From 6db794ce28d03f37523a2dead8a6f7034dfd4a3c Mon Sep 17 00:00:00 2001
From: Corbin
Date: Fri, 21 Jun 2024 08:57:35 -0400
Subject: [PATCH] Added grace period for newly created accounts
Accounts which have not yet signed in will have a null `lastLogon` We do want to disable accounts which have never logged in, but want to allow IT to create accounts before the user starts. The added `$MinAccountAge` is the minimum age of the account based on the lastCreated attribute before the script will include them to disable.
---
 ad/Disable-InactiveAdUser.ps1 | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/ad/Disable-InactiveAdUser.ps1 b/ad/Disable-InactiveAdUser.ps1
index 4c8e6dc..1d009cf 100644
--- a/ad/Disable-InactiveAdUser.ps1
+++ b/ad/Disable-InactiveAdUser.ps1
@@ -2,20 +2,22 @@
 # Disable-InactiveAdUser
 #
+$UsersOU = "OU=Users,OU=Default-First-Site-Name,DC=CONTOSO,DC=COM"
 $MaxAccountAge = 45
-$UsersOU = "OU=Users - Synced,OU=_Quantum Leap,DC=QLCOM,DC=COM"
+# Allow a grace period for newly created accounts which have not yet logged in
+$MinAccountAge = 7
-$SmtpServer = 'qlmi-com.mail.protection.outlook.com'
+$SmtpServer = 'contoso-com.mail.protection.outlook.com'
 $SmtpPort = 25
-$SmtpFrom = 'Quantum Leap Security '
+$SmtpFrom = 'Contoso SOC '
 $SmtpTo = @(
- 'security@qlmi.com'
+ 'security@contoso.com'
 )
-$SmtpSubject = "Disabled inactive AD accounts over max age $MaxAccountAge days"
+$SmtpSubject = "Contoso, Inc.: Disabled inactive AD accounts over $MaxAccountAge days"
 # Get a list of enabled AD users who have not logged in in $MaxAccountAge days
 $Users = Get-ADUser -SearchBase "$UsersOU" -Filter * -Properties * `
- | where { $_.Enabled -eq $true -and [DateTime]::FromFileTime($_.lastLogon) -lt (Get-Date).AddDays(-$MaxAccountAge) } `
+ | where { $_.Enabled -eq $true -and [DateTime]::FromFileTime($_.lastLogon) -lt (Get-Date).AddDays(-$MaxAccountAge) -and $_.whenCreated -lt (Get-Date).AddDays(-$MinAccountAge) } `
 | select DisplayName,userPrincipalName,lastLogon,distinguishedName
 | % { $_.lastLogon = [DateTime]::FromFileTime($_.lastLogon); $_ }
 # Disable the accounts
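Review bot: The new `whenCreated` guard in the `where` block still rests on `lastLogon`, which is a non-replicated attribute: each domain controller keeps its own copy, so the `$Users` pipeline sees whichever DC answered the query, and a user who authenticated against another DC within the last 45 days can still look inactive and be disabled. `LastLogonDate` (the AD module's DateTime view of the replicated `lastLogonTimestamp`, which by default lags real activity by up to 14 days, well inside the 45-day window) avoids that; something like `-and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt (Get-Date).AddDays(-$MaxAccountAge))` keeps the never-logged-in case the commit message describes, which today only works because `FromFileTime` turns a missing value into the year 1601. That coupling deserves a comment above `$MinAccountAge`, e.g. `# Never-logged-in accounts have no lastLogon (read as 0 => year 1601); only the whenCreated check protects them`. The disable and mail steps that consume `$Users` are outside this hunk.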