For each to disable, move to specific OU, append AD description with text


I’m trying to write a script that will allow me to search for user accts based on last login time stamp that is X days in the past. I have that working but want to also have it disable / move / append the description field with text that includes “Disabled” then use the current date. Below is what I have so far which works to provide the list in a CSV. If anyone could help, I would greatly appreciate it.

Import-Module ActiveDirectory
$domain = ""   # value was cut off in the post; not used below
$DaysInactive = 90
$time = (Get-Date).AddDays(-($DaysInactive))

# Get all AD users with lastLogonTimestamp less than our time and set to enabled
Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and Enabled -eq $true} -Properties LastLogonTimeStamp -SearchBase "DC=mydomain,DC=com" |
    Where-Object {
        $_.DistinguishedName -notmatch 'OU=Users,DC=mydomain,DC=COM' -and
        $_.DistinguishedName -notmatch 'OU=IT,DC=mydomain,DC=COM' -and
        $_.SamAccountName -notlike "*IWAM*" -and
        $_.SamAccountName -notlike "*IUSR*" -and
        $_.SamAccountName -notlike "*WMUS*" -and
        $_.SamAccountName -notlike "*Mailbox*"
    } |
    # Output SamAccountName and lastLogonTimestamp (24-hour clock) into CSV
    Select-Object SamAccountName, @{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_HH:mm:ss')}} |
    Export-Csv OLD_User.csv -NoTypeInformation

For moving the users, you should be able to save your Get-ADUser command as a variable, and then pipe it to Move-ADObject.

The same holds true for Disable-ADAccount.

Similarly to the first two, you can pipe your Get-ADUser command to Set-ADUser, specifying the description with a Get-Date variable for today’s date, IF you don’t care what was previously in the description field for the account before you run the script (or if you know there is no description on any of the accounts). However, if you want to keep the original descriptions and then append your new one, you should pull the descriptions with Get-ADUser as well, save them to a variable, and then concatenate them together in your set command:

$Today = Get-Date -Format d
# Reuse the filter from your search; Description must be requested explicitly
$Query = Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and Enabled -eq $true} -Properties Description
$oldDescription = $Query.Description
$addDescription = "User disabled on $Today"
$newDescription = "$addDescription; $oldDescription"
$Query | Set-ADUser -Description $newDescription

Another note, try to do as much filtering as far left as possible. Distinguished name is a caveat as it’s a constructed value, so it must either be filtered with a WHERE clause or use SearchScope and\or SearchBase to only search the required OU(s). Understand you’re returning more records than you need, so your AD search is slower, so move the filterable items directly into your AD filter:

# Build one -Filter string; LastLogonTimeStamp is an Int64 file time, so compare it as one
$filter = @(
    "LastLogonTimeStamp -lt $((Get-Date).AddDays(-90).ToFileTime())"
    "Enabled -eq 'True'"
    "SamAccountName -notlike '*IWAM*'"
    "SamAccountName -notlike '*IUSR*'"
    "SamAccountName -notlike '*WMUS*'"
    "SamAccountName -notlike '*Mailbox*'"
) -join ' -and '

$users = Get-ADUser -Filter $filter -Properties LastLogonTimeStamp -SearchBase "DC=mydomain,DC=com" |
    Where-Object {$_.DistinguishedName -notmatch 'OU=Users,DC=mydomain,DC=COM' -and $_.DistinguishedName -notmatch 'OU=IT,DC=mydomain,DC=COM'}
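Putting the two answers together, here is an added example (not code from any post in this thread) that filters server-side, then appends the description, disables and moves each stale account per user, and writes a review CSV. It assumes a target OU "OU=Disabled Users,DC=mydomain,DC=com" (a placeholder) and the 90-day threshold from the question; $DryRun defaults to $true so nothing changes until the CSV has been reviewed.

```powershell
# Added example for this thread, not code from any post above. Assumes an existing
# target OU "OU=Disabled Users,DC=mydomain,DC=com" (placeholder) and a 90-day threshold.
# $DryRun = $true only reports; set it to $false after reviewing the CSV.
Import-Module ActiveDirectory

$DryRun       = $true
$DaysInactive = 90
$Cutoff       = (Get-Date).AddDays(-$DaysInactive)
$TargetOU     = "OU=Disabled Users,DC=mydomain,DC=com"
$Today        = Get-Date -Format 'yyyy-MM-dd'

# Server-side filter: compare the Int64 file time directly. Accounts that never
# logged on have no LastLogonTimeStamp and are NOT matched by -lt; review them separately.
# LastLogonTimeStamp also replicates lazily (it can lag the true last logon by up to 14 days).
$filter = @(
    "LastLogonTimeStamp -lt $($Cutoff.ToFileTime())"
    "Enabled -eq 'True'"
    "SamAccountName -notlike '*IWAM*'"
    "SamAccountName -notlike '*IUSR*'"
    "SamAccountName -notlike '*WMUS*'"
    "SamAccountName -notlike '*Mailbox*'"
) -join ' -and '

$stale = Get-ADUser -Filter $filter -Properties LastLogonTimeStamp, Description -SearchBase "DC=mydomain,DC=com" |
    Where-Object {
        $_.DistinguishedName -notmatch 'OU=Users,DC=mydomain,DC=COM' -and
        $_.DistinguishedName -notmatch 'OU=IT,DC=mydomain,DC=COM'
    }

$report = foreach ($user in $stale) {
    # Build the description per user so every account keeps its own original text.
    $old = $user.Description
    $new = if ($old) { "Disabled $Today; $old" } else { "Disabled $Today" }
    if ($new.Length -gt 1024) { $new = $new.Substring(0, 1024) }   # AD description limit

    # Change attributes and disable BEFORE moving: the move changes the DN.
    Set-ADUser        -Identity $user -Description $new -WhatIf:$DryRun
    Disable-ADAccount -Identity $user -WhatIf:$DryRun
    Move-ADObject     -Identity $user -TargetPath $TargetOU -WhatIf:$DryRun

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        LastLogon      = [DateTime]::FromFileTime($user.LastLogonTimeStamp).ToString('yyyy-MM-dd HH:mm:ss')
        OldDescription = $old
        NewDescription = $new
    }
}
$report | Export-Csv -Path "Disabled_$Today.csv" -NoTypeInformation
```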

Thank you both very much. I have it working now.

Line 5 should be

$newDescription = "$addDescription; $oldDescription"