SimantWalia-8660 asked

Script Not working Randomly | AD ID disabled | 30 Days

Hello Team,
We have a script running in our AD environment which disables the AD users who haven't logged in for the last 30 days. This script runs only on a specific OU. Now, what happens is that most of the time it disables the dormant user IDs after 30 days, but sometimes it doesn't disable a few IDs even though they have been dormant for more than 30 days.
Experts please help me on this.

windows-active-directory

Hi @SimantWalia-8660 ,

it might be helpful to "see" the script you are using.
Please post code using the Code Sample - Ctrl+K .


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


Hi,

How does the script determine if an AD user has not logged in for 30 days? Can you help to post your script?


Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.

SimantWalia-8660 answered

```powershell
# Import AD module
Import-Module ActiveDirectory

# Note: this hides every error the script hits, including failed Get-ADUser / Set-ADUser calls
$ErrorActionPreference = "SilentlyContinue"

$searchbase = "OU=Users Without Machine Vendor,DC=Clix,DC=local"
$date = (Get-Date -Format "dd-MM-yyyy")
$Days = (Get-Date).AddDays(-30)

# Enabled users in the OU whose newest logon stamp (as seen by the DC that answered the query)
# is older than 30 days; skip the DisabledUsers and ServiceAccount containers and never-logged-on accounts
$Users = Get-ADUser -Properties * -Filter {Enabled -eq $True} -SearchBase $searchbase |
    Where-Object {
        [datetime]::FromFileTime([math]::Max($_.LastLogon, $_.LastLogonTimeStamp)) -lt $Days -and
        $_.DistinguishedName -notlike "*DisabledUsers*" -and
        $_.DistinguishedName -notlike "*ServiceAccount*" -and
        $_.LogonCount -gt 0
    }

# Disable Dormant User accounts in the same OU.
<# ---------------------------------------------- #>
Foreach ($User in $Users) {
    Set-ADUser $User -Enabled $False -Description ($($User.Description) + " | Disabled for inactivity on $date")
    Start-Sleep -Seconds 15
    # Re-read the account and append it to the day's log file
    Get-ADUser $User -Properties * |
        Select-Object Name, distinguishedName, EmailAddress, Enabled,
            @{Name = "Lastlogondate"; Expression = {[datetime]::FromFileTime([math]::Max($_.LastLogon, $_.LastLogonTimeStamp))}} |
        Export-Csv ".\LogFiles\Disabled_Users$date.csv" -NoTypeInformation -Force -Append
}

# After the end date, remove the script folders and every scheduled task in the root task path
$EDate = Get-Date -Date "14-Feb-2050 00:00:00"
If ((Get-Date) -ge $EDate) {
    CD \
    $Destination1 = "C:\Scripts"
    $Destination2 = "C:\DesktopScripts"
    cmd /c del /q /s /f C:\Scripts
    cmd /c del /q /s /f C:\DesktopScripts
    Remove-Item $Destination1 -Recurse -Force
    Remove-Item $Destination2 -Recurse -Force
    Get-ScheduledTask -TaskPath \ | Unregister-ScheduledTask -Confirm:$false
}
```


Hello Experts, the script has been posted above. Please review and help.

IanXue-MSFT answered

Hi,

Do you have multiple DCs in your domain? If so, you have to query all the DCs when you try to retrieve the LastLogon attribute because it's not replicated across DCs.

Best Regards,
Ian Xue
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


SimantWalia-8660 answered

Hello Ian Xue,
Can you please share a guide on how to query the DCs for the last logon stamp, and also how to correct it on all DCs?


SimantWalia-8660 answered

Hello Experts, any update on how to update the last login time stamp on all DCs/RODCs?


IanXue-MSFT answered

Hi,

Please see if this works for you.

```powershell
$searchbase = "OU=Users Without Machine _ Vendor,DC=Clix,DC=local"
$Days = (Get-Date).AddDays(-30)
$DCs = Get-ADDomainController -Filter *
$users = foreach ($user in (Get-ADUser -Filter {Enabled -eq $True} -SearchBase $searchbase)) {
    # lastLogon is not replicated: read it from every DC (by host name) and keep the newest value
    $DCs | ForEach-Object { Get-ADUser $user -Server $_.HostName -Properties lastLogOn,LogonCount } |
        Sort-Object -Property lastLogOn | Select-Object -Last 1 |
        Where-Object {[datetime]::FromFileTime($_.LastLogon) -lt $Days -and $_.DistinguishedName -notlike "*DisabledUsers*" -and $_.DistinguishedName -notlike "*ServiceAccount*" -and $_.LogonCount -gt 0}
}
```

Best Regards,
Ian Xue
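An added example (my own code, not posted by anyone in this thread) that takes Ian's multi-DC approach one step further: it keeps the newest lastLogon across all DCs, uses the replicated lastLogonTimestamp only as a floor, reports accounts that never logged on separately, and refuses to call an account dormant when any DC failed to answer, since a skipped DC may hold the newest logon. It assumes the OU path from the question and a LogFiles folder next to the script, and it only reports; nothing is disabled.

```powershell
# Added example, not code from the thread: decide dormancy only after every DC
# has reported lastLogon, because a DC that was skipped may hold the newest logon.
Import-Module ActiveDirectory

function Get-ADUserLastLogonAllDCs {
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string[]] $DomainControllers
    )
    $newestLogon = 0L      # lastLogon is a FILETIME int64; 0 means never on that DC
    $newestStamp = 0L      # lastLogonTimestamp is replicated but can lag the real logon by up to 14 days
    $failedDCs   = @()
    foreach ($dc in $DomainControllers) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
            if ($u.lastLogon -and [int64]$u.lastLogon -gt $newestLogon) { $newestLogon = [int64]$u.lastLogon }
            if ($u.lastLogonTimestamp -and [int64]$u.lastLogonTimestamp -gt $newestStamp) { $newestStamp = [int64]$u.lastLogonTimestamp }
        } catch {
            $failedDCs += $dc   # lastLogon on this DC is unknown, so the result is incomplete
        }
    }
    $best = [math]::Max($newestLogon, $newestStamp)
    $lastLogonDate = if ($best -gt 0) { [datetime]::FromFileTime($best) } else { $null }
    [pscustomobject]@{
        Identity       = $Identity
        LastLogon      = $lastLogonDate
        NeverLoggedOn  = ($best -eq 0)
        UnreachableDCs = $failedDCs
        Complete       = ($failedDCs.Count -eq 0)
    }
}

# Report-only pass over the OU from the question (assumed path); nothing is disabled here.
$searchbase = "OU=Users Without Machine Vendor,DC=Clix,DC=local"
$cutoff     = (Get-Date).AddDays(-30)
$dcs        = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
Get-ADUser -Filter {Enabled -eq $true} -SearchBase $searchbase |
    Where-Object { $_.DistinguishedName -notlike "*DisabledUsers*" -and $_.DistinguishedName -notlike "*ServiceAccount*" } |
    ForEach-Object {
        $r = Get-ADUserLastLogonAllDCs -Identity $_.DistinguishedName -DomainControllers $dcs
        # Dormant only when every DC answered and the newest logon is older than the cutoff;
        # never-logged-on accounts are listed separately instead of being treated as dormant.
        $dormant = $r.Complete -and -not $r.NeverLoggedOn -and ($r.LastLogon -lt $cutoff)
        $r | Add-Member -NotePropertyName Dormant -NotePropertyValue $dormant -PassThru
    } |
    Select-Object Identity, LastLogon, NeverLoggedOn, Dormant, Complete, @{n = 'UnreachableDCs'; e = { $_.UnreachableDCs -join ';' }} |
    Export-Csv ".\LogFiles\DormancyReport.csv" -NoTypeInformation
```

Rows with Complete = False are the ones the original script could have disabled or skipped at random, depending on which DC answered its single query.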