I am sure there is probably an easier way to do this but I wanted to check my understanding of the way I did it and if I am correct for future reference.
I want to move all users accounts that have not logged in for 90days OR all users that have never logged in but only if they were created prior to 30 days.
This is what I have:
$30days = (get-date).adddays(-30)
$lastLogon = (get-date).adddays(-90)
get-aduser -filter {(lastLogonTimestamp -lt $lastLogon) -or (whencreated -lt $30days) -and (lastLogonTimeStamp -notlike "*")} -searchbase "ou=MYOUPATH" -searchscope onelevel -properties whencreated,lastlogondate | Select Name,whencreated,lastlogondate | sort lastlogondate | Move-ADObject -TargetPath "ou=Disabled Users OU Path"
This gives me the correct results but it feels like I should have to tie the last 2 conditions together so it would either evaluate condition 1 OR conditions 2 AND 3 but this already seems to be the case but I don’t think its right. I just think the values are causing it to appear correct.
I know this is wrong but it seems like instead of this:
-filter {(lastLogonTimestamp -lt $lastLogon) -or (whencreated -lt $30days) -and (lastLogonTimeStamp -notlike "*")}
it should be something like this:
-filter {(lastLogonTimestamp -lt $lastLogon) -or ((whencreated -lt $30days) -and (lastLogonTimeStamp -notlike "*")}}
tying the last 2 together but I do not know how to do that correctly.
Thanks,
Scott
Would this be the correct way? Having trouble figuring out how to test is 
-filter {lastLogonTimestamp -lt $lastLogon -or (whencreated -lt $30days -and lastLogonTimeStamp -notlike "*")}
I think this would do the trick for you. I think your filter from your first post would work, and that is what I coded with. I added your filters separately in different commands, then combined then. The check at the end should return true, showing that you that the filter works the same when combined, and giving you the exact same results.
$30days = (get-date).AddDays(-30)
$lastLogon = (get-date).AddDays(-90)
$30dayUsers = get-aduser -filter {(whencreated -lt $30days) -and (lastLogonTimeStamp -notlike "*")} -searchbase $ouPath -searchscope oneLevel -properties whencreated,lastlogondate
$90dayusers = get-aduser -filter {(lastLogonTimestamp -lt $lastLogon)} -searchbase $ouPath -searchscope oneLevel -properties whencreated,lastlogondate
$30or90Users = get-aduser -filter {(lastLogonTimestamp -lt $lastLogon) -or ((whencreated -lt $30days) -and (lastLogonTimeStamp -notlike "*"))} -searchbase $ouPath -searchscope oneLevel -properties whencreated,lastlogondate
$30or90Users.count -eq ($30dayUsers.count + $90dayusers.count)
You have a type-o, you have an opening ( with a closing } which should be a closing ), next to last character. That than that, this filter is perfectly fine.
-filter {(lastLogonTimestamp -lt $lastLogon) -or ((whencreated -lt $30days) -and (lastLogonTimeStamp -notlike "*")}}
should be
-filter {(lastLogonTimestamp -lt $lastLogon) -or ((whencreated -lt $30days) -and (lastLogonTimeStamp -notlike "*"))}
Thanks to both of you for the help! It works without the extra parentheses I now realize because of the data but was incorrect. It’s good to know how to do it correctly.
Thanks again!!
Scott
Seeing that you guys are dealing with the same issue I am facing does anyone know how to compare the lastlogondate from local AD and 365 Azure AD so that you don’t move accounts that were logged into 365. The lastlogondate parameter is not part of the ADsync functionality so it gives a mismatch for administrators to do any type of security management for true (LastLogon).
365 LastLogonDate
get-mailboxstatistics -identity doe.john | select lastlogontime
LastLogonTime
9/15/2017 8:50:55 AM
AD On-Premise LastLogonDate
PS C:\scripts\ActiveScheduledScripts> Get-ADUser -Filter * -SearchBase "cn=doe.john,ou=axb,dc=site,dc=org" -Res
ultPageSize 0 -Prop CN,lastLogonTimestamp | Select CN,@{n="lastLogonDate";e={[datetime]::FromFileTime($_.lastLogonTimest
amp)}}
lastLogonTimeStamp
8/24/2016 2:06:23 PM