pwsh..AD Account Disable/Enable/Lock

by

Disable

Search for an account with name bobdob found only in a given OU and disable
Get-ADUser -Filter 'Name -like "name"' -SearchBase "OU=Finance,OU=UserAccounts,DC=Domain,DC=COM" | Disable-ADAccount
Disable, but make sure it’s the correct account
Get-ADUser $user | Disable-ADAccount
# or
Disable-Account -Identity userName
From a CSV file
$users=Import-CSV c:\temp\users.csv
ForEach ($user in $users)
{
     Disable-ADAccount -Identity $($user.name)
}

NOTE: To search for a computer object of course use a different CSV file. The name becomes computer.name plus it need a $ at the end to designate a computer object. Like this:

-Identity "$($computer.name)
Inactive Users
$timespan = New-Timespan -Days 90
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Disable-ADAccount
Search-ADAccount -UsersOnly -AccountInactive -DateTime ‘6/3/2018’ | Disable-ADAccount

NOTE: Active Directory synchronizes the LastLogOnDate attribute, results returned when specifying the –AccountInactive parameter with the Search-ADAccount cmdlet can be inaccurate by as much as 9–14 days.

See [[pwsh..AD-Account-Searches]] for Disable account search and list.

Enable

Enable one account

Enable-ADAccount -Identity "Sally"

Enable, but make sure account is there

Get-ADUser jonnyjon | Enable-ADAccount

Lock/Unlock

Unlock one account

Unlock-ADAccount -Identity userName

*Monitor lock status

A search that runs every 5 seconds. Make sure to modify the username.

while (1 -eq 1 ){
$command=Get-ADUser -Identity bruceLee -Properties lockedout | select lockedout
$command
start-sleep -seconds 5
}

Manual Search*

Search-ADAccount -Searchbase "OU=Datacenter,DC=CoolDomain,dc=com" -LockedOut

User Lists

Searching an OU for all accounts, select certain properties, then exporting all to a CSV

Get-ADUser -Filter * -SearchBase "OU=ServiceAccounts,OU=Datacenter,DC=coolDomain,DC=com" -Properties * | Select Name,SamAccountName,Enabled,LastLogonDate,extensionAttribute5,Description,@{n='MemberOf'; e= { $_.memberof | Out-String}} | Export-CSV D:\psExports\ServiceAccounts\ServiceAccounts_09-28-2020.csv -NoTypeInformation

Searching all over AD for account that start with yy then exporting to a csv

Get-ADUser -Filter 'SamAccountName -like "yy*"' -Properties * | Select Name,SamAccountName,Enabled,PasswordNeverExpires,PasswordLastSet,Created,Modified,LastLogonDate,LastBadPasswordAttempt,extensionAttribute5,Description,EmailAddress,@{n='MemberOf'; e= { $_.memberof | Out-String}} | Export-CSV D:\psExports\ServiceAccounts\ServiceAccounts_yy-wild.csv -NoTypeInformation

All zz accounts that are currently enabled exported to OGV instead of CSV

Get-ADUser -Filter "SamAccountName -like '$zz*'" -Properties Enabled,DisplayName,SamAccountName,EmailAddress,Name,Modified,PasswordExpired,PasswordLastSet | `
Select Enabled,DisplayName,SamAccountName,EmailAddress,Name,Modified,PasswordExpired,PasswordLastSet | `
Where {$_.Enabled -eq $true} | `
OGV