Powershell Script to Disable inactive Domain Admin and Enterprise Admin Group Members

# disableUsers.ps1  
# Set msDS-LogonTimeSyncInterval (days) to a sane number.  By
# default lastLogonDate only replicates between DCs every 9-14 
# days unless this attribute is set to a shorter interval.
 
# Also, make sure to create the EventLog source before running, or
# comment out the Write-EventLog lines if no event logging is
# needed.  Only needed once on each machine running this script.
# New-EventLog -LogName Application -Source "DisableUsers.ps1"
 
# Remove "-WhatIf"s before putting into production.
 
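Import-Module ActiveDirectory

# Account that this script must never disable (break-glass admin). Matched
# with -notlike, so wildcards are honoured if ever added to the value.
$donotdisableaccount = "da.administrator"
# Enabled admins whose replicated lastLogonDate is older than this are disabled.
$inactiveDays = 45
# Enabled admins created more than this many days ago that have never logged in
# are disabled.
$neverLoggedInDays = 45
# Cut-off *dates*. The comparisons below must use these, not the bare day
# counts: comparing a DateTime with the integer 45 coerces 45 into a DateTime
# of 45 ticks (year 0001), so "lastLogonDate -lt 45" never matched and the
# inactive-admin branch silently disabled nobody.
$disableDaysInactive = (Get-Date).AddDays(-($inactiveDays))
$disableDaysNeverLoggedIn = (Get-Date).AddDays(-($neverLoggedInDays))

# Event log source used for every entry; must already be registered on this
# machine (see the header note about New-EventLog).
$eventSource = "DisableUsers.ps1"

#######################################
# Enabled user members of one admin group, minus the protected account, with
# the attributes the inactivity checks need.
# NOTE: Get-ADGroupMember is called without -Recursive (as before), so a user
# who holds the privilege only through a nested group is not evaluated.
# TODO(review): decide whether nested members should be in scope.
# Arguments: -GroupName  AD group to enumerate
# Outputs:   ADUser objects on the pipeline
#######################################
function Get-EnabledAdminMembers {
    param([Parameter(Mandatory)][string]$GroupName)

    Get-ADGroupMember $GroupName |
        Where-Object { $_.objectClass -eq "user" -and $_.SamAccountName -notlike $donotdisableaccount } |
        Get-ADUser -Properties lastLogonDate, whenCreated, distinguishedName |
        Where-Object { $_.Enabled }
}

#######################################
# Disable one account and record the outcome in the Application log.
# Disable-ADAccount runs with -ErrorAction Stop so a failure (insufficient
# rights, protected object, unreachable DC) is logged as an Error entry
# instead of being passed over with an "attempted" message.
# Arguments: -User     ADUser to disable (stringifies to its DN in messages)
#            -EventId  event id for the log entry (9090 inactive, 9091 never logged in)
#            -Reason   human-readable reason appended to the message
#######################################
function Disable-AdminAccount {
    param(
        [Parameter(Mandatory)]$User,
        [Parameter(Mandatory)][int]$EventId,
        [Parameter(Mandatory)][string]$Reason
    )

    try {
        # For a dry run, add -WhatIf here; remove it again before production.
        Disable-ADAccount -Identity $User -ErrorAction Stop
        Write-EventLog -Source $eventSource -EventId $EventId -LogName Application -EntryType Information `
            -Message "Disabled user $User because $Reason."
    } catch {
        Write-EventLog -Source $eventSource -EventId $EventId -LogName Application -EntryType Error `
            -Message "Failed to disable user $User ($Reason): $_"
    }
}

# Both privileged groups get the same two checks. Membership is re-read for
# each check so an account disabled by the first one is excluded by the
# Enabled filter in the second.
foreach ($group in 'Domain Admins', 'Enterprise Admins') {

    # Members who have logged in, but not within the last $inactiveDays days.
    # lastLogonDate is the replicated lastLogonTimestamp, so it can lag the real
    # last logon by up to the DC sync interval (see header).
    $inactiveAdmins = Get-EnabledAdminMembers -GroupName $group |
        Where-Object { ($null -ne $_.lastLogonDate) -and ($_.lastLogonDate -lt $disableDaysInactive) }

    foreach ($user in $inactiveAdmins) {
        Disable-AdminAccount -User $user -EventId 9090 `
            -Reason "the last login was more than $inactiveDays days ago"
    }

    # Members created more than $neverLoggedInDays days ago that have never
    # logged in (no lastLogonDate at all).
    $neverLoggedInAdmins = Get-EnabledAdminMembers -GroupName $group |
        Where-Object { ($null -eq $_.lastLogonDate) -and ($_.whenCreated -lt $disableDaysNeverLoggedIn) }

    foreach ($user in $neverLoggedInAdmins) {
        Disable-AdminAccount -User $user -EventId 9091 `
            -Reason "user has never logged in and $neverLoggedInDays days have passed"
    }
}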