Move-DisabledUsers

1. ###########################################################
2. #
3. # AUTHOR  : PowerMonkey500
4. #
5. # WARNING: THIS SCRIPT WILL OVERWRITE EXTENSIONATTRIBUTE3, MAKE SURE YOU ARE NOT USING IT FOR ANYTHING ELSE
6. #
7. # Make sure you create the OU structure as detailed in the "declarations" section. This script will not create the OUs for you.
8. #
9. ###########################################################
10.  
11. #LOGGING FUNCTION - starts transcript and cleans logs older than specified retention date.
12. Function Start-Logging{
13.     param (
14.         [Parameter(Mandatory=$true)][String]$LogDirectory,
15.         [Parameter(Mandatory=$true)][String]$LogName,
16.         [Parameter(Mandatory=$true)][Int]$LogRetentionDays
17.         )
18.  
19.     #Sets screen buffer from 120 width to 500 width. This stops truncation in the log.
20.     $ErrorActionPreference = 'SilentlyContinue'
21.     $pshost = get-host
22.     $pswindow = $pshost.ui.rawui
23.  
24.     $newsize = $pswindow.buffersize
25.     $newsize.height = 3000
26.     $newsize.width = 500
27.     $pswindow.buffersize = $newsize
28.  
29.     $newsize = $pswindow.windowsize
30.     $newsize.height = 50
31.     $newsize.width = 500
32.     $pswindow.windowsize = $newsize
33.     $ErrorActionPreference = 'Continue'
34.  
35.     #Create log directory if it does not exist already
36.     If (!(Test-Path $LogDirectory)){mkdir $LogDirectory}
37.  
38.     #Starts logging.
39.     New-Item -ItemType directory -Path $LogDirectory -Force | Out-Null
40.     $Today = Get-Date -Format M-d-y
41.     Start-Transcript -Append -Path ($LogDirectory + "\" + $LogName + "." + $Today + ".log") | Out-Null
42.  
43.     #Shows proper date in log.
44.     Write-Output ("Start time: " + (Get-Date))
45.  
46.     #Purges log files older than X days
47.     $RetentionDate = (Get-Date).AddDays(-$LogRetentionDays)
48.     Get-ChildItem -Path $LogDirectory -Recurse -Force | Where-Object { !$_.PSIsContainer -and $_.CreationTime -lt $RetentionDate } | Remove-Item -Force
49. }
50.  
51. #DECLARATIONS
52.     #Declares misc variables.
53.     $LogDirectory = "C:\Logs\Disable-InactiveADAccountsLog" #No trailing slash
54.     $LogName = "Disable-InactiveADAccountsLog"
55.     $MovedUsers = 0 #Leave at 0.
56.     $MovedComputers = 0 #Leave at 0.
57.  
58.     $ParentOU = "OU=Disabled Objects,DC=domain,DC=local"
59.  
60.     #CREATE AN OU STRUCTURE UNDER YOUR PARENT OU AS FOLLOWS:
61.     #
62.     # Parent OU (specified above)
63.     # -> Users
64.     # --> 0-30 Days
65.     # --> 30-180 Days
66.     # --> Over 180 Days
67.     #
68.     # -> Computers
69.     # --> 0-30 Days
70.     # --> 30-180 Days
71.     # --> Over 180 Days
72.  
73. #START LOGGING
74. Start-Logging -logdirectory $LogDirectory -logname $LogName -LogRetentionDays 30
75.  
76. #MOVE NEWLY DISABLED USERS
77.     Write-Host ""
78.     Write-Output "NEWLY DISABLED MOVE:"
79.     #Gets all newly users. msExchRecipientTypeDetails makes sure we are excluding things like shared mailboxes.
80.     Write-Output "Getting newly disabled users..."
81.     $DisabledUsers = Search-ADAccount -AccountDisabled -UsersOnly | Get-ADUser -Properties msExchRecipientTypeDetails,info,Enabled,distinguishedName,ExtensionAttribute3 | Where {@(1,128,65536,2097152,2147483648,$null) -contains $_.msExchRecipientTypeDetails -and $_.DistinguishedName -notlike "*Builtin*"}
82.  
83.     Write-Output ($DisabledUsers.Count.toString() + " newly disabled user objects were found.")
84.  
85.     #Loops through the newly disabled users found.
86.     ForEach ($DisabledUser in $DisabledUsers){
87.         #Moves the user.
88.         Write-Output ("Moving user: " + $DisabledUser.SamAccountName + "...")
89.         Move-ADObject -Identity $DisabledUser.DistinguishedName -TargetPath "OU=0-30 Days,OU=Users,$ParentOU"
90.         $MovedUsers++
91.  
