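function Disable-ActiveDirectoryAccount {
    <#
    .SYNOPSIS
        Disables a user, MSA, or gMSA account

    .DESCRIPTION
        Disables a user, MSA, or gMSA account. The caller must pass
        Test-IsUserDomainAdmin; otherwise a warning is written and nothing is
        changed. An account whose Enabled property is $false is left alone, and
        an account whose Enabled property is not populated is reported rather
        than silently treated as already disabled.

    .PARAMETER Account
        [Microsoft.ActiveDirectory.Management.ADAccount] An ADAccount base object.
        The function reads its Name, Enabled and DistinguishedName properties, so
        pass a populated object (for example one returned by Get-ADUser or
        Get-ADServiceAccount).

    .EXAMPLE
        Disable-ActiveDirectoryAccount -Account (Get-ADUser -Identity "fake.serviceaccount")
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [Microsoft.ActiveDirectory.Management.ADAccount]$Account
    )

    $logLead = Get-LogLeadName

    # Refuse to act without domain admin rights; warn instead of failing later.
    if (!(Test-IsUserDomainAdmin)) {
        Write-Warning "$logLead : You must have domain administrative privileges to run this command"
        # Was `$nulls`, an undefined variable that throws under Set-StrictMode.
        return $null
    }

    $accountName = $Account.Name

    # An unpopulated Enabled property used to fall through to "already disabled",
    # which hid the fact that nothing was checked or changed.
    if ($null -eq $Account.Enabled) {
        Write-Warning "$logLead : Enabled state of account [$accountName] is unknown; no change made. Pass a populated account object."
        return
    }

    if ($true -eq $Account.Enabled) {
        Write-Host "$logLead : Disabling account [$accountName]"

        # NOTE(review): the account type is inferred from the text of the DN.
        # An MSA/gMSA stored outside a "Managed Service Accounts" container, or a
        # user under a container whose name contains that text, would be sent to
        # the wrong cmdlet. Consider checking $Account.ObjectClass instead.
        if ($Account.DistinguishedName -match "Managed Service Accounts") {
            Write-Verbose "$logLead : MSA/gMSA detected"
            Set-ADServiceAccount -Identity $Account.DistinguishedName -Enabled:$false
        } else {
            Write-Verbose "$logLead : Standard account detected"
            Set-ADUser -Identity $Account.DistinguishedName -Enabled:$false
        }
    } else {
        Write-Warning "$logLead : Account [$accountName] already disabled."
    }
}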