**EDIT**
I'm thinking of running a scheduled task at the end of every workday to retrieve all accounts that have never logged on and disable them.
Please excuse any syntax errors; I may very well be fumbling here. Can anyone say whether this solution will work?
# Accounts with no lastLogonTimestamp attribute have never logged on
Get-ADUser -Filter {-not (LastLogonTimestamp -like "*")} | Disable-ADAccount
**Original Question**
I'm not a sysadmin per se; I'm more of a programmer, and I'm new to Active Directory and PowerShell scripting. I've done scripting in bash and other languages, so I can catch on quickly.
My current role (I'm new) has an industry-standard requirement to expire/disable accounts if the first-use password has not been used within 24 hours. I have done a search and found that AD does not support this feature, but learned that it may be possible through a script. There is a tight deadline from an audit, and I must say we are a little desperate.
Any help would be appreciated, even just a background on possible ways to set the expiration time or identify accounts that have not changed the password yet.
Thank you very much
Best Answer
Yes, your one-liner should work. I modified your original command to filter for enabled accounts only.
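As an added example (not code from the original question or the accepted answer), here is the one-liner expanded into the form a practitioner would actually schedule. It adds the two checks the bare filter lacks for the stated requirement: it only touches enabled accounts, and it leaves accounts created within the last 24 hours alone, since those have not yet missed the window. The OU path, the log file location and the 24-hour grace period are assumptions to be adjusted for your domain.

```powershell
# Added example, not code from the original post or answer.
# Disables enabled user accounts that were created more than 24 hours ago and
# have never logged on. $SearchBase, $LogPath and the 24-hour window are assumptions.
Import-Module ActiveDirectory

$SearchBase = "OU=Users,DC=example,DC=com"   # assumed OU; limits the blast radius of the task
$LogPath    = "C:\Logs\never-logged-on.csv"  # assumed location for the audit trail
$Cutoff     = (Get-Date).AddHours(-24)       # assumed grace period from the audit requirement

# All three conditions are evaluated on the domain controller.
# lastLogonTimestamp is not written until the first logon, so the negated
# presence test (-not (... -like "*")) matches accounts that have never logged on.
# Unlike lastLogon, lastLogonTimestamp is replicated, so any DC can answer.
# whenCreated excludes accounts created in the last 24 hours, which the bare
# "never logged on" filter would otherwise disable on their first day.
$candidates = Get-ADUser -Filter { (Enabled -eq $true) -and (whenCreated -lt $Cutoff) -and (-not (LastLogonTimestamp -like "*")) } -SearchBase $SearchBase -Properties whenCreated, PasswordLastSet

$results = foreach ($user in $candidates) {
    # -WhatIf only reports what would be disabled; remove it once the list looks right.
    Disable-ADAccount -Identity $user.DistinguishedName -WhatIf
    [pscustomobject]@{
        SamAccountName  = $user.SamAccountName
        Created         = $user.whenCreated
        PasswordLastSet = $user.PasswordLastSet   # empty when "must change password at next logon" is set
        DisabledAt      = Get-Date
    }
}

# Keep a record of every account the scheduled task touched.
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
```

Run it first with -WhatIf in place and review the CSV before letting the scheduled task disable anything; the task account needs only the right to modify userAccountControl on the target OU, not domain admin. PasswordLastSet is logged because the audit wording is about the first-use password: an account created with "must change password at next logon" has no pwdLastSet value, which is a second signal you can filter on if "never logged on" turns out not to match how your auditors define the control.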