Solved

Disable AD Account Question

Posted on 2014-01-08
9
732 Views
Last Modified: 2014-01-10
Hello Experts!

Looking for a way to disable a new account if the user has not signed on within 10 days. I can't find any MS setting within Active Directory. Maybe someone knows of a powershell script I can run or third-party utility that can do this for us?

I would imagine the script would look something like: if the account option for "user must change password at next logon" is checked and the user hasn't done so within 10 days, disable account.

Is this possible? We are running a Windows 2012 domain.

Thanks!!
0
Comment
Question by:nreich
  • 2
  • 2
  • 2
  • +3
9 Comments
 
LVL 36

Expert Comment

by:Mahesh
ID: 39766330
0
 
LVL 20

Expert Comment

by:Patrick Bogers
ID: 39766333
Hi

You could run a powershell script to check if users havent logged in for say 10 days.
ADAccount -AccountInactive -TimeSpan ([timespan]10d) -UsersOnly | Set-ADUser -Enabled $false

If you want to test and see what would be disabled add   -WhatIf  to the above line.

This is offcourse applicable on all your users.
Workaround would be creating a special newby OU and point that script only to this OU by adding.
-SearchBase string
0
 

Author Comment

by:nreich
ID: 39766347
Those suggestions are a start! However, I need it to explicitly look to see if the account option for "user must change password at next logon" is set. Is there a script setting that checks for this?
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 20

Expert Comment

by:Patrick Bogers
ID: 39766369
Hi

Then you would alter the script to look for users which have the pwdLastSet attribute set to 0. Example is to be found here.
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 39766838
You should be able to accomplish this using the below script...

import-module activedirectory
$date = get-date
Get-ADUser -Filter * -Properties * | ? {$_.pwdLastSet -eq 0 -and $_.whenCreated -lt $date.adddays(-10)} | Set-ADUser -Enabled $false

Open in new window


The above should do it.

Will.
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 39767237
You could download Bulk AD users, a freeware from wisesoft to do that

The tool is having user friendly GUI and do not require PowerShell and can be run on Windows 2003 \ 2008 \ 2012 (all versions of AD)

http://www.wisesoft.co.uk/software/bulkadusers/default.aspx

There is option in tool call "Properties to Load" where practically you can load any attribute (pwdLastSet in your case) for user list \ users from OU \ users in Entire domain
http://msdn.microsoft.com/en-us/library/windows/desktop/aa746510(v=vs.85).aspx

Only you need to know Attribute name in order to add it
Also you can export output to csv \ excel format if wanted to

Mahesh
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39769123
Following command will give you the inactive accounts with "user must change password at next logon" is set.. You can pipe this result to Disable-ADAccount to disable the accounts.. Or You can use Export-csv to export the result to a csv file and then disable it using the csv file..
Search-ADAccount -AccountInactive -TimeSpan 10 -UsersOnly | Get-ADUser -Properties pwdLastSet,Enabled | ?{$_.pwdLastSet -eq "0" -and $_.Enabled -eq $True}

Open in new window

0
 
LVL 3

Expert Comment

by:Detlef001
ID: 39770828
For scripts its like look try this.

create a scheduled task

dsmod user "CN=John Doe,OU=Users,DC=example,DC=com" -disabled no

For an application please have a look at AD management tool.

Please click on the given link to know more.'

Thanks.
0
 

Author Closing Comment

by:nreich
ID: 39770999
This is perfect Will. Exactly what I was looking for. Thanks!!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question