[Scripts] tìm và khoá user không hoạt động trong vòng 90 ngày trên active directiory
Script tìm và disable các account không đăng nhập trong vòng 90 ngày trên AD
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 |
# disableUsers.ps1 # Set msDS-LogonTimeSyncInterval (days) to a sane number. By # default lastLogonDate only replicates between DCs every 9-14 # days unless this attribute is set to a shorter interval. # Also, make sure to create the EventLog source before running, or # comment out the Write-EventLog lines if no event logging is # needed. Only needed once on each machine running this script. # New-EventLog -LogName Application -Source "DisableUsers.ps1" # Remove "-WhatIf"s before putting into production. Import-Module ActiveDirectory $inactiveDays = 90 $neverLoggedInDays = 90 $disableDaysInactive=(Get-Date).AddDays(-($inactiveDays)) $disableDaysNeverLoggedIn=(Get-Date).AddDays(-($neverLoggedInDays)) # Identify and disable users who have not logged in in x days $disableUsers1 = Get-ADUser -Filter {Enabled -eq $TRUE} -Properties lastLogonDate, whenCreated, distinguishedName | Where-Object {($_.lastLogonDate -lt $disableDaysInactive) -and ($_.lastLogonDate -ne $NULL)} $disableUsers1 | ForEach-Object { Disable-ADAccount $_ #Write-EventLog -Source "DisableUsers.ps1" -EventId 9090 -LogName Application -Message "Attempted to disable user $_ because the last login was more than $inactiveDays ago." } # Identify and disable users who were created x days ago and never logged in. $disableUsers2 = Get-ADUser -Filter {Enabled -eq $TRUE} -Properties lastLogonDate, whenCreated, distinguishedName | Where-Object {($_.whenCreated -lt $disableDaysNeverLoggedIn) -and (-not ($_.lastLogonDate -ne $NULL))} $disableUsers2 | ForEach-Object { Disable-ADAccount $_ #Write-EventLog -Source "DisableUsers.ps1" -EventId 9091 -LogName Application -Message "Attempted to disable user $_ because user has never logged in and $neverLoggedInDays days have passed." } |