-
Title
Is it possible to mass unassign and delete tokens from users in Active Directory using Powershell? -
Description
License usage for tokens and users is reaching the limit, how can tokens be mass unassigned and deleted from old or disabled Active Directory accounts? -
Cause
All of the tokens which are assigned to an OU such as an OU containing all disabled users within Active Directory can be unassigned and deleted using commands within the Defender Management Shell which is a module for Powershell. -
Resolution
The easiest way to fix this would be to use the following Defender Management Shell commands that are included in the OneIdentity.Defender.AdminTools module.
The command Remove-TokenFromUserBatch would be the most useful in this situation. You would provide it with files that contain a list of users and a list of tokens.The command does not need an actual list of token serials to use that command, a text file can be provided for the tokens that contains 'all' for each line instead of token serials.
Then to create the list of names for users, one can export a list of all of the users contained within the Disabled folder, by using Powershell or right-clicking the Disabled folder in AD and selecting Export List. Make sure Display Name is added as a displayed column.
-
Additional Information
Open up the Defender Management Shell and run the command 'get-help remove-tokenfromuserbatch -full' for examples and a full explanation.
One could also use the command 'get-defenderuserslastlogon -UserSearchBase "CN=Disabled,DC=MyDomain,DC=Local"'. That would return Defender users who are within that OU which could then be filtered for only the CommonName column, and then export into a text file. Please see the command 'get-help get-defenderuserslastlogon -full' for more information.