asked on

Disable a User account

Hello Experts, in order to comply with a new requirement we need to modify a few controls on our system. One of the controls we're having difficulty with is "Force AD to disable user accounts with an inactivity period of 90 days"

Does this have to be done using PowerShell of some other third party tool?

Adam Brown

There are no built-in controls to automate the process, so it does need to be done with a script. https://blog.netwrix.com/2015/03/17/how-to-disable-inactive-user-accounts-using-powershell/ has a good explanation of how to set up a script that accomplishes this effectively. You will need to regularly monitor the script to make sure it runs, however.

An alternate possibility would be to configure accounts so they expire along with their passwords, and require users to contact the help desk to reset their account validity and reset passwords. Definitely more work involved here, but it is more "fool proof."

Alan

Hi,

I would suggest implementing both the automation (e.g. what Adam suggests above), and also a monitoring process.

You would run the script above daily, weekly, or whenever required, then also have a task, say, weekly or monthly that someone runs a report of any accounts, not used for more than 90 days, and currently enabled.

If that report never shows anything, then you could move it from a monthly task to two monthly, and so on so that the time impact across a year becomes negligible.

Alan.

ManieyaK_

ASKER

Okay this great guys. We'll give the suggested a try, thanks for the comments.

SOLUTION