0

A colleague has reached out to me to create a PowerShell script to do the following:

The script would read the lastlogondate of an AD security group called “Temp Associates”, disable the accounts with lastlogondate > or = 29 days from current date and move to Disabled OU. When it disables it will also change the descripton to the date it was disabled on. Then create a report listing disabled users and email to our global helpdesk.

I've compiled some things together that seem like they should work, but do not. When I run the script I receive no error message and the log file is generated with no data populated. In order to remain SOX compliant I should be able to manipultate the value in $PasswordAge = (Get-Date).adddays(-29) for testing purposes as I'm not sure we have any accounts that meet the requirements currently.

E-mail is working now, just had to create PSCredential to use in send-mailmessage -credential parameter.

I am definitley new to PowerShell and can use all the help I can get. Any suggestions to either improve the existing code or use a different method are welcome, but I'd like to utilize what I already have if possible.

Code Below:

#import the ActiveDirectory Module
Import-Module ActiveDirectory

#Create a variable for the date stamp in the log file
$LogDate = get-date -f yyyyMMddhhmm

#Sets the OU to do the base search for all user accounts, change for your env.
$SearchBase = "CN=Temp Associates,OU=Res Accounts,DC=our,DC=domain,DC=org"

#Create an empty array for the log file
$LogArray = @()

#Sets the number of days to disable user accounts based on lastlogontimestamp and pwdlastset.
$PasswordAge = (Get-Date).adddays(-29)

#Use ForEach to loop through all users with pwdlastset and lastlogontimestamp greater than date set. Also added users with no lastlogon date set. Disables the accounts and adds to log array.
#Add the properties you will be using to ensure they are available.
$DisabledUsers = (Get-ADUser -searchbase $SearchBase -Properties samaccountname, name, distinguishedname -filter {((lastlogondate -notlike "*") -OR (lastlogondate -le $Passwordage)) -AND (enabled -eq $True) -AND (whencreated -le $Passwordage)} )

if ($DisabledUsers -ne $null -and $DisabledUsers.Count > 0) {
    ForEach ($DisabledUser in $DisabledUsers) {

        #Sets the user objects description attribute to a date stamp. Example "11/13/2011"
        set-aduser $DisabledUser -Description ((get-date).toshortdatestring()) -whatif

        #Disabled user object. To log only add "-whatif"
        Disable-ADAccount $DisabledUser -whatif

        #Create new object for logging
        $obj = New-Object PSObject
        $obj | Add-Member -MemberType NoteProperty -Name "Name" -Value $DisabledUser.name
        $obj | Add-Member -MemberType NoteProperty -Name "samAccountName" -Value $DisabledUser.samaccountname
        $obj | Add-Member -MemberType NoteProperty -Name "DistinguishedName" -Value $DisabledUser.DistinguishedName
        $obj | Add-Member -MemberType NoteProperty -Name "Status" -Value 'Disabled'

        #Adds object to the log array
        $LogArray += $obj

    }

    # Move disabled users in Temp Associates group to Disabled OU 
    Search-ADAccount –AccountDisabled –UsersOnly –SearchBase “CN=Temp Associates,OU=Res Accounts,DC=our,DC=domain,DC=org”  | 
    Move-ADObject –TargetPath “OU=Disabled,DC=our,DC=domain,DC=org” -WhatIf

    #Exports log array to CSV file in the temp directory with a date and time stamp in the file name.
    $logArray | Export-Csv "C:\Temp\User_Report_$logDate.csv" -NoTypeInformation

    #Create PSCredential for use in e-mail -credential parameter
    $secpasswd = ConvertTo-SecureString "PasswordHere" -AsPlainText -Force
    $mycreds = New-Object System.Management.Automation.PSCredential ("UserHere", $secpasswd)

    #Send e-mail to Global Helpdesk with report generated
    $emailFrom = "smtp@address.com"
    $emailTo = "User@address.com" 
    $subject = "NA Disabled Temp Users to be deleted" 
    $smtpServer = "smtp.address.com"
    $attachment = "C:\Temp\User_Report_$logDate.csv"


    Send-MailMessage -To $emailTo -From $emailFrom -Subject $subject -SmtpServer $smtpServer -attachment $attachment -credential $mycreds
}else {
    Write-Output "No disabled users to process for $PasswordAge."

    #Create PSCredential for use in e-mail -credential parameter
    $secpasswd = ConvertTo-SecureString "PasswordHere" -AsPlainText -Force
    $mycreds = New-Object System.Management.Automation.PSCredential ("UserHere", $secpasswd)

    #Send e-mail to Global Helpdesk with report generated
    $emailFrom = "smtp@address.com"
    $emailTo = "User@address.com" 
    $subject = "NA Disabled Temp Users to be deleted" 
    $smtpServer = "smtp.address.com"
    $attachment = "C:\Temp\User_Report_$logDate.csv"
    Send-MailMessage -To $emailTo -From $emailFrom -Subject $subject -Body "No disabled users to process for $PasswordAge." -SmtpServer $smtpServer -credential $mycreds
}
brent0324
  • 3
  • 1
  • 4
  • So the test account was created. I changed $PasswordAge = (Get-Date).adddays(-29) to $PasswordAge = (Get-Date).adddays(-1) but still get "No disable users to process". I'm going to look into the filter a little closer, but everything looks logically sound. I'm not sure if there also may be an issue with specifying the $searchbase as a group. If anyone has any ideas why this yields no results even when I drop the $Passwordage to 1 please let me know. Any suggestions are welcome. – brent0324 Aug 19 '14 at 17:51
  • Does anyone have any ideas / suggestions? I get small intervals of time to look at this but haven't been able to figure out where my logic is messed up. Appreciate any and all help with this. – brent0324 Sep 02 '14 at 19:57
  • So I had some more time to work on this and it looks like the problem is that the $searchbase either isn't working correctly or the Get-ADUser command is not working. The container I am trying to specify in $Searchbase is a Security Group ... I'm starting to wonder if Get-ADUser will not work with a security group? Will keep working on resolving and hopefully figure something out. As always any comments are appreciated. – brent0324 Sep 03 '14 at 16:40

2 Answers2

0

Putting it as an answer, even though it is not a direct answer.

