0 votes

Hello,

I'm trying to create a daily scheduled task that automatically disables users' AD accounts who haven't logged in to the domain in 45 days. At the same time, I want to send out emails to those users 7 days and 24 hours prior to their accounts being disabled in order to give them a chance to log in and reset the 45-day timer.

Thus far I've come up with a scheduled task that looks like the following. Is this the best way to handle this use-case?

[screenshot of the scheduled task]

I'd appreciate any guidance around best practices or ways I can make this task more resilient. For instance, how could I make sure that I catch all accounts that have last logon dates earlier than the 45-day cutoff?

I noticed that Adaxes already provides a built-in condition that checks the user's inactivity period, but it appears to only allow me to select weeks instead of days.

by (480 points)

1 Answer

0 votes
by (289k points)

Hello,

As long as you need to check user logins, it is recommended to validate both the Last Logon and Last-Logon-Timestamp properties. The thing is that the Last Logon property is not replicated and thus contains different values on different domain controllers. At the same time, Last-Logon-Timestamp is replicated but can still contain a value that is in the past compared to that of the Last Logon property. To check whether the dates in the properties match a specific date in the past, the equality comparison of the If <property> <relation> <value> condition cannot be used, as it takes into account the time part of the values compared (up to seconds), which will probably never be met. To achieve the desired result, you need to use the below script in the If PowerShell script returns true condition. In the script, the $days variable specifies the number of days to be added to the current date for comparison. To deduct days, specify the number with a leading minus character (e.g. -45).

$days = -14 # TODO: modify me (negative = days in the past)

# Get Last Logon date. lastLogon is not replicated, so this is only the value held by the
# domain controller Adaxes is connected to. If the attribute is not set, Get() throws and
# MinValue is used, which can never match the comparison date.
try
{
    $lastLogonValue = $Context.TargetObject.Get("lastLogon")
    $lastLogonTime = [DateTime]::FromFileTimeUtc([Int64]::Parse($lastLogonValue))
}
catch
{
    $lastLogonTime = [DateTime]::MinValue
}

$lastLogonDate = $lastLogonTime.Date

# Get Last Logon Timestamp date. lastLogonTimestamp is replicated, but it is only refreshed
# when it is more than 9-14 days stale, so it can lag behind the real last logon.
try
{
    $lastLogonTimestampValue = $Context.TargetObject.Get("lastLogonTimestamp")
    $lastLogonTimestampTime = [DateTime]::FromFileTimeUtc([Int64]::Parse($lastLogonTimestampValue))
}
catch
{
    $lastLogonTimestampTime = [DateTime]::MinValue
}

$lastLogonTimestampDate = $lastLogonTimestampTime.Date

# The newest of the two values is the best evidence of the user's last activity.
# Testing each value separately would send a warning on a stale lastLogon even when
# lastLogonTimestamp shows the user was active recently.
$lastActivityDate = $lastLogonDate
if ($lastLogonTimestampDate -gt $lastActivityDate)
{
    $lastActivityDate = $lastLogonTimestampDate
}

# Compare dates (date part only, so the time of day does not matter)
$compareDate = (([System.DateTime]::UtcNow).AddDays($days)).Date
$Context.ConditionIsMet = ($lastActivityDate -eq $compareDate)

Finally, your Scheduled Task will look like the following: [screenshot of the scheduled task]. In each of the script conditions, the $days variable will have a corresponding value (e.g. -38, -44 and -45).

0

Thank you! This script appears to be working now.

One final question. How could I modify the final condition to ensure that all accounts with login dates of 45 days OR BEFORE are also disabled?

0

Hello,

It can be done by updating the comparison parameters in the script. Here is the exact script you will need to use in the last condition.

$days = -45 # TODO: modify me (negative = days in the past)

# Get Last Logon date. lastLogon is not replicated, so this is only the value held by the
# domain controller Adaxes is connected to. If the attribute is not set, Get() throws and
# MinValue is used, which lets the replicated value below decide.
try
{
    $lastLogonValue = $Context.TargetObject.Get("lastLogon")
    $lastLogonTime = [DateTime]::FromFileTimeUtc([Int64]::Parse($lastLogonValue))
}
catch
{
    $lastLogonTime = [DateTime]::MinValue
}

$lastLogonDate = $lastLogonTime.Date

# Get Last Logon Timestamp date. lastLogonTimestamp is replicated, but it is only refreshed
# when it is more than 9-14 days stale, so it can lag behind the real last logon.
try
{
    $lastLogonTimestampValue = $Context.TargetObject.Get("lastLogonTimestamp")
    $lastLogonTimestampTime = [DateTime]::FromFileTimeUtc([Int64]::Parse($lastLogonTimestampValue))
}
catch
{
    $lastLogonTimestampTime = [DateTime]::MinValue
}

$lastLogonTimestampDate = $lastLogonTimestampTime.Date

# Use the newest of the two values. Testing each value separately with -le would disable
# an account whose lastLogon on this DC is unset or stale even though lastLogonTimestamp
# shows recent activity.
$lastActivityDate = $lastLogonDate
if ($lastLogonTimestampDate -gt $lastActivityDate)
{
    $lastActivityDate = $lastLogonTimestampDate
}

# Compare dates: inactive if the newest logon is on or before the cutoff date.
# Note: an account with neither value set (never logged on) also satisfies this.
$compareDate = (([System.DateTime]::UtcNow).AddDays($days)).Date
$Context.ConditionIsMet = ($lastActivityDate -le $compareDate)
0

Works perfectly. Thank you!

0

Hello - we are testing this script and are finding that it is sending new users an email because the LastLogon or LastLogonTimeStamp is still set to "<not set>". How can this script be modified to omit those users?

0

Hello,

Try using this version of the script:

$days = -45 # TODO: modify me (negative = days in the past)

# Get Last Logon date. lastLogon is not replicated, so this is only the value held by the
# domain controller Adaxes is connected to. If the attribute is not set, Get() throws and
# MinValue is used, which lets the replicated value below decide.
try
{
    $lastLogonValue = $Context.TargetObject.Get("lastLogon")
    $lastLogonTime = [DateTime]::FromFileTimeUtc([Int64]::Parse($lastLogonValue))
}
catch
{
    $lastLogonTime = [DateTime]::MinValue
}

$lastLogonDate = $lastLogonTime.Date

# Get Last Logon Timestamp date. If it is not set, the user has never logged on anywhere,
# so the condition is not met (new accounts are neither warned nor disabled).
try
{
    $lastLogonTimestampValue = $Context.TargetObject.Get("lastLogonTimestamp")
    $lastLogonTimestampTime = [DateTime]::FromFileTimeUtc([Int64]::Parse($lastLogonTimestampValue))
}
catch
{
    $Context.ConditionIsMet = $False
    return
}

$lastLogonTimestampDate = $lastLogonTimestampTime.Date

# Use the newest of the two values. Testing each value separately with -le would disable
# an account whose lastLogon on this DC is unset or stale even though lastLogonTimestamp
# shows recent activity.
$lastActivityDate = $lastLogonDate
if ($lastLogonTimestampDate -gt $lastActivityDate)
{
    $lastActivityDate = $lastLogonTimestampDate
}

# Compare dates: inactive if the newest logon is on or before the cutoff date
$compareDate = (([System.DateTime]::UtcNow).AddDays($days)).Date
$Context.ConditionIsMet = ($lastActivityDate -le $compareDate)
0

thank you. it appears this is working as expected.

0

Hi,

Sorry to revive this, I know it's a couple of years old. I tried using this and for the most part it works as expected. However, we have an issue where Last Logon is Unspecified; because of this it is disabling accounts that have a last login timestamp of even yesterday. Is there a way to make this return false if Last Logon is Unspecified?

Regards

0

Hello Wayne,

Do we understand correctly that you need the condition to be met when the Last Logon or Last Logon TimeStamp equals the current date minus a certain number of days? If that is correct, no script might be required. In Adaxes version 2021.1 it can be done using built-in conditions. For example: [screenshot of the built-in conditions]. For information on how to check the Adaxes version you are using, see https://www.adaxes.com/help/CheckServiceVersion.

0

Hi,

I will try and set this out a bit clearer as I did not do so properly before.

We have the need to disable inactive accounts after a 60 day period. And also a need to disable accounts that have never logged in after a 60 day period.

We had noticed that even if an account was already disabled the script would still run against it, and we don't want that, as the email we generate then creates a Jira ticket for User Services to fully deprovision the account.

So what we have is this:

[screenshot of the scheduled task]

We then ran the above for the first time this morning and it disabled 29 accounts, some of which were perfectly fine. But other accounts had Last Logon - Unspecified and Last Login Timestamp as a recent date, like below:

[screenshot of the account's Last Logon and Last Logon Timestamp values]

The accounts like this also got disabled, I believe the Unspecified is due to DC replication.

Maybe I am overthinking it and doing it as per the last response is a better and easier way of achieving our requirements.

Regards

0

Hello Wayne,

Thank you for clarifying. In your case, the first condition will not be met in most cases even for disabled accounts, as it requires the Account Options property to have only a single flag enabled. As you only need to check user inactivity and account status, the scheduled task will look like the following: [screenshot of the scheduled task]
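
The date logic from the accepted script (newest of lastLogon and lastLogonTimestamp, compared by whole days) together with the two requirements raised above (skip accounts that are already disabled, and treat accounts that have never logged on by their creation date) collected into one stand-alone PowerShell function, as an added example. This is not code from the thread or from Adaxes: the function name Get-InactivityAction, the helper Get-FileTimeDaysAgo and the sample accounts are made up, and the function takes the raw attribute values as parameters instead of reading $Context.TargetObject, so it runs in a plain PowerShell session without a domain. The check for an already-disabled account uses a bitwise test on userAccountControl, which is why the "Account Options equals Disabled" condition in the screenshot above almost never matches: the attribute carries other bits too.

```powershell
# Added example, not from the thread or from Adaxes. Get-InactivityAction is a made-up name.
# Inputs are the raw attribute values a scheduled task would read for one user:
#   lastLogon / lastLogonTimestamp as FILETIME Int64 ($null when the attribute is not set),
#   userAccountControl as int, whenCreated as DateTime.
# Policy: warn at DisableAfterDays-7 and DisableAfterDays-1 days idle, disable at >= DisableAfterDays.
function Get-InactivityAction {
    param(
        [Nullable[Int64]] $LastLogon,          # not replicated: value held by the DC you are bound to
        [Nullable[Int64]] $LastLogonTimestamp, # replicated, but may lag the real last logon by up to 14 days
        [int]      $UserAccountControl,
        [DateTime] $WhenCreated,
        [DateTime] $Now = [DateTime]::UtcNow,
        [int]      $DisableAfterDays = 45
    )

    # ACCOUNTDISABLE is bit 0x2. Test it with -band: userAccountControl normally also carries
    # NORMAL_ACCOUNT (0x200), so an equality test against 0x2 alone would never match.
    if (($UserAccountControl -band 0x2) -ne 0) { return 'AlreadyDisabled' }

    # The newest of the two attributes is the best evidence of activity. An unset lastLogon
    # (the user never authenticated against this DC) must not count as "inactive".
    $lastActivity = $null
    foreach ($raw in @($LastLogon, $LastLogonTimestamp)) {
        if ($null -ne $raw -and $raw -gt 0) {
            $t = [DateTime]::FromFileTimeUtc($raw)
            if ($null -eq $lastActivity -or $t -gt $lastActivity) { $lastActivity = $t }
        }
    }
    # Never logged on anywhere: measure inactivity from account creation instead
    if ($null -eq $lastActivity) { $lastActivity = $WhenCreated.ToUniversalTime() }

    # Whole days, so the "7 days before" and "1 day before" checks match on exactly one daily run
    $idleDays = ($Now.Date - $lastActivity.Date).Days

    if ($idleDays -ge $DisableAfterDays)       { return 'Disable' }
    if ($idleDays -eq ($DisableAfterDays - 1)) { return 'Warn1Day' }
    if ($idleDays -eq ($DisableAfterDays - 7)) { return 'Warn7Days' }
    return 'None'
}

# Constructed sample accounts (no real data). A fixed "now" keeps the run reproducible.
$now = [DateTime]::new(2024, 6, 1, 9, 0, 0, [DateTimeKind]::Utc)
function Get-FileTimeDaysAgo([int] $DaysAgo) { return $now.AddDays(-$DaysAgo).ToFileTimeUtc() }

$cases = @(
    # stale lastLogon on this DC but a fresh replicated timestamp: the account is active
    @{ Name = 'active-stale-lastLogon'; LastLogon = (Get-FileTimeDaysAgo 50); Timestamp = (Get-FileTimeDaysAgo 1);  UAC = 0x200; Created = $now.AddDays(-400) }
    @{ Name = 'warn-7-days';            LastLogon = (Get-FileTimeDaysAgo 38); Timestamp = (Get-FileTimeDaysAgo 40); UAC = 0x200; Created = $now.AddDays(-400) }
    @{ Name = 'warn-24-hours';          LastLogon = $null;                    Timestamp = (Get-FileTimeDaysAgo 44); UAC = 0x200; Created = $now.AddDays(-400) }
    @{ Name = 'disable';                LastLogon = (Get-FileTimeDaysAgo 60); Timestamp = (Get-FileTimeDaysAgo 52); UAC = 0x200; Created = $now.AddDays(-400) }
    @{ Name = 'never-logged-on-new';    LastLogon = $null;                    Timestamp = $null;                    UAC = 0x200; Created = $now.AddDays(-3) }
    @{ Name = 'never-logged-on-old';    LastLogon = $null;                    Timestamp = $null;                    UAC = 0x200; Created = $now.AddDays(-61) }
    @{ Name = 'already-disabled';       LastLogon = (Get-FileTimeDaysAgo 90); Timestamp = (Get-FileTimeDaysAgo 90); UAC = 0x202; Created = $now.AddDays(-400) }
)

foreach ($c in $cases) {
    $action = Get-InactivityAction -LastLogon $c.LastLogon -LastLogonTimestamp $c.Timestamp `
        -UserAccountControl $c.UAC -WhenCreated $c.Created -Now $now
    '{0,-24} {1}' -f $c.Name, $action
}
```

The first sample account is the case reported in this thread: lastLogon on the connected DC is 50 days old while the replicated lastLogonTimestamp is from yesterday, and the function must not flag it. The two never-logged-on accounts show why a separate "age since creation" rule is needed for that population, and the last one shows the disabled-account skip. In a real task the three warn/disable conditions would each call this once per user with the value read from $Context.TargetObject; because lastLogon is not replicated, the only way to get a user's true last logon is to query that attribute on every domain controller and keep the newest, which this example does not do.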

0

Thank you
