Added grace period for newly created accounts

Accounts which have not yet signed in will have a null `lastLogon` We do want to disable accounts which have never logged in, but want to allow IT to create accounts before the user starts.
The added `$MinAccountAge` is the minimum age of the account based on the lastCreated attribute before the script will include them to disable.

ad/Disable-InactiveAdUser.ps1

@@ -2,20 +2,22 @@
 # Disable-InactiveAdUser
 # 
 
+$UsersOU = "OU=Users,OU=Default-First-Site-Name,DC=CONTOSO,DC=COM"
 $MaxAccountAge = 45
-$UsersOU = "OU=Users - Synced,OU=_Quantum Leap,DC=QLCOM,DC=COM"
+# Allow a grace period for newly created accounts which have not yet logged in
+$MinAccountAge = 7
 
-$SmtpServer = 'qlmi-com.mail.protection.outlook.com'
+$SmtpServer = 'contoso-com.mail.protection.outlook.com'
 $SmtpPort = 25
-$SmtpFrom = 'Quantum Leap Security <security@qlmi.com>'
+$SmtpFrom = 'Contoso SOC <security@contoso.com>'
 $SmtpTo = @(
-    'security@qlmi.com'
+    'security@contoso.com'
 )
-$SmtpSubject = "Disabled inactive AD accounts over max age $MaxAccountAge days"
+$SmtpSubject = "Contoso, Inc.: Disabled inactive AD accounts over $MaxAccountAge days"
 
 # Get a list of enabled AD users who have not logged in in $MaxAccountAge days
 $Users = Get-ADUser -SearchBase "$UsersOU" -Filter * -Properties * `
-   | where { $_.Enabled -eq $true -and [DateTime]::FromFileTime($_.lastLogon) -lt (Get-Date).AddDays(-$MaxAccountAge) } `
+   | where { $_.Enabled -eq $true -and [DateTime]::FromFileTime($_.lastLogon) -lt (Get-Date).AddDays(-$MaxAccountAge) -and $_.whenCreated -lt (Get-Date).AddDays(-$MinAccountAge) } `
    | select DisplayName,userPrincipalName,lastLogon,distinguishedName | % { $_.lastLogon = [DateTime]::FromFileTime($_.lastLogon); $_ }
 
 # Disable the accounts