Delete the disabled accounts since 90 days based on custom attribute value
Problem description
I automatically move all disabled AD accounts into an OU, adding the date of deactivation in extensionattribute4, with this script:
import-module activedirectory
$timer = (Get-Date)
$TargetOU = "OU=Disabled Accounts,DC=domain,DC=lan"
$DisabledAccounts = get-aduser -filter { enabled -eq $false } -SearchBase "OU=Test,OU=EMEA,DC=domain,DC=lan"
ForEach ($account in $DisabledAccounts) {
set-aduser -Identity $account.distinguishedName -add @{extensionAttribute4="$timer"}
}
ForEach ($account in $DisabledAccounts) {
Move-ADObject -Identity $account.distinguishedName -TargetPath $TargetOU
}
But when I want to remove the disabled AD accounts, using the date in extensionattribute4 less 90 days as the reference, with this script:
import-module activedirectory
$DaysInactive = 90
$time = (Get-Date).Adddays(-($DaysInactive))
$DisabledAccounts = get-aduser -filter { extensionattribute4 -lt $time -and enabled -eq $false } -SearchBase "OU=Disabled Accounts,DC=domain,DC=lan"
ForEach ($account in $DisabledAccounts) {
Remove-ADObject -Identity $account.distinguishedName
}
I get an error:
get-aduser : Invalid type 'System.DateTime'.
Parameter name: extensionattribute4
At C:\removedisabledadaccounts.ps1:4 char:21
+ $DisabledAccounts = get-aduser -filter { extensionattribute4 -lt $time -and enab ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADUser], ArgumentException
+ FullyQualifiedErrorId : Invalid type 'System.DateTime'.
Parameter name: extensionattribute4,Microsoft.ActiveDirectory.Management.Commands.GetADUser
Recommended answer
The error indicates you are trying to do an operation that the attribute does not accept. When you populated the field in your earlier operation you converted the date to a string with @{extensionAttribute4="$timer"}. I can't imagine those attributes are stored as anything other than strings anyway. In fact, trying to store the date object ends in similar failure.
Kudos for using -Filter, but I am sure this is something beyond the -Filter/-LDAPFilter, so you should just have to do some post-processing.
Get-ADUser -Filter {enabled -eq $false} -SearchBase "OU=Disabled Accounts,DC=domain,DC=lan" -Properties extensionattribute4 |
Where-Object{$time -ge $_.extensionattribute4}
Since we need to work with that attribute we need to be sure it is returned in the -Properties list.
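The post-processing approach from the answer, carried through to the removal step as an added example (not code from the original question or answer). It assumes the stamp in extensionAttribute4 was written by the first script's "$timer" string expansion, which uses the invariant-culture date format; the variable names are illustrative.

```powershell
Import-Module ActiveDirectory

$DaysInactive = 90
$cutoff   = (Get-Date).AddDays(-$DaysInactive)
$searchOU = "OU=Disabled Accounts,DC=domain,DC=lan"
$culture  = [System.Globalization.CultureInfo]::InvariantCulture
$styles   = [System.Globalization.DateTimeStyles]::None

# extensionAttribute4 holds a string, so it cannot be compared with a DateTime
# inside -Filter. Ask for it with -Properties and compare on the client side.
$candidates = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $searchOU `
    -Properties extensionAttribute4

$toDelete = foreach ($account in $candidates) {
    $raw   = $account.extensionAttribute4
    $stamp = [datetime]::MinValue

    # An account without a stamp has no known deactivation date: never delete it.
    if ([string]::IsNullOrWhiteSpace($raw)) {
        Write-Warning "Skipping $($account.SamAccountName): extensionAttribute4 is empty"
        continue
    }

    # Parse explicitly instead of relying on implicit string-to-date conversion,
    # so a malformed value is reported rather than silently mis-compared.
    if (-not [datetime]::TryParse($raw, $culture, $styles, [ref]$stamp)) {
        Write-Warning "Skipping $($account.SamAccountName): cannot parse '$raw'"
        continue
    }

    if ($stamp -le $cutoff) { $account }
}

# Preview first. Remove -WhatIf only after reviewing the list of accounts.
$toDelete | ForEach-Object {
    Remove-ADObject -Identity $_.DistinguishedName -WhatIf
}
```

Because the script is destructive, the skip-on-unparseable behaviour matters: an account whose stamp is missing or malformed stays in the OU for manual review instead of being removed.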