?
Solved

Disable AD Account Question

Posted on 2014-01-08
9
Medium Priority
?
754 Views
Last Modified: 2014-01-10
Hello Experts!

Looking for a way to disable a new account if the user has not signed on within 10 days. I can't find any MS setting within Active Directory. Maybe someone knows of a powershell script I can run or third-party utility that can do this for us?

I would imagine the script would look something like: if the account option for "user must change password at next logon" is checked and the user hasn't done so within 10 days, disable account.

Is this possible? We are running a Windows 2012 domain.

Thanks!!
0
Comment
Question by:nreich
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +3
9 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 39766330
0
 
LVL 23

Expert Comment

by:Patrick Bogers
ID: 39766333
Hi

You could run a powershell script to check if users havent logged in for say 10 days.
ADAccount -AccountInactive -TimeSpan ([timespan]10d) -UsersOnly | Set-ADUser -Enabled $false

If you want to test and see what would be disabled add   -WhatIf  to the above line.

This is offcourse applicable on all your users.
Workaround would be creating a special newby OU and point that script only to this OU by adding.
-SearchBase string
0
 

Author Comment

by:nreich
ID: 39766347
Those suggestions are a start! However, I need it to explicitly look to see if the account option for "user must change password at next logon" is set. Is there a script setting that checks for this?
0
WordPress Tutorial 3: Plugins, Themes, and Widgets

The three most common changes you will make to your website involve the look (themes), the functionality (plugins), and modular elements (widgets).

In this article we will briefly define each again, and give you directions on how to install them.

 
LVL 23

Expert Comment

by:Patrick Bogers
ID: 39766369
Hi

Then you would alter the script to look for users which have the pwdLastSet attribute set to 0. Example is to be found here.
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 2000 total points
ID: 39766838
You should be able to accomplish this using the below script...

import-module activedirectory
$date = get-date
Get-ADUser -Filter * -Properties * | ? {$_.pwdLastSet -eq 0 -and $_.whenCreated -lt $date.adddays(-10)} | Set-ADUser -Enabled $false

Open in new window


The above should do it.

Will.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39767237
You could download Bulk AD users, a freeware from wisesoft to do that

The tool is having user friendly GUI and do not require PowerShell and can be run on Windows 2003 \ 2008 \ 2012 (all versions of AD)

http://www.wisesoft.co.uk/software/bulkadusers/default.aspx

There is option in tool call "Properties to Load" where practically you can load any attribute (pwdLastSet in your case) for user list \ users from OU \ users in Entire domain
http://msdn.microsoft.com/en-us/library/windows/desktop/aa746510(v=vs.85).aspx

Only you need to know Attribute name in order to add it
Also you can export output to csv \ excel format if wanted to

Mahesh
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39769123
Following command will give you the inactive accounts with "user must change password at next logon" is set.. You can pipe this result to Disable-ADAccount to disable the accounts.. Or You can use Export-csv to export the result to a csv file and then disable it using the csv file..
Search-ADAccount -AccountInactive -TimeSpan 10 -UsersOnly | Get-ADUser -Properties pwdLastSet,Enabled | ?{$_.pwdLastSet -eq "0" -and $_.Enabled -eq $True}

Open in new window

0
 
LVL 3

Expert Comment

by:Detlef001
ID: 39770828
For scripts its like look try this.

create a scheduled task

dsmod user "CN=John Doe,OU=Users,DC=example,DC=com" -disabled no

For an application please have a look at AD management tool.

Please click on the given link to know more.'

Thanks.
0
 

Author Closing Comment

by:nreich
ID: 39770999
This is perfect Will. Exactly what I was looking for. Thanks!!
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Let's recap what we learned from yesterday's Skyport Systems webinar.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question