PowerShell Script Disable-ADAccount
Verifying the Process when Disabling User Accounts in Active Directory
Disabling user accounts in Active Directory (AD) is an essential task for maintaining security and managing user access effectively. Here’s a detailed process to verify and ensure the correct disabling of user accounts in AD, along with best practices and steps to follow.
1. Plan and Document the Process
Before proceeding, have a clear plan and documentation for the account disabling process. This includes identifying which accounts need to be disabled and understanding the implications for any dependent systems or services.
Best Practices:
- Maintain an updated list of user accounts and their statuses.
- Document the reasons for disabling accounts and obtain the necessary approvals.
2. Identify the Accounts to be Disabled
Identify the user accounts that need to be disabled. This could be due to employees leaving the organization, role changes, or accounts that are no longer necessary.
Steps to Identify Accounts:
- Use Active Directory Users and Computers (ADUC) or PowerShell scripts to list user accounts.
- Filter accounts based on criteria such as last logon date, department changes, or termination records.
3. Notify Relevant Parties
Before disabling an account, notify relevant stakeholders, such as the user’s manager, IT support, and any other departments that might be affected.
Best Practices:
- Send an email notification to the relevant parties outlining the account to be disabled and the planned date and time.
- Allow a grace period for any objections or preparations.
4. Disable the User Account
Disabling a user account in AD can be done using ADUC or PowerShell. Disabling an account prevents the user from logging in but retains the account information for future auditing or reactivation.
Using ADUC:
- Open Active Directory Users and Computers.
- Navigate to the user account.
- Right-click the user account and select "Disable Account."
PowerShell Solution:
When disabling multiple AD objects I take a lot of care to verify the changes before I implement them. I suggest running three separate sessions or scripts: one to pull the candidate accounts, one to review the resulting list, and only then one to make the change. This applies to any large change to AD, not just account disabling.
# List of first and last names supplied by the HR department.
# CSV headers: Firstname, LastName
Import-Module ActiveDirectory
$HR_Info = Import-Csv C:\temp\Users.csv

# Session 1: loop through the accounts to be disabled and collect their SamAccountNames.
# Results are exported to a text file for review.
# (Filtering server-side on GivenName/Surname returns the same accounts as pulling every
# user with -Filter * and filtering locally, with far less directory traffic.)
Foreach ($User in $HR_Info) {
    $First = $User.Firstname
    $Last  = $User.LastName
    Get-ADUser -Filter { GivenName -like $First -and Surname -like $Last } |
        Select-Object -ExpandProperty SamAccountName |
        Tee-Object -FilePath C:\Temp\Disable_Accounts.txt -Append
}

# Session 2: import the SamAccountName list and display each account on screen for review.
$Disable_Me = Get-Content C:\temp\Disable_Accounts.txt
Foreach ($Account in $Disable_Me) {
    Get-ADUser $Account | Select-Object GivenName, Surname, SamAccountName, Enabled
}

# Session 3: only when totally confident, disable the accounts listed in the file.
$Disable_Me = Get-Content C:\temp\Disable_Accounts.txt
Foreach ($Account in $Disable_Me) { Get-ADUser $Account | Disable-ADAccount }

# Record the post-change state (Enabled should now be False) to a file for the audit trail.
Foreach ($Account in $Disable_Me) {
    Get-ADUser $Account | Select-Object GivenName, Surname, SamAccountName, Enabled |
        Tee-Object -FilePath C:\temp\Accounts-Disabled.txt -Append
}
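A stricter version of the same review-then-disable flow, added here as an illustration and not part of the original script: it matches each HR row to exactly one AD user, reports rows with no match or with several matches (two employees sharing a name is the usual trap with name-based matching), and dry-runs the disable with -WhatIf until $DryRun is set to $false. The CSV and report paths and the $DryRun switch are assumptions.

```powershell
# Added example (not the original script). Assumes the ActiveDirectory module
# and a CSV with headers Firstname, LastName, as in the page above.
Import-Module ActiveDirectory

$CsvPath    = 'C:\temp\Users.csv'           # assumed input path
$ReportPath = 'C:\temp\Disable_Review.csv'  # assumed review report path
$DryRun     = $true                          # set to $false only after the report is reviewed

$Review = foreach ($Row in Import-Csv $CsvPath) {
    # Copy into plain variables: property access does not expand inside an AD -Filter block.
    $gn = $Row.Firstname
    $sn = $Row.LastName
    # Exact match server-side; @() forces an array so .Count works for 0, 1 or many hits.
    $Found = @(Get-ADUser -Filter { GivenName -eq $gn -and Surname -eq $sn } -Properties LastLogonDate)

    $Status = switch ($Found.Count) {
        0       { 'NO MATCH - confirm spelling with HR' }
        1       { if ($Found[0].Enabled) { 'READY' } else { 'ALREADY DISABLED' } }
        default { "AMBIGUOUS - $($Found.Count) accounts share this name, resolve manually" }
    }

    [pscustomobject]@{
        Firstname      = $gn
        LastName       = $sn
        SamAccountName = ($Found.SamAccountName -join ';')
        LastLogonDate  = ($Found.LastLogonDate -join ';')
        Status         = $Status
    }
}

# Show the review on screen and keep a copy for the change record.
$Review | Format-Table -AutoSize
$Review | Export-Csv -Path $ReportPath -NoTypeInformation

# Only unambiguous, still-enabled matches are candidates; every other row is left untouched.
$Candidates = $Review | Where-Object { $_.Status -eq 'READY' }
foreach ($c in $Candidates) {
    # With $DryRun = $true, -WhatIf prints what would happen and changes nothing.
    Disable-ADAccount -Identity $c.SamAccountName -WhatIf:$DryRun
}

# After a real run, confirm each candidate now reports Enabled = False.
if (-not $DryRun) {
    foreach ($c in $Candidates) {
        Get-ADUser -Identity $c.SamAccountName | Select-Object SamAccountName, Enabled
    }
}
```

Rows flagged NO MATCH or AMBIGUOUS are meant to go back to HR or be resolved by employee ID before anything is disabled.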