Finding disabled user accounts in an AD Group
The customer I am currently working at has an application that consumes a license for every user in an AD group. They do have a scheduled task that disables user accounts and moves them to a separate OU in the AD.
The scheduled task does not remove the users from the application AD group, so a lot of licenses remain claimed by accounts that can no longer log on.
To address this for the long term I will create a RES Automation module that will take over the function of the scheduled task. In this module I will also remove the disabled user from the application AD group. I will describe this module in a future blog.
For now I want a PowerShell one-liner to read the group members and check whether or not each account is disabled. I also need to exclude a pre-staging OU that holds new users that are about to be enabled and released.
Since this customer has an AD that is at the Windows 2003 functional level, I am using Quest Software's ActiveRoles Management Shell for Active Directory.
The PowerShell line I came up with is:
Get-QADGroupMember -Identity "SomeUser-Group" -Disabled -type user |? {$_.dn -notlike "*,OU=PreStage,*"} | Remove-QADGroupMember -Identity "SomeUser-Group" -whatif
What does it do?
First it reads the members of the given group, keeping only the user accounts that are disabled (the -Disabled and -type user parameters). Then it filters the output to exclude the accounts that are placed in the OU PreStage, matching on the distinguished name. In the last phase it removes the group membership for these accounts. With the last parameter "-WhatIf" you will receive output on screen describing what it is about to perform, without changing anything. If the output presented is what you had intended you can remove the last parameter and the disabled accounts are removed from the intended group.
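The same cleanup as a reviewable function, added here as an example and not taken from the original post: it uses Microsoft's ActiveDirectory module instead of the Quest cmdlets, writes an audit record of every account it is about to remove, and honours -WhatIf through ShouldProcess. It assumes the RSAT ActiveDirectory module is installed and a domain controller running Active Directory Web Services is reachable; the function name, the audit log path and the PreStage pattern default are my own choices.

```powershell
# Added example (not from the original post): disabled-member cleanup using the
# Microsoft ActiveDirectory module. Assumes RSAT and a DC with AD Web Services.
function Remove-DisabledGroupMembers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        # Same pre-staging OU as in the post; adjust to your own naming.
        [string] $ExcludeOUPattern = '*,OU=PreStage,*',
        # Hypothetical audit file; the post does not define one.
        [string] $AuditLog = "$env:TEMP\disabled-members.csv"
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Direct user members only; nested groups are deliberately left alone.
    $candidates = Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties Enabled, whenChanged } |
        Where-Object { -not $_.Enabled -and $_.DistinguishedName -notlike $ExcludeOUPattern }

    if (-not $candidates) {
        Write-Verbose "No disabled members outside the excluded OU found in $GroupName"
        return
    }

    # Record who is about to lose membership so the change can be reviewed or reverted.
    $candidates |
        Select-Object SamAccountName, DistinguishedName, Enabled, whenChanged,
                      @{ n = 'Group'; e = { $GroupName } },
                      @{ n = 'Timestamp'; e = { Get-Date -Format o } } |
        Export-Csv -Path $AuditLog -NoTypeInformation -Append

    foreach ($user in $candidates) {
        # -WhatIf on the function prints "What if:" here instead of removing.
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Remove from group $GroupName")) {
            Remove-ADGroupMember -Identity $GroupName -Members $user -Confirm:$false
        }
    }
    return $candidates
}

# Dry run first, as the post recommends; drop -WhatIf once the list looks right.
Remove-DisabledGroupMembers -GroupName 'SomeUser-Group' -WhatIf -Verbose
```

The audit CSV is written even on a dry run, so the list of candidates can be checked before the real run.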
Was once an enthusiastic PepperByte employee but is now working at Ivanti. His blogs are still valuable to us and we hope to you too.