public/Get-InactiveAccounts.ps1
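function Get-InactiveAccounts {
    <#
    .SYNOPSIS
    Reports enabled Active Directory user or computer accounts that have been
    inactive for a given number of days, and optionally disables them.

    .DESCRIPTION
    Uses Search-ADAccount -AccountInactive to find accounts, writes their Name
    and LastLogonDate to the pipeline (oldest logon first) and, when -Disable
    is given, disables each account, stamps its Description with the date and
    moves it to the "_DISABLED" OU at the domain root.

    For users, accounts that have never logged on (no LastLogonDate) and
    accounts whose name contains "admin" are skipped. Computers are filtered
    only on Enabled.

    .PARAMETER DaysInactive
    Inactivity threshold in days (default 30). Must be at least 1.

    .PARAMETER Object
    'Users' or 'Computers'.

    .PARAMETER Disable
    Disable the accounts found and move them to the _DISABLED OU. Honours
    -WhatIf and -Confirm.

    .NOTES
    LastLogonDate is derived from lastLogonTimestamp, which is replicated
    lazily (by default it can lag by up to about two weeks), so small
    -DaysInactive values can flag accounts that are in fact active.

    The "*admin*" name filter is only a heuristic: it does not protect
    privileged or service accounts with other names. Review the report output
    before running with -Disable.
    #>
    [cmdletbinding(SupportsShouldProcess=$True)]
    Param(
        [int]
        $DaysInactive = 30,

        [Parameter(Mandatory)]
        [ValidateSet('Users','Computers')]
        $Object,

        [switch]
        $Disable
    )

    # A zero or negative window would match (nearly) every account, which is
    # destructive in combination with -Disable.
    if ($DaysInactive -lt 1) {
        throw "DaysInactive must be 1 or greater (got $DaysInactive)."
    }

    $domain      = (Get-ADDomain).DistinguishedName
    $oucheckname = "_DISABLED"
    # Use the exact DN that is checked/created below. A wildcard name lookup
    # ('*_DISABLED*') can return several OUs, which breaks Move-ADObject.
    $DisabledOU  = "OU=$oucheckname,$domain"
    $TimeSpan    = "${DaysInactive}.00:00:00"

    # Only write to the directory when the caller asked for changes; a
    # report-only run should work with read-only rights.
    if ($Disable -and -not [adsi]::Exists("LDAP://$DisabledOU")) {
        New-ADOrganizationalUnit -Name $oucheckname -Path $domain -ErrorAction Stop
    }

    if ($Object -eq 'Users') {
        # The original hard-coded "30.00:00:00" here, ignoring -DaysInactive.
        $InactiveObjects = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $TimeSpan |
            Where-Object {
                ($_.Enabled -eq $true) -and
                ($null -ne $_.LastLogonDate) -and
                ($_.Name -notlike "*admin*")
            }
        $Label = 'Account'
    }
    else {
        # ValidateSet guarantees the only other value is 'Computers'.
        $InactiveObjects = Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan $TimeSpan |
            Where-Object { $_.Enabled -eq $true }
        $Label = 'Computer'
    }

    # Report: emitted to the pipeline whether or not -Disable is set.
    $InactiveObjects | Sort-Object LastLogonDate | Select-Object Name,LastLogonDate

    if ($Disable) {
        foreach ($Item in $InactiveObjects) {
            # Explicit ShouldProcess so -WhatIf/-Confirm skip the whole step,
            # including the "Successfully disabled" message.
            if (-not $PSCmdlet.ShouldProcess($Item.DistinguishedName, "Disable and move to $DisabledOU")) {
                continue
            }

            try {
                $Description = "$Label Disabled on $(get-date -UFormat %d/%m/%y)"
                if ($Object -eq 'Users') {
                    Set-ADUser -Identity $Item.DistinguishedName -Description $Description -Enabled $false -ErrorAction Stop
                }
                else {
                    Set-ADComputer -Identity $Item.DistinguishedName -Description $Description -Enabled $false -ErrorAction Stop
                }
                Move-ADObject -Identity $Item.DistinguishedName -TargetPath $DisabledOU -ErrorAction Stop
                Write-Verbose "Successfully disabled $($Item.Name)"
            }
            catch {
                # Report the failure and carry on with the remaining accounts
                # instead of logging success for an account that was not changed.
                Write-Error "Failed to disable $($Item.Name): $_"
            }
        }
    }
}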