Certain Service Accounts will not disable with PowerShell, whereas others will

a-spowers 0 Reputation points
2023-04-10T13:10:40.37+00:00

I have several hundred service accounts I am auditing, and I am disabling any account that has never been logged into at all, or any service account that has not been logged into in over 730 days (2 years). I am using PowerShell to first check the logon date, and then simply using Get-ADUser -Identity xxx | Disable-ADAccount. For the accounts that have been logged into, PowerShell disables the accounts accordingly. But for the accounts that have never been logged into, where LastLogonDate is null, PowerShell does not return any errors, yet when I run Get-ADUser the account remains True/Active. I cannot figure out why PowerShell won't disable the account, but if I access ADAC or ADUC directly, I can disable them without a problem. Is there a valid reason for this? Or is there a way to check whether the service is actively running on a remote server, which would be locking or blocking the account from being disabled? Or lastly, is there a line of code I can add that will allow PowerShell to disable these accounts?


1 answer

  1. Rich Matheisen 45,906 Reputation points
    2023-04-10T14:47:31.22+00:00

    Are these managed service accounts? Or are they just regular AD Users that you use to run services? Or are they a mixture of those two?

    There are Get-ADServiceAccount, Remove-ADServiceAccount, and Set-ADServiceAccount cmdlets to deal with managed service accounts.

    You can use the Set-ADServiceAccount with the -Enabled:$false parameter to disable such an account.

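One way to put the answer into practice, as an added example rather than code from the thread or its answerer: a script that looks the account up by object class instead of assuming it is a user, applies the two-year / never-logged-on rule from the question, picks Disable-ADAccount or Set-ADServiceAccount accordingly, and then reads the object back to confirm the ADS_UF_ACCOUNTDISABLE bit in userAccountControl is set. Active Directory has no notion of an account being "in use" by a running service that would block a disable, so a cmdlet that returns no error but changes nothing is better caught by that read-back than by probing remote servers. The script name, the 30-day minimum-age guard, the sAMAccountName pattern and the parameter names are this example's own assumptions; it requires the RSAT ActiveDirectory module and write access to the account.

```powershell
<#
  Disable-DormantServiceAccount.ps1 (added example, not from the original thread).
  Assumes: RSAT ActiveDirectory module, write access to the target object,
  and a real sAMAccountName. The -MinAgeDays guard is this example's own choice.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # sAMAccountName; MSA/gMSA names carry a trailing '$', which may be omitted here.
    [Parameter(Mandatory)]
    [ValidatePattern('^[\w.\-]+\$?$')]    # rejects filter metacharacters such as ( ) * \ ' "
    [string]$Name,

    [int]$MaxIdleDays = 730,               # the thread's two-year threshold
    [int]$MinAgeDays  = 30,                # added margin: never-logged-on but brand new => skip
    [string]$Server                        # pin one DC so the write and the read-back agree
)

Import-Module ActiveDirectory -ErrorAction Stop
$dc = @{}
if ($Server) { $dc.Server = $Server }

# Look the object up by class rather than assuming Get-ADUser can see it.
$base   = $Name.TrimEnd('$')
$filter = 'sAMAccountName -eq "{0}" -or sAMAccountName -eq "{0}$"' -f $base
$obj = Get-ADObject @dc -Filter $filter `
        -Properties objectClass, lastLogonTimestamp, whenCreated, userAccountControl
if (-not $obj)          { throw "No account matching '$Name' was found." }
if (@($obj).Count -gt 1) { throw "'$Name' matched more than one object; pass the exact name." }

$kind = switch ($obj.ObjectClass) {
    'user'                            { 'User' }
    'msDS-ManagedServiceAccount'      { 'MSA' }
    'msDS-GroupManagedServiceAccount' { 'gMSA' }
    default { throw "Unexpected objectClass '$($obj.ObjectClass)' for '$Name'." }
}

# lastLogonTimestamp replicates (unlike lastLogon) but only every 9-14 days, which is
# fine for a two-year rule. A null value means no logon was ever recorded for the account.
$lastLogon = if ($obj.lastLogonTimestamp) { [DateTime]::FromFileTime($obj.lastLogonTimestamp) } else { $null }
$now       = Get-Date
$ageDays   = ($now - $obj.whenCreated).TotalDays
$idleDays  = if ($lastLogon) { ($now - $lastLogon).TotalDays } else { [double]::PositiveInfinity }
$isEnabled = -not ($obj.userAccountControl -band 0x2)     # 0x2 = ADS_UF_ACCOUNTDISABLE

$lastText = if ($lastLogon) { $lastLogon.ToString('d') } else { 'never' }
Write-Host ("{0,-5} {1,-30} created {2:d}  last logon {3}  enabled={4}" -f `
            $kind, $obj.Name, $obj.whenCreated, $lastText, $isEnabled)

if (-not $isEnabled)            { Write-Host 'Already disabled; nothing to do.'; return }
if ($ageDays -lt $MinAgeDays)   { Write-Host "Created $([int]$ageDays) days ago; skipping (may not be deployed yet)."; return }
if ($idleDays -le $MaxIdleDays) { Write-Host "Active within $MaxIdleDays days; leaving enabled."; return }

# -WhatIf on the script stops here and just reports what would happen.
if (-not $PSCmdlet.ShouldProcess($obj.DistinguishedName, "Disable dormant $kind")) { return }

try {
    if ($kind -eq 'User') {
        # Plain user object: Disable-ADAccount is the right verb.
        Disable-ADAccount @dc -Identity $obj.DistinguishedName -ErrorAction Stop
    } else {
        # MSA/gMSA: use the service-account cmdlet, as the answer above says.
        Set-ADServiceAccount @dc -Identity $obj.DistinguishedName -Enabled $false -ErrorAction Stop
    }
} catch {
    throw "Disable failed for '$Name': $($_.Exception.Message)"
}

# Re-read from the same DC: a write that did not take effect (or a different DC
# answering the read) shows up here, not as a cmdlet error.
$after = Get-ADObject @dc -Identity $obj.DistinguishedName -Properties userAccountControl
if (-not ($after.userAccountControl -band 0x2)) {
    throw "'$Name' still reports enabled after the disable call; check the object's ACL and which DC answered."
}
Write-Host "Disabled $kind '$($obj.Name)' and verified the disable bit on read-back."
```

Run it first with `-WhatIf` against one account of each type (a plain user and a gMSA such as `svc-gmsa$`) to see which branch it takes and what the logon data says, then drop `-WhatIf`. For the bulk audit, feed the list of names into the script in a loop and treat any thrown "still reports enabled" error as the signal that the silent failure from the question has reproduced on that object, which is the point at which the object's ACL, not the cmdlet, deserves a look.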