AD user disabled date is in extensionAttribute, need to delete users based on that

Question

We have a third party LDAP system managing people. AD users that represent actual employees are created and maintained by a feed from this LDAP system. We would like the date that a user is disabled in the LDAP system to be sent to a particular AD user attribute, for example extentionAttribute9.

From there I would try get-aduser to search extentionAttribute9 for ones with a date older than 90 days. The problem of course is that this extended attribute would contain a string value and I can't seem to get that read as a date.

I can do this to get users created more than 90 days ago and I wish I could do the same for the extension attribute populated with the date:

$Date = [DateTime]::Today.AddDays(-90)

get-aduser -filter {created -lt $Date} -SearchBase "OU=User_Test,DC=foo,DC=com"

I've tried a few things, including with outside help, but probably nothing worth posting here as nothing has really come close.

If I can't get this to work, I'll search for users who are disabled and haven't logged in for more than 90 days, but doing it based on a disabled date would be more definitive.

Answer 1

Thanks for providing the format.

Since that format won't work with just a simple cast to datetime. We need to parse it as is and convert it to datetime. From there cast it to string with 'yyyy-MM-dd' as the format.

EDIT: The error code in the comment is due to ':' in .Trim. As the variable being trimmed does not contain ':' it is throwing the error.

Changed from using '.Trim()' (this would only remove white space) to '-replace '\W' '. Doing this allows us to more easily remove non-alphanumeric characters from the variable.

Let me know if this works for you.

$Date = [DateTime]::Today.AddDays(-90)
$Pattern = '[^a-zA-Z]'
Get-ADUser -Filter * -SearchBase "OU=User_Test,DC=foo,DC=com" | 
   Where {([datetime]::ParseExact($($_.extensionAttribute9 -replace '\W'), 'yyyyMMdd', $null).ToString('yyyy-MM-dd')) -lt $Date}