• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 761
  • Last Modified:

Disable AD Account Question

Hello Experts!

Looking for a way to disable a new account if the user has not signed on within 10 days. I can't find any MS setting within Active Directory. Maybe someone knows of a powershell script I can run or third-party utility that can do this for us?

I would imagine the script would look something like: if the account option for "user must change password at next logon" is checked and the user hasn't done so within 10 days, disable account.

Is this possible? We are running a Windows 2012 domain.

Thanks!!
0
nreich
Asked:
nreich
  • 2
  • 2
  • 2
  • +3
1 Solution
 
Patrick BogersDatacenter platform engineer LindowsCommented:
Hi

You could run a powershell script to check if users havent logged in for say 10 days.
ADAccount -AccountInactive -TimeSpan ([timespan]10d) -UsersOnly | Set-ADUser -Enabled $false

If you want to test and see what would be disabled add   -WhatIf  to the above line.

This is offcourse applicable on all your users.
Workaround would be creating a special newby OU and point that script only to this OU by adding.
-SearchBase string
0
 
nreichAuthor Commented:
Those suggestions are a start! However, I need it to explicitly look to see if the account option for "user must change password at next logon" is set. Is there a script setting that checks for this?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Patrick BogersDatacenter platform engineer LindowsCommented:
Hi

Then you would alter the script to look for users which have the pwdLastSet attribute set to 0. Example is to be found here.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
You should be able to accomplish this using the below script...

import-module activedirectory
$date = get-date
Get-ADUser -Filter * -Properties * | ? {$_.pwdLastSet -eq 0 -and $_.whenCreated -lt $date.adddays(-10)} | Set-ADUser -Enabled $false

Open in new window


The above should do it.

Will.
0
 
MaheshArchitectCommented:
You could download Bulk AD users, a freeware from wisesoft to do that

The tool is having user friendly GUI and do not require PowerShell and can be run on Windows 2003 \ 2008 \ 2012 (all versions of AD)

http://www.wisesoft.co.uk/software/bulkadusers/default.aspx

There is option in tool call "Properties to Load" where practically you can load any attribute (pwdLastSet in your case) for user list \ users from OU \ users in Entire domain
http://msdn.microsoft.com/en-us/library/windows/desktop/aa746510(v=vs.85).aspx

Only you need to know Attribute name in order to add it
Also you can export output to csv \ excel format if wanted to

Mahesh
0
 
SubsunCommented:
Following command will give you the inactive accounts with "user must change password at next logon" is set.. You can pipe this result to Disable-ADAccount to disable the accounts.. Or You can use Export-csv to export the result to a csv file and then disable it using the csv file..
Search-ADAccount -AccountInactive -TimeSpan 10 -UsersOnly | Get-ADUser -Properties pwdLastSet,Enabled | ?{$_.pwdLastSet -eq "0" -and $_.Enabled -eq $True}

Open in new window

0
 
Detlef001Commented:
For scripts its like look try this.

create a scheduled task

dsmod user "CN=John Doe,OU=Users,DC=example,DC=com" -disabled no

For an application please have a look at AD management tool.

Please click on the given link to know more.'

Thanks.
0
 
nreichAuthor Commented:
This is perfect Will. Exactly what I was looking for. Thanks!!
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 2
  • 2
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now