Active Directory test accounts are supposed to be created only in test environments. However, this is not always possible: while a new integration or an update of a solution / software is in progress, test accounts may be required to run the necessary tests and checks in the production environment.
Unfortunately, Active Directory administrators may forget to remove test accounts once the tests are finished, because such accounts can be located under different Organizational Units and are therefore difficult to identify.
In order to have a clear Life Cycle and an ease of management of test accounts, the following scripts were created:
Management of test accounts in an Active Directory production domain - Part III: Removal of test accounts
If a test account has expired and its owner has not asked for an extension of the expiry date, it can be removed as part of an automated cleanup process for test accounts.
This can be done with the following script, which can be scheduled to run daily. Note that the script deletes the matching accounts outright (via dsrm), so run it under an account that has delete rights on the test accounts only, and make sure the expiry dates on your test accounts are correct before enabling it.
Before using the script, update the variables in its Config section (LDAP path of the domain, NetBIOS domain name, sender and administrator e-mail addresses, SMTP server):
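###############################################################
# Test_Account_Removal_v1.0.ps1
# Version 1.0
# MALEK Ahmed - 30 / 03 / 2013
#
# Deletes expired Active Directory test accounts - user objects whose
# "info" attribute starts with "User-TestAccount" and whose accountExpires
# value lies in the past - and e-mails the owner named in that attribute
# (CC the AD administrator). Failures are reported to the administrator
# only. Intended to run daily as a scheduled task under an account that
# is allowed to delete user objects below $adPath.
#
# NOTE(review): the deletion is irreversible from the script's point of
# view (dsrm, no recycle-bin handling); consider disabling / moving the
# account first if your environment requires a grace period.
###################
##################
#--------Config
##################
$adPath="LDAP://DC=contoso,DC=msft"
$domainnetbiosname = "CONTOSO"
$noreplymail = "no-reply@contoso.msft"
$globalADadminmail = "administrator@contoso.msft"
$smtpServer = "mail.contoso.msft"
##################
#--------Main
##################
#Identify Stamp: accountExpires is stored as a Windows FILETIME (100 ns ticks since 1601, UTC),
#so "now" is converted to the same representation for the LDAP comparison.
$Stamp = (get-date).ToFileTime()
#LDAP connection
$objDomain=New-Object System.DirectoryServices.DirectoryEntry($adPath)
#Doing an LDAP search
$ObjSearch=New-Object System.DirectoryServices.DirectorySearcher($ObjDomain)
$ObjSearch.PageSize = 60000
#Only the attributes the notification needs are fetched with the search result.
$ObjSearch.PropertiesToLoad.AddRange(@("distinguishedname","samaccountname","info"))
#Filtering user accounts tagged as test accounts in "info" whose expiry date has passed.
#accountExpires=0 means "never expires" in AD; without the extra clause every tagged account
#that has no expiry date set would be deleted on the first run.
#NOTE(review): deletion is keyed on a free-text attribute (info). Anyone able to write "info"
#on a user object can tag it for removal - confirm who can write it in your domain, or narrow
#$adPath to the OU that holds the test accounts.
$ObjSearch.Filter = "(&(objectCategory=person)(objectClass=user)(info=User-TestAccount*)(accountexpires<="+$Stamp+")(!(accountexpires=0)))"
$allSearchResult = $ObjSearch.FindAll()
foreach ($SearchResult in $allSearchResult)
{
    #Read everything the notification needs BEFORE the object is deleted.
    $dn = [string]$SearchResult.Properties["distinguishedname"][0]
    $samaccountname = [string]$SearchResult.Properties["samaccountname"][0]
    $info = [string]$SearchResult.Properties["info"][0]
    $accountname = $domainnetbiosname + "\" + $samaccountname
    $errorcount1 = $Error.Count
    dsrm $dn -noprompt -c
    $dsrmExit = $LASTEXITCODE
    $errorcount2 = $Error.Count
    #dsrm is an external command: a non-zero exit code, or any new PowerShell error (e.g. dsrm
    #not found), means the account is still there. The original compared $errorcount1 with
    #itself, which reported every failure as a successful removal.
    $removed = ($dsrmExit -eq 0) -and ($errorcount1 -eq $errorcount2)
    $msg = new-object Net.Mail.MailMessage
    $smtp = new-object Net.Mail.SmtpClient($smtpServer)
    $msg.From = $noreplymail
    #Notification about the test account removal
    if ($removed)
    {
        $mailbody = "The test account " + $accountname + " was removed from Active Directory. "+ "`r`n`r`n"
        $testaccountownermail = ($info -replace "User-TestAccount Owner: ","").Trim()
        #The owner address comes from a directory attribute, i.e. from data this script does not
        #control. Parse it as exactly ONE address (MailAddressCollection.Add(string) would accept a
        #comma-separated list) and fall back to the AD administrator if it is missing or malformed.
        $owner = $null
        if ($testaccountownermail -ne "")
        {
            try { $owner = New-Object System.Net.Mail.MailAddress($testaccountownermail) } catch { $owner = $null }
        }
        if ($owner -ne $null)
        {
            $msg.To.Add($owner)
            $msg.cc.Add($globalADadminmail)
        }
        else
        {
            $mailbody += "No valid owner address was found in the account's info attribute (" + $info + ")." + "`r`n`r`n"
            $msg.To.Add($globalADadminmail)
        }
        $msg.Subject = "[IMPORTANT] The account " + $accountname + " was removed from Active Directory."
    }
    else
    {
        $mailbody = "The test account " + $accountname + " was not removed from Active Directory. "+ "`r`n`r`n"
        $mailbody += "dsrm exit code: " + $dsrmExit + "`r`n`r`n"
        #Failures go to the AD administrator only: the account still exists and must be looked at.
        $msg.To.Add($globalADadminmail)
        $msg.Subject = "[ERROR] The account " + $accountname + " was not removed from Active Directory."
    }
    $msg.Body = $mailbody
    $msg.Priority = [System.Net.Mail.MailPriority]::High
    try
    {
        $smtp.Send($msg)
    }
    finally
    {
        $msg.Dispose()
    }
}
#Release the LDAP result set and connection.
$allSearchResult.Dispose()
$objDomain.Dispose()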
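###############################################################
# Test_Account_Removal_v1.0.ps1
# Version 1.0
# MALEK Ahmed - 30 / 03 / 2013
#
# Deletes expired Active Directory test accounts - user objects whose
# "info" attribute starts with "User-TestAccount" and whose accountExpires
# value lies in the past - and e-mails the owner named in that attribute
# (CC the AD administrator). Failures are reported to the administrator
# only. Intended to run daily as a scheduled task under an account that
# is allowed to delete user objects below $adPath.
#
# NOTE(review): the deletion is irreversible from the script's point of
# view (dsrm, no recycle-bin handling); consider disabling / moving the
# account first if your environment requires a grace period.
###################
##################
#--------Config
##################
$adPath="LDAP://DC=contoso,DC=msft"
$domainnetbiosname = "CONTOSO"
$noreplymail = "no-reply@contoso.msft"
$globalADadminmail = "administrator@contoso.msft"
$smtpServer = "mail.contoso.msft"
##################
#--------Main
##################
#Identify Stamp: accountExpires is stored as a Windows FILETIME (100 ns ticks since 1601, UTC),
#so "now" is converted to the same representation for the LDAP comparison.
$Stamp = (get-date).ToFileTime()
#LDAP connection
$objDomain=New-Object System.DirectoryServices.DirectoryEntry($adPath)
#Doing an LDAP search
$ObjSearch=New-Object System.DirectoryServices.DirectorySearcher($ObjDomain)
$ObjSearch.PageSize = 60000
#Only the attributes the notification needs are fetched with the search result.
$ObjSearch.PropertiesToLoad.AddRange(@("distinguishedname","samaccountname","info"))
#Filtering user accounts tagged as test accounts in "info" whose expiry date has passed.
#accountExpires=0 means "never expires" in AD; without the extra clause every tagged account
#that has no expiry date set would be deleted on the first run.
#NOTE(review): deletion is keyed on a free-text attribute (info). Anyone able to write "info"
#on a user object can tag it for removal - confirm who can write it in your domain, or narrow
#$adPath to the OU that holds the test accounts.
$ObjSearch.Filter = "(&(objectCategory=person)(objectClass=user)(info=User-TestAccount*)(accountexpires<="+$Stamp+")(!(accountexpires=0)))"
$allSearchResult = $ObjSearch.FindAll()
foreach ($SearchResult in $allSearchResult)
{
    #Read everything the notification needs BEFORE the object is deleted.
    $dn = [string]$SearchResult.Properties["distinguishedname"][0]
    $samaccountname = [string]$SearchResult.Properties["samaccountname"][0]
    $info = [string]$SearchResult.Properties["info"][0]
    $accountname = $domainnetbiosname + "\" + $samaccountname
    $errorcount1 = $Error.Count
    dsrm $dn -noprompt -c
    $dsrmExit = $LASTEXITCODE
    $errorcount2 = $Error.Count
    #dsrm is an external command: a non-zero exit code, or any new PowerShell error (e.g. dsrm
    #not found), means the account is still there. The original compared $errorcount1 with
    #itself, which reported every failure as a successful removal.
    $removed = ($dsrmExit -eq 0) -and ($errorcount1 -eq $errorcount2)
    $msg = new-object Net.Mail.MailMessage
    $smtp = new-object Net.Mail.SmtpClient($smtpServer)
    $msg.From = $noreplymail
    #Notification about the test account removal
    if ($removed)
    {
        $mailbody = "The test account " + $accountname + " was removed from Active Directory. "+ "`r`n`r`n"
        $testaccountownermail = ($info -replace "User-TestAccount Owner: ","").Trim()
        #The owner address comes from a directory attribute, i.e. from data this script does not
        #control. Parse it as exactly ONE address (MailAddressCollection.Add(string) would accept a
        #comma-separated list) and fall back to the AD administrator if it is missing or malformed.
        $owner = $null
        if ($testaccountownermail -ne "")
        {
            try { $owner = New-Object System.Net.Mail.MailAddress($testaccountownermail) } catch { $owner = $null }
        }
        if ($owner -ne $null)
        {
            $msg.To.Add($owner)
            $msg.cc.Add($globalADadminmail)
        }
        else
        {
            $mailbody += "No valid owner address was found in the account's info attribute (" + $info + ")." + "`r`n`r`n"
            $msg.To.Add($globalADadminmail)
        }
        $msg.Subject = "[IMPORTANT] The account " + $accountname + " was removed from Active Directory."
    }
    else
    {
        $mailbody = "The test account " + $accountname + " was not removed from Active Directory. "+ "`r`n`r`n"
        $mailbody += "dsrm exit code: " + $dsrmExit + "`r`n`r`n"
        #Failures go to the AD administrator only: the account still exists and must be looked at.
        $msg.To.Add($globalADadminmail)
        $msg.Subject = "[ERROR] The account " + $accountname + " was not removed from Active Directory."
    }
    $msg.Body = $mailbody
    $msg.Priority = [System.Net.Mail.MailPriority]::High
    try
    {
        $smtp.Send($msg)
    }
    finally
    {
        $msg.Dispose()
    }
}
#Release the LDAP result set and connection.
$allSearchResult.Dispose()
$objDomain.Dispose()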