Difference between revisions of "Inactive AD accounts"

From UVOO Tech Wiki
Jump to navigation Jump to search
(Created page with "# Get inactive accounts ``` # Import the Active Directory module Import-Module ActiveDirectory # Define the OU path $ouPath = "OU=Example Foo Accounts,DC=example,DC=com" # D...")
 
 
(9 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
# Get inactive accounts
 
# Get inactive accounts
 
```
 
```
# Import the Active Directory module
 
 
Import-Module ActiveDirectory
 
Import-Module ActiveDirectory
 +
$ouPath = "OU=Some Accounts,DC=example,DC=com"
 +
$usersNoPasswordReset = Get-ADUser -Filter {
 +
    PasswordLastSet -gt "7/11/2023 00:00:00 AM" -and
 +
    LastLogonDate -lt "7/11/2023 00:00:00 AM" -and
 +
    SamAccountName -like "somesvc-*" -and
 +
    Enabled -eq $true
 +
} -SearchBase $ouPath -Properties PasswordLastSet, LastLogonDate, Enabled |
 +
    Select-Object Name, SamAccountName, PasswordLastSet, LastLogonDate, Enabled
 +
$usersNoPasswordReset | Format-Table -AutoSize
 +
```
  
# Define the OU path
+
# Disable Account
$ouPath = "OU=Example Foo Accounts,DC=example,DC=com"
+
```
 +
Import-Module ActiveDirectory
  
# Define the date thresholds
+
$textFilePath = "users.txt"
$PasswordLastSetDateThreshold = Get-Date -Date "July 11, 2023"
+
$usernames = Get-Content -Path $textFilePath
$logonDateThreshold = Get-Date -Date "July 11, 2023"
+
foreach ($username in $usernames) {
 +
    try {
 +
        Disable-ADAccount -Identity $username -ErrorAction Stop
 +
        # Remove-ADUser -Identity $username -Confirm:$false -ErrorAction Stop
 +
        Write-Output "Disabled account: $username"
 +
    } catch {
 +
        Write-Error "Failed to disable account: $username. Error: $_"
 +
    }
 +
}
 +
```
  
# Get all user accounts in the specified OU that haven't had their passwords reset since the date threshold,
+
# Delete account and associated resources from AD
# whose SamAccountName starts with "svc-", have logged in after the logon date threshold, and are active
+
```
 +
param (
 +
    [Parameter(Mandatory=$true)]
 +
    [string]$UserName
 +
)
 +
 
 +
Import-Module ActiveDirectory
 +
 
 +
try {
 +
    $user = Get-ADUser -Identity $UserName -Properties MemberOf, HomeDirectory
 +
 
 +
    if ($user) {
 +
        $groups = $user.MemberOf
 +
 
 +
        foreach ($group in $groups) {
 +
            $groupObj = Get-ADGroup -Identity $group
 +
            Remove-ADGroupMember -Identity $groupObj -Members $user -Confirm:$false
 +
        }
 +
 
 +
        if ($user.HomeDirectory -and (Test-Path $user.HomeDirectory)) {
 +
            Remove-Item -Path $user.HomeDirectory -Recurse -Force
 +
            Write-Output "Home directory $($user.HomeDirectory) has been removed."
 +
        }
 +
 
 +
        Remove-ADUser -Identity $UserName -Confirm:$false
 +
 
 +
        Write-Output "User $UserName has been removed from all groups and deleted from AD."
 +
    } else {
 +
        Write-Output "User $UserName not found in AD."
 +
    }
 +
} catch {
 +
    Write-Error "An error occurred: $_"
 +
    exit 1
 +
}
 +
```
 +
 
 +
# more
 +
 
 +
# Remove user and remove SID from all AD Groups
 +
```
 +
# Define the username of the account to be removed
 +
$username = "username_to_remove"
 +
 
 +
# Get the user account
 +
$user = Get-ADUser -Identity $username
 +
 
 +
if ($user) {
 +
    $groups = Get-ADUser -Identity $username -Property MemberOf | Select-Object -ExpandProperty MemberOf
 +
 
 +
    foreach ($group in $groups) {
 +
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
 +
    }
 +
 
