Difference between revisions of "Inactive AD accounts"
| Line 32: | Line 32: | ||
# Delete account and associated resources from AD | # Delete account and associated resources from AD | ||
``` | ``` | ||
| − | + | param ( | |
| − | $ | + | [Parameter(Mandatory=$true)] |
| + | [string]$UserName | ||
| + | ) | ||
| + | |||
| + | Import-Module ActiveDirectory | ||
| − | + | try { | |
| − | $user = Get-ADUser -Identity $ | + | $user = Get-ADUser -Identity $UserName -Properties MemberOf, HomeDirectory |
| − | if ($user) { | + | if ($user) { |
| − | + | $groups = $user.MemberOf | |
| − | + | foreach ($group in $groups) { | |
| − | + | $groupObj = Get-ADGroup -Identity $group | |
| − | + | Remove-ADGroupMember -Identity $groupObj -Members $user -Confirm:$false | |
| + | } | ||
| − | + | if ($user.HomeDirectory -and (Test-Path $user.HomeDirectory)) { | |
| − | + | Remove-Item -Path $user.HomeDirectory -Recurse -Force | |
| − | + | Write-Output "Home directory $($user.HomeDirectory) has been removed." | |
| − | + | } | |
| − | + | Remove-ADUser -Identity $UserName -Confirm:$false | |
| − | + | Write-Output "User $UserName has been removed from all groups and deleted from AD." | |
| − | } else { | + | } else { |
| − | + | Write-Output "User $UserName not found in AD." | |
| + | } | ||
| + | } catch { | ||
| + | Write-Error "An error occurred: $_" | ||
| + | exit 1 | ||
} | } | ||
``` | ``` | ||
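Review bot: `Remove-Item -Path $user.HomeDirectory -Recurse -Force` deletes whatever path the HomeDirectory attribute currently holds, so a mis-set attribute (a share root, a value containing wildcard characters, a file instead of a folder) removes far more than one user's data; use `Test-Path -LiteralPath $user.HomeDirectory -PathType Container` and `Remove-Item -LiteralPath $user.HomeDirectory -Recurse -Force`, and check that the value lies under the expected home-share root before deleting. Separately, if `Get-ADUser -Identity` throws for an unknown identity instead of returning $null (which I believe it does), the `else` branch printing "not found" is never reached and that case surfaces as "An error occurred: ..." with exit 1; adding `-ErrorAction Stop` and handling the not-found exception in its own catch keeps the intended message. Placing `[CmdletBinding(SupportsShouldProcess)]` above `param (` would also let this destructive script be rehearsed with -WhatIf.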
| Line 80: | Line 89: | ||
} else { | } else { | ||
Write-Output "User $username not found in AD." | Write-Output "User $username not found in AD." | ||
| + | } | ||
| + | ``` | ||
| + | |||
| + | # Time windowing by UTC time | ||
| + | ``` | ||
| + | Import-Module ActiveDirectory | ||
| + | $ouPath = "OU=Some Accounts,DC=example,DC=com" | ||
| + | $usersNoPasswordReset = Get-ADUser -Filter { | ||
| + | PasswordLastSet -gt "3/12/2022 03:05:00 AM" -and | ||
| + | PasswordLastSet -le "3/12/2022 03:30:00 AM" -and | ||
| + | LastLogonDate -lt "3/12/2022 03:30:00 AM" -and | ||
| + | SamAccountName -like "test-*" -and | ||
| + | Enabled -eq $true | ||
| + | } -Properties PasswordLastSet, LastLogonDate, Enabled | | ||
| + | # Where-Object { $_.Name -match '(?i)dev|-d$|-de$|qa|-q$|stage|stag$|stg|-st$|-s$' } | | ||
| + | Where-Object { $_.Name -notmatch '(?i)dev|-d$|-de$|qa|-q$|stage|stag$|stg|-st$|-s$' } | | ||
| + | Select-Object Name, SamAccountName, PasswordLastSet, LastLogonDate, Enabled | ||
| + | # $usersNoPasswordReset | Export-Csv -Path "lower.csv" -NoTypeInformation | ||
| + | $usersNoPasswordReset | Export-Csv -Path "nonlower.csv" -NoTypeInformation | ||
| + | # $usersNoPasswordReset | Format-Table -AutoSize | ||
| + | ``` | ||
| + | |||
| + | Remove/Delete list of users in file | ||
| + | ``` | ||
| + | Import-Module ActiveDirectory | ||
| + | $ErrorActionPreference = "Stop" | ||
| + | $textFilePath = "users.txt" | ||
| + | $usernames = Get-Content -Path $textFilePath | ||
| + | |||
| + | foreach ($username in $usernames) { | ||
| + | try { | ||
| + | $user = Get-ADUser -Identity $username | ||
| + | Write-Output "$username"; Start-Sleep -Milliseconds 500 | ||
| + | if ( $user -and $user.Enabled -eq $false) { | ||
| + | $groups = Get-ADUser -Identity $username -Property MemberOf | Select-Object -ExpandProperty MemberOf | ||
| + | if ($groups) { | ||
| + | foreach ($group in $groups) { | ||
| + | Write-Output "Removing user $user from group $group." | ||
| + | Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false | ||
| + | } | ||
| + | Remove-ADUser -Identity $username -Confirm:$false | ||
| + | Write-Output "User $username has been removed from all groups and deleted from AD." | ||
| + | } | ||
| + | } else { | ||
| + | Write-Output "E: Usename: $username must be disabled before delete. Skipping." | ||
| + | } | ||
| + | } catch { | ||
| + | Write-Output "E: Failed to delete account: $username. Error: $_" | ||
| + | } | ||
} | } | ||
``` | ``` | ||
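Review bot: `Remove-ADUser -Identity $username -Confirm:$false` and its success message sit inside `if ($groups) { ... }`, so a disabled account with no group memberships is neither deleted nor reported; move those two lines after the closing brace of the `if ($groups)` block so deletion happens whenever the account is disabled. In the time-windowing script above it, `$ouPath` is assigned but the query has no `-SearchBase $ouPath`, so the search runs against the whole domain rather than the OU the variable names; either add the parameter or drop the variable. The message `"E: Usename: $username must be disabled before delete. Skipping."` also has a typo (Username).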
Latest revision as of 17:39, 9 September 2024
Get inactive accounts
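<#
Get inactive accounts: list enabled accounts under $ouPath whose password was
changed after the cutoff but that have not logged on since, and print them as
a table. Read-only; nothing is modified.
#>
Import-Module ActiveDirectory

# Search scope and account-name prefix; adjust for the target environment.
$ouPath = "OU=Some Accounts,DC=example,DC=com"
$namePattern = "somesvc-*"

# One cutoff used for both comparisons. The ISO literal is parsed
# culture-independently and is the same instant (11 July 2023, midnight) the
# original "7/11/2023 00:00:00 AM" literal expresses in a US locale.
$cutoff = [datetime]'2023-07-11'

# NOTE(review): LastLogonDate is derived from the replicated lastLogonTimestamp
# attribute, which AD updates lazily (by default it can lag by up to ~14 days),
# so read the result as "no logon for at least that long", not an exact date.
$usersNoPasswordReset = Get-ADUser -Filter {
    PasswordLastSet -gt $cutoff -and
    LastLogonDate -lt $cutoff -and
    SamAccountName -like $namePattern -and
    Enabled -eq $true
} -SearchBase $ouPath -Properties PasswordLastSet, LastLogonDate, Enabled |
    Select-Object Name, SamAccountName, PasswordLastSet, LastLogonDate, Enabled

$usersNoPasswordReset | Format-Table -AutoSize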
Disable Account
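<#
Disable Account: disable every AD account named in users.txt (one identity
per line). Blank lines and lines starting with '#' are skipped so a stray
empty line is not looked up as an identity and reported as a failure.
Each failure is reported on the error stream and does not stop the run.
#>
Import-Module ActiveDirectory

$textFilePath = "users.txt"
$usernames = Get-Content -Path $textFilePath

foreach ($rawName in $usernames) {
    $username = $rawName.Trim()
    # Skip blanks and comment lines; Get-Content returns them as ordinary entries.
    if (-not $username -or $username.StartsWith('#')) { continue }
    try {
        Disable-ADAccount -Identity $username -ErrorAction Stop
        # Deletion is deliberately left out of this pass: disable first,
        # delete later once the list has been reviewed.
        # Remove-ADUser -Identity $username -Confirm:$false -ErrorAction Stop
        Write-Output "Disabled account: $username"
    } catch {
        Write-Error "Failed to disable account: $username. Error: $_"
    }
}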
Delete account and associated resources from AD
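<#
.SYNOPSIS
Delete account and associated resources from AD.
.DESCRIPTION
Removes the user from every group listed in its MemberOf attribute, deletes
the folder named by its HomeDirectory attribute if that folder exists, then
deletes the user object. Supports -WhatIf so the run can be rehearsed.
.PARAMETER UserName
Identity of the account to delete (any value Get-ADUser -Identity accepts).
.OUTPUTS
Progress messages on stdout. A missing account is reported on stdout; any
other failure goes to the error stream and the script exits with code 1.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param (
    [Parameter(Mandatory = $true)]
    [string]$UserName
)

Import-Module ActiveDirectory

try {
    # -ErrorAction Stop turns "identity not found" into a terminating error so
    # it is classified in the catch below instead of silently yielding $null.
    $user = Get-ADUser -Identity $UserName -Properties MemberOf, HomeDirectory -ErrorAction Stop

    # MemberOf holds group distinguished names; Remove-ADGroupMember accepts
    # a DN directly, so no Get-ADGroup round-trip is needed.
    foreach ($group in @($user.MemberOf)) {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    }

    $homeDir = $user.HomeDirectory
    # -LiteralPath so wildcard characters in the attribute value are not
    # expanded; -PathType Container so a value that points at a file is not
    # deleted recursively.
    # NOTE(review): the attribute is admin-editable data; consider also
    # requiring that $homeDir lies under the expected home-share root.
    if ($homeDir -and (Test-Path -LiteralPath $homeDir -PathType Container)) {
        if ($PSCmdlet.ShouldProcess($homeDir, "Remove home directory")) {
            Remove-Item -LiteralPath $homeDir -Recurse -Force
            Write-Output "Home directory $homeDir has been removed."
        }
    }

    Remove-ADUser -Identity $UserName -Confirm:$false
    Write-Output "User $UserName has been removed from all groups and deleted from AD."
} catch {
    # Compared by type name so the script parses even if the AD assembly is
    # not loaded until Import-Module runs above.
    if ($_.Exception.GetType().Name -eq 'ADIdentityNotFoundException') {
        Write-Output "User $UserName not found in AD."
    } else {
        Write-Error "An error occurred: $_"
        exit 1
    }
}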
more
Remove user and remove SID from all AD Groups
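<#
Remove user and remove SID from all AD Groups: strip the account named in
$username from every group in its MemberOf attribute, then delete the user
object. A missing account is reported on stdout; any other failure is
reported on the error stream.
#>
Import-Module ActiveDirectory

# Define the username of the account to be removed
$username = "username_to_remove"

try {
    # A single lookup that already requests MemberOf. -ErrorAction Stop makes
    # "identity not found" a terminating error that the catch classifies.
    $user = Get-ADUser -Identity $username -Properties MemberOf -ErrorAction Stop

    # MemberOf holds group distinguished names, accepted directly by -Identity.
    foreach ($group in @($user.MemberOf)) {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    }
    Remove-ADUser -Identity $username -Confirm:$false
    Write-Output "User $username has been removed from all groups and deleted from AD."
} catch {
    # Compared by type name so the script parses before the AD assembly loads.
    if ($_.Exception.GetType().Name -eq 'ADIdentityNotFoundException') {
        Write-Output "User $username not found in AD."
    } else {
        Write-Error "Failed to remove $username. Error: $_"
    }
}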
Time windowing by UTC time
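<#
Time windowing by UTC time: list enabled "test-*" accounts under $ouPath whose
password was set inside a short window and that have not logged on since the
end of that window, drop names that look like dev/QA/staging accounts, and
write the rest to nonlower.csv. Read-only apart from the CSV file.
#>
Import-Module ActiveDirectory

$ouPath = "OU=Some Accounts,DC=example,DC=com"

# Window bounds, kept as the same literals the filter originally used.
# NOTE(review): whether these mean UTC depends on how the AD filter converts
# the string on the querying machine (its local time zone is involved);
# confirm before relying on the heading's "UTC".
$windowStart = "3/12/2022 03:05:00 AM"
$windowEnd   = "3/12/2022 03:30:00 AM"

# Name fragments and suffixes that mark non-production (dev/QA/staging) accounts.
$nonProdPattern = '(?i)dev|-d$|-de$|qa|-q$|stage|stag$|stg|-st$|-s$'

# $ouPath was assigned but never passed as -SearchBase, so the query ran
# against the whole domain; it is now scoped to the OU as the variable implies.
# To get the complementary (non-production) set instead, swap -notmatch for
# -match and write to "lower.csv".
$usersNoPasswordReset = Get-ADUser -Filter {
    PasswordLastSet -gt $windowStart -and
    PasswordLastSet -le $windowEnd -and
    LastLogonDate -lt $windowEnd -and
    SamAccountName -like "test-*" -and
    Enabled -eq $true
} -SearchBase $ouPath -Properties PasswordLastSet, LastLogonDate, Enabled |
    Where-Object { $_.Name -notmatch $nonProdPattern } |
    Select-Object Name, SamAccountName, PasswordLastSet, LastLogonDate, Enabled

$usersNoPasswordReset | Export-Csv -Path "nonlower.csv" -NoTypeInformation
# $usersNoPasswordReset | Format-Table -AutoSize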
Remove/Delete list of users in file
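<#
Remove/Delete list of users in file: for each identity in users.txt (one per
line), remove the account from all of its groups and delete it, but only if
the account is already disabled. Enabled accounts are skipped with a message;
a failure on one account is reported and the loop continues with the next.
#>
Import-Module ActiveDirectory
# Make non-terminating cmdlet errors (including "not found") reach the catch.
$ErrorActionPreference = "Stop"

$textFilePath = "users.txt"
$usernames = Get-Content -Path $textFilePath

foreach ($rawName in $usernames) {
    $username = $rawName.Trim()
    # Ignore blank lines so they are not reported as failed lookups.
    if (-not $username) { continue }
    try {
        # Request MemberOf up front: one directory lookup instead of two.
        $user = Get-ADUser -Identity $username -Properties MemberOf
        Write-Output "$username"; Start-Sleep -Milliseconds 500
        if ($user -and $user.Enabled -eq $false) {
            foreach ($group in @($user.MemberOf)) {
                Write-Output "Removing user $user from group $group."
                Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
            }
            # Deletion no longer depends on group membership: it previously sat
            # inside "if ($groups)", so disabled users in no groups were skipped.
            Remove-ADUser -Identity $username -Confirm:$false
            Write-Output "User $username has been removed from all groups and deleted from AD."
        } else {
            Write-Output "E: Username: $username must be disabled before delete. Skipping."
        }
    } catch {
        Write-Output "E: Failed to delete account: $username. Error: $_"
    }
}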