Certain Service Accounts will not disable with Powershell, where others will

Question

I have several hundred Service Accounts I am auditing and then I am disabling any account that has not been logged into at all, or any service account that has not been logged into in over 730 days/2 years . I am using PowerShell to first check the logon date, and then simply using Get-Aduser -identity xxx | Disable-Adaccount . For the accounts that have been logged into, PowerShell disables the accounts accordingly. But the accounts that have never been logged into, the LastLogonDate is Null, PowerShell does not return any errors, but when I run Get-Aduser the account remain True/Active. I can not figure out why PowerShell won't disable the account, but if I access ADAC or ADUC directly, I can disable them with out a problem. Is there a valid reason for this? Or is there a way to back check if the service is actively running on a remote server, which would be locking or blocking the account from being disabled? Or lastly, is there a line of code I can add that will allow PowerShell to disable these accounts?

Answer 1

Are these managed service accounts? Or are they just regular AD Users that you use to run services? Or are they a mixture of those two?

There are Get-ADServiceAccount, Remove-ADServiceAccount, and Set-ADServiceAccount cmdlets to deal with managed service accounts.

You can use the Set-ADServiceAccount with the -Enabled:$false parameter to disable such an account.