Refactor user search and filtering, disabling. Include DisplayName

This commit is contained in:
Corbin 2024-05-13 12:16:47 -04:00
parent 1ca15e5130
commit 779d2ad2dd


@ -2,50 +2,36 @@
# Disable-InactiveAdUser # Disable-InactiveAdUser
# #
$MaxAccountAge = 45
$UsersOU = "OU=Users - Synced,OU=_Quantum Leap,DC=QLCOM,DC=COM"
$SmtpServer = 'qlmi-com.mail.protection.outlook.com' $SmtpServer = 'qlmi-com.mail.protection.outlook.com'
$SmtpPort = 25 $SmtpPort = 25
$SmtpFrom = 'Quantum Leap Security <security@qlmi.com>' $SmtpFrom = 'Quantum Leap Security <security@qlmi.com>'
$SmtpTo = @( $SmtpTo = @(
'security@qlmi.com' 'security@qlmi.com'
) )
$SmtpSubject = "Disabled inactive AD accounts over max age $MaxAccountAge days"
$MaxAccountAge = 45
$UsersOU = "OU=Users - Synced,OU=_Quantum Leap,DC=QLCOM,DC=COM"
# Get a list of enabled AD users who have not logged in in $MaxAccountAge days # Get a list of enabled AD users who have not logged in in $MaxAccountAge days
$Users = Get-ADUser -Filter 'enabled -eq $true' -SearchBase "$UsersOU" | % { $Users = Get-ADUser -SearchBase "$UsersOU" -Filter * -Properties * `
New-Object PSObject -Property @{ | where { $_.Enabled -eq $true -and [DateTime]::FromFileTime($_.lastLogon) -lt (Get-Date).AddDays(-$MaxAccountAge) } `
"userPrincipalName" = $_.userPrincipalName | select DisplayName,userPrincipalName,lastLogon,distinguishedName | % { $_.lastLogon = [DateTime]::FromFileTime($_.lastLogon); $_ }
"Enabled" = $_.Enabled
"lastLogon" = [DateTime]::FromFileTime(($_ | Get-ADObject -Properties lastLogon).LastLogon)
"distinguishedName" = $_.distinguishedName
}
} | Where-Object -FilterScript { $_.lastLogon -lt (Get-Date).AddDays(-$MaxAccountAge) }
# Export a report of the users
if (!(Test-Path -Path 'C:\temp')) {
New-Item -Path 'C:\temp' -ItemType Directory -ErrorAction SilentlyContinue
}
$ReportPath = Join-Path -Path 'C:\temp' -ChildPath "disabled_users_$(Get-Date -UFormat '%s').csv"
$Users | Export-Csv -NoTypeInformation -Path $ReportPath
# Disable the accounts # Disable the accounts
foreach ($User in $Users) { $Users | Disable-ADAccount
Disable-ADAccount -Identity $User.distinguishedName
}
# Email the report # Email a report
if (($Users.Enabled).Count -gt 0) { if (($Users.distinguishedName).Count -gt 0) {
$EmailBody = @" $EmailBody = @"
<h2>Users Disabled</h2><br/> <h2>Users Disabled</h2><br/>
<p>The following user accounts have been disabled:</p> <p>The following user accounts have been disabled:</p>
<ul> <ul>
$($Users | % { "<li>$($_.userPrincipalName), not logged in since $($_.lastLogon)</li>" }) $($Users | % { "<li>$($_.DisplayName) &lt;$($_.userPrincipalName)&gt;, not logged in since $($_.lastLogon)</li>" })
</ul><br/> </ul><br/>
<p>This email was sent automatically. Please do not reply.</p> <p>This email was sent automatically. Please do not reply.</p>
"@ "@
Send-MailMessage -SmtpServer $SmtpServer -Port $SmtpPort -UseSsl -From $SmtpFrom -To $SmtpTo ` Send-MailMessage -SmtpServer $SmtpServer -Port $SmtpPort -UseSsl -From $SmtpFrom -To $SmtpTo `
-Subject "Disabled inactive AD accounts over max age $MaxAccountAge days" ` -Subject $SmtpSubject -Body "$EmailBody" -BodyAsHtml
-Body "$EmailBody" -BodyAsHtml
} }
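Review bot: The new `where` block filters on `lastLogon`, an attribute that each domain controller stores locally and does not replicate, so an account that last authenticated against another DC than the one this script queries can be judged inactive and disabled while still in use; `lastLogonTimestamp` (surfaced by Get-ADUser as `LastLogonDate`) is the replicated attribute meant for this kind of sweep. The same block also uses `-Filter *` with `-Properties *`, pulling every attribute of every object in the OU and then discarding most of them client-side, where the previous server-side `enabled -eq $true` filter and a short property list would do. A user with no `lastLogon` value at all becomes `FromFileTime(0)` (1601-01-01) and is always under the cutoff, so never-logged-in accounts are swept up too; worth a comment stating whether that is intended, e.g. `# accounts with no logon recorded are treated as inactive`. The CSV export lines (`$ReportPath = Join-Path …`, `$Users | Export-Csv …`) appear on one side only and I cannot tell which from the rendering; if they are on the removed side, the mail body is now the only record of which accounts were disabled, and since `$Users | Disable-ADAccount` runs without `-ErrorAction Stop`, a partial failure would still be reported as "disabled". Below is the query rewritten around the replicated attribute with a server-side filter; the rest of the script is unchanged.
```powershell
$Cutoff = (Get-Date).AddDays(-$MaxAccountAge)
# Filter server-side; lastLogonTimestamp is replicated, lastLogon is per-DC
$Users = Get-ADUser -SearchBase "$UsersOU" -Filter { Enabled -eq $true } -Properties DisplayName,lastLogonTimestamp `
  | Where-Object { [DateTime]::FromFileTime($_.lastLogonTimestamp) -lt $Cutoff } `
  | Select-Object DisplayName,userPrincipalName,@{ n = 'lastLogon'; e = { [DateTime]::FromFileTime($_.lastLogonTimestamp) } },distinguishedName
# … unchanged: disable step and e-mail report …
```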