How to delete bulk user accounts from a .txt list with VBS/PS2.0/CMD, depending on whether their accounts are disabled?

In short:
– I have a .txt list of sAMAccountNames that I need to delete from AD
– Before deleting the account, I need to perform a check to see whether they are disabled. If they are disabled, delete them, if they aren’t, do nothing.

I don’t have Active Directory module and I cannot install it. The domain controllers are windows server 2003 and the management server runs windows server 2008 and has Powershell v2.0 installed.

I’ve previously used the following VBscript to disable bulk user accounts from a .TXT file:

$date = Get-Date -Format d
$time = Get-Date -Format t
$month = Get-Date
$month1 = $month.Month
$year1 = $month.Year

# Replace characters that are not allowed in file names
$date = $date.ToString().Replace("/", "-")

$time = $time.ToString().Replace(":", "-")
$time = $time.ToString().Replace(" ", "")

$log1 = ".\Logs" + "\" + "Accountdisabled_" + $date + "_.log"
$log2 = ".\Logs" + "\" + "Accountalreadydisabled_" + $date + "_.log"

# Load the Quest snapin if it is not loaded yet
If ((Get-PSSnapin | Where-Object { $_.Name -match "Quest.ActiveRoles.ADManagement" }) -eq $null)
{
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

$file = ".\tobedisabled.txt"

Get-Content $file | ForEach-Object {

    $statusofuser = Get-QADUser $_
    if ($statusofuser -eq $null)
    {
        # A name that does not resolve would otherwise fall through to the Else branch
        Write-Host "$_ was not found, skipping"
        return
    }
    $userid = $statusofuser.Name

    # AccountIsDisabled is a boolean, so compare with -eq rather than -like
    if ($statusofuser.AccountIsDisabled -eq $false)
    {
        Write-Host "$userid is not disabled so it will be disabled"
        Add-Content $log1 "$userid is not disabled so it will be disabled"
        Disable-QADUser -Identity $userid
    }
    Else
    {
        Write-Host "$userid is already disabled"
        Add-Content $log2 "$userid is already disabled"
    }
}

Now, I was wondering whether that could be adapted to delete users instead. I would change it like this:

$date = Get-Date -Format d
$time = Get-Date -Format t
$month = Get-Date
$month1 = $month.Month
$year1 = $month.Year

# Replace characters that are not allowed in file names
$date = $date.ToString().Replace("/", "-")

$time = $time.ToString().Replace(":", "-")
$time = $time.ToString().Replace(" ", "")

$log1 = ".\Logs" + "\" + "AccountDeleted_" + $date + "_.log"
$log2 = ".\Logs" + "\" + "AccountNotDisabled_" + $date + "_.log"

# Load the Quest snapin if it is not loaded yet
If ((Get-PSSnapin | Where-Object { $_.Name -match "Quest.ActiveRoles.ADManagement" }) -eq $null)
{
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

$file = ".\deleted.txt"

Get-Content $file | ForEach-Object {

    $statusofuser = Get-QADUser $_
    if ($statusofuser -eq $null)
    {
        # A name that does not resolve would otherwise fall through to the Else branch and be "deleted"
        Write-Host "$_ was not found, skipping"
        return
    }
    $userid = $statusofuser.Name

    # AccountIsDisabled is a boolean, so compare with -eq rather than -like
    if ($statusofuser.AccountIsDisabled -eq $false)
    {
        # Enabled account: leave it alone and record it in the "not disabled" log
        Write-Host "$userid is not disabled so it will not be deleted"
        Add-Content $log2 "$userid is not disabled so it will not be deleted"
    }
    Else
    {
        # Disabled account: delete it first, then record it in the "deleted" log
        Remove-QADUser -Identity $userid
        Write-Host "$userid was deleted"
        Add-Content $log1 "$userid was deleted"
    }
}

I don't know how to adapt the following code block:

if($statusofuser.AccountIsDisabled -like $false) – if this evaluates to true, I need to pass the respective user and not delete it.

Also, will Remove-QADUser -Identity $userid work? I don't have a test environment and I can't create a dummy user to test the script against.

Answer

I don't have Quest to confirm, but according to the ActiveDirectory plug-in logic, you can try replacing the condition with the following:

if($statusofuser.Enabled -eq $false) <-- means the account is disabled

I would run the independent query on individual accounts that were disabled, and test the command before implementing it in a script for wider distribution.

Otherwise, here's another AD command that you can incorporate into the script for locating disabled users:

Get-ADUser -Filter {enabled -eq "false" -and objectclass -eq "user"}
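The "delete only if disabled" check, written as an added example that is not code from the question or from the answer. It uses ADSI (System.DirectoryServices) instead of the Quest snapin or the ActiveDirectory module, so it runs on a Windows Server 2008 management server with PowerShell 2.0 against Windows Server 2003 domain controllers. It reads one sAMAccountName per line, looks each account up with an exact LDAP filter whose value is escaped per RFC 4515 (so a stray "*" or ")" in the text file cannot widen the search), tests the ACCOUNTDISABLE bit (0x2) of userAccountControl, and deletes only accounts that are disabled. Accounts that are not found, that match more than one object, or that are still enabled are logged and skipped. The input file name, log folder and log format are assumptions.

```powershell
# Added example (not code from the question or the answer). Deletes the accounts
# listed in a text file, one sAMAccountName per line, only if each account is
# already disabled. Uses ADSI (System.DirectoryServices), which PowerShell 2.0 has
# without the ActiveDirectory module or the Quest snapin, and which works against
# Windows Server 2003 domain controllers. File name and log folder are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ListFile = ".\deleted.txt",   # assumed input file
    [string]$LogDir   = ".\Logs"           # assumed log folder
)

$ErrorActionPreference = "Stop"
$ADS_UF_ACCOUNTDISABLE = 0x2   # userAccountControl bit that marks a disabled account

if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
$stamp = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"   # sortable, and contains no "/" or ":"
$log   = Join-Path $LogDir ("AccountDeletion_" + $stamp + ".log")

function Write-Log([string]$Message) {
    $line = "{0}  {1}" -f (Get-Date -Format "yyyy-MM-dd HH:mm:ss"), $Message
    Write-Host $line
    Add-Content -Path $log -Value $line
}

# Escape a value for use inside an LDAP filter (RFC 4515). Without this, a line such
# as "*" or "x)(objectClass=*" in the text file would widen the search to other accounts.
function ConvertTo-LdapFilterValue([string]$Value) {
    # Backslash first, so the escape sequences added afterwards are not re-escaped
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher   # search root = current domain
$searcher.PropertiesToLoad.AddRange([string[]]@("sAMAccountName", "userAccountControl", "distinguishedName"))

# Ignore blank lines and surrounding whitespace in the list
$names = Get-Content $ListFile | ForEach-Object { $_.Trim() } | Where-Object { $_.Length -gt 0 }

foreach ($name in $names) {
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))" -f (ConvertTo-LdapFilterValue $name)
    $results = $searcher.FindAll()
    try {
        if ($results.Count -eq 0) { Write-Log "SKIP     $name : no such account"; continue }
        if ($results.Count -gt 1) { Write-Log "SKIP     $name : $($results.Count) matches, refusing to guess"; continue }

        $hit = $results[0]
        $dn  = [string]$hit.Properties["distinguishedname"][0]
        $uac = [int]$hit.Properties["useraccountcontrol"][0]

        if (($uac -band $ADS_UF_ACCOUNTDISABLE) -eq 0) {
            Write-Log "SKIP     $name : still enabled, not deleted ($dn)"
            continue
        }

        # With -WhatIf, ShouldProcess returns $false and prints what would have been deleted
        if ($PSCmdlet.ShouldProcess($dn, "Delete disabled user")) {
            $entry = $hit.GetDirectoryEntry()
            $entry.DeleteTree()   # removes the user object (and any child objects it has)
            Write-Log "DELETED  $name ($dn)"
        }
    }
    finally {
        $results.Dispose()
    }
}
```

Save it as a .ps1 file and run it first with -WhatIf: nothing is deleted, and every account that would be removed is printed, which stands in for the test environment the question says is not available. Run it again without -WhatIf to delete. With the Quest snapin the same status check is the AccountIsDisabled property already used in the question's script, not Enabled.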

Attribution
Source: Link, Question Author: DSKyo, Answer Author: Lex
