Powershell Help

[FN-GM]

Hi,

I have found a very handy powershell script to disable inactive user accounts. It works just how i want it apart from one thing. When an account is disabled its supposed to put in the description "Account Disabled on <date here> for Inactivity". But there its supposed to put the date its failing and just leaving a white space.

Can anyone help please?

Thanks

Code:

### User Variables ###

# Query Options #
$searchRoot = "domain.local/" # Where to begin your recursive search - If you use top-level (e.g. "domain.local/") make sure to have a trailing slash, otherwise do not use a slash (e.g. "domain.local/Users")
$inactiveDays = 90 # Integer for number of days of inactivity (e.q. 90)
$timeSinceCreation = 30 # Integer for number of "grace" days since the account was created (to prevent disabling of brand new accounts)
$sizeLimit = 0 # How many users do you want returned. 0 = unlimited. Without setting this the default is 1000

# Email Settings #
$emailAlerts = 1 # Turn e-mail alerts on or off. 0 = off
$fromAddr = "InactiveAccounts@Domain.com" # Enter the FROM address for the e-mail alert
$toAddr = "User@Domain.com" # Enter the TO address for the e-mail alert
$smtpsrv = "192.168.1.1" # Enter the FQDN or IP of a SMTP relay

# Enable Script #
$enableAction = 1 # Change to 0 if you want to "whatif" this script - It will bypass the actual account disabling (turn e-mail alerts on!)

######################

Add-PSSnapin "Quest.ActiveRoles.ADManagement"

$creationCutoff = (Get-Date).AddDays(-$timeSinceCreation)
$inactiveUsers = @(Get-QADUser -SearchRoot $searchRoot -Enabled -NotLoggedOnFor $inactiveDays -CreatedBefore $creationCutoff -SizeLimit $sizeLimit | Select-Object Name,SamAccountName,LastLogonTimeStamp,Description | Sort-Object Name)

### Disable Accounts ###
if ($enableAction -eq 1 -and $inactiveUsers -ne $null){
foreach($user in $inactiveUsers){
Set-QADUser $user.SamAccountName -Description "Account Disabled on $date for Inactivity - $($user.Description)" | Disable-QADUser
}
}
######

### Email Alerts ###
if ($emailAlerts -eq 1 -and $inactiveUsers -ne $null){

$date = Get-Date -DisplayHint Date

$body = @("
<center><table border=1 width=50% cellspacing=0 cellpadding=8 bgcolor=Black cols=3>
<tr bgcolor=White><td>Name</td><td>Account</td><td>Last Login</td></tr>")

$i = 0

do {
if($i % 2){$body += "<tr bgcolor=#D2CFCF><td>$($inactiveUsers[$i].Name)</td><td>$($inactiveUsers[$i].SamAccountName)</td><td>$($inactiveUsers[$i].LastLogonTimestamp)</td></tr>";$i++}
else {$body += "<tr bgcolor=#EFEFEF><td>$($inactiveUsers[$i].Name)</td><td>$($inactiveUsers[$i].SamAccountName)</td><td>$($inactiveUsers[$i].LastLogonTimestamp)</td></tr>";$i++}
}
while ($inactiveUsers[$i] -ne $null)

$body += "</table></center>"

Send-MailMessage -To $toAddr -From $fromAddr -Subject "Info: $($inactiveUsers.Count) User Accounts Disabled on $date" -Body "$body" -SmtpServer $smtpsrv -BodyAsHtml
}
######

exit

[vikpaw]

I'm no powershell expert, so don't know exactly how it all works but try moving the "$date = ..." line higher up, preferably above the active code, so you could put it at the bottom of all the user variables. That way it will be populated before it's used.

[FN-GM]

your are correct thats fixed it. One thing is that is shows the exact time as well. It really inst needed do you happen to know how to get it to display only the date? Also It show the date in American format, do you know how to switch it to the British way please?

Thanks

[Iain]

your are correct thats fixed it. One thing is that is shows the exact time as well. It really inst needed do you happen to know how to get it to display only the date? Also It show the date in American format, do you know how to switch it to the British way please?

Thanks

You can use the -format switch on the Get-Date cmdlet to format the output. e.g.

Code:

Get-Date -format "d/M/yyyy"

For details of the format specifiers for Get-Date, take a look here: Windows PowerShell Tip: Formatting Dates and Times

Iain.

[FN-GM]

Thanks perfect. I ageing to post the finished code on the blogs.

Thanks guys

[Arthur]

how to switch it to the British way please?

A bit late, but here are a few more examples...

29-01-2012

Code:

[DateTime]::Now.ToString("dd-MM-yyyy")

29/01/2012

Code:

[DateTime]::Now.ToShortDateString()

For details of the format specifiers for Get-Date, take a look here: Windows PowerShell Tip: Formatting Dates and Times

To quickly see what all of the date/time letters from that link do, try running this...

