So I was tasked with running a powershell script that reports back all inactive accounts that are 90 days old.  I know how to disable these accounts however some of them are system accounts that are used for various things that don't need to be deleted.

If you have Exchange, use one of the extension attributes.

If you don't have Exchange, you can extend your schema to include a new attribute.
See http://www.informit.com/articles/ar...0&seqNum=3

Karl

I could assign the "new attribute" to all the accounts that I didn't want disabled correct?

Then do an exclusion on that attribute when disabling the accounts correct?

Right

What command would I use if I wanted to exclude members of a specified security group?

If all your Service accounts have a common naming convention you could exclude names starting with " xxx " in your script ??

I have 2 specific accounts (owners of the company) who are using Macs and don't often log onto the domain. In my inactive accounts script I'd like to exclude those two accounts based on each of their SamAccountName. What specific coding/command/filter can I use to make sure their accounts don't get disabled? Below is the script I'm currently using check for inactive accounts, disable them and move them to another OU:

# Search for 90 day inactive accounts, write log file, disable those users and move to another OU
$Users = Get-QADUser -SearchRoot 'domain/employees' -Notloggedonfor 90
If (!$Users) { Write-Host "variable is null" }
If ($Users){$file = "c:\users\username\Documents\Inactive.csv"}
If ($Users){$Users | Select displayname, samaccountname, lastlogontimestamp | Export-csv $file -NoTypeInformation}
If ($Users){$users | Foreach-object {Disable-QADUser -identity $_
Move-QADObject $_ -to 'domain/Employees Inactive Accounts'}}

Any help?

I don't want to edit the schema and add an attribute. I just want to set a filter on my search, but I'm not sure how to do that.

Any help?