Active Directory Account Types
Inactive Active Directory (AD) user accounts can pose a security risk to organizations: for example, former employees may still have active accounts months after leaving the company because HR failed to inform IT, or accounts may be created for a particular purpose and never deleted once that purpose has passed. Whatever the reason such accounts exist, Active Directory can quickly get out of control, which in turn makes your systems harder to audit and less secure.
Active Directory Module for PowerShell
- The script below disables a list of Active Directory user accounts provided in a text file; it could easily be modified to change any other property for the listed users.
- VBscript for the Account expires box in Active Directory. Guys, please help. I am trying to run a script for the Account Expires box in Active Directory but am having all sorts of issues trying to get my script to run. Can you give me an example or any help at all? I am a novice at scripting and not having much success with it.
- Disable or enable an Active Directory account on a schedule. This is the start of your batch script file that you'll schedule later on. Right-click your .bat file and select Edit. This should open the file in Notepad so you can enter your command. Enter dsmod user USER_DN -disabled (yes|no) into your batch file.
- The main functions in this script are based on ADSI, using an LDAP object to query Active Directory. Since LDAP queries will only access a single Organizational Unit (OU), you have to recursively search all sub-folders in order to find all of the users. First off, you need to set up a number of variables based on your AD.
The PowerShell module for Active Directory allows system administrators to query Active Directory and generate reports using the resulting data. The AD module for PowerShell is installed by default on Windows Server 2012 domain controllers, or alternatively you can download the Remote Server Administration Tools (RSAT) for Windows 8.1 and install the module using the command below.
Log in as a local administrator, open a PowerShell prompt, type the code below and press ENTER to install the AD module for PowerShell:
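The install and load step, as an added example that is not part of the original article. It assumes a Windows 8.1 client with the RSAT package already downloaded and installed, where the AD module is exposed as the optional feature RSATClient-Roles-AD-Powershell; the Windows 10 capability name in the comment is the one Microsoft documents for 1809 and later, so check it against your build before relying on it.

```powershell
# Added example: enable the AD module for PowerShell and confirm it loads.
# Run from an elevated (local administrator) PowerShell prompt.

# Windows 8.1 with RSAT installed exposes the module as an optional feature.
$featureName = 'RSATClient-Roles-AD-Powershell'
$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName -ErrorAction SilentlyContinue

if ($null -eq $feature) {
    Write-Warning "Feature $featureName not found. On Windows 10 1809+ / Windows 11 use instead:"
    Write-Warning "  Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'"
}
elseif ($feature.State -ne 'Enabled') {
    # Enable only when needed; this is idempotent and may prompt for a restart.
    Enable-WindowsOptionalFeature -Online -FeatureName $featureName
}

# Load the module and verify the cmdlet the rest of the article relies on is present.
Import-Module ActiveDirectory -ErrorAction Stop
Get-Command Search-ADAccount, Disable-ADAccount | Select-Object Name, ModuleName, Version
```

If the last command lists both cmdlets under the ActiveDirectory module, the remaining steps on this page will work from the same prompt.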
Search Active Directory for Inactive Accounts
The Search-ADAccount cmdlet provides an easy way to query Active Directory for inactive user accounts:
Figure 1
The above command returns all inactive accounts. To narrow down the results to a specific time range, you can add the -TimeSpan parameter to Search-ADAccount. In the example below, a variable defines the value for the -TimeSpan parameter, using the New-TimeSpan cmdlet to simplify the input:
Alternatively, you can specify the -DateTime parameter to return accounts that have been inactive since a given date. In the command that follows, accounts not active since May 5th 2014 are returned:
To get more user-friendly information about the accounts, pipe the results to the Get-ADUser cmdlet and then choose the columns to display in the output using Select:
Figure 2
The results can also be sorted by a specified field, in this example by the LastLogOnDate attribute, which is derived from the LastLogonTimestamp and converted into a readable format:
It’s worth noting that unlike the LastLogOn attribute, LastLogonTimestamp is synchronized between domain controllers, but can be 9 to 14 days out-of-date, so you should bear this in mind when processing your results.
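To see how much the replicated value can lag, the following added example (not from the original article) queries the non-replicated lastLogon attribute on every domain controller and keeps the most recent value, then shows it beside LastLogonDate. It assumes the AD module is loaded and that the account can read lastLogon on each DC; the user name jdoe is a placeholder.

```powershell
# Added example: exact last logon for one user versus the replicated, lagging value.
# lastLogon is stored per DC and never replicated; lastLogonTimestamp (surfaced as
# LastLogonDate) is replicated but only refreshed when it is already 9-14 days stale.
Import-Module ActiveDirectory

function Get-ExactLastLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $latest = [datetime]::MinValue
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
        }
        catch {
            # An unreachable DC must not silently lower the result; report it and carry on.
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
            continue
        }
        if ($u.lastLogon -gt 0) {
            $t = [datetime]::FromFileTime($u.lastLogon)   # lastLogon is a Windows FILETIME
            if ($t -gt $latest) { $latest = $t }
        }
    }

    $exact = if ($latest -eq [datetime]::MinValue) { $null } else { $latest }
    $replicated = (Get-ADUser -Identity $SamAccountName -Properties LastLogonDate).LastLogonDate

    [pscustomobject]@{
        SamAccountName      = $SamAccountName
        ExactLastLogon      = $exact         # $null means no DC has ever seen a logon
        ReplicatedLastLogon = $replicated    # what Search-ADAccount bases "inactive" on
        LagDays             = if ($exact -and $replicated) { [int]($exact - $replicated).TotalDays } else { $null }
    }
}

Get-ExactLastLogon -SamAccountName 'jdoe'   # placeholder account name
```

Because the loop touches every DC, it is meant for spot-checking accounts at the edge of your inactivity window rather than for bulk reporting; for the bulk pass, widening the window by the 14-day lag is the cheaper safeguard.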
Another way to simplify the output and count the number of inactive users is to pipe the results to the Measure cmdlet:
As with any other PowerShell cmdlet, the results can be piped to Out-GridView, or exported to a comma-delimited file so that they can be imported into Excel.
Disable Inactive Accounts
Once you’ve got the set of results you’re looking for, all you need to do is pipe them to the Disable-ADAccount cmdlet as shown here to disable the accounts:
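The whole procedure from this page (search with -TimeSpan, enrich with Get-ADUser, sort, count, export, then disable) as one added script that is not the article's own code. It assumes the AD module is loaded and that the report path is writable; the 90-day threshold, the 14-day replication buffer and the description convention are choices made for the example.

```powershell
# Added example: find enabled user accounts inactive for more than 90 days, report
# them, dry-run the disable, and only then disable for real.
Import-Module ActiveDirectory

$InactiveDays   = 90
$ReplicationLag = 14   # LastLogonTimestamp may be up to 14 days behind real activity
$ReportPath     = 'C:\Reports\InactiveUsers.csv'   # placeholder path

# Widen the window by the replication lag so an account that logged on 85 days ago
# but whose timestamp has not been refreshed is not flagged by mistake.
$Window = New-TimeSpan -Days ($InactiveDays + $ReplicationLag)

# -AccountInactive -TimeSpan $Window is equivalent to -DateTime ((Get-Date) - $Window).
# Keep the ADUser objects (no Select-Object here) so they can be piped to Disable-ADAccount later.
$inactive = Search-ADAccount -AccountInactive -TimeSpan $Window -UsersOnly |
    Where-Object { $_.Enabled } |                                   # already-disabled accounts need no action
    Get-ADUser -Properties LastLogonDate, whenCreated, Description |
    Where-Object { $_.whenCreated -lt (Get-Date).AddDays(-$InactiveDays) }   # never-logged-on but brand-new accounts are not "inactive"

# Count and report before touching anything.
$count = ($inactive | Measure-Object).Count
Write-Host "$count enabled user accounts inactive for more than $InactiveDays days"

$inactive |
    Select-Object Name, SamAccountName, DistinguishedName, LastLogonDate, whenCreated, Description |
    Sort-Object LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Dry run: -WhatIf prints what would be disabled without changing any account.
$inactive | Disable-ADAccount -WhatIf

# Once the CSV has been reviewed, record why each account was disabled and disable it.
# Kept commented so the script is read-only until someone deliberately enables this step.
# $stamp = Get-Date -Format 'yyyy-MM-dd'
# foreach ($u in $inactive) {
#     Set-ADUser -Identity $u -Description "Disabled $stamp (inactive >$InactiveDays days). Was: $($u.Description)"
#     Disable-ADAccount -Identity $u
# }
```

Writing the reason into the description before disabling gives the next administrator (and the audit log) the context that a bare disabled flag does not, and running with -WhatIf first catches service accounts that log on by other means and never update LastLogonTimestamp.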
Netwrix Auditor includes the ability to detect and disable inactive user accounts across all supported versions of Windows, and the results are integrated into the database, reporting and notification features of the product so that additional scripts don’t need to be run and maintained separately. Netwrix Auditor can disable inactive accounts, set a random password, move accounts to a designated Organizational Unit (OU), or delete the accounts.