Posted by: Colin Smith
Active Directory, AD, AD Administration, Powershell
As I said before, I have completed the rewrite of my Active Directory audit in PowerShell. Man, is it better: more functional and less code. I love it. This script goes out and searches my domain for user accounts that are old and stale. By old and stale I mean that they were created 90 or more days ago and have not been logged into in 90 days or more. If they meet those criteria, I go ahead and disable them, move the object to a disabled OU, and send out notifications about the account being disabled to the appropriate people so the action can be documented. That is only part one of the script.
Second, the script now looks at all the accounts that reside in the disabled OU and determines whether the account was created, and last logged on, more than 180 days ago. If the account meets those criteria, I gather a list of all the groups that user is a member of, remove the user from the groups, delete the account, and finally check whether they have a home directory folder. If they do, I move that folder and all its contents to another file share so that managers and other top-level employees can access that data. (I have another script that deletes that data after 30 days of inactivity.)
So let's get into it a bit. Before we go over any code, though, I want to talk about AD and replication. If you have more than one DC, you have an issue with getting accurate last logon timestamps. When a user logs in to the domain they can authenticate against any of the domain controllers, but AD does not replicate that property to all the other DCs you have. This is an issue for this script, since I want to make sure I do not disable or delete an account based on information from a DC that may not have the latest information. This means that we must query all DCs, look for the newest logon timestamp, and use that.
Also just a side note, this script does require having the Quest AD Management cmdlets installed and available. You can get them at http://www.quest.com/powershell/activeroles-server.aspx
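The newest-timestamp rule described above, as an added example that is not code from the original script: given one answer per DC, it refuses to decide if any DC did not answer, ignores DCs that never saw the user, and applies the 90-day test to the newest remaining value. The function names, the observation objects and the sample dates are constructed for illustration, and treating a never-used account as stale once it is old enough is an assumption.

```powershell
# Added example. In production each observation would come from asking one DC
# directly (for instance with the Quest cmdlets' -Service parameter).

function Get-NewestLogon {
    param([Parameter(Mandatory = $true)] [object[]] $Observations)
    # Fail closed: the newest logon may live on the DC that did not answer.
    $down = @($Observations | Where-Object { -not $_.Reachable })
    if ($down.Count -gt 0) {
        throw "No answer from: $(($down | ForEach-Object { $_.DC }) -join ', ')"
    }
    # A DC that never authenticated the user reports no value; skip those.
    $stamps = @($Observations | Where-Object { $null -ne $_.LastLogon } |
                ForEach-Object { [datetime] $_.LastLogon })
    if ($stamps.Count -eq 0) { return $null }    # never logged on anywhere
    return ($stamps | Sort-Object -Descending | Select-Object -First 1)
}

function Test-StaleAccount {
    param(
        [Parameter(Mandatory = $true)] [datetime] $Created,
        [Parameter(Mandatory = $true)] [object[]] $Observations,
        [int] $Days = 90,
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$Days)
    if ($Created -gt $cutoff) { return $false }  # account itself is too new
    $newest = Get-NewestLogon -Observations $Observations
    # Assumption: an old account that was never used counts as stale.
    return (($null -eq $newest) -or ($newest -le $cutoff))
}

# Constructed sample: dc1 holds an old logon, dc2 a recent one, dc3 none.
$now = [datetime] '2024-06-01'
$obs = @(
    [pscustomobject]@{ DC = 'dc1'; Reachable = $true; LastLogon = [datetime] '2024-01-10' }
    [pscustomobject]@{ DC = 'dc2'; Reachable = $true; LastLogon = [datetime] '2024-05-20' }
    [pscustomobject]@{ DC = 'dc3'; Reachable = $true; LastLogon = $null }
)

# Decision from dc1 alone versus the decision from all three DCs.
Test-StaleAccount -Created '2023-01-01' -Observations @($obs[0]) -Now $now
Test-StaleAccount -Created '2023-01-01' -Observations $obs -Now $now
```

With this sample, dc1's answer on its own marks the account stale, while the full set of answers does not, which is the mistake the all-DC query is there to prevent.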
So next post we dive into the beginning part of the script.