Automatically Disabling Inactive User Accounts in Active Directory | Information Technology from Valdemar

This article is for anyone looking for a detailed yet easy-to-follow guide to automatically disabling inactive user accounts in Active Directory.

Here is a Windows PowerShell script that not only disables user accounts that have been inactive for a given number of days but also adds a description to each one recording the date on which it was disabled. In addition, the disabled accounts are moved to a designated organizational unit, and a log file listing them is written.

You can download the script by clicking on the link.

Next, open the script in a text editor or in Windows PowerShell ISE and change a few values so that it runs correctly in your organization.

  • In the “LogFolder” variable, specify the path to the folder in which the log files listing disabled user accounts will be created.
  • In the “OU” variable, specify the distinguished name of the organizational unit in which your organization’s user accounts are stored.
  • In the “InactiveUserOU” variable, specify the distinguished name of the organizational unit to which disabled user accounts will be moved.
  • In the “UnusedDays” variable, specify the number of days of inactivity after which a user account is disabled.
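The author’s script is only available from the download link, so the following is an added example (not the original script) of how the behaviour described above can be implemented with the ActiveDirectory module. It keeps the four variable names the article uses; the OU distinguished names, log folder, log line format and description text are assumptions, and the $DryRun switch is an addition so the logic can be verified before anything is disabled.

```powershell
# Added example implementing the steps the article describes; not the author's script.
Import-Module ActiveDirectory

$LogFolder      = 'C:\Scripts\DisableUsers\Logs'                    # assumed path
$OU             = 'OU=Users,OU=Company,DC=example,DC=com'           # assumed DN
$InactiveUserOU = 'OU=Disabled Users,OU=Company,DC=example,DC=com'  # assumed DN
$UnusedDays     = 90
$DryRun         = $true   # set to $false once the candidate list looks right

$Now     = Get-Date
$Cutoff  = $Now.AddDays(-$UnusedDays)
$LogFile = Join-Path $LogFolder ('DisabledUsers_{0:yyyy-MM-dd}.log' -f $Now)
New-Item -ItemType Directory -Path $LogFolder -Force | Out-Null

# LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only
# updated when it is more than ~14 days stale. It is good enough for a 90-day threshold,
# but an account can appear up to two weeks more inactive than it really is.
$Candidates = Get-ADUser -SearchBase $OU -SearchScope Subtree -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, whenCreated, Description |
  Where-Object {
    # Accounts that have never logged on have no LastLogonDate; measure those from their
    # creation date so that newly created accounts are not disabled straight away.
    $Reference = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
    $Reference -lt $Cutoff
  }

foreach ($User in $Candidates) {
  $Stamp       = 'Disabled {0:yyyy-MM-dd} after {1} days of inactivity' -f $Now, $UnusedDays
  # Keep any existing description so that ownership or ticket references are not lost.
  $Description = if ($User.Description) { '{0} | {1}' -f $User.Description, $Stamp } else { $Stamp }
  $LastSeen    = if ($User.LastLogonDate) { '{0:yyyy-MM-dd}' -f $User.LastLogonDate } else { 'never' }

  if ($DryRun) {
    $Line = '{0:yyyy-MM-dd HH:mm:ss}  DRY-RUN  {1,-20}  last logon: {2}' -f $Now, $User.SamAccountName, $LastSeen
  } else {
    try {
      # -ErrorAction Stop turns AD cmdlet errors into terminating errors so the catch block runs.
      Disable-ADAccount -Identity $User -ErrorAction Stop
      Set-ADUser -Identity $User -Description $Description -ErrorAction Stop
      # The move needs delete rights in the source OU and create rights in $InactiveUserOU.
      Move-ADObject -Identity $User.DistinguishedName -TargetPath $InactiveUserOU -ErrorAction Stop
      $Line = '{0:yyyy-MM-dd HH:mm:ss}  DISABLED {1,-20}  last logon: {2}  moved to: {3}' -f $Now, $User.SamAccountName, $LastSeen, $InactiveUserOU
    } catch {
      $Line = '{0:yyyy-MM-dd HH:mm:ss}  FAILED   {1,-20}  {2}' -f $Now, $User.SamAccountName, $_.Exception.Message
    }
  }
  Add-Content -Path $LogFile -Value $Line
}
```

Run it once with $DryRun left at $true and read the log: the candidate list should contain no service accounts, shared mailboxes or other accounts that legitimately never log on interactively. If it does, exclude them (for example by placing them in a separate OU outside $OU) before switching $DryRun to $false.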

Run the script automatically through Task Scheduler. To do this, create a service account under which the task will run, and delegate to that account the permissions it needs on the organizational unit where user accounts are stored.

Create a service account.

On the domain controller, log in with an account that has domain administrator rights.

Open Server Manager, click on the “Tools” button in the upper right corner of the screen and select “Active Directory Users and Computers”.

In this guide, the script runs on the domain controller under the service account. The service account used here is named “Disable Users” with the login “dusers”.

Right-click on the organizational unit where the service accounts are stored and select “New”, then “User”.

Specify the first name, last name, and login for the new service account.

Click on the “Next” button.

Next, specify the password for the new service account.

Uncheck the box “User must change password at next logon”.

Check the box “User cannot change password”.

Check the box “Password never expires”. Because this password will never be rotated by policy, make it long and random and keep it in a password manager; on Windows Server 2012 or later, a group Managed Service Account (gMSA) can run scheduled tasks without anyone having to manage the password at all.

Click on the “Next” button.

Click the “Finish” button.

The service account has been created successfully.

Now add the service account to the Backup Operators group so that a scheduled task can run under it. What the task actually needs is the “Log on as a batch job” user right, which on a domain controller is granted by default to Administrators, Backup Operators and Performance Log Users. Be aware that Backup Operators is a highly privileged group on a domain controller: its backup privilege lets a member read any file on the server, including the directory database. A less privileged alternative is to grant “Log on as a batch job” directly to the service account in the Default Domain Controllers Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment) and skip the group membership.

Right-click on the previously created service account and select “Add to a group”.

Specify the “Backup Operators” group and click on the “Check Names” button.

The group is found, click on the “OK” button.

The service account has been successfully added to the Backup Operators group.

Now delegate permissions to the service account on the organizational unit where user accounts are stored.

Delegation is necessary so that the service account under which the task runs has the right to disable accounts and move them to the organizational unit where disabled user accounts are stored. Moving an object requires delete rights in the source OU and create rights in the destination OU, so if the organizational unit for disabled accounts is not located inside the one you delegate here, repeat the delegation on it as well.

Right-click on the organizational unit where user accounts are stored, and select “Delegate Control”.

Click on the “Next” button.

Next, specify the account to which permissions are to be delegated.

Click on the “Add” button.

Specify the login of the previously created service account and click on the “Check Names” button.

The account is found, click on the “OK” button.

The account to which the rights will be delegated is now listed.

Click on the “Next” button.

In the “Delegate the following common tasks” section, check the “Create, delete, and manage user accounts” box. This common task grants more than the script uses (it includes resetting passwords and deleting users); if you prefer least privilege, choose “Create a custom task to delegate” instead and grant only write access to the userAccountControl and description attributes of user objects, plus the right to create and delete user objects in the OUs involved in the move.

Click on the “Next” button.

Rights for the service account have been delegated to the organizational unit where user accounts are stored.

Click on the “Finish” button.

In this guide, the script runs on a schedule on the domain controller.

Copy the script to the domain controller, into a folder prepared for it in advance. Restrict write access to that folder to administrators: anyone who can modify the script gets its delegated rights over the user OU every time the task runs.

Now create a task in Task Scheduler that runs the script on a schedule under the service account created earlier.

In Server Manager, click on the “Tools” button in the upper right corner of the screen and select “Task Scheduler”.

In the “Actions” menu, select “Create Task”.

On the “General” tab, in the “Name” field, specify the name for the new task.

Next, in the “Security options” section, find “When running the task, use the following user account” and click “Change User or Group” to specify the service account under which the task will run.

Specify the login of the previously created service account and click on the “Check Names” button.

The account is found, click on the “OK” button.

Next, in the “Security options” section, select “Run whether user is logged on or not”.

In the “Configure for” item, select “Windows Server 2012 R2”.

On the “Triggers” tab, click “New” to create the schedule on which the task will run.

In this guide, the task runs every day at 17:00 (5 P.M.).

Choose whatever schedule suits you.

Check the box “Stop task if it runs longer than” and select “3 days”. (The script should finish in minutes, so a much shorter limit is also reasonable; the point is that a hung task is eventually killed.)

Put a tick on the item “Enabled” and click on the button “OK”.


On the “Actions” tab, click “New” and select “Start a program”.

In the “Program/script” field, specify the path to “powershell.exe”.

Click on the “Browse” button.

The path to “powershell.exe” looks like this:

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

In the “Add arguments (optional)” field, specify the path to the script, passed with the -File parameter and quoted if it contains spaces, and click “OK”.

Click on the “OK” button.

Enter the username and password of the service account created earlier and click “OK”.

The task that runs the script on a schedule under the service account has been created successfully.
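The same task can be created from the command line with the ScheduledTasks module, which is convenient for repeating the setup on another domain controller. The following is an added example, not part of the original guide: the task name, script path and domain name are assumptions, and “dusers” is the login the guide uses for the service account.

```powershell
# Added example: registers the scheduled task the guide builds in the GUI.
$TaskName   = 'Disable Inactive Users'                                 # assumed name
$ScriptPath = 'C:\Scripts\DisableUsers\Disable-InactiveUsers.ps1'      # assumed path
$Account    = 'EXAMPLE\dusers'                                          # assumed domain

# -File passes the script path as a single argument; -NoProfile and -NonInteractive stop a
# profile script or a prompt from hanging the task. If your policy allows it, sign the script
# and use -ExecutionPolicy AllSigned instead of Bypass.
$Action = New-ScheduledTaskAction `
  -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
  -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Daily at 17:00, as in the guide.
$Trigger = New-ScheduledTaskTrigger -Daily -At '17:00'

# ExecutionTimeLimit matches "Stop task if it runs longer than 3 days". Win8 is the cmdlet's
# closest value to the GUI's "Windows Server 2012 R2" compatibility entry (assumption).
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Days 3) -Compatibility Win8

# Prompt for the password instead of embedding it in this script.
$Cred = Get-Credential -UserName $Account -Message 'Service account password'

# Supplying -User and -Password registers the task with a password logon type, which is the
# GUI's "Run whether user is logged on or not". The account needs the "Log on as a batch job"
# user right on this host for the task to start.
Register-ScheduledTask -TaskName $TaskName `
  -Action $Action -Trigger $Trigger -Settings $Settings `
  -User $Cred.UserName -Password $Cred.GetNetworkCredential().Password `
  -RunLevel Limited -Description 'Disables AD user accounts inactive for N days' | Out-Null

# Equivalent to selecting the task and choosing "Run", then checking the result in the GUI.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 30
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, LastTaskResult
```

A LastTaskResult of 0 means the task ran to completion; a non-zero value (for example 0x41301, still running, or a logon failure code) points at the scheduler rather than the script, while script-level failures show up in the log file the script writes.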

Now check that the task and the script work.

Select the task created earlier and choose “Run” in the “Actions” menu.

The task completed successfully.

The script ran successfully.

The inactive user account has been disabled and moved to the organizational unit where disabled user accounts are stored.

Author

Hi, I’m Vladimir Mikhalev, but my friends call me Valdemar. I have a lot of experience in the design and maintenance of various information systems. On my website, you will find detailed and clear guides for setting up IT solutions. Dive into the ocean, full of positive and technology! For cooperation: callvaldemar@gmail.com
