Disable AD Users and Move

Hello All,

I searched the forum for answers but couldn’t find anything that quite explains the problem I’m facing.

I am trying to

  1. grab users that haven’t logged in after 55 days,
  2. disabled them, and
  3. move them to the disabled OU.

The part that gets the list of users works fine, but the if-else statement doesn’t work; the output only shows the else output, as if it doesn’t find any users. I am trying to turn this into a Scheduled Task; that’s the reason why I don’t just want to use Get-ADUser by itself.

I included the output at the bottom of the script. Please help.

Import-Module ActiveDirectory

$time             = (Get-Date).Adddays(-55)
$OUUser           = "user OU"
$OUSupport        = "support user OU"
$OUUserMove       = "disable user OU"
$OUSupportMove    = "disabled support user OU"
$OU1              = "service account OU"
$DirPath          = "C:\bin\ADAM"
$LogFile          = $DirPath + "\" + "Disable_and_Move_User_Accounts.log"


$userlist=Get-ADUser -Filter {(LastLogonDate -lt $time) -and (Enabled -eq "True")} -Properties LastLogonDate | Where-Object {$_.distinguishedname -notlike $OU1}
#Get-ADUser -Filter {(LastLogonDate -lt $time) -and (Enabled -eq "True")} -Properties LastLogonDate | Where-Object {$_.distinguishedname -notlike $OU1}


Start-Transcript -path $LogFile

ForEach ($users in $userlist){
        If ($users.distinguishedName -like "$OUUser"){
            $desc="Disabled on $(Get-Date)  for being inactive - $($users.Description)"
            Set-ADUser $users -Description $desc -Enabled $false
            Move-ADObject $users -TargetPath $OUUserMove
            }

        If ($users.distinguishedName -like "$OUSupport"){
            $desc="Disabled on $(Get-Date)  for being inactive - $($users.Description)"
            Set-ADUser $users -Description $desc -Enabled $false
            Move-ADObject $users -TargetPath $OUSupportMove
            } 
else {
        echo " "
        echo " "
        echo "All users are active"
        echo " "
        echo " "

        
} 

}

Stop-Transcript

Below are the results I am getting:

Transcript started, output file is C:\bin\ADAM\Disable_and_Move_User_Accounts.log

All users are active

All users are active

All users are active

All users are active

Transcript stopped, output file is C:\bin\ADAM\Disable_and_Move_User_Accounts.log

You realize your else only applies to your second if statement?

Put something in the if blocks to indicate some action is taking place. You may realize it is actually working. No way for me to test; at first glance, it looks like it should work since you are getting no errors.

I’m not following what you’re saying; the above statement is already in my if statement. I in fact have two statements with two if commands?

When using -like, it’s used with wildcards: $something -like "*$havingthis*". Otherwise use -match without *.

Things are working now! The first if statement was working, but the second one wasn’t. To get the 2nd one working, I had to add a 2nd foreach statement. Below is the final script. Also, if you notice, I added the “**” to the if statements. Thanks everyone!

Import-Module ActiveDirectory

$time             = (Get-Date).Adddays(-55)
$OUUser           = "User OU"
$OUSupport        = "Support OU"
$OUUserMove       = "Disabled User OU"
$OUSupportMove    = "Disabled Support OU"
$OU1              = "Service OU"
$DirPath          = "C:\bin\ADAM"
$LogFile          = $DirPath + "\" + "Disable_and_Move_User_Accounts.log"


# Description is not in the default property set, so request it along with LastLogonDate,
# otherwise $users.Description is empty when the new description is built.
# -notlike also needs wildcards, or the service-account OU is never excluded.
$userlist=Get-ADUser -Filter {(LastLogonDate -lt $time) -and (Enabled -eq "True")} -Properties LastLogonDate,Description | Where-Object {$_.distinguishedName -notlike "*$OU1*"}


Start-Transcript -path $LogFile

# First pass: accounts under the user OU
ForEach ($users in $userlist){
    If ($users.distinguishedName -like "*$OUUser*"){
        $desc="Disabled on $(Get-Date)  for being inactive - $($users.Description)"
        Set-ADUser $users -Description $desc -Enabled $false
        Move-ADObject $users -TargetPath $OUUserMove
    }
}

# Second pass: accounts under the support OU (a separate loop, not nested inside the first)
ForEach ($users in $userlist){
    If ($users.distinguishedName -like "*$OUSupport*"){
        $desc="Disabled on $(Get-Date)  for being inactive - $($users.Description)"
        Set-ADUser $users -Description $desc -Enabled $false
        Move-ADObject $users -TargetPath $OUSupportMove
    }
    else {
        echo " "
        echo "All users are active"
        echo " "
    }
}

Stop-Transcript

You can avoid the code duplication by doing something like this in your foreach
loop:

ForEach ($users in $userlist) {

    # Reset first, so a DN that matches neither pattern cannot inherit the
    # previous iteration's target path and get moved to the wrong OU.
    $targetPath = $null
    switch -Regex ($users.DistinguishedName) {
        'User OU'    {$targetPath = $OUUserMove}
        'Support OU' {$targetPath = $OUSupportMove}
    }
    if (-not $targetPath) { continue }

    $desc = "Disabled on $(Get-Date)  for being inactive - $($users.Description)"
    Set-ADUser $users -Description $desc -Enabled $false
    Move-ADObject $users -TargetPath $targetPath

}
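As an added example (not code from this thread or any of its posters), the following PowerShell pulls the two replies together: -like only matches a full DistinguishedName when the pattern carries wildcards, and one loop with a lookup table replaces the duplicated if blocks. The OU DNs in $OUMap, the function names Get-TargetOU and Invoke-StaleAccountSweep, and the sample users are all constructed for illustration; Set-ADUser and Move-ADObject are only reached when the sweep is run without -WhatIf against a real domain.

```powershell
# Added example, not code from the thread. Assumed names: the OU DNs in $OUMap,
# the function names and the sample users are all constructed for illustration.

# Source OU -> OU that disabled accounts from it are moved to.
$OUMap = @(
    @{ Source = 'OU=User OU,DC=corp,DC=example';    Target = 'OU=Disabled User OU,DC=corp,DC=example' }
    @{ Source = 'OU=Support OU,DC=corp,DC=example'; Target = 'OU=Disabled Support OU,DC=corp,DC=example' }
)

function Get-TargetOU {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    foreach ($entry in $OUMap) {
        # -like compares against the whole string, so without the leading "*" the
        # pattern never matches a full DN. Anchoring on ",OU=..." instead of a bare
        # "*User OU*" keeps 'User OU' from also matching 'Disabled User OU'.
        if ($DistinguishedName -like "*,$($entry.Source)") { return $entry.Target }
    }
    return $null   # no mapping: the caller must skip this account rather than move it
}

function Invoke-StaleAccountSweep {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Objects exposing DistinguishedName, SamAccountName and Description:
        # Get-ADUser output (request -Properties Description) or test objects.
        [Parameter(Mandatory)][object[]]$Users
    )
    $candidates = @()
    foreach ($user in $Users) {
        $targetPath = Get-TargetOU -DistinguishedName $user.DistinguishedName
        if (-not $targetPath) {
            Write-Warning "Skipping $($user.SamAccountName): no disabled OU mapped for its location"
            continue
        }
        $candidates += $user.SamAccountName
        $desc = "Disabled on $(Get-Date -Format 'yyyy-MM-dd') for being inactive - $($user.Description)"
        # ShouldProcess honours -WhatIf and -Confirm, so the scheduled task can be
        # dry-run (and the result read from the transcript) before it is allowed
        # to change anything.
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable and move to $targetPath")) {
            Set-ADUser    -Identity $user.DistinguishedName -Description $desc -Enabled $false
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $targetPath
        }
    }
    return $candidates
}

# Constructed sample input standing in for the Get-ADUser result.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';  DistinguishedName = 'CN=jdoe,OU=User OU,DC=corp,DC=example';     Description = 'Finance' }
    [pscustomobject]@{ SamAccountName = 'helpd'; DistinguishedName = 'CN=helpd,OU=Support OU,DC=corp,DC=example'; Description = 'Help desk' }
    [pscustomobject]@{ SamAccountName = 'svc01'; DistinguishedName = 'CN=svc01,OU=Service OU,DC=corp,DC=example'; Description = 'Backup service' }
)

# Dry run: "What if:" lines for jdoe and helpd, a warning for svc01, nothing changed.
$touched = Invoke-StaleAccountSweep -Users $sample -WhatIf
if (-not $touched) { 'All users are active' }   # reported once, not once per user
```

Scheduling the sweep with -WhatIf first lets the transcript show exactly which accounts would be disabled and where they would land; the "All users are active" message is now decided once from the returned list instead of being printed inside the loop for every account that happened not to match the second OU.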

thank you for this. I will incorporate this into my script asap.