Disable
Search for an account named bobdob, only within a given OU, and disable it
Get-ADUser -Filter 'Name -like "bobdob"' -SearchBase "OU=Finance,OU=UserAccounts,DC=Domain,DC=COM" | Disable-ADAccount
Disable, but make sure it’s the correct account
Get-ADUser $user | Disable-ADAccount
# or
Disable-ADAccount -Identity userName
From a CSV file
$users=Import-CSV c:\temp\users.csv
ForEach ($user in $users)
{
Disable-ADAccount -Identity $($user.name)
}
NOTE: To work with computer objects, use a different CSV file. The name becomes computer.name, and it needs a $ at the end to designate a computer object. Like this:
-Identity "$($computer.name)$"
Inactive Users
$timespan = New-Timespan -Days 90
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Disable-ADAccount
Search-ADAccount -UsersOnly -AccountInactive -DateTime '6/3/2018' | Disable-ADAccount
NOTE: Because of the way Active Directory synchronizes the LastLogonDate attribute, results returned when specifying the -AccountInactive parameter with the Search-ADAccount cmdlet can be inaccurate by as much as 9–14 days.
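The lag described in the note above can be taken out of the decision by reading the non-replicated lastLogon attribute from every domain controller before anything is disabled. This is an added example, not part of the original notes; the search base, the report path, and the Get-TrueLastLogon helper name are assumptions, and the last step only previews the change with -WhatIf.

```powershell
# Added example (not from the original notes). Paths, OU and helper name are assumed.
Import-Module ActiveDirectory

$cutoff     = (Get-Date).AddDays(-90)                         # same 90-day window as above
$searchBase = 'OU=Finance,OU=UserAccounts,DC=Domain,DC=COM'   # assumed scope (OU reused from this page)
$reportPath = 'C:\temp\inactive-users-review.csv'             # assumed output path

$dcs = Get-ADDomainController -Filter *

# Hypothetical helper: newest per-DC lastLogon for one account, or $null if none is recorded.
function Get-TrueLastLogon {
    param([string]$DistinguishedName)
    $latest = 0
    foreach ($dc in $dcs) {
        try {
            $u = Get-ADUser -Identity $DistinguishedName -Server $dc.HostName `
                            -Properties lastLogon -ErrorAction Stop
            if ($u.lastLogon -gt $latest) { $latest = $u.lastLogon }
        } catch {
            # An unreachable DC may hold a newer logon; treat the result as incomplete.
            Write-Warning "Could not query $($dc.HostName) for $DistinguishedName"
        }
    }
    if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }
}

# Candidates from the replicated attribute, then re-checked against every DC.
$review = Search-ADAccount -UsersOnly -AccountInactive -DateTime $cutoff -SearchBase $searchBase |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        $trueLogon = Get-TrueLastLogon -DistinguishedName $_.DistinguishedName
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            LastLogonDate     = $_.LastLogonDate   # replicated value, may lag
            TrueLastLogon     = $trueLogon         # empty = no logon recorded on any DC
            StillInactive     = (-not $trueLogon) -or ($trueLogon -lt $cutoff)
        }
    }

# Keep a record of what was considered before any account is changed.
$review | Export-Csv -Path $reportPath -NoTypeInformation

# Preview only: remove -WhatIf after the CSV has been reviewed.
$review | Where-Object { $_.StillInactive } |
    ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Rows with an empty TrueLastLogon are accounts that have never logged on, which includes newly created ones, so review those separately before removing -WhatIf.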
See [[pwsh..AD-Account-Searches]] for Disable account search and list.
Enable
Enable one account
Enable-ADAccount -Identity "Sally"
Enable, but make sure account is there
Get-ADUser jonnyjon | Enable-ADAccount
Lock/Unlock
Unlock one account
Unlock-ADAccount -Identity userName
Monitor lock status
A search that runs every 5 seconds. Make sure to modify the username.
while ($true) {
    $command = Get-ADUser -Identity bruceLee -Properties LockedOut | Select-Object LockedOut
    $command
    Start-Sleep -Seconds 5
}
Manual Search
Search-ADAccount -Searchbase "OU=Datacenter,DC=CoolDomain,dc=com" -LockedOut
User Lists
Searching an OU for all accounts, selecting certain properties, then exporting all to a CSV
Get-ADUser -Filter * -SearchBase "OU=ServiceAccounts,OU=Datacenter,DC=coolDomain,DC=com" -Properties * | Select Name,SamAccountName,Enabled,LastLogonDate,extensionAttribute5,Description,@{n='MemberOf'; e= { $_.memberof | Out-String}} | Export-CSV D:\psExports\ServiceAccounts\ServiceAccounts_09-28-2020.csv -NoTypeInformation
Searching all of AD for accounts that start with yy, then exporting to a CSV
Get-ADUser -Filter 'SamAccountName -like "yy*"' -Properties * | Select Name,SamAccountName,Enabled,PasswordNeverExpires,PasswordLastSet,Created,Modified,LastLogonDate,LastBadPasswordAttempt,extensionAttribute5,Description,EmailAddress,@{n='MemberOf'; e= { $_.memberof | Out-String}} | Export-CSV D:\psExports\ServiceAccounts\ServiceAccounts_yy-wild.csv -NoTypeInformation
All zz accounts that are currently enabled, sent to Out-GridView (OGV) instead of a CSV
Get-ADUser -Filter "SamAccountName -like 'zz*'" -Properties Enabled,DisplayName,SamAccountName,EmailAddress,Name,Modified,PasswordExpired,PasswordLastSet | `
Select Enabled,DisplayName,SamAccountName,EmailAddress,Name,Modified,PasswordExpired,PasswordLastSet | `
Where {$_.Enabled -eq $true} | `
OGV