 +
    Remove-ADUser -Identity $username -Confirm:$false
 +
 
 +
    Write-Output "User $username has been removed from all groups and deleted from AD."
 +
} else {
 +
    Write-Output "User $username not found in AD."
 +
}
 +
```
 +
 
 +
# Time windowing by UTC time
 +
```
 +
Import-Module ActiveDirectory
 +
$ouPath = "OU=Some Accounts,DC=example,DC=com"
 
$usersNoPasswordReset = Get-ADUser -Filter {
 
$usersNoPasswordReset = Get-ADUser -Filter {
     PasswordLastSet -gt $PasswordLastSetDateThreshold -and
+
     PasswordLastSet -gt "3/12/2022 03:05:00 AM" -and
     SamAccountName -like "svc-*" -and
+
     PasswordLastSet -le "3/12/2022 03:30:00 AM" -and
     LastLogonDate -lt $logonDateThreshold -and
+
     LastLogonDate -lt "3/12/2022 03:30:00 AM" -and
 +
    SamAccountName -like "test-*" -and
 
     Enabled -eq $true
 
     Enabled -eq $true
} -SearchBase $ouPath -Properties PasswordLastSet, LastLogonDate, Enabled |  
+
} -Properties PasswordLastSet, LastLogonDate, Enabled |
 +
    # Where-Object { $_.Name -match '(?i)dev|-d$|-de$|qa|-q$|stage|stag$|stg|-st$|-s$' } |
 +
    Where-Object { $_.Name -notmatch '(?i)dev|-d$|-de$|qa|-q$|stage|stag$|stg|-st$|-s$' } |
 
     Select-Object Name, SamAccountName, PasswordLastSet, LastLogonDate, Enabled
 
     Select-Object Name, SamAccountName, PasswordLastSet, LastLogonDate, Enabled
 +
# $usersNoPasswordReset | Export-Csv -Path "lower.csv" -NoTypeInformation
 +
$usersNoPasswordReset | Export-Csv -Path "nonlower.csv" -NoTypeInformation
 +
# $usersNoPasswordReset | Format-Table -AutoSize
 +
```
 +
 +
Remove/Delete list of users in file
 +
```
 +
Import-Module ActiveDirectory
 +
$ErrorActionPreference = "Stop"
 +
$textFilePath = "users.txt"
 +
$usernames = Get-Content -Path $textFilePath
  
# Output the list of users
+
foreach ($username in $usernames) {
$usersNoPasswordReset | Format-Table -AutoSize
+
  try {
 +
    $user = Get-ADUser -Identity $username
 +
    Write-Output "$username"; Start-Sleep -Milliseconds 500
 +
    if ( $user -and $user.Enabled -eq $false) {
 +
      $groups = Get-ADUser -Identity $username -Property MemberOf | Select-Object -ExpandProperty MemberOf
 +
      if ($groups) {
 +
        foreach ($group in $groups) {
 +
            Write-Output "Removing user $user from group $group."
 +
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
 +
        }
 +
        Remove-ADUser -Identity $username -Confirm:$false
 +
        Write-Output "User $username has been removed from all groups and deleted from AD."
 +
      }
 +
    } else {
 +
        Write-Output "E: Usename: $username must be disabled before delete. Skipping."
 +
    }
 +
  } catch {
 +
    Write-Output "E: Failed to delete account: $username. Error: $_"
 +
  }
 +
}
 
```
 
```

Latest revision as of 17:39, 9 September 2024

Get inactive accounts

Import-Module ActiveDirectory
$ouPath = "OU=Some Accounts,DC=example,DC=com"
$usersNoPasswordReset = Get-ADUser -Filter {
    PasswordLastSet -gt "7/11/2023 00:00:00 AM" -and
    LastLogonDate -lt "7/11/2023 00:00:00 AM" -and
    SamAccountName -like "somesvc-*" -and
    Enabled -eq $true
} -SearchBase $ouPath -Properties PasswordLastSet, LastLogonDate, Enabled |
    Select-Object Name, SamAccountName, PasswordLastSet, LastLogonDate, Enabled
$usersNoPasswordReset | Format-Table -AutoSize

