Delete the disabled accounts since 90 days based on custom attribute value


Problem description

I automatically move all disabled AD accounts into an OU, adding the date of deactivation in extensionattribute4, with this script:

import-module activedirectory
# Deactivation timestamp and destination OU
$timer = (Get-Date)
$TargetOU = "OU=Disabled Accounts,DC=domain,DC=lan"
$DisabledAccounts = get-aduser -filter { enabled -eq $false } -SearchBase "OU=Test,OU=EMEA,DC=domain,DC=lan"

# Stamp each disabled account; "$timer" stores the date as a string
ForEach ($account in $DisabledAccounts) {
    set-aduser -Identity $account.distinguishedName -add @{extensionAttribute4="$timer"}
}

# Move the stamped accounts to the target OU
ForEach ($account in $DisabledAccounts) {
    Move-ADObject -Identity $account.distinguishedName -TargetPath $TargetOU
}

But when I want to remove the disabled AD accounts, using as reference the date in extensionattribute4 less 90 days, with this script:

import-module activedirectory
$DaysInactive = 90
$time = (Get-Date).Adddays(-($DaysInactive))
$DisabledAccounts = get-aduser -filter { extensionattribute4 -lt $time -and enabled -eq $false } -SearchBase "OU=Disabled Accounts,DC=domain,DC=lan"

ForEach ($account in $DisabledAccounts) {
Remove-ADObject -Identity $account.distinguishedName
}

I get an error:

get-aduser : Invalid type 'System.DateTime'.
Parameter name: extensionattribute4
At C:\removedisabledadaccounts.ps1:4 char:21
+ $DisabledAccounts = get-aduser -filter { extensionattribute4 -lt $time -and enab ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-ADUser], ArgumentException
    + FullyQualifiedErrorId : Invalid type 'System.DateTime'.
Parameter name: extensionattribute4,Microsoft.ActiveDirectory.Management.Commands.GetADUser

Recommended answer

The error indicates you are trying to do an operation that the attribute does not accept. When you populated the field in your earlier operation you converted the date to a string with @{extensionAttribute4="$timer"}. I can't imagine those attributes are stored as anything other than strings anyway. In fact trying to store the date object ends in similar failure.

Kudos for using -Filter but I am sure this is something beyond the -Filter/-LDAPFilter so you should just have to do some post processing.

Get-ADUser -Filter {enabled -eq $false} -SearchBase "OU=Disabled Accounts,DC=domain,DC=lan" -Properties extensionattribute4 | 
    Where-Object{$time -ge $_.extensionattribute4}

Since we need to work with that attribute we need to be sure it is returned in the -Properties list.
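
A more defensive version of the post-processing step, as an added example that is not part of the original answer: it parses extensionAttribute4 explicitly and skips accounts whose value is empty or not a date, so only accounts with a readable stamp older than the cutoff reach the delete step. The helper name Select-ExpiredDisabledAccount and the sample objects are assumptions constructed for illustration.

```powershell
# Added example. Select-ExpiredDisabledAccount is a hypothetical helper name.
function Select-ExpiredDisabledAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [int] $DaysInactive = 90,
        [datetime] $Now = (Get-Date)
    )
    begin {
        $cutoff  = $Now.AddDays(-$DaysInactive)
        $culture = [Globalization.CultureInfo]::InvariantCulture
        $styles  = [Globalization.DateTimeStyles]::None
    }
    process {
        # The attribute holds a string; an unset attribute comes back as $null.
        $raw = [string]$Account.extensionAttribute4
        if ([string]::IsNullOrWhiteSpace($raw)) {
            Write-Warning "Skipping $($Account.SamAccountName): no deactivation date"
            return
        }
        # "$timer" expands a DateTime using the invariant culture, so parse it the same way.
        $stamp = [datetime]::MinValue
        if (-not [datetime]::TryParse($raw, $culture, $styles, [ref]$stamp)) {
            Write-Warning "Skipping $($Account.SamAccountName): unparseable value '$raw'"
            return
        }
        # Pass through only accounts stamped on or before the cutoff.
        if ($stamp -le $cutoff) { $Account }
    }
}

# Constructed sample objects standing in for Get-ADUser output.
$now = [datetime]'2024-06-30'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'old.user';    extensionAttribute4 = '01/15/2024 09:00:00' }
    [pscustomobject]@{ SamAccountName = 'recent.user'; extensionAttribute4 = '06/01/2024 09:00:00' }
    [pscustomobject]@{ SamAccountName = 'no.stamp';    extensionAttribute4 = $null }
    [pscustomobject]@{ SamAccountName = 'garbled';     extensionAttribute4 = 'disabled by helpdesk' }
)
$sample | Select-ExpiredDisabledAccount -Now $now | ForEach-Object SamAccountName

# Against the directory, as a dry run (-WhatIf reports what would be removed):
# Get-ADUser -Filter 'Enabled -eq $false' -SearchBase 'OU=Disabled Accounts,DC=domain,DC=lan' `
#     -Properties extensionAttribute4 |
#     Select-ExpiredDisabledAccount -DaysInactive 90 |
#     Remove-ADUser -WhatIf
```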
