Help with Active Directory User Disable Script

I am pulling hairs right now. I'm trying to disable user accounts that are inactive (haven’t logged in last 180 days), but exclude users who have been created in the last 30 days who haven’t logged in yet.

Currently I’m running:

Get-ADUser -SearchBase "OU=blah blah" -f * -properties SamAccountName,LastLogonDate,createTimeStamp | Where-Object {($_.lastlogondate -le $180days) -AND ($_.whencreated -le $30days) -AND ($_.enabled -eq $true)} | Export-CSV C:\blahblah\InactiveUsers.csv

My output shows a user who has a LastLogonDate of “2/8/2017” which is 27 days ago. He’s the ONLY problem child in my list.

Obviously there are no syntax errors, but I assume there is a logic error that is preventing my list to be accurate. Any help is appreciated.

You are using when_created in your comparison, but you aren’t retrieving it, assuming you didn’t mix them up when posting.

I think you’ll need to change your -le operators (less than or equal) to -ge (greater than or equal) in the Where-Object filter. I’m assuming your $180days and $30days variables are set to a date 180 or 30 days ago.

Try:

# Input
$LastLogon       = (Get-Date).AddDays(-180)   # last logon on or before this date counts as inactive
$WhenCreated     = (Get-Date).AddDays(-30)    # created on or before this date is outside the grace period

# Initialize
# Enabled user objects only: person/user class with the ACCOUNTDISABLE bit (2) of userAccountControl clear.
# (Setting $adsi.filter afterwards would overwrite the filter given to the constructor, so it is combined here.)
$adsi            = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$adsi.SearchRoot = "LDAP://dc=$($env:USERDNSDOMAIN.replace('.',',dc='))"
$adsi.PageSize   = 1000                        # paged search, so more than the server's size limit comes back
$null = $adsi.PropertiesToLoad.AddRange([string[]]('samaccountname','lastlogontimestamp','whencreated'))
$ADUsersRaw      = $adsi.FindAll()

# Process
$ADUsers = $ADUsersRaw | ForEach-Object {
    [PSCustomObject]@{
        SamAccountName  = $_.Properties.samaccountname | Select-Object -First 1
        # lastLogonTimestamp is a FILETIME; accounts that have never logged on have no value and stay $null
        LastLogonDate   = $(
            if ($_.Properties.lastlogontimestamp) {
                [datetime]::FromFileTime(($_.Properties.lastlogontimestamp | Select-Object -First 1))
            }
        )
        createTimeStamp = $_.Properties.whencreated | Select-Object -First 1
    }
}
# A $null LastLogonDate compares as less than any date, so never-logged-on users count as inactive
# once their creation date is older than the grace period.
$SelectADUsers = $ADUsers | Where-Object { $_.LastLogonDate -le $LastLogon -and $_.createTimeStamp -le $WhenCreated }

# Output
$SelectADUsers | Select-Object -First 20 | Format-Table -AutoSize
"Found $($SelectADUsers.Count) users created before $WhenCreated that have not logged on since $LastLogon"

I tried replacing the -le with -ge before, and I'm still pulling the same account that was created on 2/8/2017. While the 2 lists are different (le shows 65 users, ge shows 157 users), it’s not pulling the right accounts in either situation.

As Ron mentioned, you haven’t selected the whenCreated property but you’re testing for it. Get-ADUser does not return whenCreated by default. Please see if changing the condition in your Where-Object filter to createTimestamp or correcting the properties list of Get-ADUser fixes things.

Get-ADUser -SearchBase "OU=blah blah" -f * -properties SamAccountName,LastLogonDate,createTimeStamp | Where-Object {($_.lastlogondate -ge $180days) -AND ($_.createTimeStamp -ge $30days) -AND ($_.enabled -eq $true)} | Export-CSV C:\blahblah\InactiveUsers.csv
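The selection rule the thread is working towards (inactive for 180 days, but skip accounts created in the last 30 days), as an added example that is not part of any post above: a pipeline filter that fails loudly when whenCreated was not retrieved instead of silently matching every account, exercised against constructed objects before it is pointed at the directory. The function name Select-InactiveUser, the sample accounts and the reference date are assumptions.

```powershell
function Select-InactiveUser {
    # Hypothetical helper (not from the thread). Emits the enabled users that have been
    # inactive for $InactiveDays but were not created within the last $GraceDays.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $User,
        [datetime] $Now = (Get-Date),
        [int] $InactiveDays = 180,
        [int] $GraceDays = 30
    )
    begin {
        $LogonCutoff   = $Now.AddDays(-$InactiveDays)  # last logon on or before this date = inactive
        $CreatedCutoff = $Now.AddDays(-$GraceDays)     # created on or before this date = grace period over
    }
    process {
        if (-not $User.Enabled) { return }
        # whenCreated is not in Get-ADUser's default property set. If it was not retrieved,
        # "$null -le <date>" evaluates to $true and the grace period silently disappears.
        if ($null -eq $User.whenCreated) {
            throw "whenCreated missing for $($User.SamAccountName); add it to -Properties"
        }
        if ($User.whenCreated -gt $CreatedCutoff) { return }   # created inside the grace period
        # Never-logged-on users carry a $null LastLogonDate; once the grace period is over they are inactive.
        if ($null -eq $User.LastLogonDate -or $User.LastLogonDate -le $LogonCutoff) { $User }
    }
}

# Constructed sample, dated so that 2/8/2017 is 27 days ago as in the original post.
$now = Get-Date -Date '2017-03-07'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'stale.user';   Enabled = $true;  LastLogonDate = $now.AddDays(-200); whenCreated = $now.AddDays(-400) }
    [pscustomobject]@{ SamAccountName = 'recent.logon'; Enabled = $true;  LastLogonDate = $now.AddDays(-27);  whenCreated = $now.AddDays(-400) }
    [pscustomobject]@{ SamAccountName = 'new.never';    Enabled = $true;  LastLogonDate = $null;              whenCreated = $now.AddDays(-10) }
    [pscustomobject]@{ SamAccountName = 'old.never';    Enabled = $true;  LastLogonDate = $null;              whenCreated = $now.AddDays(-90) }
    [pscustomobject]@{ SamAccountName = 'already.off';  Enabled = $false; LastLogonDate = $now.AddDays(-300); whenCreated = $now.AddDays(-400) }
)
($sample | Select-InactiveUser -Now $now).SamAccountName

# Against the directory: request both date properties explicitly, review the CSV,
# then run the disable step with -WhatIf before removing it.
# Get-ADUser -SearchBase 'OU=blah blah' -Filter * -Properties LastLogonDate, whenCreated |
#     Select-InactiveUser | Export-Csv C:\blahblah\InactiveUsers.csv -NoTypeInformation
# Import-Csv C:\blahblah\InactiveUsers.csv |
#     ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

LastLogonDate is derived from lastLogonTimestamp, which domain controllers only replicate when it is more than 9 to 14 days stale, so treat the 180-day cut-off as approximate and keep the exported CSV as the record of what was disabled and why.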

This might help: http://www.adaxes.com/blog/cleanup-active-directory-with-powershell.html It’s a script that can remove inactive users and take into account those who didn’t log on in the last XX days, exclude service accounts, users that have never logged on and other useful stuff.