Automating account management in on-premise Active Directory
Posted by bobert3275@reddit | sysadmin | 12 comments
We have some policies for account management that state that users with accounts that have not been logged in to for 30 days are to be disabled, and after 60 days they get deleted. We continue to email the user and supervisor when these actions are taking place.
Have you automated anything similar to this? Keep in mind this is on-premise.
-4675636B20796F75-@reddit
Our entire AD account states are event driven based off task scheduler jobs and API calls to the HRIS.
Took a long time and many, many business rules to get it there, but our entire AD provisioning/deprovisioning process is essentially touch-free at this point. The only exception is same-day terminations (disgruntled staff etc.).
chesser45@reddit
FIM / MIM for stuff like this where I work. It’s part of an overall strategy to try and automate the join/move/leave or at least as much as possible.
It’s great and it’s not great but you probably have similar experiences.
KavyaJune@reddit
You can use PowerShell along with Task Scheduler, but it takes considerable time to write, maintain, and manage scripts.
If you prefer using a tool, you can try AdminDroid Active Directory Management Tool. It includes pre-built automation templates and also allows easy customization. The free version offers 200+ reports covering users, groups, computers, AD security, and more.
https://admindroid.com/active-directory-reporting-tool
alraffa218@reddit
Use ManageEngine AD Manager. It has built-in workflows for exact requirements and around 50+ similar scenarios. Let me know if you need any help with it.
Frothyleet@reddit
This is an extremely trivial thing to automate, to the extent that I'd recommend you avoid trying to find any examples and use this as a powershell learning opportunity.
At the most basic level you'll have a powershell script you run daily out of task manager, the pseudo-code being something like:
$AlreadyDisabled = Get-AdUser -filter {enabled -ne $true} -prop lastlogondate,manager -searchbase [your OU for real accounts so this isn't including service accounts and such like]
Now, like, in the real world, add some logging, add some monitoring, don't use send-mailmessage (use API calls to your ticketing system, perhaps). But it's a really simple project to cut your teeth on and the logic above is all it takes, at least fundamentally!
ghostnodesec@reddit
Yes, via scheduled scripts that run. We also auto-populate certain groups based on things like department/location as well, and yes there are 3rd party tools, but not really necessary.
theoriginalharbinger@reddit
PowerShell to generate a CSV.
Then have something that consumes the CSV, including mail merge, import to your governance tool, ticket creation to remove the accounts, whatever. Or just disable/delete and use the CSV to indicate that the action has occurred.
TrippTrappTrinn@reddit
We would just use a scheduled task with a powershell script. Be sure to include checks so that it does not suddenly disable every user... Like limit how many accounts it can disable/delete in a single run.
Before our AD was linked to HR (many years ago), we had such a script, and due to an unhandled error, it disabled several thousand accounts one night. That was fun....
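A minimal daily job along the lines Frothyleet sketches, with the per-run cap TrippTrappTrinn recommends; this is an added example, not any commenter's code. It assumes the RSAT ActiveDirectory module is installed, the OU distinguished name is a placeholder, and Send-Notice is a stub standing in for a real mail or ticketing call.

```powershell
# Added example, not from any commenter: daily stale-account job for on-prem AD.
# Assumes the RSAT ActiveDirectory module; the OU and Send-Notice body are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = 'OU=Users,DC=example,DC=com',  # placeholder: OU holding real user accounts only
    [int]$DisableAfterDays = 30,
    [int]$DeleteAfterDays = 60,
    [int]$MaxActionsPerRun = 25   # safety cap: abort the run if more accounts than this are selected
)
Import-Module ActiveDirectory -ErrorAction Stop

# Fail closed: confirm a DC is reachable before doing anything, so an outage
# cannot turn into an empty result set that the rest of the script acts on.
$dcName = [string](Get-ADDomainController -Discover -ErrorAction Stop).HostName

$disableCut = (Get-Date).AddDays(-$DisableAfterDays)
$deleteCut  = (Get-Date).AddDays(-$DeleteAfterDays)

function Get-LastActivity($User) {
    # LastLogonDate is the replicated lastLogonTimestamp (accurate to ~14 days, fine for 30/60-day rules).
    # Never-logged-on accounts have none, so fall back to creation date to avoid deleting new accounts.
    if ($User.LastLogonDate) { $User.LastLogonDate } else { $User.WhenCreated }
}
function Send-Notice($User, [string]$Action) {
    # Placeholder: replace with your ticketing or mail API call to the user and $User.Manager.
    Write-Verbose "$Action $($User.SamAccountName) (manager: $($User.Manager))"
}
$users = Get-ADUser -Server $dcName -SearchBase $SearchBase -Filter * -Properties LastLogonDate, WhenCreated, Manager
$toDisable = @($users | Where-Object { $_.Enabled -and ((Get-LastActivity $_) -lt $disableCut) })
$toDelete  = @($users | Where-Object { (-not $_.Enabled) -and ((Get-LastActivity $_) -lt $deleteCut) })

# Guard against the "disabled several thousand accounts one night" failure mode.
$total = $toDisable.Count + $toDelete.Count
if ($total -gt $MaxActionsPerRun) {
    throw "Refusing to act: $total accounts selected but the cap is $MaxActionsPerRun. Review before re-running."
}

foreach ($u in $toDisable) {
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable stale account')) {
        Disable-ADAccount -Identity $u -Server $dcName
        Send-Notice $u 'Disabled'
    }
}
foreach ($u in $toDelete) {
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Delete stale account')) {
        Remove-ADUser -Identity $u -Server $dcName -Confirm:$false
        Send-Notice $u 'Deleted'
    }
}
```

Schedule it with -WhatIf -Verbose first and only drop -WhatIf once the selected set looks right for a few runs.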
torbar203@reddit
Similar. I have a script that connects to our HR database, creates new accounts, updates accounts, etc., based on that, and then keeps the "all employees" group updated based on the results of that.
That group also handles 365 licensing. One time the script ran when the database server was offline, so it removed everyone from that group, so suddenly nobody had 365 licensing for a brief period. That was fun.
Now it makes sure it can connect to that database server before it continues the rest of the script.
Reo_Strong@reddit
We've automated this via scripts that run daily on the DCs.
Essentially, they check for any account in the users OU that has not been logged into for more than XX days.
Since we also have users who have an account (to support other systems), but don't login to it, we also check the door access system via API call for badge activity.
There are 3rd party apps that do this too, but I'm too cheap to even entertain the idea of paying for something that can be done in like 5 lines of PowerShell.
AppIdentityGuy@reddit
There are many solutions out there to do this. Depends on whether you want HR integration etc...
SenikaiSlay@reddit
If using Azure you can use Azure runbooks and a hybrid worker to set this up. We do this for account creation as well. Or you have a script on the DC with Task Scheduler to run daily to check your AD for this.