question

Pankajbhakta95-5136 asked AndreasBaumgarten answered

Why does it take a long time for a PowerShell script to take effect on AD

Hi,

I am using the script below to read the names of users from a .csv file and disable users from AD.

The script works alright but most of the time it takes 5 minutes or even more to take effect and disable the users.

Is this normal, or is there a better way to run the script?

I am running the script from PowerShell ISE on my laptop that is logged in to the domain.

Thanks

Pankaj
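
Import-Module ActiveDirectory

# Read the accounts to disable; the CSV needs a "name" column
$userlist = Import-Csv C:\ADUSERS\DisableUsers.csv

ForEach ($user in $userlist)
{
    # Disable the account identified by the value in the "name" column
    Disable-ADAccount -Identity $($user.name)
    Write-Host "user $($user.name) has been disabled"
}
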
windows-server-powershell

AndreasBaumgarten answered

Hi @Pankajbhakta95-5136 ,

if the script runs fast and without any error ... but the AD User & Computer Console shows the disabled users only after a delay of a few minutes, it might be that your script is using one DC and the AD User & Computer Console is connected to a different DC. This would explain why you see the result with a delay in the console -> The DCs have to replicate the changes first.

You can try to set the DC in the script with this line:

 $PSDefaultParameterValues = @{"*-AD*:Server"="YOUR_DC-COMPUTERNAME"}

And you should select the same DC in the AD User & Computer console as well.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten
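
The same-DC check described in this answer, as an added example that is not part of the original reply: every AD cmdlet call is pinned to one domain controller with -Server, and the Enabled flag is then read back from that DC and from each of the others to show where replication has caught up. Using the PDC emulator as the target is an assumption; the CSV path and the name column come from the question.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# a CSV with a 'name' column, as in the question.
Import-Module ActiveDirectory

# Pin every step to one DC. The PDC emulator is an assumption; any reachable
# writable DC works, as long as all steps use the same one.
$dc = (Get-ADDomain).PDCEmulator
$userlist = Import-Csv -Path 'C:\ADUSERS\DisableUsers.csv'

foreach ($user in $userlist) {
    try {
        Disable-ADAccount -Identity $user.name -Server $dc -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not disable $($user.name) on ${dc}: $($_.Exception.Message)"
        continue
    }

    # Read back from the DC that took the write; no replication is involved here.
    $onWriter = Get-ADUser -Identity $user.name -Server $dc
    Write-Host "$($user.name) on ${dc}: Enabled=$($onWriter.Enabled)"

    # Read the same flag from every other DC to see which ones have replicated.
    foreach ($other in Get-ADDomainController -Filter * | Where-Object HostName -ne $dc) {
        try {
            $copy = Get-ADUser -Identity $user.name -Server $other.HostName -ErrorAction Stop
            Write-Host "  $($other.HostName) (site $($other.Site)): Enabled=$($copy.Enabled)"
        }
        catch {
            Write-Warning "  $($other.HostName): query failed: $($_.Exception.Message)"
        }
    }
}
```

A DC that still reports Enabled=True after the write has not yet received the change, which is the delay a console connected to that DC would show.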





Pankajbhakta95-5136 answered

Hi @AndreasBaumgarten,
I have just now tested the script running from my laptop.

The script ran fine but it did not disable the users yet.

I have not waited for 10 minutes before replying to you.

So, both my script and your latest script run fine without error, but it takes a very long time before it takes effect on the DC and disables the users.

Unfortunately, I do not have a test environment.

Since the script is quite basic, I guess I shall have to make time with our colleagues and test it on a live DC later.

If you have any other suggestion kindly let me know.

Thanks for your help.

Pankaj


Pankajbhakta95-5136 answered AndreasBaumgarten commented

Hi @AndreasBaumgarten,

Really appreciate your help in taking the trouble to run my script in your test environment.

No, I am not running the script directly on the DC.

I am running it from my laptop that is connected to the domain.


Thanks

Pankaj


Hi @Pankajbhakta95-5136 ,

did you test the latest script I posted? It should work if your csv file contains the username in the name columns.

I haven't tested the script from a different computer. Just on the DC and it runs just a second or so.
Maybe you can give the script a try on a DC as well?



Regards
Andreas Baumgarten



AndreasBaumgarten answered

Hi @Pankajbhakta95-5136 ,

I just tested this script on a DC in my test environment:

 Import-Module ActiveDirectory

 $userlist = Import-CSV C:\ADUSERS\DisableUsers.csv

 ForEach ($user in $userlist)
 {
     Get-ADUser -Identity $user.name | Disable-ADAccount
     # $($user.name) is needed inside the string; "$user.name" would expand $user and append ".name"
     Write-Host "user $($user.name) has been disabled"
 }


I only have <100 user objects in my domain but it should not matter that much if you have about 1300 users. The script runs, disabling the user accounts within a second.

Are you running the script on a DC or a remote computer?



Regards
Andreas Baumgarten


Pankajbhakta95-5136 answered

@AndreasBaumgarten
Thanks for your suggestion.


The total number of users in the AD will be approximately 1300.
There are approximately 15 locations on our domain and 20 Domain Controllers.

Our OU Structure is as given below.

a) Each location has a separate OU.
b) Under each location there are Computers OU, Groups OU & Users OU.

I have created two test users as follows.
Location OU > LocalUsers OU > GPO_Test OU > Test.User1 & Test.User2


I have only these two test users in the list in the DisableUsers.csv file and am using the script mentioned earlier to disable these two users.
It is working fine except it takes a long time to disable the users.


Do you think the query will take faster effect if I limit my search by adding the line as you have suggested?

( Get-ADUser -Identity $($user.name) -SearchBase "OU=UserAccounts,DC=YOURDOMAIN,DC=LOCAL" | Disable-ADAccount )

In that case the new script will look as shown below.




Import-Module ActiveDirectory

$userlist = Import-Csv C:\ADUSERS\DisableUsers.csv

ForEach ($user in $userlist)
{
    Get-ADUser -Identity $($user.name) -SearchBase "OU=GPO_Test,OU=LocalUsers,OU=Location,DC=OurDomain,DC=local" | Disable-ADAccount

    Write-Host "user $($user.name) has been disabled"
}




After running the script I am getting the following error.

Get-ADUser : Parameter set cannot be resolved using the specified named parameters.
At line:12 char:6
+ Get-ADUser -Identity $($user.name) -SearchBase "OU=GPO_Test,OU=L ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADUser], ParameterBindingException
+ FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.ActiveDirectory.Management.Commands.GetADUser


My line 12 is given below.
Get-ADUser -Identity $($user.name) -SearchBase "OU=GPO_Test,OU=LocalUsers,OU=Location,DC=OurDomain,DC=local" | Disable-ADAccount



Kindly suggest if I am missing anything else.

Thanks

Pankaj
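
The error above arises because -Identity and -SearchBase belong to different parameter sets of Get-ADUser; -SearchBase is accepted together with -Filter or -LDAPFilter. An added example (not code from the thread) of the OU-scoped lookup written with -Filter, assuming the CSV name column holds sAMAccountName values; the character check on each name is also an added assumption, there to keep CSV content from changing the filter expression.

```powershell
# Added example, not from the thread. Assumes the 'name' column holds sAMAccountName values.
Import-Module ActiveDirectory

# OU path taken from the post above
$searchBase = 'OU=GPO_Test,OU=LocalUsers,OU=Location,DC=OurDomain,DC=local'
$userlist   = Import-Csv -Path 'C:\ADUSERS\DisableUsers.csv'

foreach ($user in $userlist) {
    $sam = "$($user.name)".Trim()

    # The name is interpolated into the filter string, so accept only characters
    # expected in an account name (assumed policy: letters, digits, '.', '_', '-').
    if ($sam -notmatch '\A[A-Za-z0-9._-]+\z') {
        Write-Warning "Skipping '$sam': unexpected characters"
        continue
    }

    # -SearchBase is valid with -Filter (or -LDAPFilter), not with -Identity.
    $found = @(Get-ADUser -Filter "SamAccountName -eq '$sam'" -SearchBase $searchBase -SearchScope Subtree)

    if ($found.Count -eq 0) {
        Write-Warning "'$sam' not found under $searchBase; nothing disabled"
        continue
    }

    $found | Disable-ADAccount
    Write-Host "user $sam has been disabled"
}
```

An account that exists outside the given OU is reported as not found and left untouched, so a typo in the CSV cannot disable an account elsewhere in the directory.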


AndreasBaumgarten answered

Hi @Pankajbhakta95-5136 ,

how many users are in the list? (just to get an idea)

In your script the user will be searched in the full AD. Depending on the OU structure and the amount of AD objects this "might last a little bit".

Maybe it's faster if the search scope in AD is more limited. This can be done this way:

 Get-ADUser -Identity $($user.name) -SearchBase "OU=UserAccounts,DC=YOURDOMAIN,DC=LOCAL" | Disable-ADAccount

https://docs.microsoft.com/en-us/powershell/module/activedirectory/disable-adaccount?view=windowsserver2019-ps#example-3--disable-all-accounts-in-an-organizational-unit-using-a-filter



Regards
Andreas Baumgarten
