I'm looking to automate some aspects of account management within our on-premise Active Directory. Specifically, we have a policy that states any user account that hasn't been logged into for 30 days should be disabled, and those inactive for 60 days should be deleted. We also send email notifications to both the user and their supervisor whenever these changes occur. Has anyone implemented a similar process, and what tools or scripts did you use?
9 Answers
Honestly, this is an easy automation opportunity! You can run a basic PowerShell script daily. Here’s a rough idea:
Get-AdUser like $AllActive = Get-AdUser -filter {enabled -eq $true}...
Then you can check the last login date and disable accounts accordingly while sending notifications. Just remember, add logging and error handling for real-world use!
Automating this is pretty straightforward! We use scripts that run daily on our domain controllers. They check for accounts in the users OU that haven’t been logged into for over 30 days. We even integrate with our access control system to check for badge activity. Sure, there are third-party tools, but I prefer to keep it simple and do it with a few lines of PowerShell!
If you’re leveraging Azure, consider using Azure Runbooks with a hybrid worker to set this up. We have similar solutions for account creation as well, or you can stick to a local script with Task Scheduler to run daily checks.
A scheduled task with a PowerShell script does the trick. Just ensure you add checks to avoid accidentally disabling too many accounts at once; I learned that the hard way! A while back, a script mishap disabled thousands of accounts in one go, which was an adventure, to say the least!
Yes, using scheduled scripts is the way to go! We also automatically populate certain groups based on department and location along with this. While third-party tools exist, they're not necessary unless you really need complex features.
Generating a CSV via PowerShell can also work well. Then you can have another process that uses that CSV for notifications or account management tasks. It’s pretty flexible!
There are plenty of solutions depending on whether you need HR integration. If your focus is just on AD management, scripting it might be the best route.
You can definitely use PowerShell with Task Scheduler. It’s effective, but managing scripts can be a bit of a chore. If you’d rather use software, give AdminDroid Active Directory Management Tool a shot. It has plenty of built-in templates for automating tasks and a free version with over 200 report options.
Check out ManageEngine AD Manager; it provides built-in workflows that align perfectly with what you’re aiming to do, plus it handles around 50 other scenarios. Let me know if you want detailed assistance setting it up!
I can relate! I’ve set up a similar script that syncs with our HR database to create and manage accounts. Had a rough patch when the server was down, and it wiped out the entire employee group; nobody had access for a bit. Now I always check the database connection first before running the script!