Code:

ForEach ($format in "d","D","f","F","g","G","m","r","s","t","T", "u","U","y","dddd, MMMM dd yyyy","M/yy","dd-MM-yy") { "$format`: {0}" -f (Get-Date).ToString($format) }

This is what you should get...

Code:

d: 29/01/2012
D: 29 January 2012
f: 29 January 2012 09:15
F: 29 January 2012 09:15:56
g: 29/01/2012 09:15
G: 29/01/2012 09:15:56
m: 29 January
r: Sun, 29 Jan 2012 09:15:56 GMT
s: 2012-01-29T09:15:56
t: 09:15
T: 09:15:56
u: 2012-01-29 09:15:56Z
U: 29 January 2012 09:15:56
y: January 2012
dddd, MMMM dd yyyy: Sunday, January 29 2012
M/yy: 1/12
dd-MM-yy: 29-01-12

Then simply replace the letter after the colon with whichever one you want from the list above...

Code:

"{0:g}" -f (Get-Date)

[Arthur]

I forgot to mention one of the best tips I have found so far regarding the date. As you may know, once a variable has been calculated, it doesn't change from that point on. Therefore, if you get the current date and time at the beginning of your script, it will have changed by the time you actually go to use it in another cmdlet further on.

If you would like to re-calculate the $date variable every single time it is used, try this instead...

Code:

$global:date = Set-PSBreakpoint -Variable date -Mode Read -Action { $global:date = "{0:F}" -f (Get-Date) }

[FN-GM]

Thanks for the input. What would i need to do with the script I posted to make this now do the same for computer accounts please?

Thanks

[Arthur]

This ought to do it...

Code:

Get-QADComputer -IncludeAllProperties | Where-Object { $_.lastlogon -lt (Get-Date).AddDays(-90) } | Disable-QADComputer

[FN-GM]

Thanks. I had seen that, but the one here does exactly what I want. It will add a note on the account, I can drill down to a particular ou and get it to email me a report.

That's why I want to try and convert this one :-)

Thanks

[PiqueABoo]

I take it you read my pedantic comments in your related thread?? Not a huge deal but nevertheless something you should be aware of when doing anything based on when a user/computer last logged on, especially if it's a scheduled task that makes changes based on the result.

--

More broadly: Perhaps it's just what turns up at the top of Google searches but I don't get why QAD keeps getting used for things like this rather than the out-of-box MS ActiveDirectory module on 2008 R2. Then again I get around a bit, so regardless of which might be easiest I will always pick tech that will be there are opposed to tech that might need installing. It's just as easy with MS in this case with their Get-ADUser or alternatively there is Search-ADAccount that can pull out inactive computer/user accounts based on a fixed date or timespan e.g. 90 days, that could then be thrown at Disable- or (don't do it!) Remove- cmdlets.

[FN-GM]

I take it you read my pedantic comments in your related thread?? Not a huge deal but nevertheless something you should be aware of when doing anything based on when a user/computer last logged on, especially if it's a scheduled task that makes changes based on the result.

I have got this in my mind. I have read a few posts on the net that say you can increase the replication rate of this. Unless i can adapt the script to look at all DC's?

More broadly: Perhaps it's just what turns up at the top of Google searches but I don't get why QAD keeps getting used for things like this rather than the out-of-box MS ActiveDirectory module on 2008 R2. Then again I get around a bit, so regardless of which might be easiest I will always pick tech that will be there are opposed to tech that might need installing. It's just as easy with MS in this case with their Get-ADUser or alternatively there is Search-ADAccount that can pull out inactive computer/user accounts based on a fixed date or timespan e.g. 90 days, that could then be thrown at Disable- or (don't do it!) Remove- cmdlets.

Sorry i dont understand you, please can you elaborate? Thanks

[FN-GM]

I take it you read my pedantic comments in your related thread?? Not a huge deal but nevertheless something you should be aware of when doing anything based on when a user/computer last logged on, especially if it's a scheduled task that makes changes based on the result.

Looking at this page the lastLogontimeStamp attribute is replicated to all DC's in real time. My script uses this time stamp (i think). The lastLogon attribute that i think your talking about replicates every 9 - 14 days. So i should be safe. Do you agree?

Thanks

[PiqueABoo]

Look again...

- lastLogon gets updated every time on the DC where the logon happens but that doesn't replicate.
- lastLogonTimestamp only gets updated when the a logon happens if the current value is more than 9-14 days old. If it is changed that new value does replicate.

Your script uses lastLogonTimestamp and a 90 day timespan thus risks picking up some users who in the worst case, last logged on 76 days ago. They're still old and for this kind of thing it's not often an issue.. if you want to guarantee "at least 90 days old" then just use a 104 day timespan instead of 90.

OTOH if you're running this daily and must get accounts as soon as they hit 90 days old you will need to look at lastLogon on all the DCs and check the age of the freshest one.

[FN-GM]

I think I get you, so what would you suggest please?

Thanks