz,DC=abc"
For Set-AdUser you could try this:
Set-ADuser $ChangeDiscription -Description ("Disabled dueto inactivity - Moved from $OriginalOU")
If you are posting scripts please use the Code Sample option (the Icon with 101010). The Q&A editor will remove some characters of scripts if you paste the script as normal text.
----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten
Hi AndreasBaumgarten,
Great thanks it is working now.
One more thing
I need a loop to export the CSV with the date of the day that is executed at, for example the CSV will be exported as InactiveUsers_28-8-2022 and the next day is InactiveUsers_29-8-2022 and so on.
Thanks
Hi @A.Elrayes ,
please add this at the beginning of the script:
$csvPath = "C:\Junk\" # folder of CSV files
$csvFilename = "InactiveUsers_$(Get-Date -UFormat "%Y%m%d").csv" # dynamic filename with date
Modify the with the Export-Csv like this:
$InactiveUsers | Export-Csv $($csvPath + $csvFilename) -NoTypeInformation
----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten
Great !
Thanks for your support :)
You are welcome.
----------
Kind regards
Andreas Baumgarten
Hi AndreasBaumgarten ,
I hope all is going well.
I need to add to the above script a part to set a date of the day to an attribute. this is because I need to disable the user and move to another OU with the date of movement and then run another script to check and delete the users that are exceed (movement date + 90 day )
My vision but not working as the below:
foreach ( $User in $InactiveUsers)
{
$Date = Get-Date $Date.Text
$OriginalOU= $User.Distinguishedname
$User | Disable-ADAccount
Set-ADAccountExpiration -DateTime $Date
$OriginalOU | MoveADobject - Targetpath $OU
Thanks.
Hi @A.Elrayes ,
here is the code example to set an expiration date for an AD user account:
$user = "mmouse" # SammAccountName of AD User
$timeSpan = "90" # x days from now
$usr = Get-AzADUser -Identity $user # Get Ad User object
$usr | Set-ADAccountExpiration -TimeSpan $timeSpan # set Expiration date x days from now
----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten
Hi AndreasBaumgarten,
Regarding to "get inactive users script", I have checked the result and I found some users with old logon date in Onprime AD but when I checked on them on 365 admin center I found that they are authenticate through O365 and it seems that the lastlogin attribute not synced for these users between onprime and Azure AD.
Is there any workaround to get all inactive users in both onprime and Azure AD ?
Thanks in advance.
I got that and working
$InactiveUsers | Export-Csv -Path C:\InactiveUsers" "$((Get-Date).ToString('dd-MM-yyyy')).csv -NoTypeInformation
Thanks
Hi @A.Elrayes ,
looks great.
I would recommend to use Year-Month-Date. Might be better for sorting the files in Explorer.
Otherwise the sort order in File Explorer by name is all the files from date 01- , than date 02-
I prefer the Y-M-D sorting for files. But it's totally up to you.
----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten