AD user Management

adminofthings · 2023-04-10T11:05:03.000Z

There’s no need to use -Properties * as that will pull a lot of unnecessary data per user. You can use -Properties LastLogonDate. DistinguishedName and SamAccountName will be part of the default property set regardless of what you pass to -Properties.

I think you want $user.lastlogondate -lt ($date.AddDays(-30)) because older dates are less than newer dates.

tkam44 · 2023-04-10T11:12:26.000Z

@adminofthings Yes obviously i need to use lt instead of gt. As i’am in my test env, i accidentally used gt and it disabled my domain admin account. Big Issue.

Now i am asking you, how can i recover my admin accounts to continue with my tests ?

adminofthings · 2023-04-10T11:21:40.000Z

tka44:

AdminOfThings Yes obviously i need to use lt instead of gt. As i’am in my test env, i accidentally used gt and it disabled my domain admin account. Big Issue.

Now i am asking you, how can i recover my admin accounts to continue with my tests ?

You need another domain admin to reenable your domain admin account.

tkam44 · 2023-04-10T11:23:28.000Z

i’m on ws2012 r2, and i actually don’t know another built-in account i can use to connect and enable it.

saidbrandon · 2023-04-10T11:25:15.000Z

Hopefully you have another “admin” that can resolve your access. When learning PowerShell, it’s best to get familiar with the -WhatIf parameter. It will show you what it’s going to do before it actually does it. You’ll also want to work with smaller scopes and then fan out where possible. This will help keep your “collateral damage” down. Imagine if you were trying to delete inactive accounts only, and you deleted EVERY account… Be VERY careful, otherwise your task will be a reason to update your resume.

That said, take a look at this post to get more familiar with the “Filter” parameter. This will be much quicker than iterating every user twice, once to retrieve all and the second to check their last logon date. Just ensure that you use “LastLogonDate” and not “Created”. Since you’re 30 days out it will have replicated to all domain controllers.

tkam44 · 2023-04-10T11:34:32.000Z

Thank you for your link, I just forgot to use the -whatif parameter, a colleague always adviced me to use it, for my test i just forgot; i was sure it would work.
Anyway,
I am afraid i will have to build a whole AD for my test env. as i can’t even connect to my DC anymore.

adminofthings · 2023-04-10T11:50:22.000Z

tka44:

Thank you for your link, I just forgot to use the -whatif parameter, a colleague always adviced me to use it, for my test i just forgot; i was sure it would work.
Anyway,
I am afraid i will have to build a whole AD for my test env. as i can’t even connect to my DC anymore.

Maybe you could add additional checks like making sure isCriticalSystemObject attribute is not set to TRUE for accounts you are going to change. Or ignore users that are in domain admins and have a separate process that analyzes those accounts.

tkam44 · 2023-04-10T11:52:43.000Z

I will try this.

what i learned today:

1- Always use the -whatif parameter, even if you are sure

2- Always have a recovery account domain Admin account to be able to access the Dc when this kind of issue occurs.

3- Keep a snaphot of your DC somewhere to be able to roll back easily

saidbrandon · 2023-04-10T12:00:03.000Z

tka44:

I will try this.

what i learned today:

1- Always use the -whatif parameter, even if you are sure

2- Always have a recovery account domain Admin account to be able to access the Dc when this kind of issue occurs.

3- Keep a snaphot of your DC somewhere to be able to roll back easily

Skip #3 as it COULD cause more problems than fix. If it’s a single DC test environment, you’re probably pretty safe, but still forget step 3 and refer to #1 and 2.

aunrau · 2023-04-10T12:37:49.000Z

$users = Get-ADUser -Filter "lastLogonDate -lt '$((Get-Date).addDays(-30))'" -Properties LastLogonDate

foreach ($user in $users) {
    Write-Host $user
}

You also don’t need to create a ‘date’ variable, you can just call ‘Get-Date’ in the statement.

