

Management of test accounts in an Active Directory production domain - Part II: Notification about expiry for test accounts (EN)

Active Directory test accounts are supposed to be created only in test environments. In practice this is not always the case: while a new integration or an update of a solution or piece of software is in progress, test accounts may be required for the necessary tests and checks in the production environment.

Unfortunately, Active Directory administrators may forget to remove test accounts once the tests are over, because such accounts can sit under different Organizational Units and are difficult to identify.

To give test accounts a clear life cycle and make them easier to manage, the following scripts were created:

Management of test accounts in an Active Directory production domain - Part I: Creation of test accounts
Management of test accounts in an Active Directory production domain - Part II: Notification about expiry for test accounts
Management of test accounts in an Active Directory production domain - Part III: Removal of test accounts


Management of test accounts in an Active Directory production domain - Part II: Notification about expiry for test accounts

A notification about the expiry of test accounts can be introduced as part of the management of such accounts.

The following script was developed to send a notification e-mail to the owner of the test account (the global Active Directory administrator is on CC) asking for an extension of the account's expiry date and time. It is configured to start fourteen (14) days before the expiry of the account.

This notification can be scheduled to run on a weekly basis.

Before using the script, you need to update the following variables:
  • $adPath: the LDAP path (Distinguished Name) of the Active Directory domain to check for test accounts
  • $domainnetbiosname: the NetBIOS name of the domain you use
  • $smtpServer: the DNS name of the SMTP server to use for sending e-mail notifications
  • $noreplymail: the SMTP address used as sender of the e-mail notifications
  • $globalADadminmail: the e-mail address of the global Active Directory administrator

###############################################################
# Test_Account_Notification_v1.0.ps1
# Version 1.0
# MALEK Ahmed - 30 / 03 / 2013
###############################################################

##################
#--------Config
##################
$adPath = "LDAP://DC=contoso,DC=msft"
$domainnetbiosname = "CONTOSO"
$noreplymail = "no-reply@contoso.msft"
$globalADadminmail = "administrator@contoso.msft"
$smtpServer = "mail.contoso.msft"

##################
#--------Main
##################
# Notification window: accounts whose accountExpires falls between now and 14 days from now.
# accountExpires is stored as a 64-bit FILETIME, so both bounds are converted with ToFileTime().
$now = (Get-Date).ToFileTime()
$Stamp = ((Get-Date).AddDays(2*7)).ToFileTime()
# LDAP connection
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($adPath)
# Paged LDAP search (the domain controller caps each page at its MaxPageSize, 1000 by default)
$ObjSearch = New-Object System.DirectoryServices.DirectorySearcher($objDomain)
$ObjSearch.PageSize = 1000
# Filter: user objects tagged as test accounts in the info attribute (see Part I)
# and expiring inside the notification window
$ObjSearch.Filter = "(&(objectCategory=person)(objectClass=user)(info=User-TestAccount*)(accountExpires>=" + $now + ")(accountExpires<=" + $Stamp + "))"
$allSearchResult = $ObjSearch.FindAll()
# One SMTP client serves all notifications
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
foreach ($SearchResult in $allSearchResult)
{
    $testaccount = New-Object System.DirectoryServices.DirectoryEntry($SearchResult.Path)
    $samaccountname = [string]$testaccount.Properties["sAMAccountName"].Value
    $mailbody = "The account " + $domainnetbiosname + "\" + $samaccountname + " will expire in a few days and will be automatically removed after the expiry. Please ask for the account expiry date extension if you would like to keep using this test account. " + "`r`n`r`n"
    # The owner's address is stored in the info attribute as "User-TestAccount Owner: <mail>"
    $testaccountownermail = ([string]$testaccount.Properties["info"].Value) -replace "User-TestAccount Owner: ", ""
    $Receiver = $testaccountownermail
    # Notification e-mail to the owner, with the global AD administrator on CC
    $msg = New-Object Net.Mail.MailMessage
    $msg.From = $noreplymail
    $msg.To.Add($Receiver)
    $msg.CC.Add($globalADadminmail)
    $msg.Subject = "[IMPORTANT] The account " + $domainnetbiosname + "\" + $samaccountname + " will expire in a few days and will be automatically removed after the expiry."
    $msg.Body = $mailbody
    $msg.Priority = [System.Net.Mail.MailPriority]::High
    $smtp.Send($msg)
}
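The script relies on two assumptions worth making explicit: that accountExpires can be compared as a FILETIME, and that the info attribute written by Part I carries the owner's address. The following helpers, added here as an example and not part of the original script (function names and the sample accounts are constructed), show the expiry window as an LDAP filter, the two sentinel values of accountExpires that mean "never expires" and would pass a plain ">=" test, and how a missing owner tag is detected before any mail is addressed:

```powershell
# Added example, not part of the original script. Function names are the example's own.
# Assumes the attributes the script uses: accountExpires (64-bit FILETIME) and an info
# attribute of the form "User-TestAccount Owner: <mail>" as written by the Part I script.

function ConvertFrom-AccountExpires {
    # 0 and Int64.MaxValue both mean "never expires"; Int64.MaxValue passes an "accountExpires>=" test
    param([Parameter(Mandatory)][long]$FileTime)
    if ($FileTime -eq 0 -or $FileTime -eq [long]::MaxValue) { return $null }
    return [DateTime]::FromFileTimeUtc($FileTime)
}

function New-ExpiryWindowFilter {
    # LDAP filter for test accounts expiring between $Now and $Now + $Days (both bounds as FILETIME)
    param([DateTime]$Now = (Get-Date), [int]$Days = 14)
    $lower = $Now.ToFileTime()
    $upper = $Now.AddDays($Days).ToFileTime()
    return "(&(objectCategory=person)(objectClass=user)(info=User-TestAccount*)(accountExpires>=$lower)(accountExpires<=$upper))"
}

function Get-TestAccountOwner {
    # Owner mail address from the info attribute; $null when the tag is missing or malformed
    param([string]$Info)
    if ($Info -match '^User-TestAccount Owner:\s*(\S+@\S+)\s*$') { return $Matches[1] }
    return $null
}

# The filter the notification run of 30 / 03 / 2013 would have used
New-ExpiryWindowFilter -Now (Get-Date '2013-03-30') -Days 14

# Constructed sample of four search results (sample values, not real directory data)
$sample = @(
    @{ sam = 'tst-app01'; info = 'User-TestAccount Owner: alice@contoso.msft'; expires = (Get-Date).AddDays(5).ToFileTime() },
    @{ sam = 'tst-app02'; info = 'User-TestAccount Owner: bob@contoso.msft';   expires = 0 },
    @{ sam = 'tst-app03'; info = 'User-TestAccount Owner: carol@contoso.msft'; expires = [long]::MaxValue },
    @{ sam = 'tst-app04'; info = 'User-TestAccount';                            expires = (Get-Date).AddDays(10).ToFileTime() }
)
foreach ($acct in $sample) {
    $expiry = ConvertFrom-AccountExpires $acct.expires
    $owner  = Get-TestAccountOwner $acct.info
    if ($null -eq $expiry) { "{0}: never expires - test account without expiry, flag for review" -f $acct.sam; continue }
    if ($null -eq $owner)  { "{0}: owner missing from info attribute - notify the AD administrator only" -f $acct.sam; continue }
    "{0}: expires {1:u}, notify {2}" -f $acct.sam, $expiry, $owner
}
```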

Verified on the following platforms

 Windows 10                 No
 Windows Server 2012        No
 Windows Server 2012 R2     No
 Windows Server 2008 R2     Yes
 Windows Server 2008        No
 Windows Server 2003        No
 Windows 8                  No
 Windows 7                  No
 Windows Vista              No
 Windows XP                 No
 Windows 2000               No

This script was tested on these platforms by the author. It is likely to work on other platforms as well. If you try it and find that it works on another platform, please add a note to the script discussion to let others know.

Disclaimer
 
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.