Disabling Users - Active Directory - Logging

Hi All,

I've written the following script to disable accounts that haven't logged on in X number of days. It works a treat, but I'm just adding some log output for when we have auditors / queries, and I'm struggling to add the date that each account is disabled.

Can anyone help:

Code:
Import-Module ActiveDirectory

function Get-ADUsersLastLogon()
{
  $numberOfDays = (Get-Date).AddDays(-435)
  $logDate = Get-Date -F dd-MM-yyyy
  $logPath = "c:\DisabledUsers.csv"
  $searchbase = "DC=company,DC=com"
  $DisabledOU = "OU=Disabled Objects,DC=mystagecoach,DC=com"
  $logArray = @()

  # lastLogon is not replicated, so every DC is asked for its own copy of it
  $dcs = Get-ADDomainController -Filter {Name -like "*"}
  # Candidates: enabled accounts whose replicated LastLogonDate is older than the threshold
  $users = Get-ADUser -SearchBase $searchbase -Filter {((lastlogondate -le $numberOfDays) -AND (enabled -eq $True))}

  foreach($user in $users)
  {
    $time = 0
    foreach($dc in $dcs)
    {
      $hostname = $dc.HostName
      $currentUser = Get-ADUser $user.SamAccountName | Get-ADObject -Server $hostname -Properties lastLogon

      # keep the most recent lastLogon (a FILETIME integer) seen on any DC
      if($currentUser.LastLogon -gt $time)
      {
        $time = $currentUser.LastLogon
      }
    }

    # Skip the account if any DC has seen a logon more recently than the threshold;
    # without this check the per-DC value collected above is never acted on
    if(($time -gt 0) -and ([DateTime]::FromFileTime($time) -gt $numberOfDays))
    {
      continue
    }

    Disable-ADAccount $currentUser

    Set-ADUser $currentUser -Description "Account disabled on $logDate"

    Move-ADObject $currentUser -TargetPath $DisabledOU

    #Create array for logfile output
    $obj = $currentUser | Select Name,distinguishedname,@{n="status";e={'Disabled User'}}

    #Output to Log
    $logArray += $obj

  }
    #Export contents of logArray to .csv
    $logArray | Export-Csv $logPath -NoTypeInformation
}

Get-ADUsersLastLogon

This script is going to run on a daily basis, and I would like it to output to one file, in this case C:\disabledusers.csv. What I would like it to do, however, before it writes the array to the CSV, is to write today's date so I know from looking at the CSV which accounts were disabled on that day.

i.e.

Code:
21/08/15
Joe Bloggs	| CN=Joe Bloggs,OU=Users,DC=company ,DC=com | Disabled User 
Tom Smith	| CN=Tom Smith,OU=Users,DC=company ,DC=com | Disabled User
or have it tagged on each line, i.e.

Code:
Name	 distinguishedname	status
Joe Bloggs	| CN=Joe Bloggs,OU=Users,DC=company ,DC=com | Disabled User | 21/08/15
Can anyone help please?
 
Easy. Look at the get-date cmdlet - https://technet.microsoft.com/en-us/library/hh849887.aspx

Edit - after actually looking at your script I realised of course you knew that already.

Would this do?

$logdate = get-date

$obj = $currentUser | Select Name,distinguishedname,@{n="status";e={'Disabled User'}},@{n="date disabled";e={$logdate}}

Uhred - that's spot on, mate. Don't know why I couldn't see that! Thanks again!
 
I have considered it, but initially the purpose of this is to ensure we don't get bent over by auditors, and as it stands it does a good job. I have considered putting something in to read user account descriptions and also alert specific people based on where their user accounts are located in AD.
 
If only every company were like yours :(

Also, any reason you're not just using the replicated LastLogonTimestamp/(Get-ADUser) LastLogonDate rather than querying all your DCs for their version of said user's LastLogon?

From what I've read, that only replicates every 14 days on a 2003 functional level, hence me getting the last logon date from each DC.
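As an added example (not the poster's script or Uhred's reply), the two pieces the thread touches on: a helper that stamps each log row with the date the account was disabled and appends to a single CSV across daily runs, and a helper that turns the per-DC lastLogon FILETIME values into the most recent logon DateTime, which is the comparison behind asking every DC instead of trusting the replicated value. The function names, the sample user objects and the FILETIME values are constructed, so it runs without a domain.

```powershell
function Write-DisabledUserLog {
    param(
        [Parameter(Mandatory)] [object[]] $Users,    # objects with Name and DistinguishedName
        [Parameter(Mandatory)] [string]   $LogPath,
        [datetime] $DisabledOn = (Get-Date)
    )
    $stamp = $DisabledOn.ToString('dd/MM/yy')      # same format as the 21/08/15 in the post
    $rows = foreach ($u in $Users) {
        [pscustomobject]@{
            Name              = $u.Name
            DistinguishedName = $u.DistinguishedName
            Status            = 'Disabled User'
            DateDisabled      = $stamp
        }
    }
    # -Append keeps one file across daily runs; the header is written only when the file is new
    $rows | Export-Csv -Path $LogPath -NoTypeInformation -Append
    return $rows
}

# lastLogon is a FILETIME integer and is not replicated, so each DC holds its own value.
# Returns the most recent one as a DateTime, or $null if no DC has ever seen a logon (0).
function Get-LatestLogon {
    param([long[]] $FileTimes)
    $max = $FileTimes | Where-Object { $_ -gt 0 } | Sort-Object -Descending | Select-Object -First 1
    if ($null -eq $max) { return $null }
    return [DateTime]::FromFileTime($max)
}

# Constructed sample data standing in for Get-ADUser output and three DCs' lastLogon values.
$sample = @(
    [pscustomobject]@{ Name = 'Joe Bloggs'; DistinguishedName = 'CN=Joe Bloggs,OU=Users,DC=company,DC=com' }
    [pscustomobject]@{ Name = 'Tom Smith';  DistinguishedName = 'CN=Tom Smith,OU=Users,DC=company,DC=com' }
)
$threshold = (Get-Date).AddDays(-435)
$latest = Get-LatestLogon -FileTimes 0, 130800000000000000, 130900000000000000

if ($latest -and ($latest -gt $threshold)) {
    "Most recent logon $latest is inside the threshold; account stays enabled"
}
else {
    $log = Join-Path ([IO.Path]::GetTempPath()) 'DisabledUsers-example.csv'
    Write-DisabledUserLog -Users $sample -LogPath $log | Format-Table
    Import-Csv $log | Format-Table   # every row carries the date it was disabled
}
```

Running it twice appends a second set of rows to the same file rather than overwriting the first day's entries.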
 