Disable AD Accounts Using Task Scheduler

Background
(1) Domain GPO does NOT grant Log on as batch to Domain admins
(2) Domain GPO requires AD accounts be disabled after 35 days of non-use.

I want to use Task Scheduler to run a PowerShell script every night looking for accounts over 35 days old.

I created a PowerShell script (called DisableAD.ps1) that works. I also created a service account with domain admin rights for Task Scheduler to use.

Issue
Task Scheduler job fails because the service account has domain admin rights.
If I change the service account to non-domain admin rights, the job runs but the accounts don’t get disabled.

Question
I’m looking for a way to fool the system. Can I run a Task Scheduler job that calls DisableAD.ps1 and have it use my domain credentials to disable AD accounts?

Is this the best way to go? If yes, what would the call file look like? Would the call file have my domain credentials or would DisableAD.ps1 have it?

Please Advise,
Dave

Not sure how hip anyone on this forum is to discuss “fooling” the security put in place by Microsoft. Why not do it the correct way and create a service account that is NOT a DA, then delegate the appropriate permissions to it?


I think you can use Delegate Control in a specific OU.
Keep the service account but do not give it domain admin rights. Only give it the disable/enable accounts right (or more, if you want to do more) through Delegate Control.
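The delegation the replies describe, as an added example that is not code from the thread: it grants a non-DA service account only the right to write userAccountControl (the attribute Disable-ADAccount changes) on user objects under one OU, then shows the nightly job body scoped to that OU. The OU DN and account name are placeholders; the script needs the ActiveDirectory module and must be run once by an account that can edit the OU's ACL.

```powershell
# Added example, not part of the original thread. Placeholders below are assumptions.
Import-Module ActiveDirectory

$ouDn       = 'OU=Staff,DC=corp,DC=example'   # placeholder: OU holding the user accounts
$svcAccount = 'CORP\svc-disablead'            # placeholder: non-domain-admin service account

# Resolve the schema GUIDs from the directory instead of hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$uacGuid  = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=userAccountControl)' -Properties schemaIDGUID).schemaIDGUID
$userGuid = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

# One ACE: Allow WriteProperty on userAccountControl, inherited by user objects below the OU.
$identity = New-Object System.Security.Principal.NTAccount($svcAccount)
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $uacGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid
)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify the delegation landed (should list exactly the ACE added above).
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -eq $svcAccount } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType

# Nightly job body (what DisableAD.ps1 can reduce to): disable enabled user
# accounts with no logon in 35 days, limited to the delegated OU. Run under
# $svcAccount from Task Scheduler; no domain admin membership is needed.
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 35) -UsersOnly -SearchBase $ouDn |
    Where-Object { $_.Enabled } |
    Disable-ADAccount
```

The scheduled task still needs the service account to hold "Log on as a batch job" on the host that runs it, which is the right the question's GPO withholds from Domain Admins, so keep the account out of that group and grant the batch logon right to it directly.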