Solved

Script to Disable User accounts in AD

Posted on 2011-09-08
6
776 Views
Last Modified: 2012-05-12
looking for a Script to Disable the user accounts listed in a text file and then create a schedule task on the server to delete the same accounts on 30th day from disabling date.
0
Comment
Question by:getazhar
6 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 36502472
Since you have 2003 I would recommend downloading the Quest AD CMDLETS.

Foreach ($user in (Get-content c:\temp\users.txt)){
get-qaduser $user | Disable-qaduser}
0
 

Author Comment

by:getazhar
ID: 36502484
Thanks for your response Ken..

Disabling part is fine with that.. how about deletion of same user account after 30 days ?

~Ameer
0
 
LVL 27

Accepted Solution

by:
KenMcF earned 500 total points
ID: 36502673
The easiest way would be to add the date the account was disabled to an AD attribute.

So something like this may work for you

Foreach ($user in (Get-content c:\temp\users.txt)){
get-qaduser $user | set-qaduser -description (get-date -f MM/dd/yyy) | Disable-qaduser}


Then to delete

get-qaduser |  Where {(get-date $($_.description)) -le ((get-date).adddays(-30))} | remove-qadobject


These have not been tested so please test before running in any prod environment.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 26

Expert Comment

by:MidnightOne
ID: 36503913
I would highly recommend NOT auto-deleting accounts in AD if only because of the loss of data access this can cause. Auto-disable, sure.
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 36526488
Some things to consider:

OLDCMP utility from JoeWare.net can make your scripting/process easier.

Moving disabled accounts to a specific OU can help easily determine how long after the account was disabled and moved to your "disabled Users" OU.  There is no real way to determine how long an account has been disabled.  You delete the account if the "whenChanged" is 30 days after it's moved to the new OU.

Accounts that have never been used may be be included, be sure to watch out for those.
0
 

Author Closing Comment

by:getazhar
ID: 36527348
Powershell script provided needs to be tested. anyways, thanks for your efforts.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
This article will help you understand what HashTables are and how to use them in PowerShell.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question