92.         #Sets the info (notes) field with the old OU.
93.         #Formats the new info field (notes). Retains old info if any exists.
94.         Write-Output ("Setting info field for user: " + $DisabledUser.SamAccountName + "...")
95.         #Gets the parent OU.
96.         $OU = $DisabledUser.DistinguishedName.Split(',',2)[1]
97.         If ($DisabledUser.Info -eq $null -or $DisabledUser.Info -eq ""){$NewInfo = "OLD OU: " + $OU}
98.         Else{$NewInfo = "OLD OU: " + $OU + "`n" + $DisabledUser.Info}
99.         Set-ADUser -Identity $DisabledUser.SamAccountName -Replace @{info=$NewInfo}
100.  
101.         #Sets ExtensionAttribute3 for the date of disablement if not already set.
102.         If ($DisabledUser.ExtensionAttribute3 -notlike "*DISABLED*" -and $DisabledUser.ExtensionAttribute3 -notlike "*INACTIVE*"){
103.             $Date = "DISABLED ON " + (Get-Date)
104.             Write-Output ("Setting ExtensionAttribute3 for user: " + $DisabledUser.SamAccountName + "...")
105.             Set-ADUser -Identity $DisabledUser.SamAccountName -Replace @{ExtensionAttribute3=$Date}
106.         }
107.     }
108.  
109. #MOVE NEWLY DISABLED COMPUTERS
110.     #Get disabled computer accounts.
111.     Write-Output "Getting disabled computers..."
112.     $DisabledComputers =  Get-ADComputer -Filter * -Properties Enabled,Description,distinguishedName,ExtensionAttribute3 | Where {`
113.         $_.Enabled -eq $False -and `
114.         $_.DistinguishedName -notlike "*$ParentOU"
115.     }
116.  
117.     Write-Output ($DisabledComputers.Count.toString() + " newly disabled computer objects were found.")
118.  
119.     ForEach ($DisabledComputer in $DisabledComputers){
120.     #Moves the Computer.
121.         Write-Output ("Moving computer: " + $DisabledComputer.SamAccountName + "...")
122.         Move-ADObject -Identity $DisabledComputer.DistinguishedName -TargetPath "OU=0-30 Days,OU=Computers,$ParentOU"
123.         $MovedComputers++
124.  
125.         #Sets the description (notes) field with the old OU.
126.         #Formats the new description field (notes). Retains old Description if any exists.
127.         Write-Output ("Setting Description field for computer: " + $DisabledComputer.SamAccountName + "...")
128.         #Gets the parent OU.
129.         $OU = $DisabledComputer.DistinguishedName.Split(',',2)[1]
130.         If ($DisabledComputer.Description -eq $null -or $DisabledComputer.Description -eq ""){$NewDescription = "OLD OU: " + $OU}
131.         Else{$NewDescription = "OLD OU: " + $OU + " | " + $DisabledComputer.Description}
132.         Set-ADComputer -Identity $DisabledComputer.SamAccountName -Replace @{Description=$NewDescription}
133.  
134.         #Sets ExtensionAttribute3 for the date of disablement if not already set.
135.         If ($DisabledComputer.ExtensionAttribute3 -notlike "*DISABLED*" -and $DisabledComputer.ExtensionAttribute3 -notlike "*INACTIVE*"){
136.             $Date = "DISABLED ON " + (Get-Date)
137.             Write-Output ("Setting ExtensionAttribute3 for computer: " + $DisabledComputer.SamAccountName + "...")
138.             Set-ADComputer -Identity $DisabledComputer.SamAccountName -Replace @{ExtensionAttribute3=$Date}
139.         }
140.     }
141.  
142. #INCREMENT THROUGH OUS BASED ON AGE
143.     Write-Host ""
144.     Write-Output "OU INCREMENTATION:"
145.     #Gets objects in the disabled OU
146.     $DisabledOUUsers = Get-ADUser -Filter * -SearchBase "$ParentOU" -Properties ExtensionAttribute3,DistinguishedName,SamAccountName
147.     $DisabledOUComputers = Get-ADComputer -Filter * -SearchBase "$ParentOU" -Properties ExtensionAttribute3,DistinguishedName,SamAccountName
148.  
149.     #USERS
150.         #Declares counts for output.
151.         $30to180DayMovedUsers = 0
152.         $180DayMovedUsers = 0
153.  
154.         #Loops through users and checks if older than 30 days.