It is really hard to say what is wrong especially when you are not implementing any checks along the way. A basic debugging strategy would be to add a few outputs along the way to see if the script is hitting sections. Such was: write-output "Entering Foreach" and write-output "Looping user $($DisabledUser.samaccountname)" to ensure that your script is executing properly. This will help determine where your hiccup is.

Alternatively, where I would first look is in your Get-ADUser query. Run that alone and make sure it returns users. If not get it to where it returns expected results.

Here is a revised version of your code that has an error check if there are no users returned. 

#import the ActiveDirectory Module
Import-Module ActiveDirectory

#Create a variable for the date stamp in the log file
$LogDate = get-date -f yyyyMMddhhmm

#Sets the OU to do the base search for all user accounts, change for your env.
$SearchBase = "CN=Temp Associates,OU=Res Accounts,DC=our,DC=domain,DC=org"

#Create an empty array for the log file
$LogArray = @()

#Sets the number of days to disable user accounts based on lastlogontimestamp and pwdlastset.
$PasswordAge = (Get-Date).adddays(-29)

#Use ForEach to loop through all users with pwdlastset and lastlogontimestamp greater than date set. Also added users with no lastlogon date set. Disables the accounts and adds to log array.
#Add the properties you will be using to ensure they are available.
$DisabledUsers = (Get-ADUser -searchbase $SearchBase -Properties samaccountname, name, distinguishedname -filter {((lastlogondate -notlike "*") -OR (lastlogondate -le $Passwordage)) -AND (enabled -eq $True) -AND (whencreated -le $Passwordage)} )

if ($DisabledUsers -ne $null -and $DisabledUsers.Count > 0) {
    ForEach ($DisabledUser in $DisabledUsers) {

        #Sets the user objects description attribute to a date stamp. Example "11/13/2011"
        set-aduser $DisabledUser -Description ((get-date).toshortdatestring()) -whatif

        #Disabled user object. To log only add "-whatif"
        Disable-ADAccount $DisabledUser -whatif

        #Create new object for logging
        $obj = New-Object PSObject
        $obj | Add-Member -MemberType NoteProperty -Name "Name" -Value $DisabledUser.name
        $obj | Add-Member -MemberType NoteProperty -Name "samAccountName" -Value $DisabledUser.samaccountname
        $obj | Add-Member -MemberType NoteProperty -Name "DistinguishedName" -Value $DisabledUser.DistinguishedName
        $obj | Add-Member -MemberType NoteProperty -Name "Status" -Value 'Disabled'

        #Adds object to the log array
        $LogArray += $obj

    }

    # Move disabled users in Temp Associates group to Disabled OU 
    Search-ADAccount –AccountDisabled –UsersOnly –SearchBase “CN=Temp Associates,OU=Res Accounts,DC=our,DC=domain,DC=org”  | 
    Move-ADObject –TargetPath “OU=Disabled,DC=our,DC=domain,DC=org” -WhatIf

    #Exports log array to CSV file in the temp directory with a date and time stamp in the file name.
    $logArray | Export-Csv "C:\Temp\User_Report_$logDate.csv" -NoTypeInformation

    #Send e-mail to Global Helpdesk with report generated
    $emailFrom = "sender@mail.com" 
    $emailTo = "recipient@mail.com" 
    $subject = "NA Disabled Temp Users to be deleted" 
    $smtpServer = "smtp.server.com"
    $attachment = "C:\Temp\User_Report_$logDate.csv"


    Send-MailMessage -To $emailTo -From $emailFrom -Subject $subject -SmtpServer $smtpServer -attachment $attachment
}else {
    Write-Output "No disabled users to process for $PasswordAge."
}
Jim
  • 18,673
  • 5
  • 49
  • 65
  • Sound advice. I tend to use `write-verbose` which enables the extra output to be enabled or disabled by the `-verbose` switch. – andyb Aug 08 '14 at 23:42
  • @andyb Yea, I generally use that too but in a script context like this, I do not think `-verbose` works. It would need to be inside of a function with `[CmdletBinding()]`. Correct me if I am wrong, however. – Jim Aug 08 '14 at 23:46
  • It will work. Just need to add the `[CmdletBinding()]` and an empty `Param()` line. – andyb Aug 08 '14 at 23:49
  • I thought I already posted a reply thanking you for your quick response, but I'm not seeing it. Anyway, thanks again. I have made the changes you described to add some error checking. I'm currently waiting on a test account to be created and then I will know for sure whether it is fully functional or not. Appreciate your detailed and quick response. – brent0324 Aug 12 '14 at 23:58
0

i found that the code in the if is never executed. You must replace $DisabledUsers.Count > 0 with $DisabledUsers.Count -gt 0

Francesco
  • 1