Disable Account

Import-Module ActiveDirectory

$textFilePath = "users.txt"
$usernames = Get-Content -Path $textFilePath
foreach ($username in $usernames) {
    try {
        Disable-ADAccount -Identity $username -ErrorAction Stop
        # Remove-ADUser -Identity $username -Confirm:$false -ErrorAction Stop
        Write-Output "Disabled account: $username"
    } catch {
        Write-Error "Failed to disable account: $username. Error: $_"
    }
}

Delete account and associated resources from AD

param (
    [Parameter(Mandatory=$true)]
    [string]$UserName
)

Import-Module ActiveDirectory

try {
    $user = Get-ADUser -Identity $UserName -Properties MemberOf, HomeDirectory

    if ($user) {
        $groups = $user.MemberOf

        foreach ($group in $groups) {
            $groupObj = Get-ADGroup -Identity $group
            Remove-ADGroupMember -Identity $groupObj -Members $user -Confirm:$false
        }

        if ($user.HomeDirectory -and (Test-Path $user.HomeDirectory)) {
            Remove-Item -Path $user.HomeDirectory -Recurse -Force
            Write-Output "Home directory $($user.HomeDirectory) has been removed."
        }

        Remove-ADUser -Identity $UserName -Confirm:$false

        Write-Output "User $UserName has been removed from all groups and deleted from AD."
    } else {
        Write-Output "User $UserName not found in AD."
    }
} catch {
    Write-Error "An error occurred: $_"
    exit 1
}

more

Remove user and remove SID from all AD Groups

# Define the username of the account to be removed
$username = "username_to_remove"

# Get the user account
$user = Get-ADUser -Identity $username

if ($user) {
    $groups = Get-ADUser -Identity $username -Property MemberOf | Select-Object -ExpandProperty MemberOf

    foreach ($group in $groups) {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    }

    Remove-ADUser -Identity $username -Confirm:$false

    Write-Output "User $username has been removed from all groups and deleted from AD."
} else {
    Write-Output "User $username not found in AD."
}

Time windowing by UTC time

Import-Module ActiveDirectory
$ouPath = "OU=Some Accounts,DC=example,DC=com"
$usersNoPasswordReset = Get-ADUser -Filter {
    PasswordLastSet -gt "3/12/2022 03:05:00 AM" -and
    PasswordLastSet -le "3/12/2022 03:30:00 AM" -and
    LastLogonDate -lt "3/12/2022 03:30:00 AM" -and
    SamAccountName -like "test-*" -and
    Enabled -eq $true
} -Properties PasswordLastSet, LastLogonDate, Enabled |
    # Where-Object { $_.Name -match '(?i)dev|-d$|-de$|qa|-q$|stage|stag$|stg|-st$|-s$' } |
    Where-Object { $_.Name -notmatch '(?i)dev|-d$|-de$|qa|-q$|stage|stag$|stg|-st$|-s$' } |
    Select-Object Name, SamAccountName, PasswordLastSet, LastLogonDate, Enabled
# $usersNoPasswordReset | Export-Csv -Path "lower.csv" -NoTypeInformation
$usersNoPasswordReset | Export-Csv -Path "nonlower.csv" -NoTypeInformation
# $usersNoPasswordReset | Format-Table -AutoSize

Remove/Delete list of users in file 

Import-Module ActiveDirectory
$ErrorActionPreference = "Stop"
$textFilePath = "users.txt"
$usernames = Get-Content -Path $textFilePath

foreach ($username in $usernames) {
  try {
    $user = Get-ADUser -Identity $username
    Write-Output "$username"; Start-Sleep -Milliseconds 500
    if ( $user -and $user.Enabled -eq $false) {
      $groups = Get-ADUser -Identity $username -Property MemberOf | Select-Object -ExpandProperty MemberOf
      if ($groups) {
        foreach ($group in $groups) {
            Write-Output "Removing user $user from group $group."
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
        }
        Remove-ADUser -Identity $username -Confirm:$false
        Write-Output "User $username has been removed from all groups and deleted from AD."
      }
    } else {
        Write-Output "E: Usename: $username must be disabled before delete. Skipping."
    }
  } catch {
    Write-Output "E: Failed to delete account: $username. Error: $_"
  }
}
Retrieved from "https://tech.uvoo.io/index.php?title=Inactive_AD_accounts&oldid=5366"