Active Directory test accounts are supposed to be created only in test environments. In practice this is not always possible: while a new integration, or an upgrade of a solution or piece of software, is in progress, test accounts may be required to run the necessary tests and checks in the production domain.
Unfortunately, Active Directory administrators may forget to remove test accounts once the tests are over. Such accounts can live under different Organizational Units, which makes them hard to find again and easy to overlook; a forgotten test account is a standing, usually weakly governed, credential in the production domain.
To give test accounts a clear life cycle and make them easier to manage, the following scripts were created:
Management of test accounts in an Active Directory production domain - Part II: Notification about expiry for test accounts
A notification about the upcoming expiry of test accounts can be introduced as part of the management of such accounts.
The following script sends a notification e-mail to the owner of each test account (with the global Active Directory administrator on CC), asking the owner to request an extension of the account's expiry date and time if the account is still needed. The owner is read from the account's info attribute, which the creation script fills with "User-TestAccount Owner: <mail address>". The script is configured to look fourteen (14) days ahead: every test account whose accountExpires value falls between now and now + 14 days is reported.
The notification can be scheduled to run on a weekly basis; with a 14-day window, each owner is warned once or twice before the account expires.
Before using the script, you need to update the following variables:
###############################################################
# Test_Account_Notification_v1.0.ps1
# Version 1.0
# MALEK Ahmed - 30 / 03 / 2013
###############################################################
##################
#--------Config
##################
$adPath = "LDAP://DC=contoso,DC=msft"
$domainnetbiosname = "CONTOSO"
$noreplymail = "no-reply@contoso.msft"
$globalADadminmail = "administrator@contoso.msft"
$smtpServer = "mail.contoso.msft"
$notifyDays = 14
##################
#--------Main
##################
#Identify the notification window: accountExpires is a FILETIME (100-ns ticks since 1601-01-01 UTC).
#The lower bound excludes accounts that have already expired; the upper bound excludes accounts that
#never expire (accountExpires = 0 or 9223372036854775807) and accounts expiring later than the window.
$now = (Get-Date).ToFileTime()
$Stamp = (Get-Date).AddDays($notifyDays).ToFileTime()
#LDAP connection
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($adPath)
#Doing an LDAP search (PageSize > 0 turns on paged results; the server caps each page at its MaxPageSize, 1000 by default)
$ObjSearch = New-Object System.DirectoryServices.DirectorySearcher($objDomain)
$ObjSearch.PageSize = 1000
#Filtering user accounts tagged as test accounts in the info attribute and expiring inside the window
$ObjSearch.Filter = "(&(objectCategory=person)(objectClass=user)(info=User-TestAccount*)(accountExpires>=" + $now + ")(accountExpires<=" + $Stamp + "))"
$allSearchResult = $ObjSearch.FindAll()
#One SMTP client for the whole run. Net.Mail.SmtpClient submits in clear text and unauthenticated
#unless EnableSsl and Credentials are set; configure them if the relay requires it.
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
foreach ($SearchResult in $allSearchResult)
{
    $testaccount = $SearchResult.GetDirectoryEntry()
    $accountName = $domainnetbiosname + "\" + [string]$testaccount.samaccountname
    #The owner address is stored in the info attribute as "User-TestAccount Owner: <mail>"
    $testaccountownermail = ([string]$testaccount.info -replace "User-TestAccount Owner: ", "").Trim()
    #Fall back to the AD administrator when the attribute holds no usable address, instead of failing in To.Add()
    if ($testaccountownermail -notmatch "^[^@\s]+@[^@\s]+$") {
        Write-Warning ("No valid owner address in the info attribute of " + $accountName + "; notifying the AD administrator only")
        $Receiver = $globalADadminmail
    } else {
        $Receiver = $testaccountownermail
    }
    $mailbody = "The account " + $accountName + " will expire in a few days and will be automatically removed after the expiry. Please ask for an extension of the account expiry date if you would like to keep using this test account." + "`r`n`r`n"
    $msg = New-Object Net.Mail.MailMessage
    $msg.From = $noreplymail
    $msg.To.Add($Receiver)
    $msg.CC.Add($globalADadminmail)
    $msg.Subject = "[IMPORTANT] The account " + $accountName + " will expire in a few days and will be automatically removed after the expiry."
    $msg.Body = $mailbody
    $msg.Priority = [System.Net.Mail.MailPriority]::High
    $smtp.Send($msg)
    $msg.Dispose()
}
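The two details most likely to go wrong in a script like the one above are the accountExpires arithmetic (the attribute is a FILETIME with two "never expires" sentinels) and trusting the owner address read back from the info attribute. The following is an added example, not part of the original script, that factors those two pieces into testable helpers, adds a dry-run listing of what would be notified, and registers the weekly run as a scheduled task. The helper names, the sample values, the gMSA name CONTOSO\gmsa-testnotify$, the script path C:\Scripts\Test_Account_Notification_v1.0.ps1 and the use of the ScheduledTasks module (Windows 8 / Server 2012 or later) are all assumptions made for the example; the "User-TestAccount Owner: <mail>" convention is the one used on this page.

```powershell
# Added example (not the original script). Assumes the info attribute holds
# "User-TestAccount Owner: <mail>" as on this page; other names are illustrative.

function ConvertFrom-AccountExpires {
    param([Parameter(Mandatory)][Int64]$Value)
    # In AD both 0 and Int64.MaxValue (9223372036854775807) mean "never expires".
    if ($Value -eq 0 -or $Value -eq [Int64]::MaxValue) { return $null }
    return [DateTime]::FromFileTimeUtc($Value)
}

function Get-TestAccountOwnerMail {
    param([string]$Info)
    # Only accept a single, well-formed address after the expected prefix; anything else is treated
    # as "no owner" so that the notification falls back to the administrator rather than failing.
    if ($Info -match '^User-TestAccount Owner:\s*(\S+@\S+)\s*$') {
        try { return ([System.Net.Mail.MailAddress]$Matches[1]).Address } catch { return $null }
    }
    return $null
}

function New-ExpiryWindowFilter {
    param([int]$Days = 14)
    $now   = (Get-Date).ToFileTime()
    $until = (Get-Date).AddDays($Days).ToFileTime()
    # Both bounds are needed: the lower one drops already-expired accounts, the upper one drops
    # "never expires" values and accounts that expire after the window.
    return "(&(objectCategory=person)(objectClass=user)(info=User-TestAccount Owner: *)(accountExpires>=$now)(accountExpires<=$until))"
}

function Get-ExpiringTestAccount {
    # Dry run: list what the notification script would act on, without sending anything.
    param([string]$AdPath = 'LDAP://DC=contoso,DC=msft', [int]$Days = 14)
    $root     = New-Object System.DirectoryServices.DirectoryEntry($AdPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.PageSize = 1000
    $searcher.Filter   = New-ExpiryWindowFilter -Days $Days
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'info', 'accountExpires'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName = [string]$r.Properties['samaccountname'][0]
            ExpiresUtc     = ConvertFrom-AccountExpires ([Int64]$r.Properties['accountexpires'][0])
            OwnerMail      = Get-TestAccountOwnerMail ([string]$r.Properties['info'][0])
        }
    }
}

function Register-TestAccountNotificationTask {
    # Weekly run (Monday 08:00) under a group managed service account (assumed name): the task only needs
    # read access to the test-account OUs and submission rights on the SMTP relay, nothing more.
    param(
        [string]$ScriptPath = 'C:\Scripts\Test_Account_Notification_v1.0.ps1',
        [string]$RunAs      = 'CONTOSO\gmsa-testnotify$'
    )
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument ('-NoProfile -File "' + $ScriptPath + '"')
    $trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At '08:00'
    $principal = New-ScheduledTaskPrincipal -UserId $RunAs -LogonType Password
    Register-ScheduledTask -TaskName 'TestAccountExpiryNotification' -Action $action -Trigger $trigger -Principal $principal
}

# Constructed sample values (no domain needed) showing how the helpers classify typical info / accountExpires pairs.
$samples = @(
    @{ Info = 'User-TestAccount Owner: alice@contoso.msft'; Expires = (Get-Date).AddDays(5).ToFileTime() },
    @{ Info = 'User-TestAccount Owner: not an address';     Expires = 0 },
    @{ Info = 'User-TestAccount Owner: bob@contoso.msft';   Expires = [Int64]::MaxValue }
)
foreach ($s in $samples) {
    '{0,-45} expires={1,-20} owner={2}' -f $s.Info, (ConvertFrom-AccountExpires $s.Expires), (Get-TestAccountOwnerMail $s.Info)
}
```

Run Get-ExpiringTestAccount against the domain before enabling the mail step to confirm the window and the owner parsing produce what you expect, then call Register-TestAccountNotificationTask once on the management host. One caveat worth checking on your own domain: the info attribute belongs to the Personal-Information property set, which the account itself (SELF) can write by default on user objects. If that default is in place, anyone holding the test account's credentials can rewrite the owner line and redirect or silence the expiry notification; restrict write access to the attribute, or keep the owner in an attribute the account cannot modify, if that matters in your environment.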