Neally · 2023-04-10T13:29:06.000Z

Keep in mind , if you have multiple domain controllers that lastlogondate can be up to 14 days off.

tulioarends · 2023-04-10T17:53:10.000Z

Be careful with lastlogon. It is not a replicated attribute, its unique to each DC.

Lastlogondate is calculated from lastlogontimestamp by Get-AdUser, which is replicated. Be aware that by default the replication window is 14 days, anything shorter may not be accurate.

holdmybeer · 2023-04-11T15:22:00.000Z

You could try this, once you are happy with it, remove the both the -whatif:

$users = @(Get-ADUser -filter * -SearchBase ‘DC=TEST,DC=NET’ -Properties * | select samaccountname,lastlogondate,whencreated,lastlogontimestamp,distinguishedname)

$date = $null

$date = (Get-Date).AddDays(-30)

$RemoveTime1 = $date -replace “…$”

foreach ($user in $users)

{

$SAM = $user.samaccountname
$UserLastLogin = $User.lastlogondate
$created= $User.whencreated
$Dis = $User.distinguishedname

if ($UserLastLogin)

{

if($user.lastlogondate -lt $RemoveTime1)

{

Write-Host -ForegroundColor Red “$SAM has been disabled and moved as they have not logged in since $UserLastLogin”

Move-ADObject -Identity $Dis -TargetPath ‘OU=Disabled Accounts,DC=TEST,DC=NET’ -WhatIf

Disable-ADAccount $user.samaccountname -WhatIf

}

Else

{

Write-Host -ForegroundColor Green “$SAM was connected on $UserLastLogin”
}

}
else {

Write-Host -ForegroundColor Yellow “$SAM has never logged on, the account was created $created”

}
pause
Clear-Variable SAM,UserLastLogin,Created
}

Neally · 2023-04-11T16:08:03.000Z

@holdmybeer

If you post code, please use the ‘Insert Code’ button. Please and thank you!

PLEASE READ BEFORE POSTING! Read if you're new to the PowerShell forum! Programming & Development

Hi, and welcome to the PowerShell forum! Don’t apologize for being a “noob” or “newbie” or “n00b.” There’s just no need – nobody will think you’re stupid, and the forums are all about asking questions. Just ask! Use a descriptive subject. Don't say "Need help" or "PowerShell Help", actually summarize what the problem is. It helps the rest of us keep track of which problem is which. Don’t post massive scripts. We’re all volunteers and we don’t have time to read all that, nor will we copy, past…

holdmybeer · 2023-04-11T18:26:52.000Z

OK will do.
You could try this, just remove the -whatif once you are happy all is working ok, you could also use the same logic for the accounts have have never been logged on, and have a creation date of 30 days or more in the past.

$users = @(Get-ADUser -filter * -SearchBase 'DC=TEST,DC=NET' -Properties * | select samaccountname,lastlogondate,whencreated,lastlogontimestamp,distinguishedname)

$date = $null

$date = (Get-Date).AddDays(-30)

$RemoveTime1 = $date -replace ".........$"

foreach ($user in $users)

{

$SAM = $user.samaccountname
$UserLastLogin = $User.lastlogondate
$created= $User.whencreated
$Dis = $User.distinguishedname

if ($UserLastLogin)

   {

  if($user.lastlogondate -lt $RemoveTime1)

    {
   
        Write-Host -ForegroundColor Red "$SAM has been disabled and moved as they have not logged in since $UserLastLogin"
     
        Move-ADObject -Identity $Dis -TargetPath 'OU=Disabled Accounts,DC=TEST,DC=NET' -WhatIf

        Disable-ADAccount $user.samaccountname -WhatIf
   
    }
   
   
    Else

    {
   
   
        Write-Host -ForegroundColor Green "$SAM was connected on $UserLastLogin"
    }

    }
    else {

        Write-Host -ForegroundColor Yellow "$SAM has never logged on, the account was created $created"

