Background
(1) Domain GPO does NOT grant Log on as batch to Domain admins
(2) Domain GPO requires AD accounts be disabled after 35 days of non-use.
I want to use Task Scheduler to run a PowerShell script every night looking for accounts over 35 days old.
I created a PowerShell script (called DisableAD.ps1) that works. I also created a service account with domain admin rights for Task Scheduler to use.
Issue
Task Scheduler job fails because the service account has domain admin rights.
If I change the service account to non-domain admin rights, the job runs but the accounts don’t get disabled.
Question
I’m looking for a way to fool the system. Can I run a Task Scheduler job that calls DisableAD.ps1 and have it use my domain credentials to disable AD accounts?
Is this the best way to go? If yes, what would the call file look like? Would the call file have my domain credentials or would DisableAD.ps1 have it?
Please advise,
Dave
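Added example, not the poster's DisableAD.ps1: the stale-account check plus the task registration under a least-privilege principal instead of a domain admin account (the batch-logon GPO then no longer applies, and no domain credentials need to live in the task or the script). The account name CONTOSO\gmsa-disablead$, the OU, and the file paths are placeholders; the example assumes that account has been delegated the right to disable users in that OU and has been granted "Log on as a batch job".

```powershell
# Part 1: contents of the nightly script (placeholder path C:\Scripts\DisableAD.ps1).
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$Threshold  = New-TimeSpan -Days 35
$SearchBase = 'OU=Staff,DC=contoso,DC=com'   # placeholder OU, scope the task narrowly
$LogPath    = 'C:\Scripts\DisableAD.log'     # placeholder log path

# Search-ADAccount evaluates lastLogonTimestamp, which replicates only every ~14 days,
# so the 35-day window comfortably exceeds the staleness of that attribute.
$Stale = Search-ADAccount -AccountInactive -TimeSpan $Threshold -UsersOnly -SearchBase $SearchBase |
         Where-Object { $_.Enabled }

foreach ($u in $Stale) {
    # Add -WhatIf on the first run to review the candidate list before disabling anything.
    Disable-ADAccount -Identity $u.DistinguishedName
    "$(Get-Date -Format s) disabled $($u.SamAccountName) lastLogon=$($u.LastLogonDate)" |
        Add-Content -Path $LogPath
}

# Part 2: one-time registration, run interactively by an administrator.
# The task runs as a group managed service account (gMSA, placeholder name); with
# -LogonType Password the scheduler retrieves the gMSA password from AD itself, so no
# password is typed into the task and no credential is embedded in DisableAD.ps1.
function Register-DisableAdTask {
    $Action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument '-NoProfile -File C:\Scripts\DisableAD.ps1'
    $Trigger   = New-ScheduledTaskTrigger -Daily -At 02:00
    $Principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\gmsa-disablead$' `
                   -LogonType Password -RunLevel Limited
    Register-ScheduledTask -TaskName 'Disable stale AD accounts' `
        -Action $Action -Trigger $Trigger -Principal $Principal
}
```

The delegated account only needs write access to userAccountControl on the target OU, which can be confirmed with a test run under that account before the task is scheduled.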