0 votes

Hello,

I'm trying to create a daily scheduled task that automatically disables users' AD accounts that haven't logged in to the domain in 45 days. At the same time, I want to send out emails to those users 7 days and 24 hours prior to their accounts being disabled in order to give them a chance to log in and reset the 45-day timer.

Thus far I've come up with a scheduled task that looks like the following. Is this the best way to handle this use-case?


I'd appreciate any guidance around best practices or ways I can make this task more resilient. For instance, how could I make sure that I catch all accounts that have last logon dates earlier than the 45-day cutoff?

I noticed that Adaxes already provides a built-in condition that checks the users' inactivity period, but it appears to only allow me to select weeks instead of days.

by (1.7k points)

1 Answer

0 votes
by (177k points)

Hello,

As long as you need to check user logins, it is recommended to validate both the Last Logon and Last-Logon-Timestamp properties. The thing is that the Last Logon property is not replicated and thus contains different values on different domain controllers. At the same time, Last-Logon-Timestamp is replicated but can still contain a value which is in the past compared to that of the Last Logon property. To check whether the dates in the properties match a specific date in the past, the equality comparison of the If <property> <relation> <value> condition cannot be used, as it takes into account the time part of the values compared (up to seconds), which will probably never be met. To achieve the desired result, you need to use the below script in the If PowerShell script returns true condition. In the script, the $days variable specifies the number of days to be added to the current date for comparison. To deduct days, specify the number with a leading minus character (e.g. -45).

```powershell
$days = -14 # TODO: modify me (negative = that many days in the past)

# Get Last Logon date (not replicated, so this is the value on the DC Adaxes talks to)
try
{
    $lastLogonValue = $Context.TargetObject.Get("lastLogon")
    # lastLogon is stored as a FILETIME (100-ns ticks since 1601-01-01 UTC)
    $lastLogonTime = [DateTime]::FromFileTimeUtc([Int64]::Parse($lastLogonValue))
}
catch
{
    # Attribute absent (never logged on here): treat as infinitely old
    $lastLogonTime = [DateTime]::MinValue
}

# Keep only the date part so the time of day does not break the comparison
$lastLogonDate = $lastLogonTime.Date

# Get Last Logon Timestamp date (replicated, but updated lazily)
try
{
    $lastLogonTimestampValue = $Context.TargetObject.Get("lastLogonTimestamp")
    $lastLogonTimestampTime = [DateTime]::FromFileTimeUtc([Int64]::Parse($lastLogonTimestampValue))
}
catch
{
    $lastLogonTimestampTime = [DateTime]::MinValue
}

$lastLogonTimestampDate = $lastLogonTimestampTime.Date

# Compare dates: condition is met when either property falls exactly on the target day
$compareDate = (([System.DateTime]::UtcNow).AddDays($days)).Date
$Context.ConditionIsMet = ($lastLogonTimestampDate -eq $compareDate) -or ($lastLogonDate -eq $compareDate)
```

Finally, your Scheduled Task will look like the following: [screenshot]

In each of the script conditions, the $days variable will have a corresponding value (e.g. -38, -44 and -45).

0

Thank you! This script appears to be working now.

One final question. How could I modify the final condition to ensure that all accounts with login dates of 45 days OR BEFORE are also disabled?

0

Hello,

It can be done by updating the comparison parameters in the script. Here is the exact script you will need to use in the last condition.

```powershell
$days = -45 # TODO: modify me (negative = that many days in the past)

# Get Last Logon date (not replicated, so this is the value on the DC Adaxes talks to)
try
{
    $lastLogonValue = $Context.TargetObject.Get("lastLogon")
    # lastLogon is stored as a FILETIME (100-ns ticks since 1601-01-01 UTC)
    $lastLogonTime = [DateTime]::FromFileTimeUtc([Int64]::Parse($lastLogonValue))
}
catch
{
    # Attribute absent (never logged on here): treat as infinitely old
    $lastLogonTime = [DateTime]::MinValue
}

$lastLogonDate = $lastLogonTime.Date

# Get Last Logon Timestamp date (replicated, but updated lazily)
try
{
    $lastLogonTimestampValue = $Context.TargetObject.Get("lastLogonTimestamp")
    $lastLogonTimestampTime = [DateTime]::FromFileTimeUtc([Int64]::Parse($lastLogonTimestampValue))
}
catch
{
    $lastLogonTimestampTime = [DateTime]::MinValue
}

$lastLogonTimestampDate = $lastLogonTimestampTime.Date

# Compare dates: -le (less than or equal) catches the cutoff day and every day before it
$compareDate = (([System.DateTime]::UtcNow).AddDays($days)).Date
$Context.ConditionIsMet = ($lastLogonTimestampDate -le $compareDate) -or ($lastLogonDate -le $compareDate)
```

0

Works perfectly. Thank you!
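The two checks from the answer and the follow-up (the exact-day match used for the reminder conditions and the on-or-before match used for the disable condition) as an added, stand-alone example that is not part of the thread or of Adaxes; it works on raw FILETIME values and constructed sample dates, so it can be run without a domain. It goes one step beyond the forum script by taking the later of lastLogon and lastLogonTimestamp as the effective logon date, so a recent logon recorded in only one of the two attributes does not trigger a disable; a missing or zero value is still treated as infinitely old, exactly as the script's MinValue fallback does, which means never-logged-on accounts satisfy the cutoff and new accounts should be excluded by creation date.

```python
from datetime import date, datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc_date(value):
    """UTC calendar date of a raw lastLogon / lastLogonTimestamp value.

    As in the forum script, a missing or zero value (never logged on, or the
    un-replicated lastLogon not set on this DC) counts as infinitely old.
    """
    if value is None or value == "" or int(value) == 0:
        return date.min
    return (FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)).date()


def utc_date_to_filetime(d, hour=0):
    """Inverse conversion; only used here to build constructed sample values."""
    moment = datetime(d.year, d.month, d.day, hour, tzinfo=timezone.utc)
    return int((moment - FILETIME_EPOCH).total_seconds()) * 10_000_000


def effective_last_logon_date(last_logon, last_logon_timestamp):
    """Later of the two attribute dates: lastLogon is per-DC and unreplicated,
    lastLogonTimestamp is replicated but updated lazily, so either may lag."""
    return max(filetime_to_utc_date(last_logon),
               filetime_to_utc_date(last_logon_timestamp))


def is_reminder_due(last_logon, last_logon_timestamp, inactive_days, today):
    """True only on the day the account reaches exactly `inactive_days` of
    inactivity (38 and 44 give the 7-day and 24-hour warnings for a 45-day cutoff)."""
    target = today - timedelta(days=inactive_days)
    return effective_last_logon_date(last_logon, last_logon_timestamp) == target


def is_past_cutoff(last_logon, last_logon_timestamp, inactive_days, today):
    """True when the last logon is `inactive_days` or more in the past (the -le
    comparison from the follow-up), so accounts older than the cutoff are not skipped."""
    cutoff = today - timedelta(days=inactive_days)
    return effective_last_logon_date(last_logon, last_logon_timestamp) <= cutoff
```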
