Hey everyone,
I work at a small outsourcing company where we have around 1,000 users, but only about 20–30 log in daily since we operate on an as-needed basis. My boss is concerned about security due to the low log-in frequency and wants to implement a process that automatically manages inactive accounts.
Here's the idea:
- If a user hasn't logged in for 90 days, their account should be disabled in Active Directory (AD) and the reason for the disablement added to their description.
- After 12 months of inactivity, I'd like to move these accounts to a separate "archive" organizational unit (OU). As part of this process, the accounts should also lose all group memberships, with the details of removed groups logged in a text file, and their description updated to show when they were decommissioned.
I'm looking for a quick and efficient way to execute this without having to touch each account manually. Would a PowerShell script work for this, or is there a better method to manage this regularly? Any insights would be appreciated!
5 Answers
You can use a PowerShell script for this! Here's a quick example for disabling accounts after 90 days of inactivity:
```powershell
# Requires the RSAT ActiveDirectory module (RSAT-AD-PowerShell feature on a server)
Import-Module ActiveDirectory
$inactiveDays = 90
$cutoffDate = (Get-Date).AddDays(-$inactiveDays)
# lastLogonTimestamp is replicated to every DC (with a lag of up to 14 days), so one
# query is enough for a 90-day threshold; the AD module converts the DateTime in the
# filter to the FILETIME the attribute stores. Accounts that never logged in have no
# value and are not matched by -lt.
$inactiveUsers = Get-ADUser -Filter {LastLogonTimeStamp -lt $cutoffDate -and Enabled -eq $true} -Properties LastLogonTimeStamp
foreach ($user in $inactiveUsers) {
    Write-Host "Disabling account for user: $($user.Name)"
    # Append -WhatIf to the next line for a dry run before touching production
    Disable-ADAccount -Identity $user
}
```
You can adjust it to include logging group changes and archive processes as needed!
Sure! You can use `Set-ADUser` right after disabling the account to update the description.
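Putting the two answers together, here is an added example (not code from either answer) that disables the 90-day-inactive accounts and stamps the description in the same pass with `Set-ADUser`. It assumes the RSAT ActiveDirectory module; the default threshold, the description wording and the `$SearchBase` parameter are choices made here, not anything the thread specifies. It also catches accounts that have never logged in at all (no `lastLogonTimestamp`), which a plain `-lt` filter silently skips, by falling back to `whenCreated`.

```powershell
# Added example: disable stale accounts and record why in the description.
# Assumes the RSAT ActiveDirectory module; threshold and wording are assumptions.
Import-Module ActiveDirectory

function Disable-InactiveUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Days = 90,
        # Scope to an OU so admin/service accounts elsewhere are never touched
        # (defaults to the whole domain; narrowing it is the safer choice).
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $cutoff = (Get-Date).AddDays(-$Days)
    $stamp  = Get-Date -Format 'yyyy-MM-dd'

    # Enabled accounts whose replicated last logon is older than the cutoff, plus
    # accounts that have no lastLogonTimestamp at all but were created before it.
    $candidates = Get-ADUser -SearchBase $SearchBase -Properties LastLogonTimeStamp, WhenCreated, Description `
        -Filter { Enabled -eq $true -and ((LastLogonTimeStamp -lt $cutoff) -or (LastLogonTimeStamp -notlike '*' -and WhenCreated -lt $cutoff)) }

    foreach ($user in $candidates) {
        $lastSeen = if ($user.LastLogonTimeStamp) {
            [DateTime]::FromFileTime($user.LastLogonTimeStamp).ToString('yyyy-MM-dd')
        } else { 'never' }

        # Prefix rather than overwrite, so whatever was in the description survives.
        $newDescription = "Disabled $stamp - inactive since $lastSeen (auto)"
        if ($user.Description) { $newDescription += " | " + $user.Description }

        # ShouldProcess makes -WhatIf / -Confirm cover both changes.
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable and stamp description")) {
            Disable-ADAccount -Identity $user
            Set-ADUser -Identity $user -Description $newDescription
        }
    }
}

# Dry run first; drop -WhatIf once the list looks right.
Disable-InactiveUser -Days 90 -WhatIf
```

Run it with `-WhatIf` and read the list before the real run: the filter is only as good as the `SearchBase`, and a domain-wide run will also pick up service accounts that authenticate without ever updating `lastLogonTimestamp`.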
It's smart to directly query each domain controller for lastLogon. The lastLogon attribute isn't replicated, so you'll get the most current data. Also, don’t forget to log any group memberships before you make changes, especially if you're dealing with active users.
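As an added example of the per-DC approach this answer describes (not code from the answer), the function below asks every domain controller for `lastLogon` once, keeps the largest value per account, and refuses to return anything if a DC could not be reached, because a missing DC can hide the only recent logon and turn an active user into a "stale" one. It assumes the RSAT ActiveDirectory module and that the account running it can read from every DC; the 90-day usage at the end is a constructed illustration.

```powershell
# Added example: true last logon across all DCs. lastLogon is an int64 FILETIME that is
# never replicated, so each DC only knows about logons it handled itself.
# Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrueLastLogonTable {
    # Returns a hashtable: SamAccountName -> [DateTime], or $null for "never logged on anywhere".
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $latest      = @{}   # SamAccountName -> largest FILETIME seen so far
    $unreachable = @()

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # One bulk query per DC instead of one query per user per DC.
            $users = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
                                -Server $dc.HostName -Properties lastLogon -ErrorAction Stop
        } catch {
            $unreachable += $dc.HostName
            continue
        }
        foreach ($u in $users) {
            $seen = [int64]$u.lastLogon   # $null (never on this DC) becomes 0
            if (-not $latest.ContainsKey($u.SamAccountName) -or $seen -gt $latest[$u.SamAccountName]) {
                $latest[$u.SamAccountName] = $seen
            }
        }
    }

    # Fail closed: partial data must never feed an automated disable.
    if ($unreachable) {
        throw "Could not query DCs: $($unreachable -join ', '); refusing to return partial lastLogon data."
    }

    $result = @{}
    foreach ($sam in $latest.Keys) {
        $result[$sam] = if ($latest[$sam] -eq 0) { $null } else { [DateTime]::FromFileTime($latest[$sam]) }
    }
    return $result
}

# Constructed usage: list accounts not seen on any DC in the last 90 days.
$table  = Get-TrueLastLogonTable
$cutoff = (Get-Date).AddDays(-90)
$table.GetEnumerator() | Where-Object { $null -eq $_.Value -or $_.Value -lt $cutoff } |
    ForEach-Object { "{0}`t{1}" -f $_.Key, ($(if ($_.Value) { $_.Value.ToString('yyyy-MM-dd') } else { 'never' })) }
```

For the 90-day and 12-month thresholds in the question, the replicated `lastLogonTimestamp` (lag of at most 14 days) is usually accurate enough; the per-DC query matters when the threshold is short or when you need an exact date to write into the description.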
Disabling accounts can indeed affect email access. You might want to consider just expiring them instead, especially if email is a big part of user access, but if your boss is set on disabling, just be clear on what that means.
That makes sense, but we already use expiry for training purposes. Disabling is a must as per management's directive.
Here's a PowerShell template you can adapt:
```powershell
# Requires the RSAT ActiveDirectory module
Import-Module ActiveDirectory

$monthsToArchive = 12   # inactivity before an already-disabled account is archived
$daysToDisable = 90     # inactivity before an active account is disabled
$today = Get-Date
$disableCutoff = $today.AddDays(-$daysToDisable)       # lastLogonTimestamp older than this -> disable
$archiveCutoff = $today.AddMonths(-$monthsToArchive)   # lastLogonTimestamp older than this -> archive
# Add your source OU paths and archive paths
```
Make sure to test thoroughly before rolling it out!
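One way to fill in the archive half of that template, as an added example rather than code from the answer or the thread: it takes the already-disabled accounts past the 12-month cutoff, writes every group it is about to remove to a text file, removes the memberships, stamps the description, and only then moves the object. The archive OU, the log path, the default search scope and the description wording are assumptions you replace with your own; the RSAT ActiveDirectory module is assumed to be present.

```powershell
# Added example: the 12-month archive step. ArchiveOU, LogPath and the wording
# are assumptions, not values from the thread. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Invoke-ArchiveStaleUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$ArchiveOU,   # DN of the archive OU (assumed to exist)
        [Parameter(Mandatory)][string]$LogPath,     # text file that records removed groups
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # narrow this to the OUs you manage
        [int]$Months = 12
    )

    $cutoff = (Get-Date).AddMonths(-$Months)
    $stamp  = Get-Date -Format 'yyyy-MM-dd'

    # Only disabled accounts past the cutoff that are not already in the archive OU.
    # Note: any disabled account in scope qualifies, not just those disabled by the
    # 90-day job, so keep SearchBase tight or add your own marker check here.
    $stale = Get-ADUser -SearchBase $SearchBase -Properties LastLogonTimeStamp, MemberOf, PrimaryGroup, Description `
                        -Filter { Enabled -eq $false -and LastLogonTimeStamp -lt $cutoff } |
             Where-Object { $_.DistinguishedName -notlike "*,$ArchiveOU" }

    foreach ($user in $stale) {
        # MemberOf normally omits the primary group (Domain Users), which
        # Remove-ADGroupMember cannot remove anyway; filter it out defensively.
        $groups = @($user.MemberOf | Where-Object { $_ -ne $user.PrimaryGroup })

        if (-not $PSCmdlet.ShouldProcess($user.SamAccountName,
                "Remove $($groups.Count) group(s) and move to $ArchiveOU")) { continue }

        # Log first, so the record exists even if a later step fails half way.
        foreach ($g in $groups) {
            Add-Content -Path $LogPath -Value "$stamp`t$($user.SamAccountName)`tremoved-from`t$g"
        }
        foreach ($g in $groups) {
            Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
        }

        $newDescription = "Decommissioned $stamp (auto)"
        if ($user.Description) { $newDescription += " | " + $user.Description }
        Set-ADUser -Identity $user -Description $newDescription

        # Move last: the DN changes on move, so address the object by GUID from here on.
        Move-ADObject -Identity $user.ObjectGUID -TargetPath $ArchiveOU
        Add-Content -Path $LogPath -Value "$stamp`t$($user.SamAccountName)`tmoved-to`t$ArchiveOU"
    }
}

# Dry run, then the real run (paths below are placeholders):
# Invoke-ArchiveStaleUser -ArchiveOU 'OU=Archive,DC=example,DC=test' -LogPath 'C:\Logs\ad-archive.log' -WhatIf
```

The tab-separated log is deliberately append-only and written before each destructive call, so if the script dies between "removed-from" lines you can see exactly which memberships are gone and restore them with `Add-ADGroupMember`. Running the archive step right after the disable step in the same scheduled task, with `-WhatIf` output mailed to you for a few cycles first, is the usual way to get confidence in the thresholds before letting it act.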
Just a heads up, you really need to be cautious when running scripts against active domains. I’ve seen mistakes lead to mass account disabling, which can be a total disaster! Always test in a safe environment first before applying anything to production.
Thanks for the script! Do you know how I can modify it to update the user's description at the same time?