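Inactive ADUser query and ADGroup manipulation encountering issues

Time: 2016-06-01 19:36:10

Tags: powershell

I'm attempting to (initially) query ADUsers in a specific OU; identify those that have been inactive for 90 days; document their group memberships; make a note in the Description field that the account is disabled as of x-date; disable the identified accounts; and move the disabled accounts to a "Parking" OU.

I have made notes in the Gist as well, but would appreciate any help getting the group membership part working.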

https://gist.github.com/rsmith7712/fdfe025d989508102044fdbbf5d3b9a8

2 answers:

Answer 0 (score: 0)

I haven't tested this, but it may be one way to solve the problem.

# http://stackoverflow.com/questions/37577369/inactive-aduser-query-and-adgroup-manipulation-encountering-issues

# Import Modules Needed
Import-Module ActiveDirectory

# Output results to CSV file
$LogFile = "C:\ZombieAcct_90dayRpt_n_Move.csv"

# Today's Date
$today = get-date -uformat "%Y/%m/%d"

# Date to search by
$xDays = (get-date).AddDays(-90)

# Expiration date
$expire = (get-date).AddDays(-1)

# Date disabled description variable
$userDesc = "Disabled Inactive" + " - " + $today

# Sets the OU to do the base search for all user accounts, change as required
$SearchBase = "OU=DEFINE,OU=DEFINE,OU=DEFINE,DC=DEFINE,DC=com"

# Sets the OU where accounts will be MOVED TO, change as required
$ParkingOU = "OU=30Days, OU=Disabled Accounts, OU=Domain Services, DC=DEFINE, DC=com"

# Pull all inactive users older than 90-days from a specified OU
$Users = Get-ADUser -SearchBase $SearchBase -Properties memberof, LastLogonDate, PasswordLastSet, PasswordNeverExpires, WhenCreated, DisplayName -Filter {
    (LastLogonDate -notlike '*' -OR LastLogonDate -le $xDays) 
    -AND (PasswordLastSet -le $xDays) 
    -AND (Enabled -eq $True)
    -AND (PasswordNeverExpires -eq $false) 
    -AND (WhenCreated -le $xDays)
} | ForEach-Object {
    Set-ADUser $_ -AccountExpirationDate $expire -Description $userdesc -WhatIf
    Move-ADObject $_ -TargetPath $ParkingOU -WhatIf
    $_ | select DisplayName, Name, SAMaccountName, PasswordExpired, PasswordNeverExpires, WhenCreated, PasswordLastSet, LastLogonDate, @{n='Groups';e={(($_.memberof | Get-ADGroup).Name) -join '; '}}
}

$Users | Export-Csv $LogFile -NoTypeInformation

start $LogFile

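Answer 1 (score: 0)

@AnthonyStringer - Took your script and tweaked it for the environment. Here is the (near) final script; thank you for your help.

Issue still remaining: collecting ADUser group memberships still applies to everyone in the specified $SearchBase OU, rather than being able to query only those ADUser accounts that meet the $xDays variable.

Dev will continue in the Gist, but closing this question. https://gist.github.com/rsmith7712/fdfe025d989508102044fdbbf5d3b9a8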

# Inactive_ADUserRpt_n_Move_v3.ps1
#
# Git- rsmith7712, 2016-05-20
# 
# Contributors:
# @EricRocconi, @AnthonyStringer, 
# 
# Purpose of Script:
# 1. Query ADUsers in a specific OU and identify those that have been inactive for 90-days or more 
# 2. Document their Group Memberships 
# 3. Make a note in the user's Description field that the 'Account Disabled as of yyyy/mm/dd' 
# 4. Disable user's account 
# 5. Move the disabled user's account to a 'Parking' OU 
# 
# ############################################# 
# 
# Current Issues:
# 1. Unable to add in the functionality of querying and adding the results of Get-ADGroup and MemberOf to the original query 
#
# --> Need to add ability to constrain query to $xDays variable (IF unable to include results in Inactive Users query)
# 
# ############################################# 
# 


# Import Modules Needed
Import-Module ActiveDirectory

# Output results to CSV file
$LogFile = "C:\Inactive_ADUserRpt_n_Move_v3_USERS.csv"

# Today's Date
$today = get-date -uformat "%Y/%m/%d"

# Date to search by
#$xDays = (get-date).AddDays(-90)
#$xDays = (get-date).AddDays(-120)
$xDays = (get-date).AddDays(-365)

# Expiration date
$expire = (get-date).AddDays(-1)

# Sets the OU to do the base search for all user accounts, change as required
#$SearchBase = "OU=MIT, OU=Service Accounts, OU=Domain Services, DC=Domain, DC=com"
$SearchBase = "OU=Laptop, OU=IS, OU=Corporate Computers, DC=Domain, DC=com"

# Date disabled description variable (defined after $SearchBase, which it uses)
$userDesc = "Disabled Inactive" + " - " + $today + " - " + "Moved From OU" + " - " + $SearchBase


# Sets the OU where accounts will be MOVED TO, change as required
$ParkingOU = "OU=30Days, OU=Disabled Accounts, OU=Domain Services, DC=Domain, DC=com"


# Document Group Memberships and export to CSV 
# -- This will generate a CSV for ALL users in OU regardless of account status
# --> Need to add ability to constrain query to $xDays variable

Get-ADUser -SearchBase $SearchBase -Filter * -Properties DisplayName, MemberOf | % {
  New-Object PSObject -Property @{
    UserName = $_.DisplayName
    Groups = ($_.MemberOf | Get-ADGroup | Select -ExpandProperty Name) -join ","
    }
} | Select UserName, Groups | Export-Csv C:\ADUser_GroupMembership_Rpt.csv -NTI


# Pull all inactive users older than 90-days from a specified OU
$Users = Get-ADUser -SearchBase $SearchBase -Properties memberof, PasswordNeverExpires, WhenCreated, PasswordLastSet, LastLogonDate -Filter {
    (LastLogonDate -notlike '*' -OR LastLogonDate -le $xDays)
    -AND (PasswordLastSet -le $xDays)
    -AND (Enabled -eq $True)
    -AND (PasswordNeverExpires -eq $false)
    -AND (WhenCreated -le $xDays)
} |  ForEach-Object {
    Set-ADUser $_ -AccountExpirationDate $expire -Description $userdesc -WhatIf
    Move-ADObject $_ -TargetPath $ParkingOU -WhatIf
    $_ | select Name, SamAccountName, PasswordExpired, PasswordNeverExpires, WhenCreated, PasswordLastSet, LastLogonDate, @{n='Groups';e={(($_.memberof | Get-ADGroup).Name) -join '; '}}
}

$Users | Where-Object {$_} | Export-Csv $LogFile -NoTypeInformation

#start $LogFile
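
One way to close the remaining issue described in the second answer (the group report covering every user in the OU), as an added example that is not part of either original post: query the inactive accounts once, then build the group-membership report and run the disable and move steps from that same result set. The names `$cutoff`, `$query`, `$inactive` and `$report`, the output path, the client-side date filtering and the use of `-Enabled $false` are assumptions made here; the OU values are the `DEFINE` placeholders from the page.

```powershell
Import-Module ActiveDirectory

$LogFile    = "C:\Inactive_ADUserRpt.csv"   # hypothetical output path
$SearchBase = "OU=DEFINE,OU=DEFINE,OU=DEFINE,DC=DEFINE,DC=com"
$ParkingOU  = "OU=30Days,OU=Disabled Accounts,OU=Domain Services,DC=DEFINE,DC=com"
$today      = Get-Date -UFormat "%Y/%m/%d"
$cutoff     = (Get-Date).AddDays(-90)

# 1. Query once: account flags are filtered on the server, dates on the client.
#    LastLogonDate is the replicated lastLogonTimestamp, which can lag real
#    logons by up to about two weeks, so keep the cutoff well above that.
$query = @{
    SearchBase = $SearchBase
    Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
    Properties = 'DisplayName', 'MemberOf', 'LastLogonDate', 'PasswordLastSet', 'WhenCreated'
}
$inactive = @(Get-ADUser @query | Where-Object {
    (-not $_.LastLogonDate -or $_.LastLogonDate -le $cutoff) -and
    $_.PasswordLastSet -le $cutoff -and
    $_.WhenCreated -le $cutoff
})

# 2. Record group memberships for exactly those accounts, before anything changes.
$report = foreach ($u in $inactive) {
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        DisplayName       = $u.DisplayName
        LastLogonDate     = $u.LastLogonDate
        PasswordLastSet   = $u.PasswordLastSet
        DistinguishedName = $u.DistinguishedName
        # Parent container: split on the first comma that is not escaped as "\,"
        SourceOU          = ($u.DistinguishedName -split '(?<!\\),', 2)[1]
        # MemberOf does not list the primary group (normally Domain Users)
        Groups            = ($u.MemberOf | Get-ADGroup | Select-Object -ExpandProperty Name) -join '; '
    }
}
$report | Export-Csv $LogFile -NoTypeInformation

# 3. Act on the same set. Remove -WhatIf only after reviewing the CSV.
#    The scripts on the page set -AccountExpirationDate; -Enabled $false is used
#    here on the assumption that the stated goal is a disabled account.
foreach ($row in $report) {
    $desc = "Disabled Inactive - $today - Moved From OU - $($row.SourceOU)"
    Set-ADUser    -Identity $row.DistinguishedName -Enabled $false -Description $desc -WhatIf
    Move-ADObject -Identity $row.DistinguishedName -TargetPath $ParkingOU -WhatIf
}
```

Because the CSV carries each account's original OU and group list, it doubles as the rollback record if an account has to be restored.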