The Multifunctioning DBA

Sep 27 2009   9:00AM GMT

AD Audit in Powershell Script Part 5

Colin Smith Colin Smith Profile: Colin Smith

Now that we have disabled and moved all the disabled accounts to the Disabled OU I am going to get all the user object information from just the disabled OU this time. I need this since objects have been moved around. This scan of AD does go much faster as I am only scanning the one OU. I have this is the Delete_Users function. I chose not to have the gathering disabled users as a function but you certainly could break that out if you like.
In this function I create a csv file for all the objects in the disabled OU and now I determine if they meet the criteria for delection. If they do then I have a few things that I want to do with them.
First I want to get a list of all the groups that the user is a member of so I can remove them from the groups before deleting the user object. This will prevent us from getting hashes of UID’s in groups. I hate that…
Then I remove the user object and make note that I did so, again so paperwork can be done for this action. Then I need to go check and see if they have a home directory. I go out and look and if they do I move it to another chunk of disk that managers have access to so they can look through the data in that folder for anything that they may need. Those folders are removed at regular intervals by another clean up script.



########################################################## ## Function Delete_Accounts ## Find all acounts that are in the disabled OU's and ## determine what accounts have not been loged in with ## in over 180 days and also were created over 180 days ## ago. Once the accounts have been identified capture ## Users login name so that we can remove all groups ## from that user as well as move the users Home Drive ## folder to anothe location to await deletion. ########################################################## function Delete_Accounts { foreach($company in $companies) { Echo "Delete accounts for $company" $listedusers = Import-Csv "c:\90-180\$company.disabledou.csv" Clear-Content "c:\90-18\$company.deleted.txt" foreach($listeduser in $listedusers) { $fname = $listeduser.Firstname $lname = $listeduser.LastName $dn = $listeduser.dn $dn = $dn.replace(":", ",") $enabled = $listeduser.enabled $logon = $listeduser.lastlogon $logonname = $listeduser.logonname $created = $listeduser.createddate ########################################################## ## Check for accounts that have not been used and were ## created more than 180 days ago. If found then remove ## all groups, remove from domain, log removal from ## domain and move H: Drive to holding area. ########################################################## if(($created -lt $deletedate) -and ($logon -lt $deletedate)) { ########################################################## ## Gather all groups that the user is a member of ## and loop thru all groups to remove the user. ########################################################## if(Test-Path "c:\90-180\$logonname.groups.txt") { $groups = Get-Content "c:\90-180\$logonname.groups.txt" foreach($group in $groups) { Remove-QADGroupMember -Identity $group -Member $logonname -whatif } #rm "c:\90-180\$logonname.groups.txt" } ########################################################## ## Remove the User Object and log the removal ########################################################## Remove-QADObject $logonname -whatif echo "$fname $lname $logonname" >> "c:\90-180\$company.deleted.txt" ########################################################## ## Check to see if the user has an H: Drive ## If the folder exists then move it to the K: Drive ## to hold until the time limit to delete the folder ########################################################## if(Test-Path "\\servername\users$\$logonname") { move-item -literalPath "\\servername\users$\$logonname" -destination "\\servername\data\common\_term\$logonname" -whatIf Echo "Moved \\servername\users$\$logonname to \\servername\data\common\_term\$logonname" >> "c:\90-180\homedirs.txt" } else { Echo "NO H Drive found for $logonname" >> "c:\90-180\homedirs.txt" } } } } }

Well that does it for taking action on the AD Objects. Now I just need to send out the notifications of the actions that the script took. That will be next time. Let me know if you have any questions about this function.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: