Skip to content
A small Powershell script that disables all the Active Directory user accounts inactive for more than X days.
PowerShell
Branch: master
Clone or download
Latest commit 0d9a0ed Aug 22, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
Disable-Invalid-ADAccounts.ps1
LICENSE Initial commit Aug 21, 2019
README.md Update README.md Aug 22, 2019

README.md

Disable-Inactive-ADAccounts

A small Powershell script that disables all the Active Directory user accounts inactive for more than X days (and/or deletes those that have been disabled more than Y days ago).

Why should we do that?

As a matter of fact, being able to automatically disable AD accounts after X days of inactivity is a good security practice. If you don't have such process up, your Active Directory could grant "permanent" access to many user accounts that should no longer be active, such as those of ex-employees or collaborators who are no longer active at your company.

Unfortunately, such feature is not (yet) supported by any version of Windows or Windows Server, at least up to Windows 10 and Windows Server 2019. That's why I ended up to develop this Powershell script.

Usage

To disable all AD users that has been inactive for 180 days or more (without deleting them):

> powershell .\Disable-Invalid-ADAccounts.ps1 -days 180

Same thing as before, plus creating a logFile.csv file containing a list of all disabled users:

> powershell .\Disable-Invalid-ADAccounts.ps1 -days 180

To disable all AD users that has been inactive for 180 days or more and also delete those that have been previously disabled more than 180 days ago.

> powershell .\Disable-Invalid-ADAccounts.ps1 -days 180 -deleteDays 180

Same thing as before, plus creating a logFile.csv file containing a list of all disabled users and a deleteLogFile.csv file containing a list of all deleted users:

> powershell .\Disable-Invalid-ADAccounts.ps1 -days 180

In case you get permissions issues when disabling/deleting AD users, you can bypass them using the Bypass Execution Policy Flag in the following way:

> powershell -ExecutionPolicy Bypass -File Disable-Invalid-ADAccounts.ps1

License

Licensed under GNU - General Public License, v3.0 - https://www.gnu.org/licenses/gpl-3.0.en.html

Credits

References

You can’t perform that action at this time.