   
    }
    pause
        Clear-Variable SAM,UserLastLogin,Created
}

holdmybeer · 2023-04-11T18:30:42.000Z

Sorry looks like I missed the Dis variable from the Clear-Variable, third time lucky!!

tkam44 · 2023-05-02T19:12:50.000Z

Hi @holdmybeer ,

Here is the part i do not understad well;

Can you please explain it

$RemoveTime1 = $date -replace ".........$"

tkam44 · 2023-05-02T19:14:48.000Z

@holdmybeer Here is the result when i run your cmd

PS C:\Users\Administrator\PS> C:\Users\Administrator\Documents\Unused Accounts.ps1
Cannot convert null to type "System.DateTime".
At C:\Users\Administrator\Documents\Unused Accounts.ps1:3 char:1
+ $date = $null
+ ~~~~~~~~~~~~~
    + CategoryInfo          : MetadataError: (:) [], ArgumentTransformationMetadataException
    + FullyQualifiedErrorId : RuntimeException
 
Could not compare "05/02/2023 22:19:08" to "22-04-23". Error: "Cannot convert value "22-04-23" to type "System.DateTime". Error: "String was not recognized as a valid DateTime.""
At C:\Users\Administrator\Documents\Unused Accounts.ps1:25 char:6
+   if($user.lastlogondate -lt $RemoveTime1)
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : ComparisonFailure
 
Press Enter to continue...: 
Guest has never logged on, the account was created 04/10/2023 16:44:46
Press Enter to continue...: 
krbtgt has never logged on, the account was created 04/10/2023 16:45:45
Press Enter to continue...:

saidbrandon · 2023-05-03T11:50:43.000Z

As tka44 mentioned, you can’t compare a DateTime with a string. Using the -replace force the date time into a string with the ToString() method. If you remove that line, your datetime will compare. If you want to format it later for output you can do that, but you’re not doing that. So, just remove

$RemoveTime1 = $date -replace ".........$"

or comment out

#$RemoveTime1 = $date -replace ".........$"

and change

 if($user.lastlogondate -lt $RemoveTime1)

to

 if($user.lastlogondate -lt $date)

holdmybeer · 2023-05-05T20:44:26.000Z

Hi

To answer your questions:

$RemoveTime1 = $date -replace “…$”

This takes just the date element from the get-date so it can be compared to the other date, the part that was missing was to convert 01/01/2020 to a date format that powershell can work with.

Try the below.

$users = @(Get-ADUser -filter * -SearchBase 'DC=TEST,DC=NET' -Properties * | select samaccountname,lastlogondate,whencreated,lastlogontimestamp,distinguishedname)

$date = $null

$date = (Get-Date).AddDays(-30)

$RemoveTime1 = $date -replace ".........$"

#How to change a text date entry of 01/01/2020 so it is recognised as a date by powershell
#the Vir must be $string
$string=$RemoveTime1
$string=[Datetime]::ParseExact($string, 'dd/MM/yyyy', $null)

foreach ($user in $users)

{

$SAM = $user.samaccountname
$UserLastLogin = $User.lastlogondate
$created= $User.whencreated
$Dis = $User.distinguishedname

if ($UserLastLogin)

   {

  if($user.lastlogondate -lt $RemoveTime1)

    {
   
        Write-Host -ForegroundColor Red "$SAM has been disabled and moved as they have not logged in since $UserLastLogin"
     
        Move-ADObject -Identity $Dis -TargetPath 'OU=Disabled Accounts,DC=TEST,DC=NET' -WhatIf

        Disable-ADAccount $user.samaccountname -WhatI
   
    }
   
   
    Else

    {
   
   
        Write-Host -ForegroundColor Green "$SAM was connected on $UserLastLogin"
    }

    }
    else {

        Write-Host -ForegroundColor Yellow "$SAM has never logged on, the account was created $created"

   
    }
    pause
        Clear-Variable SAM,UserLastLogin,Created
}