How to find users who were disabled specific dates

Time:02-03

Could someone help me find disabled accounts from AD within a specific timeframe?

For example, I can run a script that shows me the last 30 days, 60 , 90 whatever

Search-ADAccount -SearchBase "DC=corp,DC=ad,DC=iata,DC=org" -AccountDisabled -UsersOnly | Get-ADUser -Properties whenChanged | Where whenChanged -gt (Get-Date).AddDays(-60) | Export-CSV "C:\Disabledusers60.CSV" -NoTypeInformation

The problem is that this way I would see the present ones from January 2022 as well, and my idea is to be able to run it for a specific date, so that at the end of February I have a list of users disabled between the 1st of December and the 31st of December. Then in March I would have the list from the 1st of January till the 31st of January, and so on.

That way it will not pull the last 60 days from AD, including the disabled accounts from the current month.

Sorry for the long explanation; hopefully someone can shed some light here.

CodePudding user response:

This should give you a list of AD users which are disabled and whose whenChanged attribute is between the first and last day of the month.

$today = [datetime]::Today
# First and last instant of the current month. AddMonths(1) rolls over correctly
# in December, where $today.Month + 1 would produce an invalid month 13.
# AD stores whenChanged in UTC, so convert before formatting as LDAP generalized time.
$firstOfMonth = [datetime]::new($today.Year, $today.Month, 1, 0, 0, 0)
$firstDay = $firstOfMonth.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
$lastDay  = $firstOfMonth.AddMonths(1).AddSeconds(-1).ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')

$params = @{
    SearchBase = "DC=corp,DC=ad,DC=iata,DC=org"
    Properties = "whenChanged"
    LDAPFilter = "(&(userAccountControl:1.2.840.113556.1.4.803:=2)(whenChanged>=$firstDay)(whenChanged<=$lastDay))"
}

Get-ADUser @params | Export-Csv ...

CodePudding user response:

As commented, the whenChanged attribute is not necessarily the date and time a user was disabled, because there could have been other modifications to the user account afterwards.

How about probing the Windows Event Log for event 4725 (==> a user account was disabled)?

# example timeframe December 2021
$startTime = [datetime]'12/1/2021'
# last instant of the month; AddDays(-1) would stop at 00:00 on the 31st and drop that day's events
$endTime   = $startTime.AddMonths(1).AddTicks(-1)
$filter = @{LogName='Security';ProviderName='Microsoft-Windows-Security-Auditing';ID=4725;StartTime=$startTime;EndTime=$endTime }
# event 4725 is written only on the DC that processed the change, so repeat this for each DC if you have more than one
$result = Get-WinEvent -FilterHashtable $filter -ComputerName <YourDC> | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml   = ([xml]$_.ToXml()).Event
    $userName   = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    $userSID    = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'TargetSid' }).'#text'
    $userDomain = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
    # output the properties you need
    [PSCustomObject]@{
        UserName   = $userName
        UserSID    = $userSID
        UserDomain = $userDomain
        Disabled   = [DateTime]$eventXml.System.TimeCreated.SystemTime
    }
}

# output on screen
$result

# output to CSV file
$outFile = 'X:\DisabledUsers_{0:MMM-yyyy}.csv' -f $startTime
$result | Export-Csv -Path $outFile -NoTypeInformation
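Building on the event-log approach above, here is an added example (not from either answer) that wraps it in a function taking a year and month, collects event 4725 from every domain controller rather than a single one, and returns one row per account. It assumes the RSAT ActiveDirectory module (for Get-ADDomainController) and that "Audit User Account Management" success auditing is enabled on the DCs.

```powershell
# Added example: accounts disabled in a given month, collected from all DCs.
# Assumes the ActiveDirectory module and success auditing for user account management.
function Get-DisabledAccountsForMonth {
    param(
        [Parameter(Mandatory)][int]$Year,
        [Parameter(Mandatory)][ValidateRange(1, 12)][int]$Month,
        # default: every DC in the domain, because 4725 is logged only where the change was processed
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    # AddMonths(1) handles the December rollover; AddTicks(-1) keeps the last day inclusive
    $start = [datetime]::new($Year, $Month, 1, 0, 0, 0)
    $end   = $start.AddMonths(1).AddTicks(-1)
    $filter = @{ LogName = 'Security'; ProviderName = 'Microsoft-Windows-Security-Auditing'
                 ID = 4725; StartTime = $start; EndTime = $end }

    $events = foreach ($dc in $DomainController) {
        # Get-WinEvent raises an error when a DC has no matching events; that is not a failure here
        Get-WinEvent -FilterHashtable $filter -ComputerName $dc -ErrorAction SilentlyContinue |
            ForEach-Object {
                $data = ([xml]$_.ToXml()).Event.EventData.Data
                [PSCustomObject]@{
                    UserName   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                    UserSID    = ($data | Where-Object Name -eq 'TargetSid').'#text'
                    UserDomain = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
                    DisabledBy = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
                    Disabled   = $_.TimeCreated
                    DC         = $dc
                }
            }
    }
    # one row per account (by SID), keeping the earliest disable event in the month
    $events | Sort-Object Disabled | Group-Object UserSID | ForEach-Object { $_.Group[0] }
}

# December 2021, as in the question; the output path is a constructed sample value
Get-DisabledAccountsForMonth -Year 2021 -Month 12 |
    Export-Csv -Path ('C:\DisabledUsers_{0:yyyy-MM}.csv' -f [datetime]::new(2021, 12, 1)) -NoTypeInformation
```

The DisabledBy column comes from the event's Subject fields, which is useful when reviewing who performed each disable.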