Difference between revisions of "Inactive AD accounts"

 
(5 intermediate revisions by the same user not shown)
Line 13: Line 13:
 
```
 
```
  
 +
# Disable Account
 
```
 
```
 
Import-Module ActiveDirectory
 
Import-Module ActiveDirectory
Line 28: Line 29:
 
}
 
}
 
```
 
```
 +
 +
# Delete account and associated resources from AD
 +
```
 +
param (
 +
    [Parameter(Mandatory=$true)]
 +
    [string]$UserName
 +
)
 +
 +
Import-Module ActiveDirectory
 +
 +
try {
 +
    $user = Get-ADUser -Identity $UserName -Properties MemberOf, HomeDirectory
 +
 +
    if ($user) {
 +
        $groups = $user.MemberOf
 +
 +
        foreach ($group in $groups) {
 +
            $groupObj = Get-ADGroup -Identity $group
 +
            Remove-ADGroupMember -Identity $groupObj -Members $user -Confirm:$false
 +
        }
 +
 +
        if ($user.HomeDirectory -and (Test-Path $user.HomeDirectory)) {
 +
            Remove-Item -Path $user.HomeDirectory -Recurse -Force
 +
            Write-Output "Home directory $($user.HomeDirectory) has been removed."
 +
        }
 +
 +
        Remove-ADUser -Identity $UserName -Confirm:$false
 +
 +
        Write-Output "User $UserName has been removed from all groups and deleted from AD."
 +
    } else {
 +
        Write-Output "User $UserName not found in AD."
 +
    }
 +
} catch {
 +
    Write-Error "An error occurred: $_"
 +
    exit 1
 +
}
 +
```
 +
 +
# more
  
 
# Remove user and remove SID from all AD Groups
 
# Remove user and remove SID from all AD Groups
Line 38: Line 78:
  
 
if ($user) {
 
if ($user) {
    # Get all groups the user is a member of
 
 
     $groups = Get-ADUser -Identity $username -Property MemberOf | Select-Object -ExpandProperty MemberOf
 
     $groups = Get-ADUser -Identity $username -Property MemberOf | Select-Object -ExpandProperty MemberOf
  
    # Remove the user from each group
 
 
     foreach ($group in $groups) {
 
     foreach ($group in $groups) {
 
         Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
 
         Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
 
     }
 
     }
  
    # Remove the user account from AD
 
 
     Remove-ADUser -Identity $username -Confirm:$false
 
     Remove-ADUser -Identity $username -Confirm:$false
  
Line 52: Line 89:
 
} else {
 
} else {
 
     Write-Output "User $username not found in AD."
 
     Write-Output "User $username not found in AD."
 +
}
 +
```
 +
 +
# Time windowing by UTC time
 +
```
 +
Import-Module ActiveDirectory
 +
$ouPath = "OU=Some Accounts,DC=example,DC=com"
 +
$usersNoPasswordReset = Get-ADUser -Filter {
 +
    PasswordLastSet -gt "3/12/2022 03:05:00 AM" -and
 +
    PasswordLastSet -le "3/12/2022 03:30:00 AM" -and
 +
    LastLogonDate -lt "3/12/2022 03:30:00 AM" -and
 +
    SamAccountName -like "test-*" -and
 +
    Enabled -eq $true
 +
} -Properties PasswordLastSet, LastLogonDate, Enabled |
 +
    # Where-Object { $_.Name -match '(?i)dev|-d$|-de$|qa|-q$|stage|stag$|stg|-st$|-s$' } |
 +
    Where-Object { $_.Name -notmatch '(?i)dev|-d$|-de$|qa|-q$|stage|stag$|stg|-st$|-s$' } |
 +
    Select-Object Name, SamAccountName, PasswordLastSet, LastLogonDate, Enabled
 +
# $usersNoPasswordReset | Export-Csv -Path "lower.csv" -NoTypeInformation
 +
$usersNoPasswordReset | Export-Csv -Path "nonlower.csv" -NoTypeInformation
 +
# $usersNoPasswordReset | Format-Table -AutoSize
 +
```
 +
 +
Remove/Delete list of users in file
 +
```
 +
Import-Module ActiveDirectory
 +
$ErrorActionPreference = "Stop"
 +
$textFilePath = "users.txt"
 +
$usernames = Get-Content -Path $textFilePath
 +
 +
foreach ($username in $usernames) {
 +
  try {
 +
    $user = Get-ADUser -Identity $username
 +
    Write-Output "$username"; Start-Sleep -Milliseconds 500
 +
    if ( $user -and $user.Enabled -eq $false) {
 +
      $groups = Get-ADUser -Identity $username -Property MemberOf | Select-Object -ExpandProperty MemberOf
 +
      if ($groups) {
 +
        foreach ($group in $groups) {
 +
            Write-Output "Removing user $user from group $group."
 +
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
 +
        }
 +
        Remove-ADUser -Identity $username -Confirm:$false
 +
        Write-Output "User $username has been removed from all groups and deleted from AD."
 +
      }
 +
    } else {
 +
        Write-Output "E: Usename: $username must be disabled before delete. Skipping."
 +
    }
 +
  } catch {
 +
    Write-Output "E: Failed to delete account: $username. Error: $_"
 +
  }
 
}
 
}
 
```
 
```
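Review bot: In the last hunk ("Line 52 / Line 89", the "Remove/Delete list of users in file" script) `Remove-ADUser` and its success message sit inside `if ($groups)`, so a disabled account with no group memberships is never deleted and nothing is printed for it; move `Remove-ADUser -Identity $username -Confirm:$false` and the following `Write-Output` out of that block so they run after the (possibly empty) `foreach`. The skip message in the same hunk misspells the word: `Write-Output "E: Username: $username must be disabled before delete. Skipping."`. Failures in the catch are emitted with `Write-Output` rather than `Write-Error`, so they are mixed into the stdout list of processed names and a caller capturing the output cannot separate them. The enclosing `foreach` closes at the end of the hunk, but its opening is in the earlier part of the section.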

Latest revision as of 17:39, 9 September 2024

Get inactive accounts

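Import-Module ActiveDirectory

# Scope and selection criteria, pulled out of the filter body so the window and
# naming pattern can be changed in one place.
$ouPath = "OU=Some Accounts,DC=example,DC=com"
# The original literal was "7/11/2023 00:00:00 AM", which is parsed under the
# current culture; the constructor form pins it to 11 July 2023, 00:00 local time.
$cutoff = [datetime]::new(2023, 7, 11, 0, 0, 0)
$samPattern = "somesvc-*"

# Enabled accounts under $ouPath whose password was set after $cutoff but that
# have not logged on since. The AD cmdlets expand $variables inside -Filter, so
# the values above are passed through to the LDAP query.
# NOTE(review): LastLogonDate is derived from the replicated lastLogonTimestamp
# attribute and can lag the true last logon by days — confirm that tolerance is
# acceptable before acting on this list. Accounts that have never logged on
# (no LastLogonDate) presumably fail the -lt comparison and are not listed; verify.
$usersNoPasswordReset = Get-ADUser -Filter {
    PasswordLastSet -gt $cutoff -and
    LastLogonDate -lt $cutoff -and
    SamAccountName -like $samPattern -and
    Enabled -eq $true
} -SearchBase $ouPath -Properties PasswordLastSet, LastLogonDate, Enabled |
    Select-Object Name, SamAccountName, PasswordLastSet, LastLogonDate, Enabled
$usersNoPasswordReset | Format-Table -AutoSize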

Disable Account

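Import-Module ActiveDirectory

# One account identity per line. -ErrorAction Stop turns a missing or unreadable
# file into a terminating error; without it Get-Content only emits a
# non-terminating error, $usernames stays empty and the loop silently does nothing.
$textFilePath = "users.txt"
$usernames = Get-Content -Path $textFilePath -ErrorAction Stop

foreach ($rawName in $usernames) {
    # Blank lines and surrounding whitespace are common in hand-edited lists and
    # would otherwise be handed to Disable-ADAccount as an invalid identity.
    $username = $rawName.Trim()
    if (-not $username) { continue }

    try {
        Disable-ADAccount -Identity $username -ErrorAction Stop
        # This script only disables; deletion stays commented out on purpose.
        # Remove-ADUser -Identity $username -Confirm:$false -ErrorAction Stop
        Write-Output "Disabled account: $username"
    } catch {
        # Error stream, so failures do not mix with the stdout list of disabled names.
        Write-Error "Failed to disable account: $username. Error: $_"
    }
}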

Delete account and associated resources from AD

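# Deletes one AD user together with its group memberships and home directory.
#
# Parameters:
#   -UserName  Identity accepted by Get-ADUser (typically the SamAccountName).
#   -Force     Delete even if the account is still enabled. By default an enabled
#              account is refused, consistent with the list-based delete script on
#              this page, so that an account is always disabled first.
#
# Output: progress on stdout, failures on the error stream, exit code 1 on failure.
# Everything here is irreversible; the home directory in particular is not covered
# by any AD recovery mechanism, so -Confirm:$false is meant for the scripted
# workflow only.
param (
    [Parameter(Mandatory=$true)]
    [string]$UserName,

    [switch]$Force
)

Import-Module ActiveDirectory

try {
    # MemberOf and HomeDirectory are not in the default property set. Get-ADUser
    # -Identity throws ADIdentityNotFoundException for an unknown identity instead of
    # returning $null, which is why the not-found case is a dedicated catch below.
    $user = Get-ADUser -Identity $UserName -Properties MemberOf, HomeDirectory -ErrorAction Stop

    if ($user.Enabled -and -not $Force) {
        Write-Error "User $UserName is still enabled; disable it first or re-run with -Force."
        exit 1
    }

    # MemberOf holds group distinguished names, which Remove-ADGroupMember accepts
    # directly, so the extra Get-ADGroup lookup per group is unnecessary. The primary
    # group (usually Domain Users) is not listed in MemberOf and goes away with the account.
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # -LiteralPath so that [ ] or other wildcard characters in the attribute value
    # are not treated as a pattern. The attribute is admin-controlled: a value that
    # points at a shared root rather than a per-user folder would be removed too, so
    # review HomeDirectory values before using this in bulk.
    if ($user.HomeDirectory -and (Test-Path -LiteralPath $user.HomeDirectory)) {
        Remove-Item -LiteralPath $user.HomeDirectory -Recurse -Force
        Write-Output "Home directory $($user.HomeDirectory) has been removed."
    }

    Remove-ADUser -Identity $UserName -Confirm:$false

    Write-Output "User $UserName has been removed from all groups and deleted from AD."
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    # Keeps the original "not found" message, which the $null check could never
    # produce because the lookup throws instead of returning $null.
    Write-Output "User $UserName not found in AD."
} catch {
    Write-Error "An error occurred: $_"
    exit 1
}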

more

Remove user and remove SID from all AD Groups

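# Define the username of the account to be removed
$username = "username_to_remove"

# Get the user account together with its group memberships. Get-ADUser -Identity
# throws for an unknown identity rather than returning $null, so the not-found
# case is handled in the catch instead of by testing $user.
try {
    $user = Get-ADUser -Identity $username -Properties MemberOf -ErrorAction Stop
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    Write-Output "User $username not found in AD."
    return
}

# MemberOf holds the distinguished names of the user's groups; fetching it with the
# first lookup removes the second Get-ADUser call the original made.
foreach ($group in $user.MemberOf) {
    Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
}

# Remove the user account from AD (irreversible without AD Recycle Bin).
Remove-ADUser -Identity $username -Confirm:$false

Write-Output "User $username has been removed from all groups and deleted from AD."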

Time windowing by UTC time

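Import-Module ActiveDirectory
$ouPath = "OU=Some Accounts,DC=example,DC=com"

# Window boundaries. The original literals ("3/12/2022 03:05:00 AM" etc.) are
# parsed under the current culture; the constructor form pins them to 12 March 2022.
# NOTE(review): despite the section title, a [datetime] without an explicit Kind
# appears to be treated as local time when the AD cmdlets convert it for the LDAP
# query — build the values with [datetime]::SpecifyKind(..., 'Utc') or
# .ToUniversalTime() if the window really is meant in UTC, and confirm against results.
$windowStart = [datetime]::new(2022, 3, 12, 3, 5, 0)
$windowEnd   = [datetime]::new(2022, 3, 12, 3, 30, 0)
$samPattern  = "test-*"

# Enabled test accounts whose password was set inside the window and that have not
# logged on since its end. Names with dev/qa/stage-style suffixes are excluded by the
# -notmatch filter; the commented -match line yields the complementary list.
# $ouPath was defined but never applied in the original; it is now passed via
# -SearchBase as the other query script on this page does — drop it to search the
# whole domain.
$usersNoPasswordReset = Get-ADUser -Filter {
    PasswordLastSet -gt $windowStart -and
    PasswordLastSet -le $windowEnd -and
    LastLogonDate -lt $windowEnd -and
    SamAccountName -like $samPattern -and
    Enabled -eq $true
} -SearchBase $ouPath -Properties PasswordLastSet, LastLogonDate, Enabled |
    # Where-Object { $_.Name -match '(?i)dev|-d$|-de$|qa|-q$|stage|stag$|stg|-st$|-s$' } |
    Where-Object { $_.Name -notmatch '(?i)dev|-d$|-de$|qa|-q$|stage|stag$|stg|-st$|-s$' } |
    Select-Object Name, SamAccountName, PasswordLastSet, LastLogonDate, Enabled
# $usersNoPasswordReset | Export-Csv -Path "lower.csv" -NoTypeInformation
$usersNoPasswordReset | Export-Csv -Path "nonlower.csv" -NoTypeInformation
# $usersNoPasswordReset | Format-Table -AutoSize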

Remove/Delete list of users in file

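Import-Module ActiveDirectory
# Make every cmdlet error terminating so it lands in the per-user catch below
# (in particular an unknown identity from Get-ADUser).
$ErrorActionPreference = "Stop"
$textFilePath = "users.txt"
$usernames = Get-Content -Path $textFilePath

foreach ($rawName in $usernames) {
  # Tolerate blank lines and stray whitespace in a hand-edited list.
  $username = $rawName.Trim()
  if (-not $username) { continue }

  try {
    # MemberOf is not in the default property set; fetching it here avoids the
    # second Get-ADUser round trip the original made.
    $user = Get-ADUser -Identity $username -Properties MemberOf
    Write-Output "$username"; Start-Sleep -Milliseconds 500   # presumably a throttle; purpose not stated

    if ($user -and $user.Enabled -eq $false) {
      foreach ($group in $user.MemberOf) {
        Write-Output "Removing user $user from group $group."
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
      }
      # Deliberately outside the group loop: in the original this sat inside
      # `if ($groups)`, so a disabled account with no memberships was never deleted
      # and nothing was printed for it.
      Remove-ADUser -Identity $username -Confirm:$false
      Write-Output "User $username has been removed from all groups and deleted from AD."
    } else {
      Write-Output "E: Username: $username must be disabled before delete. Skipping."
    }
  } catch {
    Write-Output "E: Failed to delete account: $username. Error: $_"
  }
}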