Solved

Script to Disable User accounts in AD

Posted on 2011-09-08
6
785 Views
Last Modified: 2012-05-12
Looking for a script to disable the user accounts listed in a text file and then create a scheduled task on the server to delete the same accounts on the 30th day from the disabling date.
0
Question by:getazhar
6 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 36502472
Since you have 2003 I would recommend downloading the Quest AD CMDLETS.

# Disable every account named in the text file (one name per line)
Foreach ($user in (Get-Content c:\temp\users.txt)) {
    Get-QADUser $user | Disable-QADUser
}
0
 

Author Comment

by:getazhar
ID: 36502484
Thanks for your response, Ken.

The disabling part is fine with that. How about deletion of the same user account after 30 days?

~Ameer
0
 
LVL 27

Accepted Solution

by:
KenMcF earned 500 total points
ID: 36502673
The easiest way would be to add the date the account was disabled to an AD attribute.

So something like this may work for you

# Stamp today's date in the description, then disable the account
Foreach ($user in (Get-Content c:\temp\users.txt)) {
    Get-QADUser $user | Set-QADUser -Description (Get-Date -f MM/dd/yyyy) | Disable-QADUser
}


Then to delete

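# Only disabled accounts whose description parses as a date at least 30 days old are removed
Get-QADUser -Disabled -SizeLimit 0 | Where { ($_.Description -as [datetime]) -and (($_.Description -as [datetime]) -le (Get-Date).AddDays(-30)) } | Remove-QADObject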


These have not been tested so please test before running in any prod environment.
0
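A guarded version of the purge step described in the accepted answer, added here as an example and not part of KenMcF's post or of the Quest tooling. It assumes the Quest AD cmdlets named in the thread and the MM/dd/yyyy description stamp; Test-PurgeEligible, -RetentionDays, -LogFile, -Commit and the log path are hypothetical names chosen for illustration.

```powershell
# Added example (not from the thread). Hypothetical names: Test-PurgeEligible,
# -RetentionDays, -LogFile, -Commit. Assumes the Quest AD cmdlets are installed
# and that the disable step wrote MM/dd/yyyy into Description.
param(
    [int]$RetentionDays = 30,
    [string]$LogFile = 'c:\temp\purge.log',   # assumed path
    [switch]$Commit                            # omit for a dry run
)

# Load the Quest snap-in only if this session does not already have it
if (-not (Get-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction Stop
}

function Test-PurgeEligible {
    param([string]$Description, [datetime]$Now, [int]$Days)
    $stamp = [datetime]::MinValue
    # Strict, culture-independent parse: free-text descriptions never match
    $ok = [datetime]::TryParseExact($Description, 'MM/dd/yyyy',
        [Globalization.CultureInfo]::InvariantCulture,
        [Globalization.DateTimeStyles]::None, [ref]$stamp)
    return ($ok -and ($stamp -le $Now.AddDays(-$Days)))
}

$now = Get-Date
# -Disabled keeps enabled accounts out of scope even if their description is a date
$candidates = @(Get-QADUser -Disabled -SizeLimit 0 |
    Where-Object { Test-PurgeEligible $_.Description $now $RetentionDays })

foreach ($u in $candidates) {
    # Record every decision before acting on it
    $line = '{0:s} {1} stamp={2} commit={3}' -f $now, $u.DN, $u.Description, [bool]$Commit
    Add-Content -Path $LogFile -Value $line
    if ($Commit) {
        Remove-QADObject $u.DN -Force      # -Force: no prompt under a scheduled task
    } else {
        Remove-QADObject $u.DN -WhatIf     # report only, nothing is deleted
    }
}
```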
 
LVL 26

Expert Comment

by:MidnightOne
ID: 36503913
I would highly recommend NOT auto-deleting accounts in AD if only because of the loss of data access this can cause. Auto-disable, sure.
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 36526488
Some things to consider:

OLDCMP utility from JoeWare.net can make your scripting/process easier.

Moving disabled accounts to a specific OU can help easily determine how long after the account was disabled and moved to your "disabled Users" OU.  There is no real way to determine how long an account has been disabled.  You delete the account if the "whenChanged" is 30 days after it's moved to the new OU.

Accounts that have never been used may be included, be sure to watch out for those.
0
 

Author Closing Comment

by:getazhar
ID: 36527348
PowerShell script provided needs to be tested. Anyways, thanks for your efforts.
0


Question has a verified solution.
