# encoding: ascii
# api: powershell
# title: Disable AD Users
# description: This script will disable all Active Directory User accounts whose lastLogonTimeStamp is older than the number of days specified by the $NumDays variable. Note that lastLogonTimeStamp is only replicated roughly every 9-14 days by default, so the effective inactivity window is up to two weeks longer than $NumDays, and accounts that have never logged on (attribute absent) are not matched at all. All accounts that are disabled are logged in the "Disabled-User-Accounts.log" file created in the current working directory. The formatting of the log file is very basic, but effective.
# version: 0.1
# type: class
# author: AlphaSun
# license: CC0
# x-poshcode-id: 2937
# x-archived: 2013-01-18T11:54:22
# x-published: 2013-08-31T14:33:00
#
#
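# --- Configuration ---------------------------------------------------------
# Accounts whose lastLogonTimeStamp is older than this many days are disabled.
# NOTE: lastLogonTimeStamp is only written back to the directory when it is
# older than msDS-LogonTimeSyncInterval (14 days by default), so values below
# ~14 are meaningless and the real inactivity window can be up to two weeks
# longer than $NumDays.
$NumDays = 90
# Log file path, relative to the CURRENT working directory (not the script's
# own folder) - run the script from the directory where the log should live.
$LogDir = ".\Disabled-User-Accounts.log"
# When $true, every matching account is logged but nothing is changed in AD.
# Strongly recommended for a first run: the LDAP filter below has no OU,
# group or account exclusions, so rarely-used but important accounts
# (service accounts, break-glass admins, ...) would be disabled as well.
$DryRun = $false

# --- Build the inactivity cutoff as a FILETIME -----------------------------
# lastLogonTimeStamp is stored as a 64-bit FILETIME in UTC, so the cutoff is
# taken in UTC and converted to the same integer representation before it is
# placed in the LDAP filter.
$currentDate    = [System.DateTime]::Now
$currentDateUtc = $currentDate.ToUniversalTime()
$lltStampLimit  = $currentDateUtc.AddDays(-$NumDays)
$lltIntLimit    = $lltStampLimit.ToFileTime()

# --- Find stale user accounts in the default naming context -----------------
$adObjRoot = [adsi]''
$objStaleSearcher = New-Object System.DirectoryServices.DirectorySearcher($adObjRoot)
# Filter notes:
#  * objectCategory=person + objectClass=user selects users but not computers.
#  * lastLogonTimeStamp<=N only matches objects that HAVE the attribute, so
#    accounts that never logged on are not selected.
#  * userAccountControl bit 0x2 (ACCOUNTDISABLE) is excluded via the LDAP
#    bitwise-AND matching rule (1.2.840.113556.1.4.803) so accounts that are
#    already disabled are not re-disabled and re-logged on every run.
$objStaleSearcher.Filter = "(&(objectCategory=person)(objectClass=user)(lastLogonTimeStamp<=$lltIntLimit)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
# Without paging the DC returns at most MaxPageSize (1000 by default) entries
# and any further stale accounts would be silently skipped.
$objStaleSearcher.PageSize = 1000
$users = $objStaleSearcher.FindAll()

# --- Log header ------------------------------------------------------------
$header = @(
    "`n`n----------------------------------------",
    "ACCOUNTS OLDER THAN $NumDays DAYS",
    "PROCESSED ON:",
    $currentDate,
    "----------------------------------------"
)
Write-Output $header | Out-File $LogDir -Append
if ($DryRun) {
    Write-Output " DRY RUN - no accounts were modified." | Out-File $LogDir -Append
}

# --- Disable and log ---------------------------------------------------------
if ($users.Count -eq 0) {
    Write-Output " No account needs to be disabled." | Out-File $LogDir -Append
}
else {
    foreach ($user in $users) {
        # Read the attributes we log / bind with.
        [string]$adsPath           = $user.Properties.adspath
        [string]$displayName       = $user.Properties.displayname
        [string]$samAccountName    = $user.Properties.samaccountname
        [string]$lastLogonInterval = $user.Properties.lastlogontimestamp

        # Convert the FILETIME back into local time for the log entry.
        $lastLogon = [System.DateTime]::FromFileTime($lastLogonInterval)

        $action = "Disabled user"
        if ($DryRun) {
            $action = "Would disable user"
        }
        else {
            # Bind to the object, set IADsUser.AccountDisabled and commit.
            # A failure (e.g. access denied) must be recorded rather than
            # logged as a success, otherwise the log misrepresents what
            # actually happened in the directory.
            try {
                $account = [ADSI]$adsPath
                $account.psbase.InvokeSet("AccountDisabled", $true)
                $account.SetInfo()
            }
            catch {
                $action = "FAILED to disable user ($($_.Exception.Message))"
            }
        }

        # One log line per account (the original split this across two lines
        # because the text was passed as two separate arguments).
        Write-Output " $action $displayName | Username: $samAccountName | Last Logon: $lastLogon`n" `
            | Out-File $LogDir -Append
    }
}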