Script to find expired accounts but near "real-time"?

by virtuallywarped at 2012-12-07 22:00:59


I am trying to get a script that I can run as a scheduled task and have the script find any account that is set to expire in a specific time frame. I'm using Quest ActiveRoles Server and I can set a "virtual attribute" so that helpdesk staff can enter a date/time for the account to expire.

Then this script would be set up as a scheduled task, and when it runs I need it to find any accounts that expire "at the time the script runs and any that expired prior to the script running". If I run this every couple of hours then that will satisfy the auditors we are doing this for. Expiring the accounts doesn't close off all access, so this script will trigger a deprovision action that does that process, which is already set up, for each account that is returned in the query.
by DonJ at 2012-12-08 08:46:38
I don't know of any pre-existing script, so you'd probably need to write this from scratch yourself. If you're not sure how to accomplish some pieces, let's tackle them one at a time. I don't know much about Quest ARS, so I'm probably not going to be a lot of help there, but we can try and get Kirk, who used to work for Quest, to help out if your questions are with that piece.
by RichardSiddaway at 2012-12-09 02:36:01
Get-QADUser has the -AccountExpiresBefore and -AccountExpiresAfter attributes - you should be able to use them. Not sure that you need a virtual attribute when AD already has an attribute for account expiry date.
by virtuallywarped at 2012-12-12 21:02:50
Thank you both, really appreciate it. So here's what I need and what I've found so far.

I need to:

1. Get-Date - it can be the exact time

2. Query an OU and all sub-OUs for accounts that have a date/time set in the attribute that is either "now - the time the script is running" or any date/time prior to the time the script is running.

This would let me set the scheduled task to run every 1 hour; then, when it runs after the 1st time, it should only show accounts that have essentially expired in the past hour.

I came up with this and it finds accounts that will expire 'today', but I am not sure how to do the time piece I need.

# Every account with the virtual attribute set, then keep those whose value is already in the past.
# The [datetime] cast makes the comparison a date comparison even if ARS hands the attribute back as a string.
$expiredusers = Get-QADUser -Proxy -LdapFilter "(expirationtime=*)" | Where-Object { [datetime]$_.expirationtime -lt (Get-Date) }
by virtuallywarped at 2012-12-17 16:27:24

I am still stuck on this, can someone help me out with getting the query running?

I am not sure how to do the "date/time as of now - which is when the script runs" and anything prior to that date/time.

Once this runs the 1st time it won't matter about "prior", because it can go back as far as any prior time. The issue I have is I'm not sure how to search for accounts that expire, for example, on 12/17/2012 at 5:00pm and anything before that date and time, then perform the action on them.

I can't use just Get-Date as I don't want to run the process until the specific time comes up.
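One way to build the windowed query asked for in the last two posts, as an added example that is not part of the thread and not code from the poster or from Quest. It treats each scheduled run as a window (previous run, now]: anything whose expiry falls inside the window is acted on once, the very first run uses an open lower bound so everything already expired is swept up, and the window only advances after the deprovision loop finishes, so a failed run is retried rather than silently skipped. The OU, the state-file path, and the use of Deprovision-QADUser as the trigger are assumptions; the virtual attribute name expirationtime is taken from the poster's own one-liner and is not a built-in attribute.

```powershell
# Added example, not from the thread. Requires the Quest ActiveRoles Management Shell snap-in.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction Stop

$SearchRoot = 'OU=Staff,DC=example,DC=com'       # assumed OU; Subtree scope also covers its sub-OUs
$StateFile  = 'C:\Scripts\expire-lastrun.ticks'  # assumed path; holds the previous run's timestamp
$Now        = Get-Date

# Lower bound of the window: the previous run's timestamp, or "the beginning of time" on the
# first run so that accounts which expired before the script ever ran are caught exactly once.
if (Test-Path $StateFile) {
    $Since = New-Object DateTime ([long](Get-Content $StateFile -Raw).Trim())
} else {
    $Since = [datetime]::MinValue
}

# Pull every account in scope that has the virtual attribute populated. The upper/lower bound
# is applied client-side because a virtual attribute is not reliably range-searchable via LDAP.
# -SizeLimit 0 lifts the default result cap; -IncludedProperties makes sure the attribute is returned.
$candidates = Get-QADUser -Proxy -SearchRoot $SearchRoot -SearchScope Subtree -SizeLimit 0 `
                          -LdapFilter '(expirationtime=*)' -IncludedProperties expirationtime |
    Where-Object {
        # [datetime] cast parses the stored value with the current culture; store the value in an
        # unambiguous form (yyyy-MM-dd HH:mm) if helpdesk staff type it by hand.
        $expires = [datetime]$_.expirationtime
        # (Since, Now]: -gt on the lower bound stops an account being processed twice when its
        # expiry equals a run time; -le on the upper bound includes "expires exactly now".
        $expires -gt $Since -and $expires -le $Now
    }

# Alternative if the native AD accountExpires attribute is used instead of a virtual one
# (Richard's suggestion): the server does the range filtering and no Where-Object is needed.
#   $candidates = Get-QADUser -Proxy -SearchRoot $SearchRoot -SearchScope Subtree -SizeLimit 0 `
#                             -AccountExpiresAfter $Since -AccountExpiresBefore $Now

foreach ($user in $candidates) {
    Write-Host ('{0} expired at {1:yyyy-MM-dd HH:mm}; triggering deprovision' -f `
                $user.NTAccountName, [datetime]$user.expirationtime)
    # Assumed trigger: hand the account to the ARS deprovisioning policy already configured for it.
    # Replace with whatever starts your own deprovision action if you do not use that policy.
    $user | Deprovision-QADUser -Proxy -ErrorAction Stop
}

# Advance the window only after every candidate was handled. If Deprovision-QADUser throws,
# -ErrorAction Stop aborts the script before this line, so the next run re-examines the same
# window; the deprovision action therefore needs to be safe to repeat on an already-handled account.
$Now.Ticks | Set-Content $StateFile
```

Run it from the scheduled task on whatever cadence the auditors accept: an account set to expire at 5:00pm on 12/17/2012 is skipped by the 4:00pm run because its expiry is still in the future, and picked up by the 6:00pm run because it now lies inside (4:00pm, 6:00pm]. Keep the state file somewhere only the task's service account can write, since whoever can edit it can move the window and cause an account to be missed or re-processed.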