Quite a few companies don’t have proper account management software to maintain their users in Active Directory . Accounts that remain active while the employees already left the company can be a security risk. This little script will disable and remove inactive accounts.
<#
.SYNOPSIS
Disable and remove inactive user accounts from Active Directory
.DESCRIPTION
This script queries active directory to locate user accounts that have not been active for x days.
Currently the script is wired to do the following:
a) Disable user accounts that have been inactive for x days
b) Remove user accounts that have been disabled for x days
To get this to work, you need to do the following:
- Run the script as a domain administrator, or with an account that has the privilege to disable and remove accounts
- PowerShell needs to run as administrator
.EXAMPLE
.\Cleanup-ActiveDirectory.ps1 -DisableDays 90 -RemoveDays 180
.NOTES
Version: 0.1
Author: Peter The Automator
Website: https://petertheautomator.com
#>
Param (
[parameter(Mandatory)][ValidateRange(90,365)][int]$DisableDays,
[parameter(Mandatory)][ValidateRange(90,365)][int]$RemoveDays
)
#Get dates for current date minus a bunch of days
[datetime]$DisableDate = (get-date).AddDays(-$DisableDays)
[datetime]$RemoveDate = (get-date).AddDays(-$RemoveDays)
#Get all the users and service accounts
[array]$ExcludedAccounts = "Administrator","Guest","krbtgt","HelpAssistant" #Excluded accounts
Try {
$Users = Get-ADUser -Filter * -Properties Name,SamAccountName,LastLogonDate,Enabled,WhenChanged
} Catch {
Write-Error "Failed to find AD accounts. Error: '$($_.Exception.Message)'."
exit 1
}
#Disable all accounts that have not ben used during the last x days
Try {
$DisableUsers = $Users | Where-Object {($_.lastlogonDate -le $DisableDate) -and ($_.Enabled -eq $True) -and ($ExcludedAccounts -notcontains $_.SamAccountName)} | Sort-Object Name
If ($DisableUsers) {
Write-Host "Disabling $($DisableUsers.Count) users:"
$DisableUsers | Select-Object Name,SamAccountName,LastLogonDate,WhenChanged
$DisableUsers | Disable-ADAccount
}
} Catch {
Write-Error "Failed to disable the accounts. Error: '$($_.Exception.Message)'."
exit 1
}
#Remove users that have been disabled for x days
Try {
$RemoveUsers = $Users | Where-Object {($_.WhenChanged -le $RemoveDate) -and ($_.Enabled -eq $False) -and ($ExcludedAccounts -notcontains $_.SamAccountName)} | Sort-Object Name
If ($RemoveUsers) {
Write-Host "Removing $($RemoveUsers.Count) users:"
$RemoveUsers | Select-Object Name,SamAccountName,LastLogonDate,WhenChanged
$RemoveUsers | Remove-ADUser
}
} Catch {
Write-Error "Failed to remove the accounts. Error: '$($_.Exception.Message)'."
exit 1
}
The script performs the following actions:
– Disable accounts that have not been active for x days.
– Remove accounts that have been disabled and untouched for x days.
I have added an exclusion list for accounts that are default within Active Directory. It can be extended by custom accounts if needed.
Disclaimer: This script is capable of doing serious harm to your environment. Using this script is your own responsibility.