Disabling Users - Active Directory - Logging

Hi All,

I've written the following script to disable accounts that haven't logged on in X number of days. It works a treat, but I'm just adding some log output for when we have auditors / queries and I'm struggling to add the date on which each account is disabled.

Can anyone help:

Code:
Import-Module ActiveDirectory

function Get-ADUsersLastLogon()
{
  # Accounts with no logon since this cutoff date are disabled
  $cutoffDate = (Get-Date).AddDays(-435)
  $logDate = Get-Date -F dd-MM-yyyy
  $logPath = "c:\DisabledUsers.csv"
  $searchbase = "DC=company,DC=com"
  $DisabledOU = "OU=Disabled Objects,DC=mystagecoach,DC=com"
  $logArray = @()

  $dcs = Get-ADDomainController -Filter {Name -like "*"}
  $users = Get-ADUser -searchbase $SearchBase -Filter {((lastlogondate -le $cutoffDate) -AND (enabled -eq $True))}

  foreach($user in $users)
  {
    # lastLogon is not replicated, so keep the newest value found on any DC
    $time = 0
    foreach($dc in $dcs)
    {
      $hostname = $dc.HostName
      $currentUser = Get-ADUser $user.SamAccountName | Get-ADObject -Server $hostname -Properties lastLogon

      if($currentUser.LastLogon -gt $time)
      {
        $time = $currentUser.LastLogon
      }
    }

    # Skip the account if any DC has seen a logon more recent than the cutoff
    if(($time -ne 0) -and ([DateTime]::FromFileTime($time) -gt $cutoffDate))
    {
      continue
    }

    Disable-ADAccount $currentUser

    Set-ADUser $currentUser -Description "Account disabled on $logDate"

    Move-ADObject $currentUser -TargetPath $DisabledOU

    #Create array for logfile output
    $obj = $currentUser | Select Name,distinguishedname,@{n="status";e={'Disabled User'}}

    #Output to Log
    $logArray += $obj

  }
  #Export contents of logArray to .csv
  $logArray | Export-Csv $logPath -NoTypeInformation
}

Get-ADUsersLastLogon

This script is going to run on a daily basis, and I would like it to output to one file, in this case C:\disabledusers.csv. What I would like it to do, however, before it writes the array to the CSV, is to write today's date so I know from looking at the CSV which accounts were disabled on that day.

i.e.

Code:
21/08/15
Joe Bloggs	| CN=Joe Bloggs,OU=Users,DC=company ,DC=com | Disabled User 
Tom Smith	| CN=Tom Smith,OU=Users,DC=company ,DC=com | Disabled User
Or have it tagged on each line, i.e.

Code:
Name	 distinguishedname	status
Joe Bloggs	| CN=Joe Bloggs,OU=Users,DC=company ,DC=com | Disabled User | 21/08/15
Can anyone help please?
 
I've had to do this in quite a few places, so I decided to put a module together that allows it to be called at any point.

Try the following; it will keep things standardised and uniform when you come to write logs in general.

Code:
Function Write-LogFile
{
  [CmdletBinding()]
  Param (
    [parameter(Mandatory = $true, Position = 0, HelpMessage = "Enter the Logfile path and filename")]
    [string]$LogFile,
    [parameter(Mandatory = $true, Position = 1, HelpMessage = "Enter the Logfile entry")]
    [string]$logstring
  )

  # HH gives a 24-hour clock; hh would print 01:28 for both 1am and 1pm
  $DateTime = (Get-Date -Format "dd-MM-yyyy HH:mm")
  $ls = $DateTime + ' : ' + $logstring
  # Append the stamped entry to the log file, creating it if needed
  Add-Content $LogFile -Value $ls -Force
} #end function

Output to file should be in the following format

23-08-2015 01:28 : Text here
 
Easy. Look at the get-date cmdlet - https://technet.microsoft.com/en-us/library/hh849887.aspx

Edit - after actually looking at your script I realised of course you knew that already.

Would this do?

$logdate = get-date

$obj = $currentUser | Select Name,distinguishedname,@{n="status";e={'Disabled User'}},@{n="date disabled";e={$logdate}}

Uhred - that's spot on mate. Don't know why I couldn't see that! Thanks again!
 
You could easily add some logic so that if the account description includes the word maternity it gets ignored. Or perhaps you have a protected OU for accounts you want to keep.
 
I have considered it, but initially the purpose of this is to ensure we don't get bent over by auditors, and as it stands it does a good job. I have considered putting something in to read user account descriptions and also alert specific people based on where their user accounts are located in AD.
 
I'd rather just disable accounts as a part of a leavers process.

If only every company were like yours :(

@OP this also works
Code:
$dcs = Get-ADDomainController -Filter *
over
Code:
$dcs = Get-ADDomainController -Filter {Name -like "*"}

Also, any reason you're not just using the replicated LastLogonTimestamp / (Get-ADUser) LastLogonDate rather than querying all your DCs for their version of said user's LastLogon?
 
I don't see a problem with disabling accounts for people on longer term absences like maternity - checking email shouldn't be high up their priority list, and they can always put in a request via their line manager for accounts to be turned back on.

I'd be careful about throwing a maternity field into AD since anyone will be able to read it, and it's reasonably personal information.
 
If only every company were like yours :(

Also, any reason you're not just using the replicated LastLogonTimestamp / (Get-ADUser) LastLogonDate rather than querying all your DCs for their version of said user's LastLogon?

From what I've read that only replicates every 14 days on a 2003 functional level, hence me getting the last logon date from each DC.
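Pulling the thread together, here is an added example (not the OP's script or any poster's code) that confirms the replicated LastLogonDate against the non-replicated lastLogon on every DC, leaves protected OUs and recently created accounts alone, supports -WhatIf for a dry run, and appends a date-stamped row per account to one cumulative CSV. The OU names, the C:\DisabledUsers.csv path and the ProtectedOU list are assumed placeholders, and -Append on Export-Csv and [pscustomobject] need PowerShell 3.0 or later.

```powershell
Import-Module ActiveDirectory

# lastLogon is never replicated, so ask every DC and keep the newest value.
# Returns a DateTime, or $null if the account has never logged on anywhere.
function Get-ADTrueLastLogon {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $newest = [long]0
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
        if ($u.lastLogon -gt $newest) { $newest = $u.lastLogon }
    }
    if ($newest -eq 0) { return $null }
    return [DateTime]::FromFileTime($newest)
}

function Disable-StaleADUsers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$InactiveDays = 435,
        [string]$SearchBase = "DC=company,DC=com",
        [string]$DisabledOU = "OU=Disabled Objects,DC=company,DC=com",
        [string]$LogPath = "C:\DisabledUsers.csv",
        # Hypothetical protected OUs whose accounts are never touched (service accounts etc.)
        [string[]]$ProtectedOU = @("OU=Service Accounts,DC=company,DC=com")
    )
    $cutoff  = (Get-Date).AddDays(-$InactiveDays)
    $runDate = Get-Date -Format "dd/MM/yyyy"
    $enabled = Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated
    $rows = foreach ($u in $enabled) {
        if ($ProtectedOU | Where-Object { $u.DistinguishedName -like "*,$_" }) { continue }
        # A never-used but recently created account is not stale
        if ($u.whenCreated -gt $cutoff) { continue }
        # Replicated LastLogonDate can lag by up to 14 days, so confirm with the per-DC value
        $lastLogon = Get-ADTrueLastLogon -SamAccountName $u.SamAccountName
        if ($u.LastLogonDate -gt $cutoff -or $lastLogon -gt $cutoff) { continue }
        if (-not $PSCmdlet.ShouldProcess($u.DistinguishedName, "Disable stale account")) { continue }
        Disable-ADAccount -Identity $u
        Set-ADUser -Identity $u -Description "Account disabled on $runDate (no logon for $InactiveDays days)"
        Move-ADObject -Identity $u -TargetPath $DisabledOU
        # One date-stamped row per account so the cumulative CSV shows when each was disabled
        [pscustomobject]@{
            Date = $runDate; Name = $u.Name; DistinguishedName = $u.DistinguishedName
            LastLogon = $lastLogon; Status = 'Disabled User'
        }
    }
    # -Append (PowerShell 3.0+) keeps every daily run in the same file
    if ($rows) { $rows | Export-Csv -Path $LogPath -NoTypeInformation -Append }
}

Disable-StaleADUsers -WhatIf   # dry run first; drop -WhatIf to actually disable accounts
```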
 