Automated Account Disabler

tankerkiller125

I wrote the following Powershell script for my company to quickly and effectively disable user accounts and revoke all access to our network. It works with AD, Azure AD, Exchange On-Prem (2013+) and Exchange Online.

It works by forcing a password change to something random, disabling the user account, revoking all user groups (except for the default one), blocking the Azure Sign In, and then from there it goes into exchange and blocks all of the users ActiveSync devices.

param (
        [string]$ADServer = $env:computername,
        [string]$Domain = $env:userdnsdomain,
        [string]$ExchangeServer = $env:computername,
        [bool]$EXO = $false,
        [string]$AADUsername = "",
        [string]$Username = $( throw "-username is required." )
    )


    $FQUsername = "$Username@$Domain"

    if ($AADUsername -ne "") {
        $AADUsername = $AADUsername
    } else {
        $AADUsername = $FQUsername
    }
    
    # Force a password change
    Set-ADAccountPassword -Server $ADServer -Identity $FQUsername -Reset -NewPassword [System.Web.Security.Membership]::GeneratePassword(10, 3)

    # Disable the account
    Disable-ADAccount -Server $ADServer -Identity $FQUsername

    # Remove all groups from user except for the default one
    Get-ADPrincipalGroupMembership -Server $ADServer -Identity $FQUsername | Where-Object -Property Name -NE -Value 'Domain Users' | Remove-ADGroupMember -Members $FQUsername

    # Block Azure AD Sign In
    Connect-AzureAD
    Set-AzureADUser -ObjectID $AADUsername -AccountEnabled $false
    Revoke-AzureADUserAllRefreshToken -ObjectId $AADUsername
    Disconnect-AzureAD

    # Block user devices from Exchange ActiveSync, convert to Shared Mailbox
    if ($EXO)
    {
        Connect-ExchangeOnline
        Get-EXOMobileDeviceStatistics -Mailbox $AADUsername | ForEach-Object -Process { Set-EXOCASMailbox -Identity $AADUsername -ActiveSyncBlockedDevicesIDs $_.DeviceID }
        Set-Mailbox -Identity $AADUsername -Type Shared
    }
    else
    {
        $UserCredential = Get-Credential -Message "Please enter your on-prem exchange credentials"
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://$ExchangeServer/PowerShell/" -Authentication Kerberos -Credential $UserCredential
        Import-PSSession $Session -DisableNameChecking
        Get-MobileDeviceStatistics -Server $ExchangeServer -Mailbox $FQUsername | ForEach-Object -Process { Set-CASMailbox -Identity $FQUsername -ActiveSyncBlockedDeviceIDs $_.DeviceID }
        Set-Mailbox -Identity $FQUsername -Type Shared
        Remove-PSSession $Session
    }

The following options do the following things:

Parameter	Type	Default	Required	Description
ADServer	String	$env:computername	false	Regular AD Server
Domain	String	$env:userdnsdomain	false	On-Prem Domain
ExchangeServer	String	$env:computername	false	On-Prem Exchange Server
EXO	Boolean	$false	false	Exchange Online?
Username	String	null	true	The username of the on-prem user being disabled
AADUsername	String	null	false	AzureAD full username (including @) if diffrent from on-prem

katos

Great resource, and a must-have for a sysmin! 🙂

phenomlab

On the flip side, you’d need to ensure that this is kept out of sight of potentially malicious usage - or, perhaps, even an insider threat for a bad actor who also happens to be a sysadmin in your organisation. Admittedly, this could be perceived as far-fetched and implausible, but it’s happened. One execution of this script is a DoS attack waiting to happen.

Lock every account except one….imagine the fallout….

tankerkiller125

phenomlab As the sole sys-admin this is a non-issue for me. If this were in an environment with multiple admins/IT guys I’d probably embed it into a web app that logs every usage to a secure database only accessible by a randomly generated password that the IT staff only have the first half of and the CEO/the president have the other half.

phenomlab

tankerkiller125 Great approach. But what if the script is lifted from your network by an attacker already inside, and executed ? It’s easily possible to get domain admin in less than 15 minutes by simply passing an NTLM hash from an already logged in workstation.

This is why I am a huge fan of bastion hosts that are in air gapped networks.

tankerkiller125

phenomlab Air gapped networks are great, one of the things I’m working on getting setup is a properly secured separate network for testing and another separate network for our security related stuff (Alarm system, Cameras, etc.) everything here was setup well before I got here and our office doesn’t even have a simple VLAN configuration.

phenomlab

tankerkiller125 Great. Flat VLANS are always a cause for concern - a wide open playing field for any potential attacker. I’ve spent years defining what our landscape looks like, and whilst we’re not quite “there”, we are almost on the mark for as far as possible as this is.

tankerkiller125

I’ve update this script with a tiny extra line of command that will force reset the tokens for the user account. Effectively forcing them out of OneDrive and other Microsoft hosted services.

tankerkiller125

Update
I’ve updated the script to remove the Azure AD `(Get-Credentials) as it’s not going to be usable in the future when Microsoft disables Basic auth completely, and it’s not compatible with MFA.

I’m currently working an update that will allow the automatic moving of OneDrive files to a SharePoint library and converting the mailbox to shared.

tankerkiller125

I am currently working to add OneDrive copying to a SharePoint Document library to this script since that’s the only thing holding up our company from using only this script. I’m hoping to have an update sometime later this week or next.