I'm looking into automating the deboarding process for user accounts in Active Directory. Currently, we disable an account and leave it in its original Organizational Unit (OU) for 2 weeks before removing all its group memberships and relocating it to a 'User Disabled' OU. I'm trying to write a PowerShell script that detects when an account has been disabled for 2 weeks. However, I'm struggling with how to track the duration of an account's disabled status. Using the last logged-on date as a workaround seems risky since we could accidentally disable accounts of users on vacation. Has anyone tackled this before? I'm also open to new methods if they don't involve third-party software.
1 Answer
You can easily track the duration by using the 'whenChanged' or 'last modified' date of the account. If you disable the accounts and place them in a holding OU, these timestamps will help you manage their status effectively. Just make sure to consider how often those attributes change, especially for accounts that aren't frequently used.
That’s true, but if you're modifying 'whenChanged' for some accounts, it may not reflect the right timing for inactive accounts or specific break-glass accounts. I'm debating setting a policy to check the time since the last modification while skipping certain user types.
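One way to put the answer's whenChanged approach into a script, as an added example that is not code from the original thread: it finds disabled accounts in a source OU whose last write is older than the threshold, skips an exemption group (the break-glass case raised in the comment), strips group memberships and moves the object. The ActiveDirectory module, the OU paths, the group name and the 14-day value are assumptions; adjust them to your forest.

```powershell
# Added example; the OU, group and day values below are placeholders (assumptions).
Import-Module ActiveDirectory

function Invoke-DeboardStage2 {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SourceOU    = 'OU=Staff,DC=example,DC=com',                    # assumption
        [string]$DisabledOU  = 'OU=User Disabled,DC=example,DC=com',            # assumption
        [string]$ExemptGroup = 'CN=DeboardExempt,OU=Groups,DC=example,DC=com',  # assumption: break-glass accounts
        [int]$DaysDisabled   = 14
    )

    # whenChanged is not replicated; each DC keeps its own value. Pin one DC
    # (the PDC emulator here) so repeated runs compare like with like.
    $dc     = (Get-ADDomain).PDCEmulator
    $cutoff = (Get-Date).AddDays(-$DaysDisabled)

    # Disabled accounts still in the source OU whose last write is older than the cutoff.
    # Caveat from the thread: any attribute write after disabling (group change, password
    # reset, description edit) bumps whenChanged and restarts the 14-day clock.
    $candidates = Get-ADUser -Server $dc -SearchBase $SourceOU -SearchScope Subtree `
        -Filter { Enabled -eq $false -and whenChanged -lt $cutoff } `
        -Properties whenChanged, memberOf

    foreach ($user in $candidates) {
        if ($user.memberOf -contains $ExemptGroup) {
            Write-Verbose "Skipping exempt account $($user.SamAccountName)"
            continue
        }
        $age = [int]((Get-Date) - $user.whenChanged).TotalDays
        if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName,
                "Strip groups and move (unchanged for ~$age days)")) { continue }

        # memberOf does not list the primary group (Domain Users), which cannot be removed anyway.
        foreach ($groupDn in $user.memberOf) {
            Remove-ADGroupMember -Server $dc -Identity $groupDn -Members $user -Confirm:$false
        }
        Move-ADObject -Server $dc -Identity $user.DistinguishedName -TargetPath $DisabledOU
        Write-Output "$($user.SamAccountName): removed $($user.memberOf.Count) group(s), moved to $DisabledOU"
    }
}

# Dry run first; drop -WhatIf to apply the changes.
Invoke-DeboardStage2 -WhatIf -Verbose
```

Because the group removals and the move happen in the same run, the whenChanged bump they cause lands after the account has already left the source OU, so it is not picked up again.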