  1. #1

    FN-GM's Avatar

    Powershell Help

    Hi,

    I have found a very handy PowerShell script to disable inactive user accounts. It works just how I want it apart from one thing. When an account is disabled it's supposed to put in the description "Account Disabled on <date here> for Inactivity". But where it's supposed to put the date it's failing and just leaving a white space.

    Can anyone help please?

    Thanks

    Code:
    ### User Variables ###
    
    # Query Options #
    $searchRoot = "domain.local/" # Where to begin your recursive search - If you use top-level (e.g. "domain.local/") make sure to have a trailing slash, otherwise do not use a slash (e.g. "domain.local/Users")
    $inactiveDays = 90 # Integer for number of days of inactivity (e.q. 90)
    $timeSinceCreation = 30 # Integer for number of "grace" days since the account was created (to prevent disabling of brand new accounts)
    $sizeLimit = 0 # How many users do you want returned. 0 = unlimited. Without setting this the default is 1000
    
    # Email Settings #
    $emailAlerts = 1 # Turn e-mail alerts on or off. 0 = off
    $fromAddr = "InactiveAccounts@Domain.com" # Enter the FROM address for the e-mail alert
    $toAddr = "User@Domain.com" # Enter the TO address for the e-mail alert
    $smtpsrv = "192.168.1.1" # Enter the FQDN or IP of a SMTP relay
    
    # Enable Script #
    $enableAction = 1 # Change to 0 if you want to "whatif" this script - It will bypass the actual account disabling (turn e-mail alerts on!)
    
    ######################
    
    Add-PSSnapin "Quest.ActiveRoles.ADManagement"
    
    $creationCutoff = (Get-Date).AddDays(-$timeSinceCreation)
    $inactiveUsers = @(Get-QADUser -SearchRoot $searchRoot -Enabled -NotLoggedOnFor $inactiveDays -CreatedBefore $creationCutoff -SizeLimit $sizeLimit | Select-Object Name,SamAccountName,LastLogonTimeStamp,Description | Sort-Object Name)
    
    ### Disable Accounts ###
    if ($enableAction -eq 1 -and $inactiveUsers -ne $null){
    foreach($user in $inactiveUsers){
    Set-QADUser $user.SamAccountName -Description "Account Disabled on $date for Inactivity - $($user.Description)" | Disable-QADUser
    }
    }
    ######
    
    ### Email Alerts ###
    if ($emailAlerts -eq 1 -and $inactiveUsers -ne $null){
    
    $date = Get-Date -DisplayHint Date
    
    $body = @("
    <center><table border=1 width=50% cellspacing=0 cellpadding=8 bgcolor=Black cols=3>
    <tr bgcolor=White><td>Name</td><td>Account</td><td>Last Login</td></tr>")
    
    $i = 0
    
    do {
    if($i % 2){$body += "<tr bgcolor=#D2CFCF><td>$($inactiveUsers[$i].Name)</td><td>$($inactiveUsers[$i].SamAccountName)</td><td>$($inactiveUsers[$i].LastLogonTimestamp)</td></tr>";$i++}
    else {$body += "<tr bgcolor=#EFEFEF><td>$($inactiveUsers[$i].Name)</td><td>$($inactiveUsers[$i].SamAccountName)</td><td>$($inactiveUsers[$i].LastLogonTimestamp)</td></tr>";$i++}
    }
    while ($inactiveUsers[$i] -ne $null)
    
    $body += "</table></center>"
    
    Send-MailMessage -To $toAddr -From $fromAddr -Subject "Info: $($inactiveUsers.Count) User Accounts Disabled on $date" -Body "$body" -SmtpServer $smtpsrv -BodyAsHtml
    }
    ######
    
    exit

  2. #2

    vikpaw's Avatar
    I'm no powershell expert, so don't know exactly how it all works but try moving the "$date = ..." line higher up, preferably above the active code, so you could put it at the bottom of all the user variables. That way it will be populated before it's used.

  4. #3

    FN-GM's Avatar
    You are correct, that's fixed it. One thing is that it shows the exact time as well. It really isn't needed; do you happen to know how to get it to display only the date? Also it shows the date in American format; do you know how to switch it to the British way please?

    Thanks
    Last edited by FN-GM; 29th January 2012 at 06:43 AM.

  5. #4
    Iain's Avatar
    Quote Originally Posted by FN-GM View Post
    You are correct, that's fixed it. One thing is that it shows the exact time as well. It really isn't needed; do you happen to know how to get it to display only the date? Also it shows the date in American format; do you know how to switch it to the British way please?

    Thanks
    You can use the -format switch on the Get-Date cmdlet to format the output. e.g.

    Code:
    Get-Date -format "d/M/yyyy"
    For details of the format specifiers for Get-Date, take a look here: Windows PowerShell Tip: Formatting Dates and Times

    Iain.

  7. #5

    FN-GM's Avatar
    Thanks, perfect. I am going to post the finished code on the blogs.

    Thanks guys

  8. #6


    Quote Originally Posted by FN-GM View Post
    how to switch it to the British way please?
    A bit late, but here are a few more examples...

    29-01-2012
    Code:
    [DateTime]::Now.ToString("dd-MM-yyyy")
    29/01/2012
    Code:
    [DateTime]::Now.ToShortDateString()


    Quote Originally Posted by Iain View Post
    For details of the format specifiers for Get-Date, take a look here: Windows PowerShell Tip: Formatting Dates and Times
    To quickly see what all of the date/time letters from that link do, try running this...

    Code:
    ForEach ($format in "d","D","f","F","g","G","m","r","s","t","T", "u","U","y","dddd, MMMM dd yyyy","M/yy","dd-MM-yy") { "$format`: {0}" -f (Get-Date).ToString($format) }
    This is what you should get...

    Code:
    d: 29/01/2012
    D: 29 January 2012
    f: 29 January 2012 09:15
    F: 29 January 2012 09:15:56
    g: 29/01/2012 09:15
    G: 29/01/2012 09:15:56
    m: 29 January
    r: Sun, 29 Jan 2012 09:15:56 GMT
    s: 2012-01-29T09:15:56
    t: 09:15
    T: 09:15:56
    u: 2012-01-29 09:15:56Z
    U: 29 January 2012 09:15:56
    y: January 2012
    dddd, MMMM dd yyyy: Sunday, January 29 2012
    M/yy: 1/12
    dd-MM-yy: 29-01-12
    Then simply replace the letter after the colon with whichever one you want from the list above...

    Code:
    "{0:g}" -f (Get-Date)

  9. #7


    I forgot to mention one of the best tips I have found so far regarding the date. As you may know, once a variable has been calculated, it doesn't change from that point on. Therefore, if you get the current date and time at the beginning of your script, it will have changed by the time you actually go to use it in another cmdlet further on.

    If you would like to re-calculate the $date variable every single time it is used, try this instead...

    Code:
    $global:date = Set-PSBreakpoint -Variable date -Mode Read -Action { $global:date = "{0:F}" -f (Get-Date) }
    Last edited by Arthur; 29th January 2012 at 11:10 AM.

  11. #8

    FN-GM's Avatar
    Thanks for the input. What would I need to do with the script I posted to make this now do the same for computer accounts please?

    Thanks

  12. #9


    This ought to do it...

    Code:
    Get-QADComputer -IncludeAllProperties | Where-Object { $_.lastlogon -lt (Get-Date).AddDays(-90) } | Disable-QADComputer

  13. #10

    FN-GM's Avatar
    Thanks. I had seen that, but the one here does exactly what I want. It will add a note on the account, I can drill down to a particular OU and get it to email me a report.

    That's why I want to try and convert this one :-)

    Thanks

  14. #11

    I take it you read my pedantic comments in your related thread?? Not a huge deal but nevertheless something you should be aware of when doing anything based on when a user/computer last logged on, especially if it's a scheduled task that makes changes based on the result.

    --

    More broadly: Perhaps it's just what turns up at the top of Google searches but I don't get why QAD keeps getting used for things like this rather than the out-of-box MS ActiveDirectory module on 2008 R2. Then again I get around a bit, so regardless of which might be easiest I will always pick tech that will be there as opposed to tech that might need installing. It's just as easy with MS in this case with their Get-ADUser or alternatively there is Search-ADAccount that can pull out inactive computer/user accounts based on a fixed date or timespan e.g. 90 days, that could then be thrown at Disable- or (don't do it!) Remove- cmdlets.

  15. #12

    FN-GM's Avatar
    I take it you read my pedantic comments in your related thread?? Not a huge deal but nevertheless something you should be aware of when doing anything based on when a user/computer last logged on, especially if it's a scheduled task that makes changes based on the result.
    I have got this in my mind. I have read a few posts on the net that say you can increase the replication rate of this. Unless I can adapt the script to look at all DCs?

    More broadly: Perhaps it's just what turns up at the top of Google searches but I don't get why QAD keeps getting used for things like this rather than the out-of-box MS ActiveDirectory module on 2008 R2. Then again I get around a bit, so regardless of which might be easiest I will always pick tech that will be there as opposed to tech that might need installing. It's just as easy with MS in this case with their Get-ADUser or alternatively there is Search-ADAccount that can pull out inactive computer/user accounts based on a fixed date or timespan e.g. 90 days, that could then be thrown at Disable- or (don't do it!) Remove- cmdlets.
    Sorry, I don't understand you, please can you elaborate? Thanks

  16. #13

    FN-GM's Avatar
    Quote Originally Posted by PiqueABoo
    I take it you read my pedantic comments in your related thread?? Not a huge deal but nevertheless something you should be aware of when doing anything based on when a user/computer last logged on, especially if it's a scheduled task that makes changes based on the result.
    Looking at this page the lastLogontimeStamp attribute is replicated to all DCs in real time. My script uses this time stamp (I think). The lastLogon attribute that I think you're talking about replicates every 9 - 14 days. So I should be safe. Do you agree?

    Thanks

  17. #14

    Look again...

    - lastLogon gets updated every time on the DC where the logon happens but that doesn't replicate.
    - lastLogonTimestamp only gets updated when a logon happens if the current value is more than 9-14 days old. If it is changed that new value does replicate.

    Your script uses lastLogonTimestamp and a 90 day timespan thus risks picking up some users who in the worst case, last logged on 76 days ago. They're still old and for this kind of thing it's not often an issue.. if you want to guarantee "at least 90 days old" then just use a 104 day timespan instead of 90.

    OTOH if you're running this daily and must get accounts as soon as they hit 90 days old you will need to look at lastLogon on all the DCs and check the age of the freshest one.
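
The "look at lastLogon on all the DCs and check the age of the freshest one" approach from the post above, as an added example that is not code from the thread or from any poster. It runs offline on constructed sample readings; the function names (`New-Reading`, `Get-StaleAccount`), the account and DC names, and the reference date are assumptions made for illustration.

```powershell
# Reference date for the constructed sample (UTC), so the result is reproducible.
$now = New-Object DateTime -ArgumentList 2012,1,30,0,0,0,([DateTimeKind]::Utc)

# Helper (hypothetical): build one per-DC reading. lastLogon is a Windows FILETIME;
# a value of 0 means the account has never logged on at that DC.
function New-Reading($Account, $DC, $DaysAgo) {
    $ft = if ($null -eq $DaysAgo) { 0 } else { $now.AddDays(-$DaysAgo).ToFileTimeUtc() }
    New-Object PSObject -Property @{ SamAccountName = $Account; DC = $DC; lastLogon = $ft }
}

# Constructed sample data. In a live domain these rows would be gathered per DC, e.g.:
#   Get-ADDomainController -Filter * | ForEach-Object {
#       $dc = $_.HostName
#       Get-ADUser -Filter 'Enabled -eq $true' -Server $dc -Properties lastLogon |
#           Select-Object SamAccountName, @{n='DC';e={$dc}}, lastLogon }
$readings = @(
    (New-Reading 'asmith' 'DC1' 120), (New-Reading 'asmith' 'DC2' 3),     # old on DC1, recent on DC2
    (New-Reading 'bjones' 'DC1' 95),  (New-Reading 'bjones' 'DC2' $null), # old on DC1, never on DC2
    (New-Reading 'cbrown' 'DC1' 80),  (New-Reading 'cbrown' 'DC2' 200)    # inside the window on DC1
)

function Get-StaleAccount {
    param([object[]]$Readings, [int]$InactiveDays, [DateTime]$AsOf)
    $cutoff = $AsOf.AddDays(-$InactiveDays)
    foreach ($group in ($Readings | Group-Object SamAccountName)) {
        # lastLogon does not replicate, so the true last logon is the newest value on any DC.
        $newest = ($group.Group | Sort-Object lastLogon -Descending | Select-Object -First 1).lastLogon
        $last = if ($newest -gt 0) { [DateTime]::FromFileTimeUtc([long]$newest) } else { $null }
        # Stale = never logged on anywhere, or newest logon is older than the cutoff.
        if ($null -eq $last -or $last -lt $cutoff) {
            New-Object PSObject -Property @{ SamAccountName = $group.Name; LastLogonUtc = $last }
        }
    }
}

# Report first; review the list before disabling anything.
Get-StaleAccount -Readings $readings -InactiveDays 90 -AsOf $now
# To act on the result with the ActiveDirectory module, dry-run first:
#   ... | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Querying only DC1 would have flagged asmith as inactive even though that account logged on at DC2 three days before the reference date, which is why the comparison has to use the newest value across every DC.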

  18. #15

    FN-GM's Avatar
    I think I get you, so what would you suggest please?

    Thanks
    Last edited by FN-GM; 30th January 2012 at 11:29 AM.
