我整理了这个脚本来清理不活动的帐户：禁用帐户，将其移动到另一个 OU，记录这些操作，最后将报告通过电子邮件发送到服务台。
对此有何改进?
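# Dry-run (-WhatIf) sweep of inactive AD user accounts under $SearchBase:
# disable, tag the description, move to the holding OU, and append one line
# per action (or per failure) to a dated log file.
# Requires the ActiveDirectory module and write rights on $SearchBase and $moveToOU.
# HH is the 24-hour clock; the original hh would make a 10:00 and a 22:00 run
# share the same log file name.
$LogDate = Get-Date -f yyyyMMddHHmm
$SearchBase = "OU=Users,DC=domain,DC=com"
$moveToOU = "OU=Inactive Accounts,OU=Disabled,DC=domain,DC=com"
# Not used below; presumably intended to collect rows for the e-mailed report.
$LogArray = @()
# Inactivity threshold (despite the name, it is not about password age).
# NOTE(review): lastLogonDate comes from the replicated lastLogonTimestamp,
# which can lag the real last logon by up to msDS-LogonTimeSyncInterval
# (14 days by default) — keep the threshold comfortably above that lag.
$PasswordAge = (Get-Date).AddDays(-29)
$log = "C:\temp\logdisable_$LogDate.log"
# Candidates: enabled accounts that never logged on or not since the threshold,
# AND were created before the threshold, so freshly provisioned accounts survive.
# TODO(review): confirm whether service/privileged accounts under $SearchBase
# should be excluded before this runs without -WhatIf.
$DisabledUsers = Get-ADUser -SearchBase $SearchBase -Properties samaccountname, name, distinguishedname -Filter {((lastlogondate -notlike "*") -or (lastlogondate -le $PasswordAge)) -and (enabled -eq $True) -and (whencreated -le $PasswordAge)}
# $null on the left: with $null on the right, "-ne" applied to an array filters
# the array instead of testing it, and an empty array still counts as "set".
if ($null -ne $DisabledUsers) {
  foreach ($DisabledUser in $DisabledUsers) {
    # Work from the DN: Disable-ADAccount/Set-ADUser accept the user object or
    # samAccountName, but Move-ADObject only accepts a DN or GUID, so the
    # original Move-ADObject call would fail for every user.
    $dn = $DisabledUser.DistinguishedName
    $sam = $DisabledUser.SamAccountName
    try {
      # -WhatIf keeps this a dry run: the log lines below record the intended
      # action, not a confirmed one. Drop -WhatIf on all three cmdlets to go live.
      Disable-ADAccount -Identity $dn -ErrorAction Stop -PassThru -Verbose -WhatIf
      "$LogDate : $sam AD account Disabled " | Out-File $log -Append
      Set-ADUser -Identity $dn -Replace @{description = "InactiveUserAccount"} -ErrorAction Stop -PassThru -WhatIf
      "$LogDate : $sam Description Set as Inactive " | Out-File $log -Append
      # -ErrorAction Stop so a failed move is caught below instead of being a
      # non-terminating error that leaves the account disabled but unmoved and unlogged.
      Move-ADObject -Identity $dn -TargetPath $moveToOU -ErrorAction Stop -WhatIf
      "$LogDate : $sam Moved to $moveToOU " | Out-File $log -Append
    } catch {
      # $_ is the current error record. The original "$error[0]" expanded the
      # whole $error collection followed by a literal "[0]", and $id was never defined.
      "$LogDate : $sam ERROR $_" | Out-File $log -Append
    }
  }
}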