Disabling Active Directory User Accounts, Part 2
As a follow-up to the Disabling Active Directory User Accounts, Part 1 post, here’s a PowerShell script that will disable multiple accounts for you by using a CSV input file.
Script features:
- The username of the administrator running the script is recorded in the text file that lists all of the groups the account was removed from.
- An email is automatically created and sent to the configured recipients (such as the AD Administrators group and/or Information Security…), which is fantastic from an end-to-end accountability and auditing point of view (who did it, when did they do it and why…)
- Disables the specified AD account
- Hides the mailbox from the Global Address List
- Removes the account from all groups it was a member of
- Creates a text file log of all groups the account was a member of
- Sets the password to be changed at the next login
- Sets the disable date in the “Title” field (an unused field in my organization)
Just find the following variables in the script and change them accordingly:
- $SourceFile = "\\MYSERVERPATH\account_disables_input.csv"
  - This is the full UNC path to the CSV input file
- $EmailReportFile = "\\MYSERVERPATH\Account_Disables_Report.txt"
  - This is the full UNC path to where you want the report saved (this is what is emailed out)
- $domain = "LDAP://dc=DOMAIN,dc=local"
  - The LDAP bind URL for your domain…
- $To = "someone@mycompany.com"
  - SMTP addresses, comma separated, of who you want the report emailed to
- $SmtpClient.host = "smtp.mail.mycompany.com"
  - The SMTP host name to handle your email report (typically your Exchange 2007 Hub Transport server(s) or Exchange 2003/2000 front-end server(s); make sure you can perform anonymous relay internally though…)
Download the script here…
Disable-ADAccountsMultiple.zip (3.2 KiB, 886 hits)
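For readers who want to see the steps in the feature list as code, here is an added example. It is not the contents of the download above: it uses the ActiveDirectory module cmdlets rather than an LDAP bind, leaves out the email report, and assumes a CSV column named SamAccountName and a hypothetical $LogFolder path.

```powershell
#Requires -Modules ActiveDirectory
# Added example, NOT the contents of Disable-ADAccountsMultiple.zip.
# Assumptions: the CSV has a 'SamAccountName' column; both paths are placeholders.
param(
    [string]$SourceFile = '\\MYSERVERPATH\account_disables_input.csv',
    [string]$LogFolder  = '\\MYSERVERPATH\DisableLogs'   # hypothetical log location
)

$admin = "$env:USERDOMAIN\$env:USERNAME"   # who ran this, for the audit trail
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm'

foreach ($row in Import-Csv -Path $SourceFile) {
    $sam = $row.SamAccountName
    if ([string]::IsNullOrWhiteSpace($sam)) { continue }   # skip blank CSV rows
    try {
        $user = Get-ADUser -Identity $sam -Properties MemberOf, mailNickname -ErrorAction Stop
    } catch {
        # A typo in the CSV must not stop the remaining accounts from being processed.
        Write-Warning "Skipping '$sam': $($_.Exception.Message)"
        continue
    }

    # Record group membership BEFORE removing it, so access can be reviewed or restored.
    $log = Join-Path $LogFolder "$sam-groups.txt"
    "Disabled by $admin on $stamp" | Set-Content -Path $log
    $user.MemberOf | Add-Content -Path $log

    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Title "Disabled $stamp" -ChangePasswordAtLogon $true

    # Hide from the Global Address List only if the account is mail-enabled.
    if ($user.mailNickname) {
        Set-ADUser -Identity $user -Replace @{ msExchHideFromAddressLists = $true }
    }

    # The primary group (usually Domain Users) is not listed in MemberOf and is left alone.
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }
}
```

Adding -WhatIf to the Disable-ADAccount, Set-ADUser and Remove-ADGroupMember calls gives a dry run against a test CSV before touching real accounts.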