public/Get-InactiveUsers.ps1
|
function Get-InactiveUsers { <# .SYNOPSIS This function gets users in the domain that have been inactivate (not logged on) for $DaysInactive Optionally specify the $Disable to disable the account and move them to the _DISABLED OU .NOTES Name: Get-InactivateUsers Author: Elliott Marter .EXAMPLE Get-InactivateUsers -DaysInactive 90 -DisableAccount .LINK https://www.powershellgallery.com/profiles/elliottmarter #> [cmdletbinding(SupportsShouldProcess=$True)] Param( [Parameter(Mandatory)] [int] $DaysInactive, [switch] $DisableAccount ) $Date = (Get-Date -UFormat %Y-%m-%d) Start-Transcript -OutputDirectory "C:\elm_adtools_logs\$Date" $domain = (Get-ADDomain).DistinguishedName $oucheckname = "_DISABLED" $oucheck = [adsi]::Exists("LDAP://OU=$oucheckname,$domain") if ($oucheck -eq $false) { New-ADOrganizationalUnit -Name _DISABLED } $DisabledOU = (Get-ADOrganizationalUnit -Filter 'Name -eq "_DISABLED"').DistinguishedName $Users = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan "$DaysInactive.00:00:00" | Where-Object { ($_.Enabled -eq $true) -and ($_.lastlogondate -ne $null) -and ($_.name -notlike "*admin*")} $Users | Sort-Object LastLogonDate | Select-Object Name,LastLogonDate if ($DisableAccount) { foreach ($U in $Users) { $Description = (get-aduser -Identity $U.SamAccountName -Properties description).description $Note = " (Disabled: $(get-date -UFormat %d/%m/%y))" $NewDescription = $Description + $Note Set-ADUser -Identity $U.DistinguishedName -Description $NewDescription -Enabled $false Move-ADObject -Identity $U.DistinguishedName -TargetPath $DisabledOU Write-Verbose "Successfully disabled $($Item.Name)" } } } |