Thursday, 14 May 2026

Disable the Accounts and Move Them to the UnSync OU

$users = Get-Content C:\Temp\kumar\admaccount1.txt
$targetou = "OU=Unmanaged Users,DC=Test,DC=com"

foreach ($usr in $users) {
    # Resolve the account first; an unknown name yields $null and is skipped
    $userdn = Get-ADUser $usr -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName

    if ($userdn) {
        # Disable, then move into the OU that is excluded from sync
        Disable-ADAccount -Identity $userdn
        Move-ADObject -Identity $userdn -TargetPath $targetou
    }
    else {
        Write-Warning "Account not found, skipped: $usr"
    }
}

Adding Guest Accounts into Azure AD Groups

 We manage several enterprise Azure AD applications that grant access to both internal users and external guest accounts. Frequently, we receive bulk requests to add guest accounts into Azure AD groups. To streamline this process and reduce manual effort, we developed a script that automates the addition of guest accounts to the required groups.




#[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

# Connect to Azure AD
#Connect-AzureAD

# Import the guest mail addresses, one per line
$Users = Get-Content "C:\temp\kumar\users.txt"

# Specify the group (object id of the target group)
$Group = Get-AzureADGroup -ObjectId abcdef-xyx-123

# Add each user to the group
foreach ($User in $Users) {
    $userObjectId = (Get-AzureADUser -Filter "Mail eq '$User'").ObjectId

    if ($null -ne $userObjectId) {
        try {
            # Stop on error so a failed add is reported rather than silently skipped
            Add-AzureADGroupMember -ObjectId $Group.ObjectId -RefObjectId $userObjectId -ErrorAction Stop
            Write-Host "WIP $User"
        }
        catch {
            # Already a member, or insufficient rights on the group, lands here
            Write-Warning "Failed to add $User : $($_.Exception.Message)"
        }
    }
    else {
        Write-Warning "No account found with mail $User"
    }
}

#$userObjectId = (Get-AzureADUser -Filter "Mail eq 'abc@xyz.com'").ObjectID
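The same bulk add written against the Microsoft Graph PowerShell SDK instead of the deprecated AzureAD module, as an added example that is not the post's own script. It refuses to add an account whose userType is not Guest (a member account can share a mail address with a request), keeps every failure in the report, and reads the membership back at the end. The group id, input path and the New-Row helper are placeholders of mine.

```powershell
# Added example (not from the original post): bulk-add guests via the Microsoft Graph SDK.
# Assumes Connect-MgGraph already ran with Group.ReadWrite.All and User.Read.All scopes.
# $GroupId and the input path are placeholders.
$GroupId   = "00000000-0000-0000-0000-000000000000"
$Requested = Get-Content "C:\temp\guests.txt" | Where-Object { $_.Trim() }

function New-Row($Mail, $Result, $Acct) {
    [PSCustomObject]@{ Mail = $Mail; Result = $Result; Id = $Acct.Id; Upn = $Acct.UserPrincipalName }
}

$Report = foreach ($Mail in $Requested) {
    # Double the single quote so an address such as o'neil@example.com cannot break the OData filter
    $safeMail = $Mail.Trim().Replace("'", "''")
    $acct = @(Get-MgUser -Filter "mail eq '$safeMail'" -Property Id,Mail,UserType,UserPrincipalName)

    if ($acct.Count -eq 0) { New-Row $Mail 'NotFound' $null; continue }
    if ($acct.Count -gt 1) { New-Row $Mail 'Ambiguous' $null; continue }
    # Only external guests belong in this flow; a member sharing the mail address is skipped
    if ($acct[0].UserType -ne 'Guest') { New-Row $Mail 'SkippedNotGuest' $acct[0]; continue }

    try {
        New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $acct[0].Id -ErrorAction Stop
        New-Row $Mail 'Added' $acct[0]
    }
    catch {
        # Do not hide failures; 'already a member' and permission errors land here
        New-Row $Mail "Failed: $($_.Exception.Message)" $acct[0]
    }
}

# Read the membership back so the report reflects the directory, not just the calls made
$MemberIds = (Get-MgGroupMember -GroupId $GroupId -All).Id
foreach ($row in $Report) {
    if ($row.Result -eq 'Added' -and $row.Id -notin $MemberIds) { $row.Result = 'AddedButNotVisible' }
}
$Report | Export-Csv "C:\temp\guest_add_report.csv" -NoTypeInformation
```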

Custom Password Generator

The script below generates passwords randomly, so you can create a password yourself instead of using a public website.


# Object whose Password property yields a fresh value each time it is read
$Password = New-Object -TypeName PSObject

# Shuffles the character set with Get-Random and takes the first 16 characters.
# Note: Get-Random is not a cryptographic generator, and because the set is shuffled
# rather than sampled, no character (apart from the digits listed twice) can repeat.
$Password | Add-Member -MemberType ScriptProperty -Name "Password" -Value { ("123456789!@#$%&0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz".ToCharArray() | Sort-Object {Get-Random})[0..15] -join '' }

$Password #| Out-GridView
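A generator backed by the operating system's cryptographic random source, added here as an example (not the post's own code): each position is drawn independently with rejection sampling, so characters may repeat and no character is favoured. The function names and the entropy helper are mine; the alphabet mirrors the one above with the duplicate digits removed.

```powershell
# Added example (not from the original post): password generator backed by the OS CSPRNG.
function New-SecurePassword {
    param(
        [int]$Length = 16,
        [string]$Alphabet = '0123456789!@#$%&ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz'
    )
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = $Alphabet.ToCharArray()
    $n     = $chars.Length
    # Largest multiple of $n that fits in a byte; bytes at or above it are discarded
    # so that (byte % n) is uniform instead of favouring the first few characters.
    $limit = 256 - (256 % $n)
    $out   = New-Object char[] $Length
    $buf   = New-Object byte[] 1
    $i = 0
    while ($i -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            $out[$i] = $chars[$buf[0] % $n]
            $i++
        }
    }
    $rng.Dispose()
    -join $out
}

# Entropy of a password drawn this way: Length * log2(|Alphabet|) bits
function Get-PasswordEntropyBits([int]$Length, [int]$AlphabetSize) {
    [math]::Round($Length * [math]::Log($AlphabetSize, 2), 1)
}

New-SecurePassword -Length 16
Get-PasswordEntropyBits -Length 16 -AlphabetSize 69
```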

Suspicious Active Directory Account Disable

 Recently, our security team detected suspicious activity involving approximately 200 accounts. They immediately engaged me to disable these accounts and requested that comments be added during the disable process to ensure the service desk team does not inadvertently re-enable them. To meet this requirement, we developed a lightweight script that automated the account disable action while inserting the necessary comments for tracking and control.


$listofuser = Get-Content C:\Temp\user.txt

# The comment must be set; with it commented out, Set-ADUser -Description $Comment clears the field
$Comment = "Account disabled on 05-Dec-2025 by Admin IncNumber"

foreach ($usr in $listofuser) {

    # Look the account up once by UPN
    $acct = Get-ADUser -Filter {UserPrincipalName -eq $usr}

    if (-not $acct) {
        Write-Warning "No account with UPN $usr"
        continue
    }

    # Disable the account
    $acct | Disable-ADAccount

    # Update the description field so the service desk sees why it was disabled
    $acct | Set-ADUser -Description $Comment

    # Get-ADUser -Filter {UserPrincipalName -eq $usr} -Properties Description | Select-Object Name,UserPrincipalName,Enabled,Description | Export-Csv C:\Temp\report.csv -NoTypeInformation -Encoding UTF8 -Append

    # Write-Host "Account Disabled for the user $usr | $comment" -ForegroundColor Green
}


Privileged Account MFA Method Report

 Our security team requested an assessment to identify privileged accounts and verify their MFA status. To address this requirement, we began developing a script that retrieves all _ADM accounts along with the details of their configured MFA methods.



# [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

#Connect-MgGraph -Scopes "Directory.Read.All","UserAuthenticationMethod.Read.All"

$searchBase = "OU=Privileged,OU=Managed Users,DC=TEST,DC=com"

$listofusers = Get-ADUser -SearchBase $searchBase -Filter {samaccountname -like "*_adm"} |
    Select-Object -ExpandProperty UserPrincipalName

# Collect one row per privileged account, then export once at the end
$results = foreach ($usr in $listofusers) {

    $mgUser = Get-MgUser -UserId $usr -ErrorAction SilentlyContinue
    if (-not $mgUser) { Write-Warning "Not found in Azure AD: $usr"; continue }

    $methods = Get-MgUserAuthenticationMethod -UserId $mgUser.Id

    # Method type names, e.g. "#microsoft.graph.passwordAuthenticationMethod"
    $types = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }

    [PSCustomObject]@{
        DisplayName       = $mgUser.DisplayName
        UserPrincipalName = $mgUser.UserPrincipalName
        # A password is always registered; MFA means at least one other method is present
        MFAEnabled        = @($types | Where-Object { $_ -notlike "*passwordAuthenticationMethod" }).Count -gt 0
        AuthenticatorApp  = @($types | Where-Object { $_ -like "*microsoftAuthenticatorAuthenticationMethod*" }).Count -gt 0
        Methods           = ($types -replace '^#microsoft\.graph\.', '') -join ';'
    }
}

# Export to CSV
$results | Export-Csv -Path "C:\Temp\kumar\MFAStatus.csv" -NoTypeInformation
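An added example (not from the original post) that classifies the methods the report above retrieves: it ranks each account's strongest registered method so password-only and phone-only privileged accounts stand out. The strength mapping and the two sample method lists are constructed; the `@odata.type` values are the Graph authentication method type names.

```powershell
# Added example (not from the original post): rank each privileged account by its strongest
# registered method. Input is the list of '@odata.type' values from Get-MgUserAuthenticationMethod.
$MethodStrength = @{
    'fido2AuthenticationMethod'                    = 'Phishing-resistant'
    'windowsHelloForBusinessAuthenticationMethod'  = 'Phishing-resistant'
    'microsoftAuthenticatorAuthenticationMethod'   = 'App'
    'softwareOathAuthenticationMethod'             = 'App'
    'temporaryAccessPassAuthenticationMethod'      = 'Temporary'
    'phoneAuthenticationMethod'                    = 'Phone'      # SMS / voice call
    'emailAuthenticationMethod'                    = 'SSPR-only'  # password reset only, not sign-in MFA
    'passwordAuthenticationMethod'                 = 'Password'
}
# Order used to pick the strongest class an account has registered
$Rank = 'Phishing-resistant','App','Temporary','Phone','SSPR-only','Password'

function Get-MfaPosture {
    param([string[]]$OdataTypes)
    $classes = foreach ($t in $OdataTypes) {
        $short = $t -replace '^#microsoft\.graph\.', ''
        if ($MethodStrength.ContainsKey($short)) { $MethodStrength[$short] } else { "Unknown:$short" }
    }
    $best = $Rank | Where-Object { $_ -in $classes } | Select-Object -First 1
    [PSCustomObject]@{
        Strongest    = if ($best) { $best } else { 'None' }
        HasMfa       = @($classes | Where-Object { $_ -in 'Phishing-resistant','App','Temporary','Phone' }).Count -gt 0
        PhoneOnlyMfa = ($best -eq 'Phone')
        Methods      = ($classes | Sort-Object -Unique) -join ';'
    }
}

# Constructed sample of what Get-MgUserAuthenticationMethod returns for two accounts
$Sample = @{
    'alice_adm@test.com' = '#microsoft.graph.passwordAuthenticationMethod',
                           '#microsoft.graph.fido2AuthenticationMethod'
    'bob_adm@test.com'   = '#microsoft.graph.passwordAuthenticationMethod',
                           '#microsoft.graph.phoneAuthenticationMethod'
}
foreach ($upn in $Sample.Keys) {
    Get-MfaPosture -OdataTypes $Sample[$upn] |
        Add-Member -NotePropertyName UserPrincipalName -NotePropertyValue $upn -PassThru
}
```

In the live report, feed `Get-MfaPosture` the `$types` list collected for each `_adm` account and export the posture columns alongside the display name.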


Active Directory: Match the Privileged Account Expiration to the Regular User Account

 We recently encountered a surge of incidents where numerous administrator accounts were found to be expired, leading to a flood of support tickets. Upon investigation with several users, we discovered that the Identity Access Management (IAM) team had identified approximately 1,500 user accounts that had expired and subsequently renewed them due to organizational changes. However, this renewal process inadvertently caused the associated _ADM accounts to also expire.


Unfortunately, when the IAM team extended the user accounts, they only updated the regular accounts and overlooked the privileged (_ADM) accounts. As a result, the AD team was later requested to align the expiration dates of the 1,500 user accounts with their corresponding _ADM accounts. To resolve this, we developed a script that synchronized and updated the expiration dates of the privileged accounts to match those of the regular accounts.

$listofusers = Get-Content C:\Temp\user.txt

foreach ($usr in $listofusers) {

    # Read the regular account's expiry and build the matching _Adm account name
    $regular = Get-ADUser $usr -Properties AccountExpirationDate -Server test.com
    $date    = $regular.AccountExpirationDate
    $newName = $regular.SamAccountName + "_Adm"

    if ($null -eq $date) {
        # The regular account never expires; do not silently remove the expiry from the privileged one
        Write-Warning "$usr has no expiration date, $newName left unchanged"
        continue
    }

    Get-ADUser -Identity $newName -Server test.com | Set-ADAccountExpiration -DateTime $date -Server test.com

    #Get-ADUser $newName -Properties AccountExpirationDate | Select-Object Name,AccountExpirationDate
}
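A report-only drift check to run before the update above, added as an example that is not the post's own code: it walks the _Adm accounts in the privileged OU, pairs each with its regular account by stripping the suffix, and flags expired, mismatched and orphaned privileged accounts without changing anything. The function name is mine; the OU, server and suffix follow the post.

```powershell
# Added example (not from the original post): drift report between regular and "_Adm" accounts.
function Get-AdmExpirationDrift {
    param(
        [string]$SearchBase = "OU=Privileged,OU=Managed Users,DC=TEST,DC=com",
        [string]$Server     = "test.com",
        [string]$Suffix     = "_Adm"
    )
    $props = 'AccountExpirationDate','Enabled'
    Get-ADUser -SearchBase $SearchBase -Filter "SamAccountName -like '*$Suffix'" -Properties $props -Server $Server |
        ForEach-Object {
            $adm     = $_
            # Strip the suffix to find the regular account the privileged one belongs to
            $regName = $adm.SamAccountName.Substring(0, $adm.SamAccountName.Length - $Suffix.Length)
            $reg     = Get-ADUser -Filter "SamAccountName -eq '$regName'" -Properties $props -Server $Server

            $state = if (-not $reg) { 'OrphanedAdm' }
                     elseif ($adm.AccountExpirationDate -eq $reg.AccountExpirationDate) { 'InSync' }
                     elseif ($null -eq $reg.AccountExpirationDate) { 'RegularNeverExpires' }
                     elseif ($null -eq $adm.AccountExpirationDate) { 'AdmNeverExpires' }
                     elseif ($adm.AccountExpirationDate -lt (Get-Date)) { 'AdmExpired' }
                     else { 'Mismatch' }

            [PSCustomObject]@{
                Regular        = $regName
                RegularExpires = $reg.AccountExpirationDate
                Adm            = $adm.SamAccountName
                AdmExpires     = $adm.AccountExpirationDate
                AdmEnabled     = $adm.Enabled
                State          = $state
            }
        }
}

# Only rows that need attention; nothing is changed by this report
Get-AdmExpirationDrift | Where-Object State -ne 'InSync' |
    Sort-Object State | Export-Csv C:\Temp\adm_expiry_drift.csv -NoTypeInformation
```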


Wednesday, 13 May 2026

Last Login Report both On Prem and Azure

We often receive requests for a last login report covering both on-prem AD and Azure AD sign-ins, so we built this script to collect it.
Sharing a tiny script that makes life a little easier :)
# Verify your machine has the proper firewall rules in place.
# Test-NetConnection login.microsoftonline.com -Port 443
# Test-NetConnection autologon.microsoftazuread-sso.com -Port 443

# Enable the TLS 1.2 protocol
# [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Verify the Microsoft sign-in site is reachable
# Invoke-WebRequest -Uri "https://login.microsoftonline.com" -UseBasicParsing

# This report needs some Microsoft Graph commands, hence we install the module.
# Install-Module Microsoft.Graph -Scope AllUsers -Force
# Install-Module Microsoft.Graph -Scope AllUsers -Force -AllowClobber

# Connect to Microsoft Graph with your Azure AD credentials.
# SignInActivity is only returned when the connection also holds AuditLog.Read.All.
# Connect-MgGraph -Scopes "User.Read.All","Directory.Read.All","AuditLog.Read.All"

# Credential used for the on-prem domain controller query below
$Cred = Get-Credential

$listofusers = Get-Content C:\temp\kumar\azuread1.txt

$Properties = @("Id","DisplayName","UserPrincipalName","SignInActivity")

foreach ($usr in $listofusers) {
    #$Users = Get-MgUser -All -Property $Properties | Select-Object -First 100

    # On-prem: LastLogonDate is the replicated lastLogonTimestamp, accurate only to about 14 days
    $Users1 = Get-ADUser -Filter {UserPrincipalName -eq $usr} -Properties LastLogonDate -Server Server1.test.com -Credential $Cred |
        Select-Object SamAccountName,LastLogonDate

    # Cloud: last sign-in from the signInActivity resource
    $Users = Get-MgUser -Filter "userPrincipalName eq '$usr'" -Property $Properties

    # Show the cloud row on screen
    $Users | Select-Object DisplayName, UserPrincipalName, @{Name="LastLoginDate";Expression={$_.SignInActivity.LastSignInDateTime}}

    # Merge into one object
    $Combined = [PSCustomObject]@{
        AzureDisplayName       = $Users.DisplayName
        AzureUserPrincipalName = $Users.UserPrincipalName
        AzureLastLoginDate     = $Users.SignInActivity.LastSignInDateTime
        OnPremSamAccountName   = $Users1.SamAccountName
        OnPremLastLogonDate    = $Users1.LastLogonDate
    }

    # Output or export
    $Combined | Export-Csv "AzureAD_LastLogin.csv" -NoTypeInformation -Append
}