
How to delete active directory user accounts with powergui and lastlogontimestamp

One of the best new tools at the system administrator's or network administrator's fingertips is PowerShell. PowerShell was introduced with Windows 2008 and is also standard with Windows 2008 R2 and Windows 7. PowerShell provides many powerful new features that make otherwise difficult system administration tasks much easier. One of the best free utilities that builds on PowerShell is PowerGUI. PowerGUI provides a graphical interface for many "PowerPacks" that can be used to control everything from network configuration settings across the network, to VMware, Exchange 2003, 2007 and 2010, to managing user accounts and Active Directory, and you can also create your own custom PowerPacks and scripts.

I don't want to delve deeply into the ins and outs of using PowerGUI, as there are a lot of great articles out there about its functionality and how to use it to manage many aspects of your network. Specifically, we are going to look at using PowerGUI to query Active Directory with a custom query that pulls users based on lastLogonTimestamp, and then using the built-in filters and account attributes to narrow the scope of accounts down even further.

First, the script below queries Active Directory using the Get-QADUser cmdlet, which is part of the ActiveRoles Management Shell for Active Directory from Quest Software.


# calculate a deadline date (now minus 360 days) as a FILETIME value, the format lastLogonTimestamp is stored in
$deadline = (Get-Date).AddDays(-360).ToFileTimeUtc()

# construct an LDAP query: users who have never logged on, or whose last logon is older than the deadline
$ldapQuery = '(|(!(lastLogonTimeStamp=*))(lastLogonTimeStamp<=' + $deadline + '))'

# run the query against enabled accounts only, with no result-size limit
Get-QADUser -Enabled -SizeLimit 0 -LdapFilter $ldapQuery

The above script gets the current date and then subtracts the number of days you specify in the "AddDays" call. So in the example above, we have chosen to query for accounts whose "lastLogonTimestamp" has not been updated in 360 days. There are a lot of detailed explanations of this attribute, but in short: if you are running at least a Windows 2003 domain functional level, this attribute is replicated between domain controllers, but it is only updated about once every 14 days. So it isn't much use for up-to-the-minute logon determinations, but it is a great way to look for very old accounts that have not been used in quite some time.
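The following is an added example, not code from the original post, that builds on the query above. It pads the cutoff by the 14-day update interval so an account whose timestamp is simply lagging is not caught, treats never-logged-on accounts as stale only if they were also created before the cutoff (whenCreated, which is a generalized-time string rather than a FILETIME), and reviews and disables rather than deletes. The function name New-StaleUserLdapFilter and the review CSV path are my own; it assumes the Quest cmdlets (Get-QADUser, Disable-QADUser) are loaded and that Disable-QADUser honours -WhatIf.

```powershell
# Added example (not from the original post). Assumes the Quest ActiveRoles cmdlets are loaded.
function New-StaleUserLdapFilter {
    param(
        [int]$InactiveDays = 360,
        # lastLogonTimestamp is refreshed only about every 14 days, so pad the cutoff by that much
        [int]$UpdateIntervalDays = 14
    )
    $cutoff = (Get-Date).AddDays(-($InactiveDays + $UpdateIntervalDays))

    # lastLogonTimestamp is stored as a FILETIME (100 ns ticks since 1601)
    $deadlineFileTime = $cutoff.ToFileTimeUtc()

    # whenCreated is stored as generalized time, e.g. 20120131120000.0Z
    $createdBefore = $cutoff.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')

    # (A) last logon is older than the cutoff, OR
    # (B) never logged on AND the account itself is older than the cutoff
    #     (a brand-new account that has not logged on yet is not stale)
    "(|(lastLogonTimestamp<=$deadlineFileTime)(&(!(lastLogonTimestamp=*))(whenCreated<=$createdBefore)))"
}

$filter = New-StaleUserLdapFilter -InactiveDays 360

# Same shape as the query in the post: enabled accounts only, no size limit
$stale = Get-QADUser -Enabled -SizeLimit 0 -LdapFilter $filter `
    -IncludedProperties lastLogonTimestamp, whenCreated

# Step 1: review. Export what would be affected before acting on anything.
# The calculated LastLogon column converts the raw FILETIME back to a readable date.
$stale |
    Select-Object SamAccountName, Description, whenCreated,
        @{ n = 'LastLogon'; e = {
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc([int64]$_.lastLogonTimestamp) }
        } } |
    Export-Csv -Path .\stale-users-review.csv -NoTypeInformation

# Step 2: disable rather than delete, so a mistake is reversible.
# -WhatIf prints the planned changes without making them; drop it once the list is approved.
$stale | Disable-QADUser -WhatIf
```

Deleting the accounts (and any linked mailboxes) can then be a separate, later step once the disabled accounts have sat untouched long enough to confirm nobody needed them.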

A client I have worked with was looking to find student accounts that were more than a year old and had certain other attributes. Using the script above, we were able to pull a list of students that met those criteria. With PowerGUI, you can filter the results of a script on just about any attribute related to a user. In the screenshot below, you will see that we set up a filter to look for accounts with a certain description, a creation date on or before a certain point in time, and criteria based on lastLogonTimestamp as well.

[Screenshot: logonfilters (PowerGUI filter settings)]

PowerGUI Options:

Take a look at the options available for working with user accounts in PowerGUI:

[Screenshot: pguioptions (PowerGUI user account actions)]

As you can see above, there are a myriad of actions you can perform on a user account you have queried with PowerGUI, and by using the filters you can make the scope of your query even more fine-tuned and granular.

With the query above, we were able to delete user accounts that were returned by the LDAP query and also met the additional filter criteria. This is a truly powerful tool for administrators managing user accounts, and it works wonders for keeping your Active Directory purged of stale user accounts, as well as stale mailboxes if you are running Exchange as your email system.

PowerGUI is definitely worth its weight in gold, and it is free! Check it out: www.powergui.org
