asked on Disable AD Account Question
Hello Experts!
Looking for a way to disable a new account if the user has not signed on within 10 days. I can't find any MS setting within Active Directory. Maybe someone knows of a powershell script I can run or third-party utility that can do this for us?
I would imagine the script would look something like: if the account option for "user must change password at next logon" is checked and the user hasn't done so within 10 days, disable account.
Is this possible? We are running a Windows 2012 domain.
Thanks!!
Looking for a way to disable a new account if the user has not signed on within 10 days. I can't find any MS setting within Active Directory. Maybe someone knows of a powershell script I can run or third-party utility that can do this for us?
I would imagine the script would look something like: if the account option for "user must change password at next logon" is checked and the user hasn't done so within 10 days, disable account.
Is this possible? We are running a Windows 2012 domain.
Thanks!!
Active DirectoryWindows Server 2012
Last Comment
nreich
Hi
You could run a powershell script to check if users havent logged in for say 10 days.
ADAccount -AccountInactive -TimeSpan ([timespan]10d) -UsersOnly | Set-ADUser -Enabled $false
If you want to test and see what would be disabled add -WhatIf to the above line.
This is offcourse applicable on all your users.
Workaround would be creating a special newby OU and point that script only to this OU by adding.
-SearchBase string
You could run a powershell script to check if users havent logged in for say 10 days.
ADAccount -AccountInactive -TimeSpan ([timespan]10d) -UsersOnly | Set-ADUser -Enabled $false
If you want to test and see what would be disabled add -WhatIf to the above line.
This is offcourse applicable on all your users.
Workaround would be creating a special newby OU and point that script only to this OU by adding.
-SearchBase string
ASKER
Those suggestions are a start! However, I need it to explicitly look to see if the account option for "user must change password at next logon" is set. Is there a script setting that checks for this?
Hi
Then you would alter the script to look for users which have the pwdLastSet attribute set to 0. Example is to be found here.
Then you would alter the script to look for users which have the pwdLastSet attribute set to 0. Example is to be found here.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
You could download Bulk AD users, a freeware from wisesoft to do that
The tool is having user friendly GUI and do not require PowerShell and can be run on Windows 2003 \ 2008 \ 2012 (all versions of AD)
http://www.wisesoft.co.uk/software/bulkadusers/default.aspx
There is option in tool call "Properties to Load" where practically you can load any attribute (pwdLastSet in your case) for user list \ users from OU \ users in Entire domain
http://msdn.microsoft.com/en-us/library/windows/desktop/aa746510(v=vs.85).aspx
Only you need to know Attribute name in order to add it
Also you can export output to csv \ excel format if wanted to
Mahesh
The tool is having user friendly GUI and do not require PowerShell and can be run on Windows 2003 \ 2008 \ 2012 (all versions of AD)
http://www.wisesoft.co.uk/software/bulkadusers/default.aspx
There is option in tool call "Properties to Load" where practically you can load any attribute (pwdLastSet in your case) for user list \ users from OU \ users in Entire domain
http://msdn.microsoft.com/en-us/library/windows/desktop/aa746510(v=vs.85).aspx
Only you need to know Attribute name in order to add it
Also you can export output to csv \ excel format if wanted to
Mahesh
Following command will give you the inactive accounts with "user must change password at next logon" is set.. You can pipe this result to Disable-ADAccount to disable the accounts.. Or You can use Export-csv to export the result to a csv file and then disable it using the csv file..
Search-ADAccount -AccountInactive -TimeSpan 10 -UsersOnly | Get-ADUser -Properties pwdLastSet,Enabled | ?{$_.pwdLastSet -eq "0" -and $_.Enabled -eq $True}
For scripts its like look try this.
create a scheduled task
dsmod user "CN=John Doe,OU=Users,DC=example,DC
For an application please have a look at AD management tool.
Please click on the given link to know more.'
Thanks.
create a scheduled task
dsmod user "CN=John Doe,OU=Users,DC=example,DC
For an application please have a look at AD management tool.
Please click on the given link to know more.'
Thanks.
ASKER
This is perfect Will. Exactly what I was looking for. Thanks!!
http://social.technet.microsoft.com/Forums/windowsserver/en-US/e21e61c7-4c79-490e-b136-69bbef9e328e/powershell-that-disables-active-directory-users-that-have-not-logged-on-for-x-number-of-days?forum=winserverDS
Mahesh