I encountered a challenge today that was fun to fix. There’s an Organizational Unit in my AD setup that has historically been used to store disabled AD objects instead of deleting them.
When an employee leaves the organization, our standard procedure is as follows:
- Disable the user object
- Move it to a separate OU (e.g. AD://internal.msd/disabled/users)
- Update the Description field with something like: Disabled by [username] on [date]
- Retain the user object for x days, then tombstone it.
Best laid plans of mice and men… yada yada…
With the one-liner below I was able to go through all of the user objects that never had their description updated. I’ll explain it beginning with script line 3:
- (Line 3) Find all users in the OU ‘OU=Users,OU=Disabled,DC=internal,DC=msd’ (customize this to your environment).
- (Line 4) Exclude objects whose description already contains the word “disabled”, so only the objects that were never updated remain.
- (Lines 5-7) Loop through each remaining object and update its description with that object’s last login date.
FYI – this script requires the Quest ActiveRoles PowerShell Toolkit (http://www.quest.com/powershell/activeroles-server.aspx)
1  # This script requires the Quest AD Tools snap-in; the pipeline on lines 3-7 was originally a single line
2  Add-PSSnapin Quest.ActiveRoles.ADManagement
3  Get-QADUser -SearchRoot 'OU=Users,OU=Disabled,DC=internal,DC=msd' |
4      Where-Object { $_.Description -notlike "*disabled*" } |
5      ForEach-Object {
6          Set-QADUser -Identity $_.SamAccountName -Description ("Last Login: " + (Get-QADUser $_.SamAccountName).LastLogon)
7      }
I’m sure there’s a more elegant way to handle this, but in 30 minutes I created this one-liner and updated a lot of user objects.
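For readers who don’t have the Quest snap-in, the same clean-up can be done with the Microsoft ActiveDirectory module. The script below is an added example and is not code from the original post; it assumes the RSAT ActiveDirectory module is installed, that $SearchBase is adjusted to your own “disabled users” OU (the path from the post is used as a placeholder), and that it is saved under a file name of your choosing (Update-DisabledUserDescriptions.ps1 is used in the usage note). It goes a little beyond the one-liner: it supports -WhatIf for a dry run, reads the replicated LastLogonTimestamp attribute rather than the per-DC lastLogon value, and warns about any account that sits in the disabled OU but is still enabled.

```powershell
# Added example, not from the original post: the same clean-up written against the
# Microsoft ActiveDirectory module (RSAT) instead of the Quest snap-in, with a dry-run
# mode and a report of what changed. Assumptions: the ActiveDirectory module is
# installed, and $SearchBase is adjusted to your own "disabled users" OU.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Users,OU=Disabled,DC=internal,DC=msd'   # placeholder OU path from the post
)

Import-Module ActiveDirectory

# Fetch only the attributes we need. LastLogonTimestamp is replicated between DCs
# (updated at most about every 14 days), so one query is enough; the raw lastLogon
# attribute is per-DC and would have to be read from every DC to be trustworthy.
$users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties Description, LastLogonTimestamp

$report = foreach ($u in $users) {
    # An account that is still enabled inside the "disabled" OU deserves a look
    # regardless of what its description says.
    if ($u.Enabled) {
        Write-Warning "$($u.SamAccountName) sits in $SearchBase but is still enabled"
    }

    # Skip objects that already carry the "Disabled by ..." marker.
    if ($u.Description -like '*disabled*') { continue }

    $lastLogon = if ($u.LastLogonTimestamp) {
        [DateTime]::FromFileTime($u.LastLogonTimestamp).ToString('yyyy-MM-dd')
    } else {
        'never'
    }
    $newDescription = "Last Login: $lastLogon"

    # With -WhatIf this only prints the intended change; without it the description is written.
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Set description to '$newDescription'")) {
        Set-ADUser -Identity $u -Description $newDescription
    }

    # One row per touched object so the run can be reviewed or kept as a change record.
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        OldDescription = $u.Description
        NewDescription = $newDescription
    }
}

$report | Format-Table -AutoSize
```

Run it once as `.\Update-DisabledUserDescriptions.ps1 -WhatIf` to see which objects would be changed, then again without -WhatIf to apply the descriptions; the table printed at the end is the list of objects that were (or would be) updated.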
Cheers!