We recently saw a surge of incidents in which many administrator accounts turned out to be expired, producing a flood of support tickets. Working through several cases with the affected users, we found the root cause: the Identity and Access Management (IAM) team had identified approximately 1,500 user accounts that had expired and, because of organisational changes, had renewed them. The corresponding privileged (_ADM) accounts carried the same expiration dates but were not renewed, so they expired on schedule while the regular accounts kept working.
In other words, the IAM team extended only the regular accounts and overlooked the privileged ones. The AD team was therefore asked to align the expiration dates of the 1,500 _ADM accounts with those of their owners' regular accounts. Rather than editing them one by one, we wrote a short script that reads the list of regular accounts, looks up each one's expiration date and applies it to the matching _ADM account. One caveat before running anything like this: copying the expiration blindly means an owner account with no expiration date would yield a non-expiring privileged account, which defeats the purpose of putting expiry on _ADM accounts in the first place, so that case should be handled explicitly rather than copied. It is also worth reading and writing against the same domain controller, so that any verification step sees the value just written rather than a stale replica.
$Server = "cwgvmadcpr014.ngco.com"          # read and write against the same DC to avoid replication lag
$listofusers = Get-Content C:\Temp\user.txt  # one regular account (SamAccountName or DN) per line
foreach ($usr in $listofusers) {
    # Resolve the regular account once; this gives both its SamAccountName and its expiry
    $user = Get-ADUser $usr -Server $Server -Properties AccountExpirationDate
    $date = $user.AccountExpirationDate
    $newName = $user.SamAccountName + "_Adm"  # the matching privileged account
    if (-not $date) {
        # Regular account never expires: do not silently make the privileged account non-expiring
        Write-Warning "$($user.SamAccountName) has no expiration date, skipping $newName"
        continue
    }
    Set-ADAccountExpiration -Identity $newName -DateTime $date -Server $Server
    #Get-ADUser $newName -Server $Server -Properties AccountExpirationDate | Select-Object Name,AccountExpirationDate
}
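The commented-out line above only checks the account just written. Before and after a bulk change like this it is more useful to have a report of every _ADM account whose expiration disagrees with its base account, including orphaned privileged accounts with no matching user at all. The function below is an added example written for this post, not part of the original script; it assumes the ActiveDirectory module, the "_Adm" suffix convention described above, and a domain controller name that you would replace with your own.

```powershell
# Added example: report privileged (_Adm) accounts whose expiration does not match
# their base account. Assumes the ActiveDirectory module is loaded and that privileged
# accounts are named <SamAccountName>_Adm; the -Server value is a placeholder.
function Get-AdmExpirationDrift {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [string] $Suffix = '_Adm'
    )

    # All privileged accounts, read from the same DC the sync script writes to
    $admAccounts = Get-ADUser -Server $Server -Filter "SamAccountName -like '*$Suffix'" `
        -Properties AccountExpirationDate

    foreach ($adm in $admAccounts) {
        # Strip the suffix to get the owner's regular account name
        $baseName = $adm.SamAccountName -replace "$([regex]::Escape($Suffix))$", ''
        $base = Get-ADUser -Server $Server -Filter "SamAccountName -eq '$baseName'" `
            -Properties AccountExpirationDate
        $baseExpires = if ($base) { $base.AccountExpirationDate } else { $null }

        if (-not $base) {
            $status = 'OrphanedAdm'          # privileged account with no matching user: review or disable
        } elseif ($adm.AccountExpirationDate -eq $baseExpires) {
            $status = 'InSync'               # both dates equal (or both never expire)
        } elseif (-not $baseExpires) {
            $status = 'BaseNeverExpires'     # do not copy this onto the privileged account blindly
        } elseif (-not $adm.AccountExpirationDate) {
            $status = 'AdmNeverExpires'      # privileged account would outlive its owner's account
        } else {
            $status = 'Mismatch'             # the case the sync script above is meant to fix
        }

        [pscustomobject]@{
            AdmAccount  = $adm.SamAccountName
            AdmExpires  = $adm.AccountExpirationDate
            BaseAccount = $baseName
            BaseExpires = $baseExpires
            Status      = $status
        }
    }
}

# Usage: run once before and once after the sync script and keep the CSVs as the change record
Get-AdmExpirationDrift -Server 'cwgvmadcpr014.ngco.com' |
    Where-Object Status -ne 'InSync' |
    Export-Csv C:\Temp\adm-expiry-drift.csv -NoTypeInformation
```

Anything still reported as Mismatch after the sync points at a line in user.txt that did not resolve, while BaseNeverExpires and OrphanedAdm are findings in their own right: the first is a privileged account that should get a deliberate expiry set, the second a privileged account with no owner to justify it.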