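<#
.SYNOPSIS
    Reports enabled Active Directory user accounts that look stale or have non-expiring passwords.

.DESCRIPTION
    Queries Active Directory once for enabled user objects, splits them by employeeType
    ("user", "service", or unset) and writes one CSV per set listing the accounts whose
    LastLogonDate is older than $OverThisManyDays. A fourth CSV lists every enabled "user"
    whose password is set to never expire.

    Disabling (and optionally moving) the stale accounts is opt-in via $DisableStaleAccounts
    and runs as a -WhatIf dry run until $DryRun is set to $false.

Requirements:
    Active Directory module or run from DC
#>
#Requires -Modules ActiveDirectory

#User Variables:
$OutputFileLocation = "."         # directory that receives the CSV reports
[INT]$OverThisManyDays = 90       # no logon within this many days == "stale"
$TargetOU = ""                    # must be the OU's distinguished name; empty = do not move disabled accounts
$DisableStaleAccounts = $false    # opt-in: $true disables the accounts found in the "-not-logged-in" reports
$DryRun = $true                   # while $true, Disable/Move only report what they would do (-WhatIf)

#Script Variables:
$OldDate = (Get-Date).AddDays(-$OverThisManyDays)

Try {
    # One directory query instead of four; every report below is derived from this set.
    # -ErrorAction Stop turns AD cmdlet failures into terminating errors so the Catch
    # below sees them instead of the script silently writing empty reports.
    $EnabledAccounts = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties employeeType, LastLogonDate, PasswordNeverExpires -ErrorAction Stop

    # Types of objects to review
    $EnabledUsers           = $EnabledAccounts | Where-Object { $_.employeeType -eq 'user' }
    $EnabledServiceAccounts = $EnabledAccounts | Where-Object { $_.employeeType -eq 'service' }
    $EnabledNoType          = $EnabledAccounts | Where-Object { $null -eq $_.employeeType }
    $UsersPasswordNoExpire  = $EnabledUsers    | Where-Object { $_.PasswordNeverExpires -eq $true }
    # To clear the flag on those accounts (deliberately not run by this script):
    #   $UsersPasswordNoExpire | Set-ADUser -PasswordNeverExpires:$false

    # Each report names its output file, its source set and whether the stale-logon filter
    # applies. The "users-not-expired" report lists every matching account: it is about the
    # password flag, not about logon age, and its source set previously had LastLogonDate
    # projected away so the date filter had nothing to compare against.
    $Reports = @(
        @{ Name = 'users-not-logged-in.csv';    Objects = $EnabledUsers;           StaleOnly = $true  }
        @{ Name = 'services-not-logged-in.csv'; Objects = $EnabledServiceAccounts; StaleOnly = $true  }
        @{ Name = 'notype-not-logged-in.csv';   Objects = $EnabledNoType;          StaleOnly = $true  }
        @{ Name = 'users-not-expired.csv';      Objects = $UsersPasswordNoExpire;  StaleOnly = $false }
    )

    foreach ($report in $Reports) {
        $path = Join-Path -Path $OutputFileLocation -ChildPath $report.Name
        $rows = $report.Objects
        if ($report.StaleOnly) {
            # NOTE(review): accounts with no LastLogonDate at all (never logged on) compare
            # as older than $OldDate and are therefore included as stale - confirm this is wanted.
            $rows = $rows | Where-Object { $_.LastLogonDate -lt $OldDate }
        }
        $rows |
            Select-Object Name, DistinguishedName, LastLogonDate |
            Sort-Object LastLogonDate |
            Export-Csv -Path $path -Force -NoTypeInformation
        Write-Host "CSV file generated - $path" -ForegroundColor Green

        # Be real careful here: this only runs when $DisableStaleAccounts is $true, and only
        # for the stale-logon reports. Leave $DryRun at $true for a first pass and review the
        # -WhatIf output before letting it change the directory.
        if ($DisableStaleAccounts -and $report.StaleOnly) {
            foreach ($account in $rows) {
                Write-Host "$($account.SamAccountName) is being disabled" -ForegroundColor Yellow
                Disable-ADAccount -Identity $account.DistinguishedName -WhatIf:$DryRun
                if ($TargetOU) {
                    Move-ADObject -Identity $account.DistinguishedName -TargetPath $TargetOU -WhatIf:$DryRun
                }
                Write-Host "$($account.SamAccountName) is disabled" -ForegroundColor Green
            }
        }
        ##Stop being careful here:
    }
}
Catch {
    # Surface the real error (the original message hid it) and fail the run so a scheduler notices.
    Write-Host "Error: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}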