How do we disable users with expired AD password with exception from AD OU?

Marvin Oco 1 Reputation point
2021-03-05T08:14:53.023+00:00

We have the script below, which disables AD users with expired passwords:

Get-ADUser -Filter * -Properties PasswordExpired |
Where-Object PasswordExpired | Disable-ADAccount

How do we disable AD users with expired passwords, with an exception for an AD OU?

Thanks

Windows for business Windows Server User experience PowerShell

2 answers

  1. Ulv 81 Reputation points
    2021-03-05T08:41:04.277+00:00

    Hi @Marvin Oco

    Just a clarification

    Today you disable AD users with expired passwords, with the script you've shared.

    What you are hoping for is to exclude members of an AD OU so that they are not disabled if their passwords expire? Is my understanding correct?

    If so, there are several ways of doing it; the optimal solution depends on where your script runs today. You could set your script to apply to the OUs you want, and not to the ones where you want to exclude it from being run. This can be accomplished with PowerShell, or even with a GPO, ensuring that the link is enabled, enforced or the order of precedence for the GPO setting.

    Best regards,
    Ulv


  2. Anonymous
    2021-03-08T07:48:24.037+00:00

    Hi,

    You can do it like below

    # Users whose DistinguishedName ends with this OU (child OUs included) are skipped
    $ou = "OU=testou,DC=contoso,DC=com"
    Get-ADUser -Filter {Enabled -eq $true} -Properties PasswordExpired | Where-Object {
        $_.PasswordExpired -and ($_.DistinguishedName -notlike "*,$ou")
    } | Disable-ADAccount


    Best Regards,
    Ian Xue
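
The OU exclusion from the answers above, extended to several OUs with a dry run and a per-account record, as an added example that is not part of the original thread. The function name `Disable-ExpiredPasswordUser`, its `-ExcludeOU` parameter, the second OU DN and the CSV path are assumptions made for illustration.

```powershell
#Requires -Modules ActiveDirectory
# Added example: function/parameter names are hypothetical, OU DNs are placeholders.
function Disable-ExpiredPasswordUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # DNs of OUs whose users (child OUs included) must never be disabled
        [Parameter(Mandatory)]
        [string[]]$ExcludeOU
    )

    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordExpired |
        Where-Object PasswordExpired

    foreach ($user in $users) {
        $dn = $user.DistinguishedName

        # Literal, case-insensitive suffix match: unlike -notlike, it is not
        # affected by wildcard characters such as [ ] * ? inside an OU name.
        $excludedBy = $ExcludeOU | Where-Object {
            $dn.EndsWith(",$_", [System.StringComparison]::OrdinalIgnoreCase)
        } | Select-Object -First 1

        $action = 'Skipped (excluded OU)'
        if (-not $excludedBy) {
            $action = 'Not disabled (-WhatIf or declined)'
            if ($PSCmdlet.ShouldProcess($dn, 'Disable-ADAccount')) {
                Disable-ADAccount -Identity $user
                $action = 'Disabled'
            }
        }

        # One record per expired-password user, so each run can be reviewed
        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            DistinguishedName = $dn
            ExcludedBy        = $excludedBy
            Action            = $action
        }
    }
}

# Dry run first: -WhatIf reports what would happen without changing any account.
# 'OU=Service Accounts,...' is a constructed placeholder DN.
$exclude = 'OU=testou,DC=contoso,DC=com', 'OU=Service Accounts,DC=contoso,DC=com'
Disable-ExpiredPasswordUser -ExcludeOU $exclude -WhatIf |
    Export-Csv -Path .\expired-password-review.csv -NoTypeInformation
```

Once the CSV has been reviewed, the same call without `-WhatIf` disables the accounts and returns the same records with the action taken.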
