Introduction
There are scenarios where new AD accounts need to be members of certain groups only for a limited time, such as a group that grants access to a landing SharePoint page for new starters.
This script removes those accounts from the group once they are older than a set number of days, using the account creation date as the reference. Please follow the security recommendations below before running PowerShell scripts against production Active Directory servers.
Security Recommendations for AD Scripts
It is important to run PowerShell scripts against Active Directory safely. Here are some recommendations:
- Test first: run the script in a test environment before production.
- Least privilege: run the script with the minimum permissions it needs. Delegate only the right to change the membership of the target security group to the script account, and nothing else.
- Single server: only allow the script account to be used on one designated server and block it everywhere else.
- No interactive logon: do not allow interactive, remote desktop or other logon types for the script account outside that server.
- Code signing: sign the script with a code-signing certificate if possible, so that only the reviewed version can run.
- Understand the script: review all of the code before running it.
- Logging: enable auditing of the actions the script performs, so that any use outside its intended scope is visible.
- Secure storage: keep the script in a secure location accessible only to authorised personnel (IT).
- Off-peak scheduling: run the script during low-activity periods if possible.
- Backup and AD snapshot: make sure backups are current before making changes, including a snapshot of Active Directory.
- Keep scripts updated: regularly review and update scripts for environment changes and security fixes.
- Secure coding: do not embed credentials or other secrets in the code.
- Training: train staff on secure script execution practices.
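The following PowerShell is an added example, not code from the original page, showing one way to put the least-privilege, single-server, no-interactive-logon and code-signing recommendations into practice: the clean-up script runs as a group Managed Service Account (gMSA) whose password only the designated admin server can retrieve, and that account is granted write access to the member attribute of the one group the script manages and nothing else. The domain corp.example (NetBIOS CORP), the server ADM01, the gMSA name gMSA-GroupCleanup, the group DN, the task name and the script path are assumptions to replace with your own values. The GUID bf9679c0-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID of the member attribute in the AD schema.

```powershell
# Added example (not from the original page): least-privilege setup for the clean-up script.
# Assumed values, replace with your own: domain corp.example (NetBIOS CORP), admin server ADM01,
# gMSA name gMSA-GroupCleanup, the target group's DN and the script path on ADM01.
Import-Module ActiveDirectory

$domainDns     = 'corp.example'
$domainNetbios = 'CORP'
$serverName    = 'ADM01'
$gmsaName      = 'gMSA-GroupCleanup'
$groupDN       = 'CN=NewStarters-Landing,OU=Groups,DC=corp,DC=example'   # assumed group DN
$scriptPath    = 'C:\Scripts\Remove-StaleGroupMembers.ps1'               # assumed script path

# --- Steps 1 and 2 run from an account allowed to create service accounts and edit the group's ACL ---

# 1. Create a gMSA whose password only the admin server can retrieve. A gMSA cannot log on
#    interactively and its password is never typed or stored, so there is nothing to put in the script.
#    (The forest needs a KDS root key first; check with Get-KdsRootKey.)
$server = Get-ADComputer -Identity $serverName
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$domainDns" `
    -PrincipalsAllowedToRetrieveManagedPassword $server `
    -Enabled $true

# 2. Delegate only read/write of the 'member' attribute on the one group the script manages.
#    bf9679c0-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID of the 'member' attribute, so the
#    ACE is scoped to that attribute rather than to the whole group object.
$gmsa       = Get-ADServiceAccount -Identity $gmsaName
$gmsaSid    = [System.Security.Principal.SecurityIdentifier]$gmsa.SID
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$groupPath  = "AD:\$groupDN"          # the AD: drive is provided by the ActiveDirectory module

$acl  = Get-Acl -Path $groupPath
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $gmsaSid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path $groupPath -AclObject $acl

# Check: the only ACE for the gMSA on the group should be the attribute-scoped one just added
Get-Acl -Path $groupPath |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*\$gmsaName`$" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType

# --- Steps 3 and 4 run on ADM01 itself ---

# 3. Install the gMSA on the designated server and verify the host can retrieve its password.
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) { throw "$gmsaName is not usable on this host" }

# 4. Sign the script and schedule it to run as the gMSA under AllSigned, so an edited,
#    unsigned copy will not run. Assumes a code-signing certificate in the current user's store.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert | Out-Null

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy AllSigned -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At 2am
$principal = New-ScheduledTaskPrincipal -UserId "$domainNetbios\$gmsaName`$" `
    -LogonType Password -RunLevel Limited
Register-ScheduledTask -TaskName 'AD-GroupCleanup' -Action $action -Trigger $trigger -Principal $principal
```

Two caveats: write access to the member attribute lets the account add members to that group as well as remove them, so the gMSA is still a sensitive principal and its use should be audited; and the ACE is placed directly on the group object, so if the group is moved or recreated the delegation has to be applied again.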
Benefits
Security: automatically managing group memberships improves security by ensuring that only users who still need access to the resources behind the group keep it.
Compliance: many regulatory frameworks require that access to information is controlled and that only the necessary personnel have access to certain data. This script helps meet that requirement for the group it manages.
Operational Efficiency: reduces the manual workload of IT administrators by automating the removal of users from groups based on account age, freeing IT staff for more strategic tasks.
Access Control: timely management of group memberships ensures that users have access to the resources they need when they need them, and only for as long as they need them. This dynamic access control supports both operational efficiency and security.
Audit Readiness: a clear, automated process for managing access based on objective criteria (such as account age) leaves an organisation better prepared for audits, because it is simple to demonstrate that the access controls are both effective and consistently applied.
Script Code
This example removes users from a security group once their account is more than 15 days old. Set $groupDN to the distinguished name of your security group before running it. Note that the age is measured from the account's creation date (the Created attribute), not from the date the user was added to the group.
# Import the Active Directory module
Import-Module ActiveDirectory
# Distinguished name of the security group to clean up (replace with your group's DN)
$groupDN = "Insert your Group DN"
# Accounts older than this many days are removed from the group
$maxAgeDays = 15
# Calculate the cut-off date: accounts created before this date are removed
$targetDate = (Get-Date).AddDays(-$maxAgeDays)
# Retrieve the direct members of the security group and keep only user objects.
# Querying the group's members is cheaper than enumerating every user in the domain,
# and nested groups or computer objects are left alone.
$groupMembers = Get-ADGroupMember -Identity $groupDN |
    Where-Object { $_.objectClass -eq 'user' }
# Get-ADGroupMember does not return the creation date, so look each member up with the
# Created property and keep the accounts created before the cut-off date
$filteredUsers = foreach ($member in $groupMembers) {
    Get-ADUser -Identity $member.DistinguishedName -Properties Created |
        Where-Object { $_.Created -lt $targetDate }
}
# Remove every member whose account was created more than 15 days ago.
# Add -WhatIf to Remove-ADGroupMember to preview the removals without changing the group.
foreach ($user in $filteredUsers) {
    Remove-ADGroupMember -Identity $groupDN -Members $user -Confirm:$false
    Write-Host "User $($user.SamAccountName) removed from $groupDN (account created $($user.Created))."
}

