
I realized many test AD accounts were going unchecked in my AD environment and decided to delete the ones that have not been used in the last 90 days. I created the following scripts to complete this task.
Using this single PowerShell command, you can find all such accounts that need deletion.
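```powershell
# lastLogonTimestamp is stored as a FILETIME integer, so the cutoff is converted with ToFileTime().
# The attribute replicates with a lag of up to about 14 days, so treat the 90-day boundary as approximate.
Get-ADUser -SearchBase "DC=Domain,DC=net" -Filter {samaccountname -like "*test*"} -Properties * |
    ? { $_.enabled -like "true" -and $_.lastlogontimestamp -lt (Get-Date).AddDays(-90).ToFileTime() } |
    select samaccountname,enabled,whencreated,@{n="lastlogontimestamp";e={([datetime]::FromFileTime($_.LastLogonTimeStamp))}} |
    Export-Csv C:\temp\StaleTestUsers.csv -NoTypeInformation
```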
Using the script below, these accounts can be disabled and moved to another OU.
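```powershell
# Collect enabled accounts whose samaccountname contains "test"
$testusers = Get-ADUser -SearchBase "DC=Domain,DC=net" -Filter {samaccountname -like "*test*"} -Properties * |
    ? { $_.enabled -like "true" }

# lastLogonTimestamp is a FILETIME integer, so compare against a FILETIME cutoff
$cutoff = (Get-Date).AddDays(-90).ToFileTime()

foreach ($testuser in $testusers) {
    # Inside foreach the current item is $testuser, not $_
    if ($testuser.lastlogontimestamp -lt $cutoff) {
        Disable-ADAccount -Identity $testuser
        Move-ADObject -Identity $testuser -TargetPath "OU=DisabledAccounts,DC=Domain,DC=net"
    }
}
```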
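A more defensive variant of the disable-and-move step, as an added example that is not part of the original post: it supports `-WhatIf`, returns an audit record with each account's original DN so the move can be reversed, and judges accounts that have never logged on by their creation date instead of treating them as stale. The function name `Disable-StaleTestUser` is hypothetical, the domain and OU are the placeholders used in the post, and the never-logged-on rule is an assumption.

```powershell
#Requires -Modules ActiveDirectory
# Added example; function name is hypothetical, DNs are the post's placeholders.
function Disable-StaleTestUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SearchBase = "DC=Domain,DC=net",
        [string]$TargetPath = "OU=DisabledAccounts,DC=Domain,DC=net",
        [int]$Days = 90
    )
    $cutoffDate = (Get-Date).AddDays(-$Days)
    $cutoff     = $cutoffDate.ToFileTime()   # lastLogonTimestamp is a FILETIME integer

    $stale = Get-ADUser -SearchBase $SearchBase -Filter {samaccountname -like "*test*"} `
                 -Properties lastLogonTimestamp, whenCreated |
        Where-Object { $_.Enabled } |
        Where-Object {
            if ($_.lastLogonTimestamp) { $_.lastLogonTimestamp -lt $cutoff }
            else { $_.whenCreated -lt $cutoffDate }   # never logged on: use account age (assumption)
        }

    foreach ($user in $stale) {
        $action = 'Skipped'
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Disable and move to $TargetPath")) {
            Disable-ADAccount -Identity $user
            Move-ADObject -Identity $user -TargetPath $TargetPath
            $action = 'DisabledAndMoved'
        }
        # Audit record: the original DN is what you need to move the account back
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            OriginalDN     = $user.DistinguishedName
            WhenCreated    = $user.whenCreated
            LastLogon      = if ($user.lastLogonTimestamp) {
                                 [datetime]::FromFileTime($user.lastLogonTimestamp)
                             } else { $null }
            Action         = $action
            ProcessedAt    = Get-Date
        }
    }
}

# Dry run first, then the real pass with the audit trail written to disk:
# Disable-StaleTestUser -WhatIf
# Disable-StaleTestUser | Export-Csv C:\temp\DisabledTestUsers.csv -NoTypeInformation
```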