
A very good friend I've been in contact with on Twitter, who is a die-hard Mac/Linux guy that works in Windows, sent me a message.

"Need a VBScript to query Active Directory for old accounts and disable them"

At which point I immediately pointed out "PowerShell" as the quicker and more direct solution.

He in return sent back the specs to what he needed.

  • Go through and disable accounts over XXX days
  • Go through and delete accounts older than yyy days
  • Accounts which are flagged with key words in the “Description” field should NOT be deleted

This, in PowerShell with the Quest ActiveRoles cmdlets, is like a walk in the park.   Really it IS!

In Active Directory, each user carries a last-logon timestamp (the Quest cmdlets expose it as the LastLogon property), and we can very easily compare that with the current date.  Two caveats before you trust it: the underlying lastLogon attribute is NOT replicated, so it reflects only logons against the domain controller you are querying, and a user who has never logged on has no value at all.  The replicated lastLogonTimestamp attribute (LastLogonTimestamp in Quest) is domain-wide but is only refreshed when the stored value is more than 9 to 14 days old, which is fine for a 90-day threshold.

Quest has a cmdlet built right in to disable users.  It's just

DISABLE-QADUSER identity

Where identity is the name of the user you're disabling in Active Directory

You can also EASILY remove objects in Active Directory with the Quest cmdlets.  Remember, everything (OUs, computers, users) is just an object in AD, so to pull that little miracle off just run a

REMOVE-QADOBJECT identity

Where identity is the name of the object you are removing.  Careful with this cmdlet.  I ALWAYS run it (and any other destructive ones) with the -WhatIf parameter first to make sure it's going to do what I want.  If you mistype, you can delete a LOT of things easily.

In the Active Directory Notes field (typically under the "Telephones" tab in Active Directory Users and Computers; the underlying attribute is info) we're going to put in the word ***OVERRIDE*** to indicate the account NEVER gets deleted automatically (unless we remove those words from the Notes field).

Also in Active Directory, under the Description, we're adding the words "On Leave Until" to indicate the user is gone for a specified period of time.   This will allow us to have a script that can look and shut things down without us doing anything.  Such an account still gets disabled when it goes stale; it just never gets deleted.
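As an added example that is not part of the original post, here is the classification logic the rules above describe, run against constructed sample accounts so you can check it without touching a domain.  The function name Get-StaleAccountAction, the sample accounts and the dates are assumptions made for this example; it only reports what would happen to each account and never calls the Quest cmdlets.

```powershell
# Added example (not from the original post): classify accounts the way the
# rules above describe, against constructed sample data, so the logic can be
# checked without touching a domain.  Get-StaleAccountAction, the sample
# objects and the thresholds are assumptions made for this example.

function Get-StaleAccountAction {
    param(
        [Parameter(Mandatory=$true)] $User,        # anything with LastLogon, Notes, Description
        [datetime] $Now         = (Get-Date),
        [int]      $DisableDays = 90,
        [int]      $DeleteDays  = 120,
        [string]   $OverRide    = '***OVERRIDE***',
        [string]   $OnLeave     = 'On Leave Until'
    )

    # Never-logged-on accounts carry no LastLogon at all; calling .AddDays()
    # on $null throws, so report them separately instead of silently
    # skipping them (they usually deserve a look of their own).
    if ($null -eq $User.LastLogon) { return 'NeverLoggedOn' }

    $age = ($Now - [datetime]$User.LastLogon).Days

    # Recently active: LastLogon plus the disable window is still in the future.
    if ($age -lt $DisableDays) { return 'Active' }

    # Stale but not yet ancient: disable only.
    if ($age -lt $DeleteDays)  { return 'Disable' }

    # Ancient: delete unless a hold applies.  The override phrase contains '*',
    # which -like would treat as a wildcard (and -like ignores case), so it is
    # compared literally and case-sensitively with -cmatch on an escaped
    # pattern.  The on-leave phrase is matched case-insensitively, anywhere in
    # the Description.  [string] turns a $null field into '' so the operators
    # never see $null.
    if ([string]$User.Notes       -cmatch [regex]::Escape($OverRide)) { return 'Override' }
    if ([string]$User.Description -match  [regex]::Escape($OnLeave))  { return 'OnLeave' }
    return 'Delete'
}

# Constructed sample accounts (not real directory data).  New-Object is used
# instead of [pscustomobject] so this also runs on PowerShell 2.0.
$now = Get-Date '2010-06-01'
$sample = @(
    (New-Object PSObject -Property @{ Name='alice'; LastLogon=$now.AddDays(-10);  Notes='';               Description='Accountant' }),
    (New-Object PSObject -Property @{ Name='bob';   LastLogon=$now.AddDays(-100); Notes='';               Description='Contractor' }),
    (New-Object PSObject -Property @{ Name='carol'; LastLogon=$now.AddDays(-200); Notes='';               Description='Sales' }),
    (New-Object PSObject -Property @{ Name='dave';  LastLogon=$now.AddDays(-200); Notes='***OVERRIDE***'; Description='Service account' }),
    (New-Object PSObject -Property @{ Name='erin';  LastLogon=$now.AddDays(-200); Notes='***override***'; Description='Student' }),
    (New-Object PSObject -Property @{ Name='frank'; LastLogon=$now.AddDays(-200); Notes='';               Description='on leave until 2011-01-01' }),
    (New-Object PSObject -Property @{ Name='grace'; LastLogon=$null;              Notes='';               Description='New hire' })
)

foreach ($u in $sample) {
    '{0,-6} {1}' -f $u.Name, (Get-StaleAccountAction -User $u -Now $now)
}
```

The samples are chosen to exercise each branch: an active user, one inside the disable window only, one old enough to delete, one held by the override, one whose override is in the wrong case (and so is NOT held, which is the point of the case-sensitive compare), one on leave, and one who has never logged on.  Run it against a real user object from Get-QADUser by passing that object as -User and the classification applies unchanged.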

In this rendition I've left in the -WhatIf parameter to cover the bases of "Murphy".

It also echoes to the screen the status of each account that is potentially going to be deleted or not.  Accounts to be disabled are just disabled without notice.

Let me know how this works and be VERY VERY VERY VERY careful using it.  I highly recommend practicing this on a TEST domain or TEST OU at the VERY minimum before going production.

A special shout out goes to my buddy @moldor in Australia, without whom this script would NOT have existed.  He created the need and the requirements.  If you're looking for a great Mac/Linux guy who'll even work with Windows in Australia?  Give him a shout!

Sean
The Energized Tech

———————————————– AutoCleanADUsers-Stale.PS1 ————————————-

# Uses Quest ActiveRoles cmdlets
# Free to download http://www.quest.com/powershell/activeroles-server.aspx
#
# Get all users that have not logged on within
# XXX days in Active Directory and disable them
#
# Get the current date.  This is the ONE name every comparison
# below uses; a mismatched variable name here would compare against
# $null and flag every account as stale.
#
$CurrentDate=Get-Date
#
# Number of days to check back.  90 days
#
$NumberDays=90
#
# Number of days to check for REALLY stale accounts
# Our sample here is taking "OldAccounts" and pumping up
# 30 more days.  Therefore 120-day-old accounts that haven't
# logged in should be purged
#
$DeleteDays=$NumberDays+30
#
# We have certain "Override fields" that bypass a delete
# happening.  If the "Notes" field in AD contains the
# EXACT override phrase ANYWHERE (in this case it is the
# word ***OVERRIDE***, matched literally and case-sensitively:
# -like would treat the asterisks as wildcards and ignore case,
# so the script uses -cmatch on an escaped pattern instead)
# the account will NEVER be deleted (unless of course you remove
# the word from the Notes field).  This line must stay uncommented;
# with $OverRide empty the check would match every account.
#
$OverRide='***OVERRIDE***'
#
# The other override field is if
# the OnLeave details are in the Description
# field in AD.  This allows for a user who is
# not gone (IE: contractor / student) but may
# return to have the account disabled and
# left alone until they return.  The words here are
# simply On Leave Until and can be ANYWHERE in the
# Description field in AD (case does not matter)
#
$OnLeave='On Leave Until'
#
# Organizational Unit to search - this is in the fictional domain of
# 'Contoso.local' in the OU of Users under the Business OU on the root
# of the Contoso AD
#
$OU='Contoso.local/Business/Users'
#
# Get all users not active within the specified range.
#
# LastLogon is the non-replicated lastLogon attribute as seen by the
# domain controller you happen to be connected to; a user who logs on
# against another DC can look stale here (LastLogonTimestamp is
# replicated but can lag by up to 14 days).  An account that has never
# logged on has no LastLogon at all, so it is excluded rather than
# treated as stale.  -SizeLimit 0 lifts the cmdlet's default cap on
# the number of results so large OUs are not silently truncated.
#
# We store them away as a variable since we're going to examine the list a few times.
#
$LISTOFACCOUNTS=Get-QADUser -SearchRoot $OU -SizeLimit 0 | where { ($null -ne $_.LastLogon) -and ($_.LastLogon.AddDays($NumberDays) -lt $CurrentDate) }
#
# Any account not logged in within the short range gets disabled in AD
#
$LISTOFACCOUNTS | Disable-QADUser -WhatIf
#
# Pull up a new list.   Really old accounts
#
$LISTOFPOTENTIALDELETES=$LISTOFACCOUNTS | where { $_.LastLogon.AddDays($DeleteDays) -lt $CurrentDate }
#
# Secondary compare is more interesting.  If the accounts are VERY stale, they get deleted UNLESS special keywords
# are in place.  The holds are tested first so the delete is the branch you only reach when neither applies.
# [string] turns an empty Notes or Description into '' so the match operators never see $null.
#
FOREACH ($USER in $LISTOFPOTENTIALDELETES)
{
    IF ([string]$USER.Notes -cmatch [regex]::Escape($OverRide))
    {
        Write-Host $USER.Name 'Not removed due to Administrative Override'
    }
    ELSEIF ([string]$USER.Description -match [regex]::Escape($OnLeave))
    {
        Write-Host $USER.Name 'Not removed - Presently on Leave'
    }
    ELSE
    {
        # Pipe the object itself rather than passing $USER.Name: a display
        # name is not guaranteed unique, and a mistyped identity could
        # resolve to the wrong object.
        $USER | Remove-QADObject -WhatIf
        Write-Host $USER.Name 'Deleted'
    }
}

———————————————– AutoCleanADUsers-Stale.PS1 ————————————-
