Script Not working Randomly | AD ID disabled | 30 Days

Simant Walia 6 Reputation points
2021-07-07T05:24:26.963+00:00

Hello Team,
We have a script running in our AD environment which disables the AD users who haven't logged in for the last 30 days. This script runs only on a specific OU. Now, what happens is that most of the time it disables the dormant user IDs after 30 days, but sometimes it doesn't disable a few IDs even though they have been dormant for more than 30 days.
Experts, please help me with this.

Active Directory

5 answers

  1. Simant Walia 6 Reputation points
    2021-07-08T08:44:37.713+00:00

    # Import AD module
    Import-Module ActiveDirectory

    # Hides every error, including a failed DC query or a failed CSV write
    $ErrorActionPreference = "SilentlyContinue"

    $searchbase = "OU=Users Without Machine _ Vendor,DC=Clix,DC=local"
    $date = (Get-Date -Format "dd-MM-yyyy")
    $Days = (Get-Date).AddDays(-30)
    # LastLogon and LogonCount are read from whichever DC this session happens to be connected to
    $Users = Get-ADUser -Properties * -Filter {Enabled -eq $True} -SearchBase $searchbase | `
        Where-Object {
            [datetime]::FromFileTime([math]::Max([long]$_.LastLogon, [long]$_.LastLogonTimeStamp)) -lt $Days -and
            $_.DistinguishedName -notlike "*DisabledUsers*" -and
            $_.DistinguishedName -notlike "*ServiceAccount*" -and
            $_.LogonCount -gt 0
        }

    # Disable Dormant User accounts in the same OU.
    <# ---------------------------------------------- #>
    Foreach ($User in $Users) {
        Set-ADUser $User -Enabled $False -Description ($($User.Description) + " | Disabled for inactivity on $date")
        Start-Sleep -Seconds 15
        Get-ADUser $User -Properties * | `
            Select-Object Name, distinguishedName, EmailAddress, Enabled,
                @{Name = "Lastlogondate"; Expression = {[datetime]::FromFileTime([math]::Max([long]$_.LastLogon, [long]$_.LastLogonTimeStamp))}} | `
            Export-Csv ".\LogFiles\Disabled_Users_$date.csv" -NoTypeInformation -Force -Append
    }

    # Self-removal: on or after this date the script deletes its own folders and
    # unregisters every scheduled task in the root task path, not only its own.
    $EDate = Get-Date -Date "14-Feb-2050 00:00:00"
    If ((Get-Date) -ge $EDate) {
        CD \
        $Destination1 = "C:\Scripts"
        $Destination2 = "C:\DesktopScripts"
        cmd /c del /q /s /f C:\Scripts
        cmd /c del /q /s /f C:\DesktopScripts
        Remove-Item $Destination1 -Recurse -Force
        Remove-Item $Destination2 -Recurse -Force
        Get-ScheduledTask -TaskPath \ | Unregister-ScheduledTask -Confirm:$false
    }


  2. Ian Xue (Shanghai Wicresoft Co., Ltd.) 29,571 Reputation points Microsoft Vendor
    2021-07-08T10:29:08.72+00:00

    Hi,

    Do you have multiple DCs in your domain? If so, you have to query all the DCs when you try to retrieve the LastLogon attribute because it's not replicated across DCs.

    Best Regards,
    Ian Xue

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Simant Walia 6 Reputation points
    2021-07-10T07:11:24.43+00:00

    Hello Ian Xue,
    Can you please share a guide on how to query the DCs for the last logon stamp, as well as how to correct it on all DCs?


  4. Simant Walia 6 Reputation points
    2021-07-12T07:37:59.78+00:00

    Hello Experts, is there any update on how to update the last login time stamp on all DCs/RODCs?


  5. Ian Xue (Shanghai Wicresoft Co., Ltd.) 29,571 Reputation points Microsoft Vendor
    2021-07-12T10:14:41.487+00:00

    Hi,

    Please see if this works for you.

    $searchbase = "OU=Users Without Machine _ Vendor,DC=Clix,DC=local"
    $Days = (Get-Date).AddDays(-30)
    $DCs = Get-ADDomainController -Filter *
    $users = foreach ($user in (Get-ADUser -Filter {Enabled -eq $True} -SearchBase $searchbase)) {
        # lastLogon is not replicated: read the user from every DC and keep the copy with the newest value
        $DCs | ForEach-Object { Get-ADUser $user -Server $_.HostName -Properties lastLogon, logonCount } |
            Sort-Object -Property lastLogon | Select-Object -Last 1 |
            Where-Object {
                [datetime]::FromFileTime([long]$_.lastLogon) -lt $Days -and
                $_.DistinguishedName -notlike "*DisabledUsers*" -and
                $_.DistinguishedName -notlike "*ServiceAccount*" -and
                $_.logonCount -gt 0
            }
    }
    

    Best Regards,
    Ian Xue


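An added example, not code posted in this thread, that puts the two answers above together as a practitioner would run them. It queries every DC for lastLogon and logonCount, both of which are stored per DC and never replicated, uses the replicated lastLogonTimestamp only as a floor (it lags the real logon by up to 14 days), falls back to whenCreated for accounts that have never logged on anywhere, and reports a DC that could not be queried instead of continuing with partial data. The search base and the 30-day window are taken from the thread; the function name, the warning text and the use of -WhatIf are assumptions of this example.

```powershell
# Added example for this thread, not the original poster's or Microsoft's script.
# Assumes the RSAT ActiveDirectory module and a session that can reach every DC.
Import-Module ActiveDirectory

function Get-EffectiveLastLogon {
    # lastLogon and logonCount live on the DC that authenticated the user and are
    # not replicated, so each DC is asked. lastLogonTimestamp is replicated but is
    # only refreshed when it is 9-14 days stale, so it is a floor, not the answer.
    param(
        [Parameter(Mandatory)] $User,               # ADUser fetched with lastLogonTimestamp
        [Parameter(Mandatory)] [string[]] $DomainControllers
    )
    $newest      = [long]$User.lastLogonTimestamp   # $null becomes 0
    $logonCount  = 0
    $unreachable = @()
    foreach ($dc in $DomainControllers) {
        try {
            $copy = Get-ADUser -Identity $User.DistinguishedName -Server $dc `
                               -Properties lastLogon, logonCount -ErrorAction Stop
            $newest      = [math]::Max($newest, [long]$copy.lastLogon)
            $logonCount += [int]$copy.logonCount
        }
        catch {
            # A DC that cannot be queried may hold the newest logon; do not guess.
            $unreachable += $dc
        }
    }
    $lastLogon = if ($newest -gt 0) { [datetime]::FromFileTime($newest) } else { $null }
    [pscustomobject]@{
        SamAccountName = $User.SamAccountName
        LastLogon      = $lastLogon
        LogonCount     = $logonCount
        UnreachableDCs = $unreachable
    }
}

$SearchBase = "OU=Users Without Machine _ Vendor,DC=Clix,DC=local"   # from the thread
$Cutoff     = (Get-Date).AddDays(-30)                               # from the thread
$DCs        = (Get-ADDomainController -Filter *).HostName

$candidates = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                         -Properties lastLogonTimestamp, whenCreated |
    Where-Object {
        $_.DistinguishedName -notlike '*DisabledUsers*' -and
        $_.DistinguishedName -notlike '*ServiceAccount*'
    }

foreach ($user in $candidates) {
    $info = Get-EffectiveLastLogon -User $user -DomainControllers $DCs
    if ($info.UnreachableDCs.Count -gt 0) {
        # Surface the gap rather than silently skipping or wrongly disabling the account.
        Write-Warning ("{0}: not evaluated, could not query {1}" -f
            $info.SamAccountName, ($info.UnreachableDCs -join ', '))
        continue
    }
    # An account that has never logged on anywhere is measured from its creation
    # date, so a newly created account is not disabled as dormant on the first run.
    $lastActivity = if ($info.LastLogon) { $info.LastLogon } else { $user.whenCreated }
    if ($lastActivity -lt $Cutoff) {
        # Remove -WhatIf once the candidate list has been reviewed.
        Disable-ADAccount -Identity $user -WhatIf
        Write-Host ("{0}: last activity {1:yyyy-MM-dd}, logons recorded across DCs: {2}" -f
            $info.SamAccountName, $lastActivity, $info.LogonCount)
    }
}
```

Because $ErrorActionPreference is left at its default and each per-DC query uses -ErrorAction Stop, a DC that does not answer produces a warning for that user and the account is left untouched for that run; running with -WhatIf first shows which accounts would be disabled and which were skipped and why.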