Solved

Script to Disable User accounts in AD

Posted on 2011-09-08
Last Modified: 2012-05-12
Looking for a script to disable the user accounts listed in a text file and then create a scheduled task on the server to delete the same accounts on the 30th day from the disabling date.
Question by:getazhar
6 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 36502472
Since you have 2003 I would recommend downloading the Quest AD CMDLETS.

Foreach ($user in (Get-Content c:\temp\users.txt)) {
    Get-QADUser $user | Disable-QADUser
}
0
 

Author Comment

by:getazhar
ID: 36502484
Thanks for your response, Ken.

The disabling part is fine with that. How about deletion of the same user account after 30 days?

~Ameer
0
 
LVL 27

Accepted Solution

by:
KenMcF earned 1500 total points
ID: 36502673
The easiest way would be to add the date the account was disabled to an AD attribute.

So something like this may work for you

Foreach ($user in (Get-Content c:\temp\users.txt)) {
    # Stamp the disable date in the description, then disable the account
    Get-QADUser $user | Set-QADUser -Description (Get-Date -f MM/dd/yyyy) | Disable-QADUser
}


Then to delete

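# Only disabled accounts whose description parses as a date at least 30 days old
Get-QADUser -Disabled -SizeLimit 0 | Where {($_.Description -as [datetime]) -and ([datetime]$_.Description -le (Get-Date).AddDays(-30))} | Remove-QADObject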


These have not been tested so please test before running in any prod environment.
0
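
Added example, not part of KenMcF's answer or anyone else's post in this thread: a deletion pass for the date-stamp approach above that only considers disabled accounts, parses the stamp strictly, logs the candidates, and reports instead of deleting unless told otherwise. It assumes the Quest AD cmdlets are installed and that the description holds only the MM/dd/yyyy stamp; the parameters -RetentionDays, -LogPath and -Commit are hypothetical names.

```powershell
# Added example, not code from the thread. Assumes the Quest AD cmdlets are
# installed and that each disabled account's description holds only the
# MM/dd/yyyy stamp written by the disable loop above.
# -RetentionDays, -LogPath and -Commit are hypothetical parameter names.
param(
    [int]$RetentionDays = 30,
    [string]$LogPath = 'C:\temp\delete-candidates.csv',
    [switch]$Commit    # without -Commit nothing is deleted
)

Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$cutoff  = (Get-Date).Date.AddDays(-$RetentionDays)
$culture = [System.Globalization.CultureInfo]::InvariantCulture
$styles  = [System.Globalization.DateTimeStyles]::None

# Keep only disabled accounts whose description is a valid stamp on or before the cutoff.
$candidates = @(Get-QADUser -Disabled -SizeLimit 0 | ForEach-Object {
    $stamp = [datetime]::MinValue
    $text  = [string]$_.Description
    if ([datetime]::TryParseExact($text.Trim(), 'MM/dd/yyyy', $culture, $styles, [ref]$stamp) -and
        $stamp -le $cutoff) {
        $_ | Add-Member -MemberType NoteProperty -Name DisabledOn -Value $stamp -PassThru
    }
})

if ($candidates.Count -eq 0) {
    Write-Output 'No accounts are past the retention period.'
    return
}

# Record what is about to be removed before touching the directory.
$candidates | Select-Object SamAccountName, DN, DisabledOn |
    Export-Csv -Path $LogPath -NoTypeInformation

if ($Commit) {
    $candidates | Remove-QADObject -Force
} else {
    $candidates | Remove-QADObject -WhatIf    # report only
}
```

Run it without -Commit first and review the CSV; the scheduled task the question asks for would run the same script daily with -Commit.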
LVL 26

Expert Comment

by:MidnightOne
ID: 36503913
I would highly recommend NOT auto-deleting accounts in AD if only because of the loss of data access this can cause. Auto-disable, sure.
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 36526488
Some things to consider:

OLDCMP utility from JoeWare.net can make your scripting/process easier.

Moving disabled accounts to a specific OU can help easily determine how long after the account was disabled and moved to your "disabled Users" OU.  There is no real way to determine how long an account has been disabled.  You delete the account if the "whenChanged" is 30 days after it's moved to the new OU.

Accounts that have never been used may be included, be sure to watch out for those.
0
 

Author Closing Comment

by:getazhar
ID: 36527348
The PowerShell script provided needs to be tested. Anyway, thanks for your efforts.
0
