Solved

Script to Disable User accounts in AD

Posted on 2011-09-08
772 Views
Last Modified: 2012-05-12
Looking for a script to disable the user accounts listed in a text file and then create a scheduled task on the server to delete the same accounts on the 30th day from the disabling date.
Question by:getazhar
6 Comments
LVL 27

Expert Comment

by:KenMcF
ID: 36502472
Since you have 2003, I would recommend downloading the Quest AD cmdlets.

# Read one account name per line from the file and disable each one
Foreach ($user in (Get-Content c:\temp\users.txt)) {
    Get-QADUser $user | Disable-QADUser
}

Author Comment

by:getazhar
ID: 36502484
Thanks for your response Ken..

The disabling part is fine with that. How about deletion of the same user account after 30 days?

~Ameer
LVL 27

Accepted Solution

by:KenMcF (earned 500 total points)
ID: 36502673
The easiest way would be to add the date the account was disabled to an AD attribute.

So something like this may work for you:

# Stamp today's date into the description, then disable the account
Foreach ($user in (Get-Content c:\temp\users.txt)) {
    Get-QADUser $user | Set-QADUser -Description (Get-Date -Format MM/dd/yyyy) | Disable-QADUser
}

Then to delete:

# Only consider accounts that are already disabled and carry a description,
# and remove those whose stamped date is 30 or more days old
Get-QADUser -Disabled | Where { $_.Description -and (Get-Date $_.Description) -le (Get-Date).AddDays(-30) } | Remove-QADObject


These have not been tested so please test before running in any prod environment.
LVL 26

Expert Comment

by:MidnightOne
ID: 36503913
I would highly recommend NOT auto-deleting accounts in AD if only because of the loss of data access this can cause. Auto-disable, sure.
LVL 17

Expert Comment

by:Tony Massa
ID: 36526488
Some things to consider:

OLDCMP utility from JoeWare.net can make your scripting/process easier.

Moving disabled accounts to a specific OU can help you easily determine how long it has been since the account was disabled and moved to your "Disabled Users" OU. There is no real way to determine how long an account has been disabled. You delete the account if the "whenChanged" is 30 days after it's moved to the new OU.

Accounts that have never been used may be included, so be sure to watch out for those.
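A fuller version of the stamp-then-reap approach from the accepted solution, added here as an example rather than code from the thread, written against Microsoft's ActiveDirectory module instead of the Quest cmdlets (assumed to be usable in your environment, e.g. a 2008 R2 DC or the AD Management Gateway on 2003). It stores an ISO date under a fixed prefix in the `info` attribute (an assumed convention) so a free-text description is never parsed as a date, only examines accounts that are already disabled, and runs the deletion with -WhatIf so the list is reviewed first, which covers the caution raised in the later comments.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and a
# reachable DC; the attribute and prefix below are an assumed convention.
Import-Module ActiveDirectory

$Prefix   = 'DISABLED:'      # marker written in front of the ISO date
$Attr     = 'info'           # attribute used to hold the disable-date stamp
$ListFile = 'C:\temp\users.txt'

function Disable-ListedUsers {
    param([string]$Path = $ListFile)
    # One sAMAccountName per line; blank lines are skipped
    foreach ($sam in (Get-Content $Path | Where-Object { $_.Trim() })) {
        $u = Get-ADUser -Filter { SamAccountName -eq $sam } -Properties $Attr
        if (-not $u) { Write-Warning "Not found: $sam"; continue }
        $stamp = $Prefix + (Get-Date -Format 'yyyy-MM-dd')
        Set-ADUser $u -Replace @{ $Attr = $stamp }   # record when it was disabled
        Disable-ADAccount $u
        Write-Host "Disabled $sam ($stamp)"
    }
}

function Get-ExpiredDisabledUsers {
    param([int]$Days = 30)
    $cutoff = (Get-Date).Date.AddDays(-$Days)
    # Only disabled accounts that carry our stamp; anything else is ignored
    Get-ADUser -Filter { Enabled -eq $false } -Properties $Attr |
      Where-Object { $_.$Attr -like "$Prefix*" } |
      ForEach-Object {
          $raw = $_.$Attr
          $d = [datetime]::MinValue
          # Unparseable stamps are skipped rather than treated as expired
          if ([datetime]::TryParseExact($raw.Substring($Prefix.Length), 'yyyy-MM-dd',
                [Globalization.CultureInfo]::InvariantCulture,
                [Globalization.DateTimeStyles]::None, [ref]$d) -and $d -le $cutoff) { $_ }
      }
}

# This is the part the scheduled task runs. Drop -WhatIf only after reviewing
# the output, since deleting an account also orphans ACL entries holding its SID.
Get-ExpiredDisabledUsers | Remove-ADUser -WhatIf
```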

Author Closing Comment

by:getazhar
ID: 36527348
The PowerShell script provided needs to be tested. Anyway, thanks for your efforts.