The Multifunctioning DBA

Sep 25 2009   4:57PM GMT

AD Audit in Powershell Script Part 4



Posted by: Colin Smith
Tags:
AD
AD Administration
AD Management
Powershell
Scripting

Now that we have all of the users' information in a CSV file, it is time to sort through that data and determine which objects need to be disabled and moved to the Disabled OU that I have set up, where all disabled accounts go to await deletion. Let's do that with the Disable_Accounts function. This is a pretty basic function, but I do a few different things here. First, we have a Holding OU that is available for our new account provisioning system, which creates accounts and places them in this OU in a disabled state. I look in this OU to see if an account has been there for 30 days or more, and if so I move the user object. I also scan for any accounts that are disabled but not in the Disabled or Holding OUs and move them. This keeps things clean in case a person disables an account and does not move it. Lastly, I disable and move all accounts that meet my criteria. I also log the accounts that I disable so that the paperwork can be done for these accounts.



    ##########################################################
    ## Function Disable_Accounts
    ## Find all accounts that need to be disabled
    ## Disable the account
    ## Move the account to the appropriate disabled OU
    ## Log the account that has been disabled and moved
    ##
    ## Every Quest cmdlet call carries -WhatIf, so it only
    ## reports what it would do; the log file is still written.
    ##########################################################
    function Disable_Accounts
    {
        foreach($company in $companies)
        {
            $listedusers = Import-Csv "c:\90-180\$company.csv"
            foreach($listeduser in $listedusers)
            {
                ## Import-Csv returns every field as a string
                $fname = $listeduser.Firstname
                $lname = $listeduser.LastName
                $dn = $listeduser.dn
                $dn = $dn.replace(":", ",")
                $enabled = $listeduser.enabled
                $logon = $listeduser.lastlogon
                $logonname = $listeduser.logonname
                $created = $listeduser.createddate

                ##########################################################
                ## Check for accounts in Holding OU that are still
                ## disabled and beyond the 30 day holding limit and
                ## move them to the disabled OU
                ##########################################################
                if(($enabled -eq "DISABLED") -and ($created -lt $holdingdate) -and ($dn -like "*holding*"))
                {
                    $logonname | Move-QADObject -NewParentContainer "pni.us.ad.gannett.com/$company/Users/Disabled" -WhatIf
                    echo "$fname $lname $logonname" >> "c:\90-180\$company.disabled.txt"
                }

                ##########################################################
                ## Find any accounts that are disabled and not in the
                ## Holding OU and move them to the disabled OU
                ## This cleans up any accounts that have been disabled
                ## by hand and not moved to the disabled OU.
                ## Accounts already in the Disabled OU are skipped.
                ##########################################################
                if(($enabled -eq "DISABLED") -and ($dn -notlike "*holding*") -and ($dn -notlike "*OU=Disabled*"))
                {
                    ## Double quotes so that $company is expanded in the path
                    $logonname | Move-QADObject -NewParentContainer "pni.us.ad.gannett.com/$company/Users/Disabled" -WhatIf
                    echo "$fname $lname $logonname" >> "c:\90-180\$company.disabled.txt"
                }

                ##########################################################
                ## Check for accounts not in holding OU that are beyond
                ## the 90 day limit for login and create date
                ## and disable them and move them to the disabled OU.
                ##########################################################
                if(($enabled -eq "ENABLED") -and ($logon -lt $disabledate) -and ($created -lt $disabledate) -and ($dn -notlike "*Holding*"))
                {
                    $logonname | Disable-QADUser -WhatIf
                    $logonname | Move-QADObject -NewParentContainer "pni.us.ad.gannett.com/$company/Users/Disabled" -WhatIf
                    echo "$fname $lname $logonname" >> "c:\90-180\$company.disabled.txt"
                }
            }
        }
    }
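The three rules above can be checked against sample rows before any cmdlet touches AD. The following is an added example, not part of the original script: Get-AccountAction, ConvertTo-DateOrNull, the ISO date format, the `OU=` matching and the sample rows are all assumptions made for illustration. It parses the CSV strings into dates before comparing them and treats a blank lastlogon as "never logged on".

```powershell
# Added example: rows, cutoff dates and function names are constructed for illustration.
$now         = [datetime]'2009-09-25'   # fixed "today" so the result is repeatable
$holdingdate = $now.AddDays(-30)        # Holding OU limit described in the post
$disabledate = $now.AddDays(-90)        # inactivity limit described in the post
$inv         = [Globalization.CultureInfo]::InvariantCulture

function ConvertTo-DateOrNull([string]$text) {
    # CSV fields are strings; parse them so -lt compares dates rather than text.
    $parsed = [datetime]::MinValue
    if ([datetime]::TryParse($text, $inv, [Globalization.DateTimeStyles]::None, [ref]$parsed)) {
        return $parsed
    }
    return $null                        # blank or unparsable value
}

function Get-AccountAction($row) {
    $dn      = $row.dn.Replace(':', ',')
    $created = ConvertTo-DateOrNull $row.createddate
    $logon   = ConvertTo-DateOrNull $row.lastlogon
    if ($null -eq $created) { return 'Review' }   # never act on a row that cannot be dated

    # Match the OU component, not any substring, so a user named "Holdings" is not misfiled.
    $inHolding  = $dn -like '*OU=Holding,*'
    $inDisabled = $dn -like '*OU=Disabled,*'

    if ($row.enabled -eq 'DISABLED') {
        if ($inDisabled) { return 'None' }        # already where it belongs
        if ($inHolding -and $created -ge $holdingdate) { return 'None' }  # still inside 30 days
        return 'Move'
    }
    # Enabled account: a blank lastlogon means it has never been used.
    $stale = ($null -eq $logon) -or ($logon -lt $disabledate)
    if (-not $inHolding -and $stale -and $created -lt $disabledate) { return 'DisableAndMove' }
    return 'None'
}

$rows = @'
logonname,enabled,createddate,lastlogon,dn
newhire1,DISABLED,2009-08-01,,CN=New Hire1:OU=Holding:OU=Users:OU=ExampleCo:DC=example:DC=test
newhire2,DISABLED,2009-09-20,,CN=New Hire2:OU=Holding:OU=Users:OU=ExampleCo:DC=example:DC=test
strayoff,DISABLED,2008-01-15,2009-01-02,CN=Stray Off:OU=Sales:OU=Users:OU=ExampleCo:DC=example:DC=test
parked,DISABLED,2008-01-15,2009-01-02,CN=Parked:OU=Disabled:OU=Users:OU=ExampleCo:DC=example:DC=test
stale,ENABLED,2008-03-01,2009-05-30,CN=Stale:OU=Sales:OU=Users:OU=ExampleCo:DC=example:DC=test
active,ENABLED,2008-03-01,2009-09-24,CN=Active:OU=Sales:OU=Users:OU=ExampleCo:DC=example:DC=test
'@ | ConvertFrom-Csv

$rows | Select-Object logonname, @{Name='action'; Expression={ Get-AccountAction $_ }}
```

Reviewing the resulting table alongside the -WhatIf output gives a second check on which accounts will be disabled or moved before the switch is removed.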

Nothing too complex here. Let me know if you have any questions about this function.
