Hey everyone! I'm working for a small outsourcing company with about 1,000 users, but only around 20-30 log in daily. My boss is worried about security because many users go months without logging in. He wants to establish a process to disable user accounts after 90 days of inactivity and move them to an "archive" OU after 12 months, also stripping their group memberships and logging that for records. Is there a good way to automate this, preferably with a PowerShell script? Any tips for someone who's more familiar with installing software than managing user accounts would be greatly appreciated!
1 Answer
You can set up a scheduled task in PowerShell to handle this. You'd define your inactivity threshold (like 90 days) and query for users who haven't logged in since then. If you find any, you can disable their accounts and log the necessary info as part of your process. Here's a simple outline:
```powershell
Import-Module ActiveDirectory

$InactivityThreshold = 90
$CurrentDate = Get-Date
$CutoffDate = $CurrentDate.AddDays(-$InactivityThreshold)

# Only enabled accounts whose last logon is older than the cutoff, so accounts that are
# already disabled are not processed again on every run.
$InactiveUsers = Get-ADUser -Filter {Enabled -eq $true -and LastLogonDate -lt $CutoffDate} -Properties LastLogonDate

foreach ($user in $InactiveUsers) {
    Disable-ADAccount -Identity $user.SamAccountName
    Set-ADUser -Identity $user.SamAccountName -Description "Disabled due to inactivity for $InactivityThreshold days"
}
Write-Host "Finished disabling inactive users."
```
This is a basic example; just ensure you test it properly to avoid any issues with service accounts or newly created accounts that haven’t logged in yet!
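The answer covers the 90-day disable step; the 12-month archive step from the question (record and strip group memberships, move to an archive OU, log it) is shown below as an added example that is not part of the answer. It assumes the ActiveDirectory module is installed, and `$ArchiveOU` and `$LogPath` are placeholders to replace with your own values.

```powershell
# Added example, not the answerer's code. Second stage of the process the question
# describes. Assumptions: ActiveDirectory module installed; $ArchiveOU and $LogPath are
# placeholders; run under an account allowed to modify users and groups.
Import-Module ActiveDirectory

$ArchiveAfterDays = 365
$ArchiveOU        = 'OU=Archive,DC=example,DC=com'   # placeholder, set to your archive OU
$LogPath          = 'C:\Logs\ad-archive-log.csv'      # placeholder
$WhatIfPreference = $true   # dry run by default; set to $false to apply the changes
$Cutoff           = (Get-Date).AddDays(-$ArchiveAfterDays)

# One CSV row per action, so memberships can be audited or restored later.
function Write-ArchiveLog {
    param([string]$Sam, [string]$Action, [string]$Detail)
    [PSCustomObject]@{
        Timestamp      = (Get-Date).ToString('s')
        SamAccountName = $Sam
        Action         = $Action
        Detail         = $Detail
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

# Candidates: already disabled, last logon AND creation date both older than the cutoff
# (so new accounts that never logged on are skipped), and not already in the archive OU.
$Candidates = Get-ADUser -Filter { Enabled -eq $false -and LastLogonDate -lt $Cutoff -and whenCreated -lt $Cutoff } `
    -Properties LastLogonDate, whenCreated |
    Where-Object { $_.DistinguishedName -notlike "*,$ArchiveOU" }

foreach ($user in $Candidates) {
    # Domain Users is the primary group and cannot be removed this way, so it is skipped.
    $groups = Get-ADPrincipalGroupMembership -Identity $user.DistinguishedName |
        Where-Object { $_.Name -ne 'Domain Users' }
    foreach ($g in $groups) {
        # Log first, then remove, so the record exists even if the removal fails.
        Write-ArchiveLog -Sam $user.SamAccountName -Action 'RemovedFromGroup' -Detail $g.DistinguishedName
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
    }
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $ArchiveOU
    Write-ArchiveLog -Sam $user.SamAccountName -Action 'MovedToArchive' -Detail $ArchiveOU
}
Write-Host "Processed $(@($Candidates).Count) account(s) for archiving (WhatIf=$WhatIfPreference)."
```

Note that LastLogonDate is derived from lastLogonTimestamp, which domain controllers replicate with a lag of up to about two weeks by default, so it is suitable for 90-day and 12-month thresholds but not for precise recent-logon checks.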
Good advice! Just make sure not to accidentally disable new accounts that haven't logged in yet. You might want to include some filters in your query to prevent that from happening.