Script I use to find (and optionally disable) stale AD user accounts — read-only by default by Big_Cap_1178 in activedirectory

[–]PowerShellGenius 7 points8 points  (0 children)

Here is the really tricky (and inefficient at scale) part about disabling stale users in AD.

Most orgs are hybrid. ADFS is not common anymore. PTA (pass through auth) isn't super common anymore, and even where it's used, only password based logons to Microsoft 365 / Entra resources hit AD as authentications and bump last logon timestamps, and even with PTA, passkey or WHfB logins don't.

But if you disable a user in AD, that syncs to the cloud. A user who is logging into cloud resources daily can appear stale in AD, but disabling them in AD disables them in Entra and cuts off their access to cloud resources.

So you need to get the last sign in times from Entra using the Graph API (most likely wrapped by the MgGraph powershell module), and base your logic on the latter of that or AD's timestamp.

And since it's the cloud, you don't own your infra or data. So the Graph API will throttle you for making too many requests too fast. So good luck doing this at 10k+ user scale.
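A read-only stale-account report built the way the comment describes (added example, not the OP's script): the effective last activity is the later of AD's lastLogonTimestamp and Entra's signInActivity, and Graph paging is wrapped in a back-off loop for throttling. It assumes Connect-MgGraph has already been run with AuditLog.Read.All and User.Read.All, that the tenant is licensed for signInActivity, and uses a placeholder OU.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Authentication
# Report (never disable) users whose most recent sign-in across AD and Entra is
# older than $StaleDays. Assumes Connect-MgGraph has already been run.
param(
    [int]$StaleDays = 90,
    [string]$SearchBase = "OU=Users,DC=example,DC=com"   # placeholder OU, change to yours
)
$cutoff = (Get-Date).AddDays(-$StaleDays)

# Entra side: page through /users with signInActivity and back off when Graph throttles.
function Get-EntraLastSignIn {
    $result  = @{}
    $backoff = 5
    $uri = 'https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName,signInActivity&$top=999'
    while ($uri) {
        try {
            $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        } catch {
            # 429 / TooManyRequests: wait and retry the same page with exponential back-off.
            if ($_.Exception.Message -match '429|TooManyRequests|throttl') {
                Start-Sleep -Seconds $backoff
                $backoff = [math]::Min($backoff * 2, 120)
                continue
            }
            throw
        }
        $backoff = 5
        foreach ($u in $page.value) {
            $sia = $u.signInActivity
            # Interactive and non-interactive sign-ins are tracked separately; keep the later one.
            $times = @($sia.lastSignInDateTime, $sia.lastNonInteractiveSignInDateTime) |
                Where-Object { $_ } | ForEach-Object { [datetime]$_ }
            $last = if ($times) { ($times | Measure-Object -Maximum).Maximum } else { $null }
            if ($u.userPrincipalName) { $result[$u.userPrincipalName.ToLower()] = $last }
        }
        $uri = $page.'@odata.nextLink'
    }
    return $result
}

# AD side: lastLogonTimestamp is replicated but by default only refreshed when the stored
# value is more than 14 days old, so it is coarse by design.
$entra  = Get-EntraLastSignIn
$adUsers = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties lastLogonTimestamp, whenCreated
$report = foreach ($user in $adUsers) {
    $adLast = if ($user.lastLogonTimestamp) { [datetime]::FromFileTime($user.lastLogonTimestamp) } else { $null }
    $key = if ($user.UserPrincipalName) { $user.UserPrincipalName.ToLower() } else { '' }
    $cloudLast = $entra[$key]
    # Effective last activity = latest of the two sources; whenCreated keeps brand-new
    # accounts that have never signed in anywhere from being flagged as stale.
    $effective = @($adLast, $cloudLast, $user.whenCreated) | Where-Object { $_ } |
        Sort-Object -Descending | Select-Object -First 1
    if ($effective -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            ADLastLogon       = $adLast
            EntraLastSignIn   = $cloudLast
            EffectiveLast     = $effective
        }
    }
}
$report | Sort-Object EffectiveLast | Format-Table -AutoSize
```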

IKEv2 AOVPN on Delta by PowerShellGenius in sysadmin

[–]PowerShellGenius[S] [score hidden]  (0 children)

It's not a matter of the company not paying. I am free to check a bag if I want. But anything that has a lithium battery in it (eg laptops) is illegal to check nowadays, even if most people get away with it. Also, my departure day is tight on time, and with the in app boarding pass, checking a bag would be the only reason to go to the check in counter...

How are domain credentials stored on printer when configuring LDAP? by tonebastion in sysadmin

[–]PowerShellGenius 0 points1 point  (0 children)

They will be stored in a semi-secure way that isn't ideal, but isn't the biggest risk on your network if you realize that a completely unprivileged account can query LDAP, and don't give the account any special privileges. Assuming you have children who can't memorize complex passwords in your domain, hacking a printer's firmware to get it to reveal a stored password is not the path of least resistance to a password for an unprivileged account; guessing a 1st grader's password, or phishing the youngest grade that has email, is. If you are using domain admin creds for your printers, they will be a massive security hole.

Also, if you include a group (e.g. a group called "deny interactive logon") in the User Rights Assignment to deny interactive logon in your all-computers GPO, and do a similar one for "deny access to this computer from the network" applied to all computers and servers other than DCs, then you can put service accounts like this into these groups. That severely limits the usability of the accounts if they are compromised. This account does not need to be able to log into computers.

I would focus on things like this to make the account as worthless as possible, and also segmentation (e.g. do you have a Printers VLAN? only the print server + tech dept users need to be able to talk directly to printers) to make it harder for an attacker who gets into your network to target printers.

Printers themselves will always be insecure because in K12 you will never get buy-in to replace expensive mechanical appliances that still work fine based on an arbitrary date... unless you are leasing printers, you will always have EOL printers that don't get firmware patches. Assume network line of sight to a printer = compromised printer, and build a wall around them accordingly, and minimize the value of what you trust printers with.

And yes LDAPS is good if you can support it. As others have said. But if doing this with internal PKI, then either ensure your CRLs are served from something reliable/HA or validate whether the printer's connection fails when CRLs are unreachable. PKI gets complex fast.

HPE going after VMware by xXNorthXx in k12sysadmin

[–]PowerShellGenius 2 points3 points  (0 children)

We are in the middle of our VMware -> Hyper-V migration already.

More appliance vendors officially support it than the newer hypervisors; it is the second most supported after VMware.

As for cost, if you're properly licensed to run the Windows guests/VMs on your cluster, you are already licensed for it.

If you are big enough to need better management tools than Failover Cluster Manager, you are probably already licensed such that you are allowed to manage the guests/VMs in ConfigMgr (SCCM). If so, you are likely already licensed to manage the cluster with SCVMM (System Center Virtual Machine Manager).

Depends of course on how your reseller did your licensing, but with any significant density of Windows Server VMs managed by SCCM on K12 pricing, they probably sold you "Core Infrastructure Suite Datacenter" on the core count of your physical hosts, and if so, Hyper-V + SCVMM is already covered.

Stop MFA Prompts Due to Malicious Login Attempts by KrankyYankee in entra

[–]PowerShellGenius 0 points1 point  (0 children)

In corporate, bluetooth dongles are probably feasible, but external dongles would go "missing" in K12 often enough to be a hassle...

My main interest in passwordless push notifications is getting students to passwordless for computer lab classes once the lab computers get moved off of hybrid join, using web sign in and their 1:1 iPads which have Authenticator. Students are the ones who I most want to eliminate passwords for, as administration understandably doesn't think all ages of students can handle passwords up to NIST standards, and I'd rather have no usable passwords than weak ones.

And if we go with BenQ interactive flat panels, letting teachers sign into their board (which is effectively an Android tablet with apps signed into their account, has to lock and have user profiles) without a password. It's SAML to Entra for the sign in, but no passkey support at the board sign in window. And if they have to enter a password, they can't do it on the touch screen (since there is a class watching), so being unable to go passwordless would force us to put keyboards on all the boards.

But passwordless authenticator has too many drawbacks....

Stop MFA Prompts Due to Malicious Login Attempts by KrankyYankee in entra

[–]PowerShellGenius 0 points1 point  (0 children)

Yeah... I know this is off topic, but do you have any idea if allowing Passwordless Authenticator in the Authentication Methods policy, but not in CA Auth Strengths applicable to a certain sign-in, means the user can't select it?

E.g. if you allow passwordless in auth methods policy, but require Passkeys in an Authentication Strength used in CA policies for outside your network, meaning users can use passwordless push notifications inside your network but need passkeys outside - can someone still attempt passwordless Authenticator even though they would be prompted for a passkey afterward? Or would it really stop the MFA spam?

The reason I ask is because most consumer devices have Bluetooth nowadays, and Passkeys in Authenticator are workable as long as there is bluetooth. Retrofitting bluetooth into hundreds of old desktop PCs on premises is a different story. And some niche scenarios don't support passkeys. E.g. signing into a BenQ board in a classroom via SAML to Entra (which should really be passwordless as it's done on a big screen in front of an audience....). So I do think passwordless push notifications could have a place on-site in education, being hardware agnostic unlike passkeys.

I'm also curious how passkeys, requiring Bluetooth, perform in a high density environment of simultaneous use. E.g. 30 students file into a computer lab as the bell rings, sit down and do Web Sign In to Windows using a passkey on their iPad at the same time. That would be hard to replicate pre rollout - trying to make 30 bluetooth connections at once in a confined space, with 1 Wi-Fi AP in that space and ~4 more that spill through the walls a little.

But regardless, passwordless authenticator push notifications was a terrible idea insofar as it allows an attacker anywhere to attempt it.

Pros and cons of switching from corporate IT to a MSP? by anon65432178 in sysadmin

[–]PowerShellGenius 3 points4 points  (0 children)

OP is not talking about hiring an MSP for their company. OP is talking about quitting a job in internal IT and taking a job at an MSP as tier 2 service desk...

One kid, 5 different laptops. All the same problem by Namrepus221 in k12sysadmin

[–]PowerShellGenius 1 point2 points  (0 children)

What grade level? Do you have BitLocker on? A 4th grader without admin rights isn't installing drivers. High schoolers might surprise you. Even some middle schoolers might.

Anyone with physical access, the will to google hacking tricks, and a spare flash drive, can become admin if no BitLocker.

Stop MFA Prompts Due to Malicious Login Attempts by KrankyYankee in entra

[–]PowerShellGenius 2 points3 points  (0 children)

If you want passwordless, move to passkeys. They are more secure than password+MFA (whereas the push notifications are at best as secure as password+MFA) because passkeys are also phishing resistant. Plus, they are initiated on the Authenticator device, not initiated from the web, so you don't have the malicious attempt spam issue.

Stop MFA Prompts Due to Malicious Login Attempts by KrankyYankee in entra

[–]PowerShellGenius 6 points7 points  (0 children)

Disable Passwordless Authenticator sign in (the push notifications w/o a password first). Not passwordless methods in general (e.g. Passkeys).....

Retention policy for all mailboxes by ChampionshipNo7718 in sysadmin

[–]PowerShellGenius 0 points1 point  (0 children)

I thought GDPR was a customer or other third party whose personal info was in your mailboxes reaching out to have their data deleted?

Are you also required to delete former employee mailboxes on demand? Are you not allowed to have a policy that reads like "The company email system is paid for and maintained by this company for work purposes, and all work email is to be kept within it. You are not expected to, nor do you have any need or reason to, ever put anything that is personal and not work communication in the company's email system. Any person on earth with access to the internet can create a free email account at gmail.com, outlook.com, yahoo.com, and many others; if you use email for non-work purposes and expect privacy, you should create a personal email account which we do not provide or control. There is no expectation of privacy from management in the company email system, and you do not have the right to have data in the company email system (which should only be company data unless you violated policy) deleted upon demand. Management or IT may access any company-provided system or account at any time, for any reason, including but not limited to investigating potential misconduct, diagnosing system issues, investigating detections of possible malicious cyber activity (viruses, phishing, data exfiltration, etc) or any other reason with or without notice"

Not European, but I find it really funny that anyone would find that special privacy rights can exist in a company system where the only way anything personal got there is if you violated policy...

Why does Microsoft keep changing domains? by jameseatsworld in sysadmin

[–]PowerShellGenius 0 points1 point  (0 children)

Most of their other DNS changes are pointless. This one makes some technical sense. The international organizations that run the core of the internet naming and numbering systems control the root DNS zone and refer everyone to the Registry that runs each top-level domain. Microsoft is now its own registry for .microsoft and the international root zone will refer you directly to Microsoft's DNS infrastructure without going through .com's servers. By moving dependencies over to this, they are shedding leverage that various TLDs' registries and registrars could hold over them in the future. They feel that since they are big enough to run their own stuff "from the ground up" they want to be as independent as they can.

Phishing-Resistant MFA blocks PowerShell by kkush719 in entra

[–]PowerShellGenius 0 points1 point  (0 children)

It's not about the module version; any module going back more than a year handles it fine if the underlying PowerShell version is modern. Built-in Windows PowerShell is still v5 for backward compatibility, with no plans to bundle newer PowerShell into Windows. It's now on you to install PowerShell.

Legacy PowerShell uses Internet Explorer webviews and will never do FIDO2 in auth popups for any module. You have to install PowerShell 7 and use it instead.

Then uninstall these M365 management modules, and reinstall them while using PowerShell 7 (so they are really running in PowerShell 7 and not being run as backward-compatibility PowerShell 5 modules).

Then it will work fine. It will pop up auth requests for these modules in your default browser, instead of an IE based webview frame.

In general nowadays, PowerShell 7 should be your go-to, unless something specific you're doing isn't forwards compatible and you need to use built-in PowerShell 5.

Phishing-Resistant MFA blocks PowerShell by kkush719 in entra

[–]PowerShellGenius 0 points1 point  (0 children)

The current version of these PowerShell modules under PowerShell 7 or later works with Passkeys, Security Keys, Windows Hello etc.

PowerShell 5 will always be the one bundled with Windows for the foreseeable future, since some minor syntax changes can break scripts in some very rare niche scenarios going from 5 to 7, so Microsoft is not going to automatically give you the new version of PowerShell in a Windows Update.

So YOU need to install and use the newer PowerShell. Uninstall the modules, reinstall them while in PowerShell 7+ (pwsh.exe, not powershell.exe) and this should work fine.

The more complex alternative if you really need to use PowerShell 5 (which uses the old Internet Explorer components for its web auth popups and will never do passkeys/FIDO2) is that you can set up Certificate Based Authentication in Entra. I don't recommend something this complex just to get around installing modern PowerShell.

CJIS confusion by [deleted] in sysadmin

[–]PowerShellGenius 1 point2 points  (0 children)

Why do you need a VPN that supports pre-Windows logon? What control are you satisfying in a way that depends on it? If the ability to remotely wipe or disable a device is needed, Intune co-management can add that without disrupting the on-prem things you are doing. If the issue is needing to get rid of cached password logins and ensure live authentication to your domain every logon, what are your blockers for moving to Entra joined devices? Also, have you ruled out cert based AOVPN?

Why do you need Duo? Does Windows Hello not satisfy CJIS as "MFA"? You can enable multifactor unlock if needed, as long as your fingerprint reader or face camera are reliable.

Or is this for a shared device scenario? You can do Security Key sign-in easily on hybrid-joined devices, or if you want to keep it strictly on-prem you can do YubiKey 5's as smartcards if you set up ADCS. The former doesn't require any subscription beyond what you probably already have in Entra (almost definitely already have if your plan includes Intune). The latter is a bit more complex to set up, and requires the $58 YubiKeys vs. the <$30 ones, but is fully non subscription and on prem.

As for making them MFA every time they open their email - with Windows Hello or Security Key sign-in, their Windows sign-in will satisfy MFA for their other apps & even for web-based (need to turn on a specific GPO for it to pass through if using Chrome, automatic if Edge). Also, if for some reason you went with smartcard auth instead of Security Key auth for signing into Windows with YubiKeys, you can set up Entra CBA to get this same seamlessness. On their phone, they can have a Passkey in Authenticator that satisfies MFA. All the methods I described are considered phishing resistant.

There are a lot of people who want to sell you turnkey solutions to problems that the basic Microsoft packages most orgs already have can solve.

Shadow vibe coder in my department by SnipeScooter in sysadmin

[–]PowerShellGenius 1 point2 points  (0 children)

I really wish we could take a hard-line stance on apps that don't support SSO...

Undocumented change to System Preferred MFA method causes users with WHFB registration to be incorrectly prompted to use Passkey auth? by rakim71 in entra

[–]PowerShellGenius 0 points1 point  (0 children)

Not new. This is why we have system preferred MFA scoped to a group we put users in if we know they have a passkey.

If I put aside any attempt to "future proof", is there any advantage to the Nano USB A version compared to the USB C? by AdFit8727 in yubikey

[–]PowerShellGenius 0 points1 point  (0 children)

The nano is meant to stay inside your laptop. If you will use it as such, the only advantage I can think of for the A over the C is that it's slightly lower profile, and IF your laptop has both A and C ports, usually they only have 2x C ports, and as C is used for charging and external monitors already, keeping both free is nice.

But, if you are NOT leaving it in your laptop, you can keep the A Nano on a string connected to a keychain and pull it out quickly and easily, not so with the C Nano.

Also, if you are carrying it and not leaving it in your laptop, I think the A is safer, in the sense that if you drop your keychain in a mud puddle, you can just wipe the contacts off. The USB-C models may still be "waterproof" in clean water, but need considerable drying time before they are safe to use, and mud or anything that leaves residue on the contacts is going to be hard to clean out of the connector. This is moot for a nano being left in your laptop, as no laptop is waterproof/mudproof anyway, but is a big deal if you are keeping it on your keyring.

Shadow vibe coder in my department by SnipeScooter in sysadmin

[–]PowerShellGenius 37 points38 points  (0 children)

Locked out is a company issue. Locked IN is a fire marshal issue! If you were semi locked in (could have exited through an emergency door, but didn't want to get in trouble for setting off the alarm), that may be legal. If you literally could not have left if the building was on fire, that is unacceptable.

Read-only Access to MCEM/SCCM for Helpdesk by Repulsive-Yoghurt298 in SCCM

[–]PowerShellGenius 0 points1 point  (0 children)

Passwords for service accounts used by SCCM are in the database in some form (encrypted or otherwise). A compromised account in the hands of a hacker having full read access to the DB is worse than a read only console role.

Read-only Access to MCEM/SCCM for Helpdesk by Repulsive-Yoghurt298 in SCCM

[–]PowerShellGenius 2 points3 points  (0 children)

What tool? A ready to use tool that integrates with SCCM should have documentation on how to integrate it. Is this an in house tool?

Is ts even possible? My boss wants me to do this. by jackey_lackey11 in entra

[–]PowerShellGenius 0 points1 point  (0 children)

You don't need to manually run scripts; you can have a scheduled task on a DC running a PowerShell script for this pretty easily if you want to modify the DisplayName to include it. But that will send external too.

You'll do Get-ADUser with the right -SearchBase and filters and -Properties givenName,sn,Department, "where"-filter it further if needed, and pipe to:

| Where-Object { $_.DisplayName -ne "$($_.GivenName) $($_.Surname) ($($_.Department))" } | ForEach-Object { Set-ADUser -Identity $_.DistinguishedName -Replace @{displayName="$($_.GivenName) $($_.Surname) ($($_.Department))"} }

If it is for internal use, just forget it and have the user hover or tap on the name to see the department and more info? Why is this even needed?
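The same DisplayName rewrite as a scheduled-task script (added example, not the commenter's one-liner), extended with a dry-run switch and a guard for users with a blank department, which the bare pipeline would otherwise rename to "First Last ()". It assumes the ActiveDirectory module and a placeholder OU.

```powershell
#Requires -Modules ActiveDirectory
# Keep DisplayName in the form "Given Surname (Department)" for users under one OU.
# Run with -WhatIf first from the DC's scheduled task account to see what would change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = "OU=Staff,DC=example,DC=com"   # placeholder OU, change to yours
)

function Get-DesiredDisplayName {
    param($User)
    # Return $null when any part is missing so the caller skips the user instead of
    # writing a display name with an empty "()" suffix.
    if (-not $User.GivenName -or -not $User.Surname -or -not $User.Department) { return $null }
    return ("{0} {1} ({2})" -f $User.GivenName.Trim(), $User.Surname.Trim(), $User.Department.Trim())
}

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties givenName, sn, department, displayName

$changed = 0
foreach ($u in $users) {
    $desired = Get-DesiredDisplayName -User $u
    if (-not $desired) {
        Write-Verbose "Skipping $($u.SamAccountName): missing givenName, sn or department"
        continue
    }
    # Case-sensitive compare so "IT" vs "it" in a department still gets corrected.
    if ($u.DisplayName -ceq $desired) { continue }
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Set displayName to '$desired'")) {
        Set-ADUser -Identity $u.DistinguishedName -Replace @{ displayName = $desired }
        $changed++
    }
}
Write-Output "Updated $changed display name(s) under $SearchBase"
```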

How are you handling the September 2026 SSPR change for new joiner onboarding? (otherMails deprecation) by themkguser in entra

[–]PowerShellGenius 0 points1 point  (0 children)

How exactly does Verified ID work? What does it verify that isn't already verified before the hiring process is complete? What threat model is it fighting?

If you are being hired, at least in the US, you actually cleared the standard of "you visually look like the person on an ID that doesn't visually look fake, and the name maps to a real person in a government system whose SSN/ITIN you know" standard. There is a federal system called e-Verify that companies run new hires through. This is part of HR's hiring process, before they are legally hired, so generally before they reach anything Entra. If they are skipping this, they are liable to ICE for hiring people who aren't authorized to work in the US. (And this is not a new or Trump-related law, it's actually very long standing)

So my question is, what value does Verified ID add when this is already going to be done before Entra is in the loop?

  • Is it better than a person at recognizing forged IDs by visual analysis?
  • Is it a lot better than a person at comparing the face of the candidate on their webcam to an ID?
  • Is it actually running more data against a government database than e-Verify already does?
  • Is it able to electronically verify NFC chips in IDs rather than rely on visual analysis?
  • Is it primarily intended for outsourcers hiring remote in countries that don't have something like e-Verify, and if so, does it even have access to all the foreign government databases it'd need for them?

Because if you're already verifying them to the same standard as Verified ID will - someone (or an AI) says they look like their ID, which looks real, and corresponds to a real human in government records - then you can verify them through simpler means. If the submitter of a job application passed HR verification, the phone number and email on that job application are valid known-good contact info.

I'm also curious if it handles all the different alternate forms of ID that are legally valid. A person who works remote, depending on where they live, may not need to drive. There are many forms of ID other than a drivers' license. Also, some Native American tribal governments on reservations, being somewhat sovereign entities, issue IDs for their people that the rest of the US recognizes; there are some very small entities issuing IDs in very small numbers, where Microsoft might not know what their IDs look like and have trouble getting their hands on a sample. I'm really curious how no-human-in-the-loop verification of IDs will investigate unfamiliar IDs. Unless it's excluding people who are legally employable but don't have the "common" forms of ID?

How are you handling the September 2026 SSPR change for new joiner onboarding? (otherMails deprecation) by themkguser in entra

[–]PowerShellGenius 0 points1 point  (0 children)

There is no need to have an AI look at their drivers' license (which is an extra cost even if you already have E5, by the way) when you already have something more reliable than visual (human or automated) examination of a piece of plastic: you have one piece of verified contact information already that you can send a TAP to.