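I'm trying to (initially) query ADUsers in a specific OU; identify those that have been inactive for 90 days; document their group memberships; make a note in the Description field that the account is disabled as of x-date; disable the identified accounts; and move the disabled accounts to a "Parking" OU.
I've made notes in the Gist as well, but would appreciate any help getting the group membership piece working.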
https://gist.github.com/rsmith7712/fdfe025d989508102044fdbbf5d3b9a8
Answer 0 (score: 0)
I haven't tested this, but it might be one way to approach the problem
# http://stackoverflow.com/questions/37577369/inactive-aduser-query-and-adgroup-manipulation-encountering-issues
# Import Modules Needed
Import-Module ActiveDirectory
# Output results to CSV file
$LogFile = "C:\ZombieAcct_90dayRpt_n_Move.csv"
# Today's Date
$today = get-date -uformat "%Y/%m/%d"
# Date to search by
$xDays = (get-date).AddDays(-90)
# Expiration date
$expire = (get-date).AddDays(-1)
# Date disabled description variable
$userDesc = "Disabled Inactive" + " - " + $today
# Sets the OU to do the base search for all user accounts, change as required
$SearchBase = "OU=DEFINE,OU=DEFINE,OU=DEFINE,DC=DEFINE,DC=com"
# Sets the OU where accounts will be MOVED TO, change as required
$ParkingOU = "OU=30Days, OU=Disabled Accounts, OU=Domain Services, DC=DEFINE, DC=com"
# Pull all inactive users older than 90-days from a specified OU
$Users = Get-ADUser -SearchBase $SearchBase -Properties memberof, LastLogonDate, PasswordLastSet, PasswordNeverExpires, WhenCreated, DisplayName -Filter {
    (LastLogonDate -notlike '*' -OR LastLogonDate -le $xDays)
    -AND (PasswordLastSet -le $xDays)
    -AND (Enabled -eq $True)
    -AND (PasswordNeverExpires -eq $false)
    -AND (WhenCreated -le $xDays)
} | ForEach-Object {
    Set-ADUser $_ -AccountExpirationDate $expire -Description $userdesc -WhatIf
    Move-ADObject $_ -TargetPath $ParkingOU -WhatIf
    $_ | select DisplayName, Name, SAMaccountName, PasswordExpired, PasswordNeverExpires, WhenCreated, PasswordLastSet, LastLogonDate, @{n='Groups';e={(($_.memberof | Get-ADGroup).Name) -join '; '}}
}
$Users | Export-Csv $LogFile -NoTypeInformation
start $LogFile
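Answer 1 (score: 0)
@AnthonyStringer - Took your script and adjusted it for the environment. This is the (near) final script; thank you for your help.
Issue remaining: - Collecting ADUser group memberships still applies to everyone in the specified $SearchBase OU, rather than being able to query only those ADUser accounts that meet the $xDays variable.
Dev will continue in the Gist, but closing this question. https://gist.github.com/rsmith7712/fdfe025d989508102044fdbbf5d3b9a8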
# Inactive_ADUserRpt_n_Move_v3.ps1
#
# Git- rsmith7712, 2016-05-20
#
# Contributors:
# @EricRocconi, @AnthonyStringer,
#
# Purpose of Script:
# 1. Query ADUsers in a specific OU and identify those that have been inactive for 90-days or more
# 2. Document their Group Memberships
# 3. Make a note in the user's Description field that the 'Account Disabled as of yyyy/mm/dd'
# 4. Disable user's account
# 5. Move the disabled user's account to a 'Parking' OU
#
# #############################################
#
# Current Issues:
# 1. Unable to add in the functionality of querying and adding the results of Get-ADGroup and MemberOf to the original query
#
# --> Need to add ability to constrain query to $xDays variable (IF unable to include results in Inactive Users query)
#
# #############################################
#
# Import Modules Needed
Import-Module ActiveDirectory
# Output results to CSV file
$LogFile = "C:\Inactive_ADUserRpt_n_Move_v3_USERS.csv"
# Today's Date
$today = get-date -uformat "%Y/%m/%d"
# Date to search by
#$xDays = (get-date).AddDays(-90)
#$xDays = (get-date).AddDays(-120)
$xDays = (get-date).AddDays(-365)
# Expiration date
$expire = (get-date).AddDays(-1)
# Sets the OU to do the base search for all user accounts, change as required
#$SearchBase = "OU=MIT, OU=Service Accounts, OU=Domain Services, DC=Domain, DC=com"
$SearchBase = "OU=Laptop, OU=IS, OU=Corporate Computers, DC=Domain, DC=com"
# Date disabled description variable (built after $SearchBase is set so the source OU is included)
$userDesc = "Disabled Inactive" + " - " + $today + " - " + "Moved From OU" + " - " + $SearchBase
# Sets the OU where accounts will be MOVED TO, change as required
$ParkingOU = "OU=30Days, OU=Disabled Accounts, OU=Domain Services, DC=Domain, DC=com"
# Document Group Memberships and export to CSV
# -- This will generate a CSV for ALL users in OU regardless of account status
# --> Need to add ability to constrain query to $xDays variable
Get-ADUser -SearchBase $SearchBase -Filter * -Properties DisplayName, MemberOf | % {
    New-Object PSObject -Property @{
        UserName = $_.DisplayName
        Groups = ($_.MemberOf | Get-ADGroup | Select -ExpandProperty Name) -join ","
    }
} | Select UserName, Groups | Export-Csv C:\ADUser_GroupMembership_Rpt.csv -NTI
# Pull all inactive users older than 90-days from a specified OU
$Users = Get-ADUser -SearchBase $SearchBase -Properties memberof, PasswordNeverExpires, WhenCreated, PasswordLastSet, LastLogonDate -Filter {
    (LastLogonDate -notlike '*' -OR LastLogonDate -le $xDays)
    -AND (PasswordLastSet -le $xDays)
    -AND (Enabled -eq $True)
    -AND (PasswordNeverExpires -eq $false)
    -AND (WhenCreated -le $xDays)
} | ForEach-Object {
    Set-ADUser $_ -AccountExpirationDate $expire -Description $userdesc -WhatIf
    Move-ADObject $_ -TargetPath $ParkingOU -WhatIf
    $_ | select Name, SamAccountName, PasswordExpired, PasswordNeverExpires, WhenCreated, PasswordLastSet, LastLogonDate, @{n='Groups';e={(($_.memberof | Get-ADGroup).Name) -join '; '}}
}
$Users | Where-Object {$_} | Export-Csv $LogFile -NoTypeInformation
#start $LogFile
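
One way to address the remaining issue (the group-membership report covering every account in the OU), as an added example that is not part of either answer's script: apply the inactivity test once and build the group report only from the accounts that pass it. `Select-InactiveUser` is a hypothetical helper, and the sample accounts and the `example.com` DNs are constructed so the block runs without a domain controller.

```powershell
function Select-InactiveUser {
    param(
        [Parameter(ValueFromPipeline = $true)] $User,
        [Parameter(Mandatory = $true)] [datetime] $Cutoff
    )
    process {
        # Same conditions as the -Filter in the scripts above;
        # a null LastLogonDate means the account has never logged on.
        $stale = ($null -eq $User.LastLogonDate) -or ($User.LastLogonDate -le $Cutoff)
        if ($stale -and $User.Enabled -and -not $User.PasswordNeverExpires -and
            $User.PasswordLastSet -le $Cutoff -and $User.WhenCreated -le $Cutoff) {
            # Group name = leading CN of each MemberOf DN (escaped commas handled),
            # so no Get-ADGroup round trip is made per group.
            $groups = foreach ($dn in $User.MemberOf) {
                if ($dn -match '^CN=((?:\\.|[^,])+)') { $Matches[1] -replace '\\(.)', '$1' }
            }
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                LastLogonDate  = $User.LastLogonDate
                Groups         = $groups -join '; '
            }
        }
    }
}

$cutoff = (Get-Date).AddDays(-90)
$old    = (Get-Date).AddDays(-400)

# Constructed sample objects standing in for the output of:
#   Get-ADUser -SearchBase $SearchBase -Filter * -Properties MemberOf,
#     LastLogonDate, PasswordLastSet, PasswordNeverExpires, WhenCreated
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe'; Enabled = $true; PasswordNeverExpires = $false
        LastLogonDate = (Get-Date).AddDays(-200); PasswordLastSet = $old; WhenCreated = $old
        MemberOf = @('CN=VPN Users,OU=Groups,DC=example,DC=com',
                     'CN=Smith\, Team,OU=Groups,DC=example,DC=com') }
    [pscustomobject]@{ SamAccountName = 'never.used'; Enabled = $true; PasswordNeverExpires = $false
        LastLogonDate = $null; PasswordLastSet = $old; WhenCreated = $old
        MemberOf = @('CN=Contractors,OU=Groups,DC=example,DC=com') }
    [pscustomobject]@{ SamAccountName = 'active.user'; Enabled = $true; PasswordNeverExpires = $false
        LastLogonDate = (Get-Date).AddDays(-2); PasswordLastSet = $old; WhenCreated = $old
        MemberOf = @('CN=VPN Users,OU=Groups,DC=example,DC=com') }
)

# Only jdoe and never.used are reported; active.user is skipped.
$report = $sample | Select-InactiveUser -Cutoff $cutoff
$report | Format-Table -AutoSize
```

`LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which can lag the real last logon by up to about 14 days, so keep the `-WhatIf` switches and review the report before acting on accounts that sit close to the cutoff.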