155.         ForEach ($DisabledOUUser in $DisabledOUUsers){
156.             #Sets the date disabled if not already set
157.             If ($DisabledOUUser.ExtensionAttribute3 -eq "" -or $DisabledOUUser.ExtensionAttribute3 -eq $null){
158.                 Write-Output ("Setting ExtensionAttribute 3 for user: " + $DisabledOUUser.SamAccountName + " (user was in disabled objects OU but did not have a disabled date.)")
159.  
160.                 $Date = "DISABLED ON " + (Get-Date)
161.                 Set-ADUser -Identity $DisabledOUUser.SamAccountName -Replace @{ExtensionAttribute3=$Date}
162.  
163.                 #Sets the variable for comparison in the rest of the loop. It was null.
164.                 $DisabledOUUser.ExtensionAttribute3 = $Date
165.             }
166.  
167.             #Extracts the date disabled for comparison.
168.             #If disabled by hand, count from the disable date
169.             If ($DisabledOUUser.ExtensionAttribute3 -like "DISABLED ON*"){
170.                 $DateDisabled = [datetime]($DisabledOUUser.ExtensionAttribute3.Replace('DISABLED ON ',''))
171.                 $DaysDisabled = (New-TimeSpan -Start $DateDisabled -End (Get-Date)).Days
172.             }
173.             #If auto-disabled because of inactivity, add an extra 30 days to account for that so that we are counting from date disabled rather than last activity date.
174.             ElseIf ($DisabledOUUser.ExtensionAttribute3 -like "INACTIVE SINCE*"){
175.                 $DateDisabled = [datetime]($DisabledOUUser.ExtensionAttribute3.Replace('INACTIVE SINCE ',''))
176.                 $DaysDisabled = (New-TimeSpan -Start $DateDisabled.AddDays(30) -End (Get-Date)).Days
177.             }
178.             Else {Write-Error ($DisabledOUUser.SamAccountName + " has an invalid disable date in ExtensionAttribute3.")}
179.  
180.             #Increment through OUs
181.             If ($DaysDisabled -ge 30 -and $DaysDisabled -le 180 -and $DisabledOUUser.DistinguishedName -notlike "*OU=30-180 Days,OU=Users,$ParentOU"){
182.                 Write-Output ("Moving user to the 30-180 Days OU: " + $DisabledOUUser.SamAccountName)
183.                 Move-ADObject -Identity $DisabledOUUser.DistinguishedName -TargetPath "OU=30-180 Days,OU=Users,$ParentOU"
184.                 $30to180DayMovedUsers++
185.             }
186.             Else {
187.                 If ($DaysDisabled -gt 180 -and $DisabledOUUser.DistinguishedName -notlike "*OU=Over 180 Days,OU=Users,$ParentOU"){
188.                     Write-Output ("Moving user to the Over 180 Days OU: " + $DisabledOUUser.SamAccountName)
189.                     Move-ADObject -Identity $DisabledOUUser.DistinguishedName -TargetPath "OU=Over 180 Days,OU=Users,$ParentOU"
190.                     $180DayMovedUsers++
191.                 }
192.             }
193.         }
194.  
195.     #COMPUTERS
196.         #Declares counts for output.
197.         $30to180DayMovedComputers = 0
198.         $180DayMovedComputers = 0
199.  
200.  
201.         #Loops through computers and checks if older than 90 days.
202.         ForEach ($DisabledOUComputer in $DisabledOUComputers){
203.             #Sets the date disabled if not already set
204.             If ($DisabledOUComputer.ExtensionAttribute3 -eq "" -or $DisabledOUComputer.ExtensionAttribute3 -eq $null){
205.                 Write-Output ("Setting ExtensionAttribute 3 for Computer: " + $DisabledOUComputer.SamAccountName + " (computer was in disabled objects OU but did not have a disabled date.)")
206.  
207.                 $Date = "DISABLED ON " + (Get-Date)
208.                 Set-ADComputer -Identity $DisabledOUComputer.SamAccountName -Replace @{ExtensionAttribute3=$Date}
209.  
210.                 #Sets the variable for comparison in the rest of the loop. It was null.
211.                 $DisabledOUComputer.ExtensionAttribute3 = $Date
212.             }
213.  
214.             #Extracts the date disabled for comparison.
215.             $DateDisabled = [datetime]($DisabledOUComputer.ExtensionAttribute3.Replace('DISABLED ON ',''))
216.             $DaysDisabled = (New-TimeSpan -Start $DateDisabled -End (Get-Date)).Days
217.  
