Why does it take a long time for a PowerShell script to take effect on AD

Pankajbhakta95 106 Reputation points
2021-04-28T02:27:09.007+00:00

Hi,

I am using the script below to read the names of users from a .csv file and disable users from AD.

The script works alright but most of the time it takes 5 minutes or even more to take effect and disable the users.

Is this normal or is there a better way to run the script?

I am running the script from PowerShell ISE on my laptop that is logged in to the domain.

Thanks

Pankaj


Import-Module ActiveDirectory

$userlist=Import-CSV C:\ADUSERS\DisableUsers.csv

ForEach ($user in $userlist)
{
    Disable-ADAccount -Identity $($user.name)

    write-host "user $($user.name) has been disabled"
}



Accepted answer
  1. Andreas Baumgarten 123.4K Reputation points MVP Volunteer Moderator
    2021-04-29T21:56:54.55+00:00

    Hi @Pankajbhakta95 ,

    If the script runs fast and without any error, but the AD User & Computer Console shows the disabled users only after a delay of a few minutes, it might be that your script is using one DC and the AD User & Computer Console is connected to a different DC. This would explain why you see the result with a delay in the console: the DCs have to replicate the changes first.

    You can try to set the DC in the script with this line:

    $PSDefaultParameterValues = @{"*-AD*:Server"="YOUR_DC-COMPUTERNAME"}  
    

    And you should select the same DC in the AD User & Computer console as well.

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten
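
An added example (not part of the original answer) of the approach described above: every AD cmdlet is pinned to one DC, the result is read back from that DC, and then each DC is asked for its own copy of the account to see which ones have received the change. `YOUR_DC-COMPUTERNAME` is the answer's placeholder and the CSV path and `name` column come from the question; the report layout is an assumption.

```powershell
Import-Module ActiveDirectory

# Placeholder from the answer above: replace with the name of one DC.
$TargetDc = 'YOUR_DC-COMPUTERNAME'

# Every *-AD* cmdlet in this session now talks to $TargetDc unless -Server is given.
$PSDefaultParameterValues = @{ '*-AD*:Server' = $TargetDc }

$userlist = Import-Csv 'C:\ADUSERS\DisableUsers.csv'

foreach ($user in $userlist) {
    try {
        Disable-ADAccount -Identity $user.name -ErrorAction Stop
        # Read the flag back from the same DC that accepted the write.
        $state = Get-ADUser -Identity $user.name -ErrorAction Stop
        Write-Host "user $($user.name) on ${TargetDc}: Enabled=$($state.Enabled)"
    }
    catch {
        Write-Warning "user $($user.name) was not disabled: $($_.Exception.Message)"
    }
}

# Ask each DC for its own copy of every account. A DC that still reports
# Enabled=True has not yet received the change by replication.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($user in $userlist) {
        try {
            # An explicit -Server overrides the session default set above.
            $copy = Get-ADUser -Identity $user.name -Server $dc.HostName -ErrorAction Stop
            [pscustomobject]@{ User = $user.name; DC = $dc.HostName; Enabled = $copy.Enabled }
        }
        catch {
            [pscustomobject]@{ User = $user.name; DC = $dc.HostName; Enabled = 'query failed' }
        }
    }
}

$report | Sort-Object User, DC | Format-Table -AutoSize
```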


5 additional answers

  1. Andreas Baumgarten 123.4K Reputation points MVP Volunteer Moderator
    2021-04-28T06:17:19.597+00:00

    Hi @Pankajbhakta95 ,

    how many users are in the list? (just to get an idea)

    In your script the user will be searched in the full AD. Depending on the OU structure and the amount of AD objects this "might last a little bit".

    Maybe it's faster if the search scope in AD is more limited. This can be done this way:

    Get-ADUser -Identity $($user.name) -SearchBase "OU=UserAccounts,DC=YOURDOMAIN,DC=LOCAL" | Disable-ADAccount  
    

    https://learn.microsoft.com/en-us/powershell/module/activedirectory/disable-adaccount?view=windowsserver2019-ps#example-3--disable-all-accounts-in-an-organizational-unit-using-a-filter


    Regards
    Andreas Baumgarten


  2. Pankajbhakta95 106 Reputation points
    2021-04-29T00:07:35.683+00:00

    @Andreas Baumgarten
    Thanks for your suggestion.

    The total number of users in the AD will be approximately 1300.
    There are approximately 15 locations on our domain and 20 Domain Controllers.

    Our OU Structure is as given below.

    a) Each location has a separate OU.
    b) Under each location there are Computers OU, Groups OU & Users OU.

    I have created two test users as follows.
    Location OU > LocalUsers OU > GPO_Test OU > Test.User1 & Test.User2

    I have only these two test users in the list in the DisableUsers.csv file and am using the script mentioned earlier to disable these two users.
    It is working fine except it takes a long time to disable the users.

    Do you think the query will take effect faster if I limit my search by adding the line as you have suggested?

    ( Get-ADUser -Identity $($user.name) -SearchBase "OU=UserAccounts,DC=YOURDOMAIN,DC=LOCAL" | Disable-ADAccount )

    In that case the new script will look as shown below.


    Import-Module ActiveDirectory

    $userlist=Import-CSV C:\ADUSERS\DisableUsers.csv

    ForEach ($user in $userlist)
    {

    Get-ADUser -Identity $($user.name) -SearchBase "OU=GPO_Test,OU=LocalUsers,OU=Location,DC=OurDomain,DC=local” | Disable-ADAccount

    write-host "user $($user.name) has been disabled"
    }


    After running the script I am getting the following error.

    Get-ADUser : Parameter set cannot be resolved using the specified named parameters.
    At line:12 char:6
    + Get-ADUser -Identity $($user.name) -SearchBase "OU=GPO_Test,OU=L ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : InvalidArgument: (:) [Get-ADUser], ParameterBindingException
        + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.ActiveDirectory.Management.Commands.GetADUser

    My line 12 is given below.
    Get-ADUser -Identity $($user.name) -SearchBase "OU=GPO_Test,OU=LocalUsers,OU=Location,DC=OurDomain,DC=local” | Disable-ADAccount

    Kindly suggest if I am missing anything else.

    Thanks

    Pankaj
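
In `Get-ADUser`, `-Identity` and `-SearchBase` belong to different parameter sets, which is what the `AmbiguousParameterSet` error above reports; `-SearchBase` combines with `-Filter` or `-LDAPFilter`. An added example (not code from the thread) that scopes the lookup to the OU from the post with `-Filter`; matching the CSV `name` column against `SamAccountName` and the allowed-character check are assumptions.

```powershell
Import-Module ActiveDirectory

# OU path as given in the post; the CSV path and 'name' column come from the question.
$searchBase = 'OU=GPO_Test,OU=LocalUsers,OU=Location,DC=OurDomain,DC=local'
$userlist   = Import-Csv 'C:\ADUSERS\DisableUsers.csv'

foreach ($user in $userlist) {
    $name = "$($user.name)".Trim()

    # Assumption: account names contain only letters, digits, '.', '_' and '-'
    # (like Test.User1). Anything else is skipped rather than placed in the filter.
    if ($name -notmatch '^[\w.\-]+$') {
        Write-Warning "skipping '$name': unexpected characters in CSV value"
        continue
    }

    # -Filter and -SearchBase are in the same parameter set, so this binds cleanly.
    $found = @(Get-ADUser -Filter "SamAccountName -eq '$name'" `
                          -SearchBase $searchBase -SearchScope Subtree)

    if ($found.Count -eq 0) {
        # The account does not exist, or it lives outside the scoped OU.
        Write-Warning "user $name not found under $searchBase"
        continue
    }

    try {
        $found[0] | Disable-ADAccount -ErrorAction Stop
        Write-Host "user $name has been disabled"
    }
    catch {
        Write-Warning "user $name was not disabled: $($_.Exception.Message)"
    }
}
```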


  3. Andreas Baumgarten 123.4K Reputation points MVP Volunteer Moderator
    2021-04-29T06:12:35.15+00:00

    Hi @Pankajbhakta95 ,

    I just tested this script on a DC in my test environment:

    Import-Module ActiveDirectory

    $userlist=Import-CSV C:\ADUSERS\DisableUsers.csv

    ForEach ($user in $userlist)
    {
        Get-ADUser -Identity $user.name | Disable-ADAccount
        # $(...) is needed so the property, not the whole object, is expanded in the string
        Write-Host "user $($user.name) has been disabled"
    }
    

    I only have <100 user objects in my domain but it should not matter that much if you have about 1300 users. The script runs, disabling the user accounts within a second.

    Are you running the script on a DC or a remote computer?


    Regards
    Andreas Baumgarten


  4. Pankajbhakta95 106 Reputation points
    2021-04-29T20:20:09.587+00:00

    Hi @Andreas Baumgarten ,

    Really appreciate your help in taking the trouble to run my script in your test environment.

    No, I am not running the script directly on the DC.

    I am running it from my laptop that is connected to the domain.

    Thanks

    Pankaj

