Get-ADUser on a monthly basis

Hello Guys,

First of all thank you everyone for reading this.

I would like to extract the list of users from AD that were disabled (whenDisabled) during a fixed period of time (i.e. February), but I'm not sure how to add that condition to the script below since I'm pretty new to PowerShell. Could you please help me?

[pre]Get-ADUser -Server "SERVER" -Filter '*' -Properties sAMAccountName,givenName,sn,userAccountControl,mail,employeeID,lastLogonDate,whenDisabled | Select-Object sAMAccountName,givenName,sn,userAccountControl,mail,employeeID,lastLogonDate,whenDisabled | Export-Csv 'C:\powershell scripts\europe_02012019_NA-02.csv'[/pre]

 

Thanks !!!

Bogdan

So unfortunately there doesn't seem to be a built-in attribute that stores a timestamp of when the user was last disabled. So my solution isn't going to be super simple, but it is functional. It uses the [pre]Get-ADReplicationAttributeMetadata[/pre] cmdlet to get the last time the userAccountControl attribute changed for each disabled user. The UAC stores the bitwise value that flags an account as disabled. One small possibility to understand is that if the UAC attribute was modified with some other flag sometime since the account was disabled, you could potentially see a date that is later than the actual disablement timestamp. This is technically possible since that attribute stores flags for many different things, but unlikely except for perhaps a small percentage of user accounts in most environments.

This is not a PS issue, but an ADDS limitation.

Only auditing can resolve this. Only WS2008 implements a good auditing solution. Pre-WS2008 will need a custom solution or a third party auditing tool.

Or edit or extend your user ADDS attributes with a field in which you can store this info.
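The approach described in the first reply (reading the replication metadata of userAccountControl for each disabled user and keeping those changed in the target month), written out as an added example; it is not the script from that reply. The server name, date range and output path are placeholders, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not code from the thread.
Import-Module ActiveDirectory

$Server  = 'DC01.example.com'              # placeholder domain controller
$Start   = [datetime]'2019-02-01'          # first day of the reporting month
$End     = $Start.AddMonths(1)             # exclusive upper bound (March 1)
$OutFile = 'C:\Temp\disabled_2019-02.csv'  # placeholder output path

$props = 'givenName','sn','mail','employeeID','lastLogonDate','userAccountControl'

# Only accounts that are disabled right now are candidates.
$report = Get-ADUser -Server $Server -Filter 'Enabled -eq $false' -Properties $props |
    ForEach-Object {
        $user = $_

        # Replication metadata records when userAccountControl last changed.
        $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                    -Server $Server -Properties userAccountControl

        if ($meta -and
            $meta.LastOriginatingChangeTime -ge $Start -and
            $meta.LastOriginatingChangeTime -lt $End) {

            [pscustomobject]@{
                sAMAccountName     = $user.SamAccountName
                givenName          = $user.GivenName
                sn                 = $user.Surname
                userAccountControl = $user.userAccountControl
                mail               = $user.mail
                employeeID         = $user.EmployeeID
                lastLogonDate      = $user.LastLogonDate
                # Last change of any UAC flag, not necessarily the disable itself.
                uacLastChanged     = $meta.LastOriginatingChangeTime
                # Number of times the attribute has been written; a high value
                # means other UAC changes may have happened around the disable.
                uacVersion         = $meta.Version
            }
        }
    }

$report | Sort-Object uacLastChanged |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Accounts that were disabled in the month and re-enabled since are not in the output, because the filter only selects accounts that are disabled when the script runs.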