{"id":7115,"date":"2023-06-22T06:02:10","date_gmt":"2023-06-22T06:02:10","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=7115"},"modified":"2023-06-22T06:02:13","modified_gmt":"2023-06-22T06:02:13","slug":"powershell-script-to-disable-inactive-domain-admin-and-enterprise-admin-group-members","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/powershell-script-to-disable-inactive-domain-admin-and-enterprise-admin-group-members","title":{"rendered":"Powershell Script to Disable inactive Domain Admin and Enterprise Admin Group Members"},"content":{"rendered":"\n<pre class=\"wp-block-code\"><code class=\"\"># disableUsers.ps1  \r\n# Set msDS-LogonTimeSyncInterval (days) to a sane number.  By\r\n# default lastLogonDate only replicates between DCs every 9-14 \r\n# days unless this attribute is set to a shorter interval.\r\n \r\n# Also, make sure to create the EventLog source before running, or\r\n# comment out the Write-EventLog lines if no event logging is\r\n# needed.  
Only needed once on each machine running this script.\r\n# New-EventLog -LogName Application -Source \"DisableUsers.ps1\"\r\n \r\n# Remove \"-WhatIf\"s before putting into production. As posted, the -WhatIf lines are already commented out,\r\n# so the Disable-ADAccount calls below take effect as soon as the script runs.\r\n \r\nImport-Module ActiveDirectory\r\n \r\n$donotdisableaccount = \"da.administrator\"\r\n$inactiveDays = 45\r\n$neverLoggedInDays = 45\r\n$disableDaysInactive=(Get-Date).AddDays(-($inactiveDays))\r\n$disableDaysNeverLoggedIn=(Get-Date).AddDays(-($neverLoggedInDays))\r\n \r\n# Identify and disable Domain Admins who have not logged in for x days\r\n# NOTE(review): the filter below compares lastLogonDate with $inactiveDays (an integer) rather than\r\n# $disableDaysInactive (the computed cutoff date); confirm the intended threshold before relying on this check.\r\n \r\n$disableInActiveDomainAdmins = Get-ADGroupMember 'Domain Admins' | Where-Object {$_.objectClass -eq \"user\" -and $_.SamAccountName  -notlike $donotdisableaccount}  | Get-ADUser -Properties lastLogonDate, whenCreated, distinguishedName | Where-Object { $_.Enabled -eq 'True' -and $_.lastLogonDate -lt $inactiveDays -and ($_.lastLogonDate -ne $NULL)} \r\n\r\n\r\n $disableInActiveDomainAdmins | ForEach-Object {\r\n#what if\r\n#  Disable-ADAccount $_ -WhatIf\r\n#no what if\r\n   Disable-ADAccount $_\r\n   Write-EventLog -Source \"DisableUsers.ps1\" -EventId 9090 -LogName Application -Message \"Attempted to disable user $_ because the last login was more than $inactiveDays ago.\"\r\n   }\r\n\r\n$disableInActiveEnterpriseAdmins = Get-ADGroupMember 'Enterprise Admins' | Where-Object {$_.objectClass -eq \"user\" -and $_.SamAccountName  -notlike $donotdisableaccount}  | Get-ADUser -Properties lastLogonDate, whenCreated, distinguishedName | Where-Object { $_.Enabled -eq 'True' -and $_.lastLogonDate -lt $inactiveDays -and ($_.lastLogonDate -ne $NULL)} \r\n\r\n $disableInActiveEnterpriseAdmins | ForEach-Object {\r\n#what if\r\n#   Disable-ADAccount $_ -WhatIf\r\n#no what if\r\n   Disable-ADAccount $_\r\n   Write-EventLog -Source \"DisableUsers.ps1\" -EventId 9090 -LogName Application -Message \"Attempted to disable user $_ because the last login was more than $inactiveDays ago.\"\r\n   }\r\n\r\n# Identify and disable users who were created x days 
ago and never logged in.\r\n \r\n$disableNeverLoggedInEnterpriseAdmins = Get-ADGroupMember 'Enterprise Admins' | Where-Object {$_.objectClass -eq \"user\" -and $_.SamAccountName  -notlike $donotdisableaccount}  | Get-ADUser -Properties lastLogonDate, whenCreated, distinguishedName | Where-Object { $_.Enabled -eq 'True' -and ($_.whenCreated -lt $disableDaysNeverLoggedIn) -and (-not ($_.lastLogonDate -ne $NULL))} \r\n\r\n$disableNeverLoggedInEnterpriseAdmins | ForEach-Object {\r\n#what if\r\n   #Disable-ADAccount $_ -WhatIf\r\n#no what if\r\n   Disable-ADAccount $_\r\n   Write-EventLog -Source \"DisableUsers.ps1\" -EventId 9091 -LogName Application -Message \"Attempted to disable user $_ because user has never logged in and $neverLoggedInDays days have passed.\"\r\n   }\r\n\r\n$disableNeverLoggedInDomainAdmins = Get-ADGroupMember 'Domain Admins' | Where-Object {$_.objectClass -eq \"user\" -and $_.SamAccountName  -notlike $donotdisableaccount}  | Get-ADUser -Properties lastLogonDate, whenCreated, distinguishedName | Where-Object { $_.Enabled -eq 'True' -and ($_.whenCreated -lt $disableDaysNeverLoggedIn) -and (-not ($_.lastLogonDate -ne $NULL))} \r\n\r\n$disableNeverLoggedInDomainAdmins | ForEach-Object {\r\n#what if\r\n   #Disable-ADAccount $_ -WhatIf\r\n#no what if\r\n   Disable-ADAccount $_\r\n   Write-EventLog -Source \"DisableUsers.ps1\" -EventId 9091 -LogName Application -Message \"Attempted to disable user $_ because user has never logged in and $neverLoggedInDays days have passed.\"\r\n   
}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-7115","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=7115"}],"version-history":[{"count":1,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7115\/revisions"}],"predecessor-version":[{"id":7116,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7115\/revisions\/7116"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=7115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=7115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=7115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}