Disable AD Account Question

Hello Experts!

Looking for a way to disable a new account if the user has not signed on within 10 days. I can't find any MS setting within Active Directory. Maybe someone knows of a powershell script I can run or third-party utility that can do this for us?

I would imagine the script would look something like: if the account option for "user must change password at next logon" is checked and the user hasn't done so within 10 days, disable account.

Is this possible? We are running a Windows 2012 domain.

Thanks!!
nreichAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Patrick BogersDatacenter platform engineer LindowsCommented:
Hi

You could run a powershell script to check if users havent logged in for say 10 days.
ADAccount -AccountInactive -TimeSpan ([timespan]10d) -UsersOnly | Set-ADUser -Enabled $false

If you want to test and see what would be disabled add   -WhatIf  to the above line.

This is offcourse applicable on all your users.
Workaround would be creating a special newby OU and point that script only to this OU by adding.
-SearchBase string
nreichAuthor Commented:
Those suggestions are a start! However, I need it to explicitly look to see if the account option for "user must change password at next logon" is set. Is there a script setting that checks for this?
Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

Patrick BogersDatacenter platform engineer LindowsCommented:
Hi

Then you would alter the script to look for users which have the pwdLastSet attribute set to 0. Example is to be found here.
Will SzymkowskiSenior Solution ArchitectCommented:
You should be able to accomplish this using the below script...

import-module activedirectory
$date = get-date
Get-ADUser -Filter * -Properties * | ? {$_.pwdLastSet -eq 0 -and $_.whenCreated -lt $date.adddays(-10)} | Set-ADUser -Enabled $false

Open in new window


The above should do it.

Will.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
MaheshArchitectCommented:
You could download Bulk AD users, a freeware from wisesoft to do that

The tool is having user friendly GUI and do not require PowerShell and can be run on Windows 2003 \ 2008 \ 2012 (all versions of AD)

http://www.wisesoft.co.uk/software/bulkadusers/default.aspx

There is option in tool call "Properties to Load" where practically you can load any attribute (pwdLastSet in your case) for user list \ users from OU \ users in Entire domain
http://msdn.microsoft.com/en-us/library/windows/desktop/aa746510(v=vs.85).aspx

Only you need to know Attribute name in order to add it
Also you can export output to csv \ excel format if wanted to

Mahesh
Subash SundharanIT Infrastructure Architect Commented:
Following command will give you the inactive accounts with "user must change password at next logon" is set.. You can pipe this result to Disable-ADAccount to disable the accounts.. Or You can use Export-csv to export the result to a csv file and then disable it using the csv file..
Search-ADAccount -AccountInactive -TimeSpan 10 -UsersOnly | Get-ADUser -Properties pwdLastSet,Enabled | ?{$_.pwdLastSet -eq "0" -and $_.Enabled -eq $True}

Open in new window

Detlef001Commented:
For scripts its like look try this.

create a scheduled task

dsmod user "CN=John Doe,OU=Users,DC=example,DC=com" -disabled no

For an application please have a look at AD management tool.

Please click on the given link to know more.'

Thanks.
nreichAuthor Commented:
This is perfect Will. Exactly what I was looking for. Thanks!!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.