question

BranzN-8631 avatar image
0 Votes"
BranzN-8631 asked NewbieJones-6218 edited

Help with PowerShell Script whenChanged

Hello,
I have a Problem with my Script. It does not work like I want it to do. I need to write a script which is executed every 7 days. It should deactivate all users (they all start with abc_) in a specific group. They get activated if they are needed and usually they are all deactivated. I want to have a txt file with the DisplayName of all Users which got deactivated if possible. Can someone pls help me?


$SearchBase = 'OU=A,DC=D,DC=F' $SevenDaysBefore = ((Get-Date).Date).AddDays(-7) $ADUserList = Get-ADUser -Filter "enabled -eq '$true' -and DisplayName -like 'abc_*'" -SearchBase $SearchBase -Properties whenChanged, DisplayName foreach ($ADUser in $ADUserList) { if ($ADUser.whenChanged -lt $SevenDaysBefore) { Disable-ADAccount -Identity $ADUser.SamAccountName } }

windows-server-powershell
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

3 Answers

LimitlessTechnology-2700 avatar image
1 Vote"
LimitlessTechnology-2700 answered

Hi there,

You can first use a script to collect all users that are inactive for the said period and then export it to a text file and deactivate all the users as per the text file.

If you saved the text file to a different location than c:\it\users.txt you will need to update the script.

$users=Get-Content c:\it\users.txt

ForEach ($user in $users)
{
Disable-ADAccount -Identity $user
write-host "user $($user) has been disabled"
}

Run the command below to return only the username of disabled accounts and you can verify it with the text file.

Get-ADUser -Filter {Enabled -eq $false} | FT samAccountName


--If the reply is helpful, please Upvote and Accept it as an answer–

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

RichMatheisen-8856 avatar image
0 Votes"
RichMatheisen-8856 answered BranzN-8631 commented

Instead of using "whenChanged", try using the "modified" property of the user.

Just be aware that the whenChanged and Modified value change under circumstances over which you have no control. I think you'd be better served using some other attribute (one of the extensionAttribute properties, for example) to keep track of the date.

· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

BranzN-8631 avatar image BranzN-8631 ·

Hello,

Yes i know it is not the best way to achieve the goal to deactivate user accounts which are longer than 7 days active, but these accounts are just for test purposes so they get activated and deacitvated. There is no other thing that we do with them. We do not add any roles to it or else. These accounts just get activated and afterwards they get deactivated.

0 Votes 0 ·
NewbieJones-6218 avatar image
0 Votes"
NewbieJones-6218 answered NewbieJones-6218 edited

I need a script that is executed every 7 days.
It should deactivate all users that start with abc* in a specific group.
I want to have a txt file with the DisplayName of the all users which got deactivated

Not sure where the sevendaysbefore actually comes into play here.
Do you only want to disable the accounts that have been "changed" in the last seven days? Or all enabled accounts in the group not matter what.

Based on the initial "requirements". Please consider the following...

 $workingDirectory="H:\" #change as appropriate
 $currentDate = date -uformat "%y%m%d-%H%M"
 $logfile = ($workingDirectory+"Deactivatelog-$currentDate.csv")
    
 $Results=@()
    
 $group="groupA"
    
 $users=Get-ADGroupMember -Identity $group |
     Get-ADUser -properties DisplayName, Enabled |
         Where-Object {$_.Enabled -eq "True" -and $_.DisplayName -like "ABC*"} |
             Select-Object DistinguishedName, DisplayName, Enabled, @{name="group";expression={$group}}
                 
    
 If ($users) { # if not null
     ForEach ($account in $users) {
         Write-Host Disabling $account.DisplayName
         Disable-ADAccount -Identity $account.DistinguishedName
            
         $Results +=  New-Object -TypeName PSObject -property @{
             DisplayName=$account.DisplayName;
             Group=$account.group}                   
     }
        
     $Results | Export-CSV $logfile -noTypeInformation
    
 } Else {
   Write-Host "No Accounts found"  
 }
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.