

Management of test accounts in an Active Directory production domain - Part III: Removal of test accounts (EN)

Active Directory test accounts are supposed to be created only in test environments. However, this is not always possible: when a new integration or an update of a solution or piece of software is in progress, test accounts may be required to perform the needed tests and checks in the production environment.

Unfortunately, Active Directory administrators may forget to remove test accounts after the tests are finished, because such accounts can be located under different Organizational Units and can be difficult to identify.

To give test accounts a clear life cycle and make them easier to manage, the following scripts were created:

Management of test accounts in an Active Directory production domain - Part I: Creation of test accounts
Management of test accounts in an Active Directory production domain - Part II: Notification about expiry for test accounts
Management of test accounts in an Active Directory production domain - Part III: Removal of test accounts

Management of test accounts in an Active Directory production domain - Part III: Removal of test accounts

If a test account has expired and its owner has not asked for an extension of the expiry date, the account can be removed as part of an automatic cleanup process for test accounts.

This can be done with the following script, which can be scheduled to run on a daily basis.

Before using the script, update the following variables:
  • $adPath: Update the Distinguished Name to be the one of the Active Directory domain to check for test accounts
  • $domainnetbiosname: Specify the NetBIOS name of the domain you use
  • $smtpServer: Specify the DNS name of the SMTP server to use for sending e-mail notifications
  • $noreplymail: Specify the SMTP address to use to send e-mail notifications
  • $globalADadminmail: Specify the e-mail address of the global Active Directory administrator
###############################################################
# Test_Account_Removal_v1.0.ps1
# Version 1.0
# MALEK Ahmed - 30 / 03 / 2013
###############################################################

##################
#--------Config
##################
$adPath = "LDAP://DC=contoso,DC=msft"
$domainnetbiosname = "CONTOSO"
$noreplymail = "no-reply@contoso.msft"
$globalADadminmail = "administrator@contoso.msft"
$smtpServer = "mail.contoso.msft"

##################
#--------Main
##################
# Current time as a FILETIME value, the same representation AD uses for accountExpires
$Stamp = (Get-Date).ToFileTime()
# LDAP connection
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($adPath)
# LDAP search over the whole domain (paged, so more than the default 1000-result limit can be returned)
$ObjSearch = New-Object System.DirectoryServices.DirectorySearcher($objDomain)
$ObjSearch.PageSize = 60000
# Select only user accounts tagged as test accounts in the "info" attribute whose expiry
# date is already in the past. accountExpires=0 means "never expires" and would otherwise
# satisfy the <= comparison, so it is excluded explicitly.
$ObjSearch.Filter = "(&(objectCategory=person)(objectClass=user)(info=User-TestAccount*)(!(accountExpires=0))(accountExpires<=" + $Stamp + "))"
$allSearchResult = $ObjSearch.FindAll()
foreach ($SearchResult in $allSearchResult)
{
    $testaccount = New-Object System.DirectoryServices.DirectoryEntry($SearchResult.Path)
    $testaccountdn = [string]$testaccount.distinguishedName
    $testaccountsam = [string]$testaccount.sAMAccountName
    # The owner's address is stored in the "info" attribute by the creation script (Part I)
    $testaccountownermail = ([string]$testaccount.info -replace "User-TestAccount Owner: ", "")
    # Delete the account. dsrm is an external command, so its outcome is read from
    # $LASTEXITCODE ($Error.Count does not change when a native command fails).
    dsrm $testaccountdn -noprompt -c
    $removed = ($LASTEXITCODE -eq 0)
    $msg = New-Object Net.Mail.MailMessage
    $smtp = New-Object Net.Mail.SmtpClient($smtpServer)
    $msg.From = $noreplymail
    # Notification about the test account removal
    if ($removed)
    {
        $mailbody = "The test account " + $domainnetbiosname + "\" + $testaccountsam + " was removed from Active Directory. " + "`r`n`r`n"
        $Receiver = $testaccountownermail
        $msg.CC.Add($globalADadminmail)
        $msg.Subject = "[IMPORTANT] The account " + $domainnetbiosname + "\" + $testaccountsam + " was removed from Active Directory."
    }
    else
    {
        $mailbody = "The test account " + $domainnetbiosname + "\" + $testaccountsam + " was not removed from Active Directory. " + "`r`n`r`n"
        $Receiver = $globalADadminmail
        $msg.Subject = "[ERROR] The account " + $domainnetbiosname + "\" + $testaccountsam + " was not removed from Active Directory."
    }
    $msg.To.Add($Receiver)
    $msg.Body = $mailbody
    $msg.Priority = [System.Net.Mail.MailPriority]::High
    $smtp.Send($msg)
}
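Before scheduling a script that deletes accounts, it is worth checking which objects the selection logic actually matches. The following read-only dry run is an added example and is not part of the original script: it lists every account tagged with the "User-TestAccount" info convention used on this page, shows its expiry date and states whether the removal script would select it, without deleting anything. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the function names `Test-ExpiredTestAccount` and `Get-ExpiredTestAccountReport` and the sample values at the end are my own, and the search base is the domain used in the script.

```powershell
# Added example, not part of the original Test_Account_Removal script.
# Requires the ActiveDirectory module (RSAT); runs read-only against the domain.

# accountExpires is a FILETIME (100-ns ticks since 1601-01-01 UTC). The values
# 0 and 9223372036854775807 ([Int64]::MaxValue) both mean "never expires"; 0 in
# particular must not be treated as "expired" even though 0 <= any timestamp.
function Test-ExpiredTestAccount {
    param(
        [string]$Info,                                 # content of the AD "info" attribute
        [Parameter(Mandatory)][Int64]$AccountExpires,  # raw accountExpires value
        [DateTime]$Now = (Get-Date)
    )
    # Only accounts tagged by the creation script (Part I) are candidates
    if ($Info -notlike 'User-TestAccount*') { return $false }
    # Never-expires sentinels are not expired accounts
    if ($AccountExpires -eq 0 -or $AccountExpires -eq [Int64]::MaxValue) { return $false }
    # Same comparison the removal script performs in its LDAP filter
    return ($AccountExpires -le $Now.ToFileTime())
}

function Get-ExpiredTestAccountReport {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'DC=contoso,DC=msft'
        [string]$Server                              # optional domain controller
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $query = @{
        LDAPFilter = '(&(objectCategory=person)(objectClass=user)(info=User-TestAccount*))'
        SearchBase = $SearchBase
        Properties = 'info', 'accountExpires', 'whenCreated'
    }
    if ($Server) { $query.Server = $Server }
    Get-ADUser @query | ForEach-Object {
        $expires = [Int64]$_.accountExpires
        [PSCustomObject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            Owner             = ($_.info -replace 'User-TestAccount Owner: ', '')
            Created           = $_.whenCreated
            Expires           = if ($expires -eq 0 -or $expires -eq [Int64]::MaxValue) { 'never' }
                                else { [DateTime]::FromFileTime($expires) }
            WouldRemove       = Test-ExpiredTestAccount -Info $_.info -AccountExpires $expires
        }
    }
}

# Constructed sample values (not real accounts) that exercise the decision logic
# without touching a domain: an expiry in the past, one in the future, the
# never-expires sentinel, and an account that is not tagged as a test account.
$owner = 'User-TestAccount Owner: owner@contoso.msft'
$pastExpiry   = (Get-Date).AddDays(-1).ToFileTime()
$futureExpiry = (Get-Date).AddDays(7).ToFileTime()
Test-ExpiredTestAccount -Info $owner -AccountExpires $pastExpiry
Test-ExpiredTestAccount -Info $owner -AccountExpires $futureExpiry
Test-ExpiredTestAccount -Info $owner -AccountExpires 0
Test-ExpiredTestAccount -Info 'Service account' -AccountExpires $pastExpiry
```

Run `Get-ExpiredTestAccountReport -SearchBase 'DC=contoso,DC=msft' | Format-Table -AutoSize` on the domain and compare the `WouldRemove` column with what the owners expect before enabling the scheduled removal; the same function can be run daily alongside the cleanup to keep a record of what was selected and why.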

Verified on the following platforms

  • Windows 10: No
  • Windows Server 2012: No
  • Windows Server 2012 R2: No
  • Windows Server 2008 R2: Yes
  • Windows Server 2008: No
  • Windows Server 2003: No
  • Windows 8: No
  • Windows 7: No
  • Windows Vista: No
  • Windows XP: No
  • Windows 2000: No

This script is tested on these platforms by the author. It is likely to work on other platforms as well. If you try it and find that it works on another platform, please add a note to the script discussion to let others know.

Disclaimer
 
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.