218.             #Increment through OUs
219.             If ($DaysDisabled -ge 30 -and $DaysDisabled -le 180 -and $DisabledOUComputer.DistinguishedName -notlike "*OU=30-180 Days,OU=Computers,$ParentOU"){
220.                 Write-Output ("Moving computer to the 30-180 Days OU: " + $DisabledOUComputer.SamAccountName)
221.                 Move-ADObject -Identity $DisabledOUComputer.DistinguishedName -TargetPath "OU=30-180 Days,OU=Computers,$ParentOU"
222.                 $30to180DayMovedComputers++
223.             }
224.             Else{
225.                 If ($DaysDisabled -gt 180 -and $DisabledOUComputer.DistinguishedName -notlike "*OU=Over 180 Days,OU=Computers,$ParentOU"){
226.                     Write-Output ("Moving computer to the Over 180 Days OU: " + $DisabledOUComputer.SamAccountName)
227.                     Move-ADObject -Identity $DisabledOUComputer.DistinguishedName -TargetPath "OU=Over 180 Days,OU=Computers,$ParentOU"
228.                     $180DayMovedComputers++
229.             }
230.         }
231.     }
232.  
233. #SUMMARY OUTPUT
234.     #Writes the counts of what was modified etc.
235.     Write-Output "TOTALS:"
236.     $MovedUsers = $MovedUsers.tostring()
237.     Write-Output ($MovedUsers + " users were moved to the 0-30 Days OU.")
238.     $MovedComputers = $MovedComputers.tostring()
239.     Write-Output ($MovedComputers + " computers were moved to the 0-30 Days OU.")
240.     Write-Output ""
241.     $30to180DayMovedUsers = $30to180DayMovedUsers.tostring()
242.     Write-Output ($30to180DayMovedUsers + " users were moved to the 30-180 Days OU.")
243.     $30to180DayMovedComputers = $30to180DayMovedComputers.tostring()
244.     Write-Output ($30to180DayMovedComputers + " computers were moved to the 30-180 Days OU.")
245.     Write-Output ""
246.     $180DayMovedUsers = $180DayMovedUsers.tostring()
247.     Write-Output ($180DayMovedUsers + " users were moved to the Over 180 Days OU.")
248.     $180DayMovedComputers = $180DayMovedComputers.tostring()
249.     Write-Output ($180DayMovedComputers + " computers were moved to the Over 180 Days OU.")
250.     Write-Output ""
251.  
252. #ATTRIBUTE CLEANUP
253.     #Gets all AD objects outside of the "disabled objects" OU with ExtensionAttribute3 set and clears it.
254.     Write-Output ""
255.     Write-Output "ATTRIBUTE CLEANUP:"
256.     Write-Output "Getting non-disabled objects with ExtensionAttribute3 set..."
257.     $NonDisabledUsers = Get-ADUser -Filter * -Properties DistinguishedName,ExtensionAttribute3,SamAccountName,Enabled | Where {`
258.         $_.DistinguishedName -NotLike "*$ParentOU" -and `
259.         $_.Enabled -eq $True -and `
260.         $_.ExtensionAttribute3 -ne "" -and `
261.         $_.ExtensionAttribute3 -ne $null `
262.     }
263.     $NonDisabledComputers = Get-ADComputer -Filter * -Properties DistinguishedName,ExtensionAttribute3,SamAccountName,Enabled | Where {`
264.         $_.DistinguishedName -NotLike "*$ParentOU" -and `
265.         $_.Enabled -eq $True -and `
266.         $_.ExtensionAttribute3 -ne "" -and `
267.         $_.ExtensionAttribute3 -ne $null `
268.     }
269.  
270.     Write-Output (($NonDisabledUsers.SamAccountName.Count).ToString() + " users were found.")
271.     Write-Output (($NonDisabledComputers.SamAccountName.Count).ToString() + " computers were found.")
272.  
273.     ForEach ($NonDisabledUser in $NonDisabledUsers){
274.         Write-Output ("Clearing ExtensionAttribute3 for user: " + $NonDisabledUser.SamAccountName)
275.         Set-ADUser -Identity $NonDisabledUser.SamAccountName -Clear ExtensionAttribute3
276.     }
277.  
278.     ForEach ($NonDisabledComputer in $NonDisabledComputers){
279.         Write-Output ("Clearing ExtensionAttribute3 for computer: " + $NonDisabledComputer.SamAccountName)
280.         Set-ADComputer -Identity $NonDisabledComputer.SamAccountName -Clear ExtensionAttribute3
281.     }
282.  
283. Stop-Transcript