https://avanster.tech/tags/automation/Recent content in Automation on Alfred van SterHugo -- 0.160.1en-usSat, 03 Jan 2026 09:00:00 +0000https://avanster.tech/library/active-directory-user-cleanup/Sat, 03 Jan 2026 09:00:00 +0000https://avanster.tech/library/active-directory-user-cleanup/<p>Stale accounts are a primary vector for lateral movement in a compromised network. This script automates the &ldquo;Sanitization&rdquo; phase of identity management by identifying and disabling dormant accounts.</p> <h3 id="1-the-logic-flow">1. The Logic Flow</h3> <p>The script follows a safe-failure logic to ensure no critical service accounts are accidentally disabled:</p> <ol> <li><strong>Targeting:</strong> Narrowly scopes the search to specific User OUs.</li> <li><strong>Evaluation:</strong> Filters for <code>LastLogonDate</code> older than 90 days.</li> <li><strong>Action:</strong> Disables the account and logs the event for auditing.</li> </ol> <h3 id="2-the-implementation">2. The Implementation</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e"># Configuration</span> </span></span><span style="display:flex;"><span>$DaysInactive = <span style="color:#ae81ff">-90</span> </span></span><span style="display:flex;"><span>$TargetDate = (Get-Date).AddDays($DaysInactive) </span></span><span style="display:flex;"><span>$LogPath = <span style="color:#e6db74">&#34;C:\Logs\AD_Cleanup_</span>$(Get-Date -Format <span style="color:#e6db74">&#39;yyyyMMdd&#39;</span>)<span style="color:#e6db74">.log&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Fetch and Process</span> </span></span><span style="display:flex;"><span>Get-ADUser -Filter <span style="color:#e6db74">&#39;LastLogonDate -lt $TargetDate -and Enabled -eq $true&#39;</span> -Properties LastLogonDate | </span></span><span style="display:flex;"><span> ForEach-Object { </span></span><span style="display:flex;"><span> $User = $_.SamAccountName </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">try</span> { </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Use -WhatIf for safety during testing</span> </span></span><span style="display:flex;"><span> Disable-ADAccount -Identity $_.DistinguishedName -ErrorAction Stop </span></span><span style="display:flex;"><span> Add-Content -Path $LogPath -Value <span style="color:#e6db74">&#34;SUCCESS: Disabled </span>$User<span style="color:#e6db74"> (Last Login: </span>$($_.LastLogonDate)<span style="color:#e6db74">)&#34;</span> </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">catch</span> { </span></span><span style="display:flex;"><span> Add-Content -Path $LogPath -Value <span style="color:#e6db74">&#34;ERROR: Failed to disable </span>$User<span style="color:#e6db74">. Check permissions.&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span></code></pre></div>https://avanster.tech/library/sample-script/Sat, 03 Jan 2026 00:00:00 +0000https://avanster.tech/library/sample-script/A PowerShell script to identify and disable inactive AD users.