How to exclude 1 OU from a script

Time:04-02

So I'm trying to get a PowerShell script that will search for and disable all accounts that have been inactive for X amount of days. But I want it to skip over 1 OU, where it doesn't search and disable any of the users in that OU, and then move all the disabled users to 1 single OU.

This is the code I currently have. I am missing the exclude portion.

Use this code to disable accounts that have been inactive for X amount of days

# [timespan]0d is a zero-length span ("d" is the decimal suffix and a bare number cast to [timespan] is ticks);
# use (New-TimeSpan -Days N) for an N-day window.
Search-ADAccount -SearchBase "OU=example,DC=example,DC=com" -AccountInactive -TimeSpan ([timespan]0d) -UsersOnly | Set-ADUser -Enabled $false

Use this code to move users

Get-ADUser -SearchBase "OU=example,DC=example,DC=com" -Filter {Enabled -eq $false} | Move-ADObject -TargetPath "OU=Computers,OU=example,DC=example,DC=com"

I'm not 100% sure how to use the exclude command, and I tried googling and finding other scripts that could potentially work, but nothing has so far.

CodePudding user response:

In theory you could do the whole process in a single pipeline; however, I have not personally tested it. This is not an efficient method to exclude a specific Organizational Unit; however, as you have mentioned in comments, this process takes only seconds for you, so it should be OK.

$ouToExclude = 'OU=example123,DC=example,DC=com'

Search-ADAccount -SearchBase "OU=example,DC=example,DC=com" -AccountInactive -TimeSpan ([timespan]0d) -UsersOnly |
    # Key each user by its parent container: strip the leading "CN=...," up to the first "OU=".
    # The lazy .*? matters: a greedy .* would strip up to the LAST "OU=" and mis-key users in nested OUs.
    Group-Object { $_.DistinguishedName -replace '^CN=.*?(?=OU=)' } |
    # Only users whose DIRECT parent is $ouToExclude are skipped; users in its sub-OUs are still processed.
    Where-Object Name -NE $ouToExclude | ForEach-Object Group |
    Set-ADUser -Enabled $false -PassThru |
    Move-ADObject -TargetPath "OU=Computers,OU=example,DC=example,DC=com"
  1. Search for all inactive user objects
  2. Group the users by their parent OU. This is done with Group-Object and a calculated expression script block
  3. Filter the results where the parent OU is not equal to the $ouToExclude
  4. Pass the group of objects to Set-ADUser to disable them and then with -PassThru we can pass those disabled objects to Move-ADObject

CodePudding user response:

Without seeing the real Distinguished Names of the OUs, I believe it is better to use the non-regex -like operator here to test whether a user is in the (sub-)OU defined in the $exclude variable or not.

Try

$searchBase  = "OU=example,DC=example,DC=com"                   # DN of the OU to search in
$exclude     = 'OU=example123,DC=example,DC=com'                # DN of the OU to exclude
$destination = 'OU=InactiveUsers,OU=example,DC=example,DC=com'  # DN of the OU to move inactive users to

Search-ADAccount -SearchBase $searchBase -AccountInactive -TimeSpan ([timespan]0d) -UsersOnly |
# The leading comma anchors the match on a DN component boundary rather than a bare substring:
# the excluded OU and everything beneath it are skipped.
Where-Object { $_.DistinguishedName -notlike "*,$exclude" } |
ForEach-Object {
    $_ | Set-ADUser -Enabled $false        # disable first; this leaves the DN unchanged
    $_ | Move-ADObject -TargetPath $destination
}
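
Building on the -like approach in this answer, the following is an added example of my own and not code from the question or from any answer here. It wraps the same disable-and-move job in a script that can be dry-run with -WhatIf, excludes any number of OUs together with their sub-OUs by comparing whole DN components, skips accounts that are already disabled, and stamps the reason into the Description attribute. It assumes the ActiveDirectory (RSAT) module is installed; the OU DNs are the thread's placeholders, and the script parameters and the Test-DnUnderOu function are names I chose.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the question or any of the answers.
# Disables users inactive for $InactiveDays, skipping every account inside the
# excluded OUs (sub-OUs included), and moves the rest to $Destination.
# The OU names below are the thread's placeholders; adjust them to your domain.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $SearchBase   = 'OU=example,DC=example,DC=com',
    [string[]] $ExcludedOUs  = @('OU=example123,DC=example,DC=com'),
    [string]   $Destination  = 'OU=InactiveUsers,OU=example,DC=example,DC=com',
    [int]      $InactiveDays = 90
)

# $true when the DN is one of the excluded OUs or sits anywhere beneath one.
# Matching is on whole DN components: the ",<OU DN>" suffix must follow a comma,
# so "OU=example1234" is never mistaken for "OU=example123". Case-insensitive,
# as AD distinguished names are.
function Test-DnUnderOu {
    param(
        [Parameter(Mandatory)] [string]   $DistinguishedName,
        [Parameter(Mandatory)] [string[]] $ParentOU
    )
    foreach ($ou in $ParentOU) {
        if ($DistinguishedName -eq $ou) { return $true }
        if ($DistinguishedName.EndsWith(",$ou", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# [timespan]0d in the thread is a zero-length span ("d" is the decimal suffix,
# and a bare number cast to [timespan] is ticks), so build the window from days.
$window = New-TimeSpan -Days $InactiveDays

$candidates = Search-ADAccount -SearchBase $SearchBase -AccountInactive -TimeSpan $window -UsersOnly |
    Where-Object {
        # Already-disabled accounts (e.g. from a previous run) are left alone so
        # their Description stamp is not overwritten.
        $_.Enabled -and
        -not (Test-DnUnderOu -DistinguishedName $_.DistinguishedName -ParentOU $ExcludedOUs)
    }

foreach ($user in $candidates) {
    $dn = $user.DistinguishedName
    # ShouldProcess honours -WhatIf / -Confirm, so the script can be dry-run first.
    if ($PSCmdlet.ShouldProcess($dn, "Disable and move to $Destination")) {
        # Record why and when the account was disabled (overwrites any existing
        # Description) so the change is explainable during a later review.
        Set-ADUser -Identity $dn -Enabled $false `
            -Description ('Disabled for {0}+ days of inactivity on {1:yyyy-MM-dd}' -f $InactiveDays, (Get-Date))
        # Disabling does not change the DN, so the same $dn still identifies the object.
        Move-ADObject -Identity $dn -TargetPath $Destination
    }
}
```

Run it once as `.\Disable-InactiveUsers.ps1 -InactiveDays 90 -WhatIf` (hypothetical file name) and read the list of DNs it would touch before running it for real. Keep in mind that -AccountInactive is evaluated from the replicated lastLogonTimestamp attribute, which can lag the real last logon by up to about 14 days, so treat the inactivity window as approximate rather than exact.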

CodePudding user response:

$excludedOU   = 'OU=skip,OU=example,DC=example,DC=com'
# A single account that must never be touched, even though it sits inside the search base.
$excludedUser = 'CN=Admin,OU=Users,OU=example,DC=example,DC=com'

Search-ADAccount -SearchBase "OU=example,DC=example,DC=com" -AccountInactive -TimeSpan ([timespan]0d) -UsersOnly |
    # -notlike with a leading comma skips the OU and everything beneath it; -ne skips the one named account.
    Where-Object { $_.DistinguishedName -notlike "*,$excludedOU" -and $_.DistinguishedName -ne $excludedUser } |
    Set-ADUser -Enabled $false -PassThru |
    Move-ADObject -TargetPath "OU=Computers,OU=example,DC=example,DC=com"