Solved

Disable AD Account Question

Posted on 2014-01-08
9
747 Views
Last Modified: 2014-01-10
Hello Experts!

Looking for a way to disable a new account if the user has not signed on within 10 days. I can't find any MS setting within Active Directory. Maybe someone knows of a powershell script I can run or third-party utility that can do this for us?

I would imagine the script would look something like: if the account option for "user must change password at next logon" is checked and the user hasn't done so within 10 days, disable account.

Is this possible? We are running a Windows 2012 domain.

Thanks!!
0
Comment
Question by:nreich
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +3
9 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 39766330
0
 
LVL 23

Expert Comment

by:Patrick Bogers
ID: 39766333
Hi

You could run a powershell script to check if users havent logged in for say 10 days.
ADAccount -AccountInactive -TimeSpan ([timespan]10d) -UsersOnly | Set-ADUser -Enabled $false

If you want to test and see what would be disabled add   -WhatIf  to the above line.

This is offcourse applicable on all your users.
Workaround would be creating a special newby OU and point that script only to this OU by adding.
-SearchBase string
0
 

Author Comment

by:nreich
ID: 39766347
Those suggestions are a start! However, I need it to explicitly look to see if the account option for "user must change password at next logon" is set. Is there a script setting that checks for this?
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 23

Expert Comment

by:Patrick Bogers
ID: 39766369
Hi

Then you would alter the script to look for users which have the pwdLastSet attribute set to 0. Example is to be found here.
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 39766838
You should be able to accomplish this using the below script...

import-module activedirectory
$date = get-date
Get-ADUser -Filter * -Properties * | ? {$_.pwdLastSet -eq 0 -and $_.whenCreated -lt $date.adddays(-10)} | Set-ADUser -Enabled $false

Open in new window


The above should do it.

Will.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39767237
You could download Bulk AD users, a freeware from wisesoft to do that

The tool is having user friendly GUI and do not require PowerShell and can be run on Windows 2003 \ 2008 \ 2012 (all versions of AD)

http://www.wisesoft.co.uk/software/bulkadusers/default.aspx

There is option in tool call "Properties to Load" where practically you can load any attribute (pwdLastSet in your case) for user list \ users from OU \ users in Entire domain
http://msdn.microsoft.com/en-us/library/windows/desktop/aa746510(v=vs.85).aspx

Only you need to know Attribute name in order to add it
Also you can export output to csv \ excel format if wanted to

Mahesh
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39769123
Following command will give you the inactive accounts with "user must change password at next logon" is set.. You can pipe this result to Disable-ADAccount to disable the accounts.. Or You can use Export-csv to export the result to a csv file and then disable it using the csv file..
Search-ADAccount -AccountInactive -TimeSpan 10 -UsersOnly | Get-ADUser -Properties pwdLastSet,Enabled | ?{$_.pwdLastSet -eq "0" -and $_.Enabled -eq $True}

Open in new window

0
 
LVL 3

Expert Comment

by:Detlef001
ID: 39770828
For scripts its like look try this.

create a scheduled task

dsmod user "CN=John Doe,OU=Users,DC=example,DC=com" -disabled no

For an application please have a look at AD management tool.

Please click on the given link to know more.'

Thanks.
0
 

Author Closing Comment

by:nreich
ID: 39770999
This is perfect Will. Exactly what I was looking for. Thanks!!
0

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question