nlks

Reputation: 69

Migrate from Get-QADUser to Get-ADUser

I have set up my script to disable inactive users on my Win 2003 AD server using Quest's AD tool Get-QADUser, and now I am going to migrate AD to Win 2008 R2. Since there is an Active Directory module and Quest's tool is no longer free to download (is that right?), I am going to migrate to Get-ADUser.

I am converting from:

```powershell
Foreach ($ou in $searchBase) {
    #$inactUsr += @(Get-QADUser -SearchRoot $ou -Enabled -PasswordNeverExpires:$false -NotLoggedOnFor $inactiveDays -CreatedBefore $creationCutoff -SizeLimit $sizeLimit | Select-Object Name,SamAccountName,LastLogonTimeStamp,Description,passwordneverexpires,canonicalName | Sort-Object Name)
}
```

to:

```powershell
# Get-ADUser takes -SearchBase (Get-QADUser's -SearchRoot does not exist here)
$inactUsr += @(Get-ADUser -SearchBase $ou -Filter 'enabled -eq $true -and PasswordNeverExpires -eq $False' -Properties Name,SamAccountName,LastLogonTimeStamp,Description,passwordneverexpires,canonicalName | Select Name,SamAccountName,@{N='LastLogonTimeStamp'; E={[DateTime]::FromFileTime($_.LastLogonTimeStamp)}},Description,passwordneverexpires,canonicalName | Sort Name)
```

I am almost there; only -NotLoggedOnFor (which selects users that have not logged on for a certain number of days) and -CreatedBefore (which gives a grace period for newly created IDs) are left. I want to select IDs that have not logged on for 30 days and DO NOT want IDs created less than 30 days ago.

I would appreciate it if anyone can let me know whether there is a built-in property or any manual method to achieve that.


Edited: I have solved the CreatedBefore part with:

```powershell
$inactUsrdraft += @(Get-ADUser -SearchBase $ou -Filter 'enabled -eq $true -and PasswordNeverExpires -eq $False -and whenCreated -le $CreationCutOff' -Properties Name,SamAccountName,LastLogonTimeStamp,Description,passwordneverexpires,canonicalName | Select Name,SamAccountName,@{N='LastLogonTimeStamp'; E={[DateTime]::FromFileTime($_.LastLogonTimeStamp)}},Description,passwordneverexpires,canonicalName | Sort Name)
```

:)

Now I only need to filter IDs that have not logged on for more than 30 days. Any help is appreciated.

Upvotes: 0

Views: 1441

Answers (1)

Bacon Bits

Reputation: 32170

How about:

```powershell
$LastLogonCutoff = (Get-Date).Date.AddDays(-30)
```

That's midnight 30 days ago. If you want it to the second, use (Get-Date).AddDays(-30).

Followed by changing the -Filter to include:

`-and (LastLogonTimeStamp -lt $LastLogonCutoff)`

Also beware that the LastLogonTimeStamp property is not very accurate. Laptop logins off-network that use saved credentials won't trigger, I believe. If you don't have "Wait for network" enabled, clients might never actually update this value, IIRC.

Upvotes: 1
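
The pieces from the question and the answer combined into one report-only query, as an added example that is not part of the original posts. The OU path and the day counts are placeholders, and including accounts that have never logged on (no LastLogonTimeStamp value at all) is an assumption that goes beyond the answer; a plain `-lt` comparison skips those accounts, and `FromFileTime` on an empty value would otherwise show a date in 1601.

```powershell
# Added example; needs the ActiveDirectory module (Win 2008 R2 / RSAT).
Import-Module ActiveDirectory

# Placeholder values; the original script defines its own.
$searchBase   = @('OU=Staff,DC=example,DC=com')
$inactiveDays = 30   # no logon for this many days
$graceDays    = 30   # ignore accounts younger than this

$LastLogonCutoff = (Get-Date).Date.AddDays(-$inactiveDays)
$CreationCutOff  = (Get-Date).Date.AddDays(-$graceDays)

# Single quotes: the AD module resolves the variables itself, so the
# DateTime values are not flattened into locale-dependent strings.
# '-notlike "*"' matches accounts where the attribute was never set.
$filter = 'Enabled -eq $true -and PasswordNeverExpires -eq $false ' +
          '-and whenCreated -le $CreationCutOff ' +
          '-and (LastLogonTimeStamp -lt $LastLogonCutoff ' +
          '-or LastLogonTimeStamp -notlike "*")'

$props = 'LastLogonTimeStamp','whenCreated','Description',
         'PasswordNeverExpires','CanonicalName'

$inactUsr = foreach ($ou in $searchBase) {
    Get-ADUser -SearchBase $ou -Filter $filter -Properties $props |
        Select-Object Name, SamAccountName,
            @{N='LastLogonTimeStamp'; E={
                if ($_.LastLogonTimeStamp) {
                    [DateTime]::FromFileTime($_.LastLogonTimeStamp)
                } else {
                    'never'   # attribute absent: account never logged on
                }
            }},
            whenCreated, Description, PasswordNeverExpires, CanonicalName
}

# Review the list before feeding it to anything that disables accounts.
$inactUsr | Sort-Object Name | Format-Table -AutoSize
```

With default domain settings LastLogonTimeStamp can lag the real last logon by up to about 14 days, so a threshold close to that value will flag accounts that are still in use.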
