Question about the possibility with PowerShell

Hello,

Is it possible to deactivate users which are activated in the Active Directory for more than 7 days?
Not the Sign Up, just the activation time in the Active Directory.

Regards Nico

Let me try to answer this with a counter-question. Is there a way to achieve that without PowerShell? Is there an AD attribute representing the activation timestamp of an account? :wink:

Maybe via the Changed on: under Object when you open the properties of a User.

But that attribute is not only set when you activate an account. As far as I know there is no attribute representing the time an account is activated. Sorry. :man_shrugging:t4:

When I run my script to deactivate specific accounts, the time from changed on changes. Could I write a script which deactivates these specific users when the time they were last changed on was longer ago than 7 days? Because these users are usually disabled and get activated only when they are needed.

Of course you could. But the attribute whenChanged is not only set when an account is activated. So it would be an unreliable “answer to your question”.

Could you help me to write such a script? I asked a few colleagues and we have no problem with the whenChanged or Modified attribute.

That depends pretty much on what exactly you mean by “helping you writing a script”. :wink:

This forum is for scripting questions rather than script requests. We do not write customized and ready to use scripts or solutions on request.

We expect you to make your own attempt to get your task done or to solve your problem. If you have done so already, please document here what exactly you have done and show your code. Then we probably might be able to help you a step further.

This is what I got. But I have no idea how to use the Modified attribute.

Import-Module ActiveDirectory                                                         
$refDate = (Get-Date).AddDays(-7)
                                     
    GET-ADuser -Filter 'DisplayName -like "abc_*"' -Properties Modified | where {$_.enabled -eq $true}    
    
    if ($_.Modified -lt $refDate) 
    {
      Disable-ADAccount
    }

Hmmm,

I’d recommend taking a big step back and starting with learning the very basics of PowerShell first. It will save you from a lot of wasted time and frustrations. :wink:

Something like this should work:

$SearchBase = 'OU=Users,OU=Germany,OU=Europe,DC=Company,DC=com'
$SevenDaysBefore = ((Get-Date).Date).AddDays(-7)

$ADUserList = Get-ADUser -Filter "enabled -eq '$true' -and DisplayName -like 'abc_*'" -SearchBase $SearchBase -Properties Modified, DisplayName

foreach ($ADUser in $ADUserList) {
    if ($ADUser.Modified -lt $SevenDaysBefore) {
        Disable-ADAccount -Identity $ADUser.sAMAccountName
    }
}

Of course you have to adapt the searchbase to your environment. :point_up_2:t4:

Yes it works, thank you.
How can I define user exceptions for 4 specific users?
Should I activate them afterwards or can I add the users as exceptions?

Whatever works for you … I’d create a list with sAMAccountNames and filter them with a Where-Object.

Please, always read the help for the cmdlets you’re about to use completely including the examples to learn how to use them!

Hello,

I rewrote the script to my personal preferences and needs. Now I have the problem that I don’t know how I should implement an outfile or something similar. I get an empty txt file and there is nothing displayed even with the few changes I made.
The following code is just the example code and does not represent my complete code.

$SearchBase = 'OU=Users,OU=Germany,OU=Europe,DC=Company,DC=com'
$SevenDaysBefore = ((Get-Date).Date).AddDays(-7)

$ADUserList = Get-ADUser -Filter "enabled -eq '$true' -and DisplayName -like 'abc_*'" -SearchBase $SearchBase -Properties Modified, DisplayName

foreach ($ADUser in $ADUserList) {
    if ($ADUser.Modified -lt $SevenDaysBefore) {
        Disable-ADAccount -Identity $ADUser.sAMAccountName
    }
}
Out-File -FilePath 'Path'

Cool. :+1:t4: Does it do what you want? You may share your code to help others coming here having the same or a similar problem. :wink:

What do you mean with that?

And why do you post it then? :thinking: I’m afraid I don’t understand your question.

Out-File needs to know what to put into the file. At this point, you are not putting anything into Out-File, so you are getting an empty file. Example:

$Output = {result of something your script did}
$Output | Out-File -FilePath 'Path'

I tried almost everything I knew to get a result of something my script did. But in my

foreach ($ADUser in $ADUserList) {
    if ($ADUser.whenChanged -lt $SevenDaysBefore) {
        Disable-ADAccount -Identity $ADUser.SamAccountName
    }
}

I get no output. I don’t know if I should change something there or if it is possible to declare $Output with another variable.

My Code (I test with $SevenDaysBefore = ((Get-Date).AddMinutes(-1))):

$SearchBase = 'OU=Benutzer,DC=test,DC=local'
$SevenDaysBefore = ((Get-Date).AddDays(-7))

$ADUserList = Get-ADUser -Filter "enabled -eq '$true' -and DisplayName -like 'abc_*'" -SearchBase $SearchBase -Properties whenChanged
$ADUserEnabled = Get-ADUser -Filter "DisplayName -like 'abc_2_*' -or DisplayName -eq 'abc_1_test'" -SearchBase $Searchbase



 
foreach ($ADUser in $ADUserList) {
    if ($ADUser.whenChanged -lt $SevenDaysBefore) {
        Disable-ADAccount -Identity $ADUser.SamAccountName
    }
}

foreach ($ADUser in $ADUserEnabled) {
    Enable-ADAccount -Identity $ADUser.SamAccountName
}

$Output = 
$Output | Out-File -FilePath 'path'

The output I want is just the users that got deactivated.

Please re-read the help - especially the paragraph about Outputs!

… and then take a look at the parameter -Passthru!!!

Follow the link Olaf posted and then do a test with 1 user:

$disableuser = Disable-ADAccount -Identity testuser1 -PassThru

$disableuser | Select-Object Name,Enabled,SamAccountName |
Export-Csv -Path C:\it\disabletest.csv -NoTypeInformation
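
The pieces discussed in this thread (the whenChanged cutoff, an exception list filtered with Where-Object, and a report of what was disabled) combined into one script, as an added example that is not part of any post above. The exception names, the report path and the $DryRun switch are assumptions; instead of -PassThru it re-reads each account after the change so the report shows the state the directory actually holds.

```powershell
Import-Module ActiveDirectory

# Assumed values, adapt to your environment
$SearchBase = 'OU=Users,OU=Germany,OU=Europe,DC=Company,DC=com'   # search base used in the thread
$Exceptions = 'abc_keep1', 'abc_keep2', 'abc_keep3', 'abc_keep4'  # hypothetical sAMAccountNames
$ReportPath = 'C:\it\disabled-users.csv'                          # hypothetical report path
$DryRun     = $true   # $true: nothing is disabled, the report lists the candidates
$Cutoff     = (Get-Date).Date.AddDays(-7)

# whenChanged moves on ANY modification of the object, not only on enabling it,
# so this selects "untouched for 7 days", not "enabled 7 days ago".
$Query = @{
    Filter     = 'Enabled -eq $true -and DisplayName -like "abc_*"'
    SearchBase = $SearchBase
    Properties = 'whenChanged', 'DisplayName'
}
$Candidates = Get-ADUser @Query |
    Where-Object { $_.whenChanged -lt $Cutoff -and $_.SamAccountName -notin $Exceptions }

# Objects emitted inside the loop are collected by the assignment; this is
# what gives Export-Csv something to write. @() keeps an empty result non-null.
$Report = @(foreach ($User in $Candidates) {
    $Failure = $null
    try {
        Disable-ADAccount -Identity $User.SamAccountName -WhatIf:$DryRun -ErrorAction Stop
    }
    catch {
        $Failure = $_.Exception.Message
    }
    # Re-read the account so the report reflects the directory, not an assumption
    $After = Get-ADUser -Identity $User.SamAccountName
    [pscustomobject]@{
        SamAccountName = $User.SamAccountName
        DisplayName    = $User.DisplayName
        WhenChanged    = $User.whenChanged
        EnabledAfter   = $After.Enabled
        Error          = $Failure
    }
})

$Report | Export-Csv -Path $ReportPath -NoTypeInformation
```

Run it once with $DryRun = $true and review the CSV before switching to $false; in a dry run EnabledAfter stays True for every row.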