neoptoent asked:

Schedule enabling and disabling of Active Directory accounts

Hi,

We have a list of when our users will be going on vacation.
We are looking for a way to schedule their AD accounts to be disabled for the time they are out.
So, for example:
if Mary is going on vacation on June 25 and returning on June 30, we would want to schedule her account to be disabled at 12:00 am on the 25th and re-enabled on the 30th at 12 am.

Britt Thompson

You can create a batch file (open Notepad, copy/paste/customize the following, and save it as a .bat file), then schedule it using Task Scheduler when you want to enable/disable the users:

REM --- disable.bat: save this block as its own file ---
REM (a ":label" line does not stop execution, so the two blocks must not share one file or both would run)
@echo off
dsmod user "CN=User1 Name,OU=Organizational Unit,DC=Domain,DC=local" -disabled yes
dsmod user "CN=User2 Name,OU=Organizational Unit,DC=Domain,DC=local" -disabled yes
dsmod user "CN=User3 Name,OU=Organizational Unit,DC=Domain,DC=local" -disabled yes
dsmod user "CN=User4 Name,OU=Organizational Unit,DC=Domain,DC=local" -disabled yes

REM --- enable.bat: save this block as a second file ---
@echo off
dsmod user "CN=User1 Name,OU=Organizational Unit,DC=Domain,DC=local" -disabled no
dsmod user "CN=User2 Name,OU=Organizational Unit,DC=Domain,DC=local" -disabled no
dsmod user "CN=User3 Name,OU=Organizational Unit,DC=Domain,DC=local" -disabled no
dsmod user "CN=User4 Name,OU=Organizational Unit,DC=Domain,DC=local" -disabled no
neoptoent (asker)

The problem with this is that users take it on different days, so we would need to create 200 separate batch jobs with 200 scheduled jobs.
I don't believe there's a built-in way to automate this... A batch can be written so it doesn't require separate files, but if the users are all going to be disabled/re-enabled on different days I can't give you a way around scheduling the users' disablement without 200 tasks. Not sure how many schedules each task can run within the scheduled task manager, but each task can have multiple schedules. Schedules can also be created from the command line, so all you'd have to do is a search and replace for the date and time in a batch file, or create a question within the batch file that asks when you want to create the schedule. At least it wouldn't be so tedious as doing it manually within the Task Scheduler.
To the letter of the law (best practices), what you are wanting to do is a good thing.

From an administrative stance it means this would soon become a full-time job all by itself in a company of more than 50 or so employees. While disabling unused accounts certainly reduces the attack surface, it presents a management issue which could be much more costly to the company.

Scheduling even one task for each of the 300 users means that you will also need to maintain a calendar of who is off when, how plans have changed when they do (and THEY ALWAYS DO), manage unexpected extended leaves, early returns; the list really goes on and on. This is not to mention that if only one or two people are able and available to manage this information, what happens when "[Life] Happens" and you (or they) are on vacation? What if you're in Hawaii and the BOSS comes back from London a week early to close a MAJOR deal? How will you explain to her that she can't log in or access the files she needs?

Without a good explanation it's possible that a vacation to Hawaii might become permanent.

Things to consider.
Great point.
While I agree with you, it's not my call,
so I need a way to do it.
 
There are some folks on here who write some pretty outrageous batch files and post them... I don't have the time to develop something like that on here, but somebody may post something. It could be done by creating a menu system that asks for the user's name and OU, then asks for a day and time they're leaving and a day and time they return, to schedule the task with 2 schedules that run once.

Not a huge batch script, but it'll definitely create a boatload of tasks... it could be integrated to run a task deletion after each task has run as well. Sorry I can't be of more help at the moment.
If someone had a script like that it would be awesome.
Can you get your list into a comma-delimited text file in this format?
samid,mm/dd/yyyy,mm/dd/yyyy

e.g.
user01,06/25/2009,06/30/2009
If so, paste the script below into a text file with a .cmd extension. Customize the value of the list variable on line 4 with the location of the comma-delimited list file. Customize the value of the acct variable on line 5 with the name of a user account to run the scheduled tasks under. This account must have sufficient rights to enable and disable the listed AD users.

Either run the script on a 2003 server or on an XP machine with the adminpak installed and the 2003 version of schtasks.exe copied to the same directory as the script.

Running the script will prompt for the user account's password and then create two scheduled tasks for each line in the list. The first will call a batch script to disable the user account, and the second will call a script to enable it. The scheduled tasks will automatically be deleted after they run.


@echo off
setlocal
REM line 4: the comma-delimited list (samid,leave date,return date); line 5: the account the tasks run as
set list=c:\files\userlist.csv
set acct=accountname
REM the password is shown as typed and is passed to schtasks /rp on the command line: run this interactively, not from a stored job
set /P pw=Enter the password for the account %acct%: 
set disabler=c:\disabler.cmd
set enabler=c:\enabler.cmd
 
REM write the two one-line helper scripts; %%1 becomes %1 in the file and ^| keeps the pipe literal
echo dsquery user -samid %%1 ^| dsmod user -disabled yes > "%disabler%"
echo dsquery user -samid %%1 ^| dsmod user -disabled no > "%enabler%"
 
REM FOR variables are case-sensitive: tokens 1-3 land in %%G, %%H and %%I and must be referenced with that case
REM /st takes HH:MM:SS with the XP/2003 schtasks (newer builds take HH:MM); /z deletes each one-shot task after it has run
for /F "tokens=1,2,3 delims=," %%G in ('type "%list%"') do (
 schtasks /create /ru %acct% /rp "%pw%" /sc once /tn "disable %%G" /tr "%disabler% %%G" /st 00:00:00 /sd %%H /z /f
 schtasks /create /ru %acct% /rp "%pw%" /sc once /tn "enable %%G" /tr "%enabler% %%G" /st 00:00:00 /sd %%I /z /f
)

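An added example, not part of Shift-3's answer or anything else in this thread: the same three-column list (samid, leave date, return date, no header line) handled by one PowerShell script that a single daily scheduled task runs, instead of two one-shot tasks per user. It assumes the RSAT ActiveDirectory module on the machine that runs it; the list path, the script name and the sample rows are made up. With one task there is no password to type into a batch file or to pass on a schtasks command line (the task runs under a dedicated account with "run whether user is logged on or not"), a changed return date is picked up at the next run by editing the list rather than deleting and recreating tasks, and a row whose leave and return dates are equal (which with per-user tasks would schedule a disable and an enable for the same minute and leave the final state to task ordering) is skipped with a warning.

```powershell
# Added example, not code from the thread. One daily task runs this script; it reconciles each
# account's Enabled flag against the vacation list. Assumptions: RSAT ActiveDirectory module is
# installed, the list uses the thread's layout  samid,mm/dd/yyyy,mm/dd/yyyy  with no header line.
param(
    [string]$ListPath,                   # e.g. C:\files\userlist.csv (assumed path); omit to use the sample below
    [datetime]$Today = (Get-Date).Date,  # override to see what a given day will do before it arrives
    [switch]$Apply                       # without -Apply nothing in AD is touched, decisions are only printed
)

# Constructed sample rows in the thread's format, used when -ListPath is not given.
$SampleCsv = @'
mary,06/25/2009,06/30/2009
john_a,06/28/2009,06/28/2009
'@

# Pure decision logic: for each row, should the account be enabled on $Date?
# The away window is [leave 00:00, return 00:00), the window the original question asks for.
function Get-DesiredState {
    param([object[]]$Rows, [datetime]$Date)
    $fmt = 'MM/dd/yyyy'
    $inv = [cultureinfo]::InvariantCulture
    foreach ($row in $Rows) {
        try {
            $leave  = [datetime]::ParseExact($row.leave,  $fmt, $inv)
            $return = [datetime]::ParseExact($row.return, $fmt, $inv)
        } catch {
            Write-Warning "$($row.samid): bad date, skipping ($($row.leave) / $($row.return))"
            continue
        }
        if ($return -le $leave) {   # empty or reversed window: never disable anyone on bad data
            Write-Warning "$($row.samid): return date is not after leave date, skipping"
            continue
        }
        $away = ($Date -ge $leave) -and ($Date -lt $return)
        [pscustomobject]@{ SamAccountName = $row.samid; DesiredEnabled = -not $away }
    }
}

if ($ListPath) {
    $rows = Import-Csv -Path $ListPath -Header samid,leave,return
} else {
    $rows = $SampleCsv | ConvertFrom-Csv -Header samid,leave,return
}

if ($Apply) { Import-Module ActiveDirectory -ErrorAction Stop }

foreach ($want in Get-DesiredState -Rows $rows -Date $Today) {
    $state = if ($want.DesiredEnabled) { 'enabled' } else { 'DISABLED' }
    Write-Output ("{0}: {1} should be {2}" -f $Today.ToString('yyyy-MM-dd'), $want.SamAccountName, $state)
    if (-not $Apply) { continue }

    $user = Get-ADUser -Identity $want.SamAccountName -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "$($want.SamAccountName) not found in AD"; continue }
    if ($user.Enabled -eq $want.DesiredEnabled) { continue }   # already in the desired state, nothing to log
    if ($want.DesiredEnabled) { Enable-ADAccount -Identity $user } else { Disable-ADAccount -Identity $user }
    Write-Output "  changed $($user.SamAccountName) -> $state"
}
```

Run it by hand with no arguments to see the decisions for the built-in sample (on 2009-06-28 mary is reported DISABLED and john_a is skipped). For production, point one daily task at `powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\Sync-Vacations.ps1 -ListPath C:\files\userlist.csv -Apply` (paths assumed) and keep the list on a share that only the people who maintain the vacation calendar can edit, since whoever can write that file can disable any listed account.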

After running the bat, I don't see anything in my scheduled tasks though.

BTW, just want to verify I am editing the line correctly:
set /P pw=Enter the password for the account %acct%: domain\joe
Here's one with a menu that can be reused...notice it saves a variables file into a directory called assets that it looks for relative to the batch file location. File and structure are attached as well.


@echo off
title Schedule User Disablement
color 0E
mode con: cols=125 lines=50
REM CWD is the folder this batch file lives in (%~dp0 without its trailing backslash), so assets\vars.bat
REM is found relative to the script and not relative to whatever the current directory happens to be
set CWD=%~dp0
set CWD=%CWD:~0,-1%
cls
 
:START
if exist "%CWD%\assets\vars.bat" (
	goto MENU
	) else (
	goto RELOAD
	)
 
:MENU
cls
call "%CWD%\assets\vars.bat"
echo THERE ARE EXISTING VARIABLES, LOADED VARIABLES...WHAT DO YOU WANT TO DO NEXT?
echo.
echo 0^) CREATE SCHEDULE TO DISABLE USER
echo 1^) VIEW SCHEDULED TASKS
echo 2^) DELETE SCHEDULED TASK
echo 3^) RUN SCHEDULED TASK
echo 4^) DISABLE USER NOW
echo 5^) ENABLE USER NOW
echo 6^) RECREATE VARIABLES
echo 7^) EXIT
echo.
set /P DOIT=[ ENTER 0-7 ]: 
echo.
if "%DOIT%"=="0" goto CREATE
if "%DOIT%"=="1" goto VIEW
if "%DOIT%"=="2" goto DELETE
if "%DOIT%"=="3" goto RUN
if "%DOIT%"=="4" goto DISABLE
if "%DOIT%"=="5" goto ENABLE
if "%DOIT%"=="6" goto RELOAD
if "%DOIT%"=="7" goto EXITER
REM every valid choice has jumped away above, so anything that reaches this point is invalid
REM ("if errorlevel 0" is always true and was never doing the checking)
echo INVALID OPTION, TRY AGAIN
pause
goto MENU
 
:RELOAD
if not exist "%CWD%\assets" mkdir "%CWD%\assets"
set /P DC1=[ ENTER THE DOMAIN NAME...NOT INCLUDING THE SUFFIX ]: 
echo.
REM the redirection goes first so a value ending in a digit (e.g. corp2) is not parsed as a file handle
> "%CWD%\assets\vars.bat" echo SET DC1=%DC1%
set /P DC2=[ ENTER THE DOMAIN SUFFIX ]: 
echo.
>> "%CWD%\assets\vars.bat" echo SET DC2=%DC2%
echo.
set /P DDIR=[ ENTER THE DIRECTORY TO SAVE ALL BATCH FILES FOR THE SCHEDULER...FULL PATH TO THE DIRECTORY ]: 
echo.
REM DDIR is stored with a trailing backslash; the other sections append the file name straight onto it
>> "%CWD%\assets\vars.bat" echo SET DDIR=%DDIR%\
if not exist "%DDIR%" mkdir "%DDIR%"
echo.
 
goto DONE
 
:EXITER
exit
 
:CREATE
set /P UF=[ ENTER THE FIRST NAME OF THE USER TO DISABLE ]: 
echo.
set /P UL=[ ENTER THE LAST NAME OF THE USER TO DISABLE ]: 
echo.
echo [ ENTER THE ORGANIZATIONAL UNIT WHERE THE USER EXISTS...IF WITHIN MULTIPLE CONTAINERS ] 
echo [ USE THIS SYNTAX AND THE FIRST ^"OU^" IS ALREADY INCLUDED FOR YOU..................... ] 
set /P OU=[ UNIT ONE,OU=UNIT TWO,OU=UNIT THREE                                                  ]: 
echo.
REM write the two one-line scripts that the scheduled tasks will run
echo dsmod user "CN=%UF% %UL%,OU=%OU%,DC=%DC1%,DC=%DC2%" -disabled yes > "%DDIR%disable_%UF%_%UL%.bat"
echo dsmod user "CN=%UF% %UL%,OU=%OU%,DC=%DC1%,DC=%DC2%" -disabled no > "%DDIR%enable_%UF%_%UL%.bat"
echo.
set /P ADMINUSER=[ ENTER THE ADMIN USERNAME...IF YOU'RE IN A DOMAIN IT'S DOMAIN\USERNAME ]: 
echo.
REM the password is shown as typed and is passed to schtasks on the command line; this script does not write it to disk
set /P ADMINPASS=[ ENTER THE ADMIN PASSWORD ]: 
echo.
set DSCHEDULE=ONCE
echo.
set /P DSTART=[ THE USER DISABLE WILL RUN %DSCHEDULE% AT WHAT START TIME?...02:00:00 IS 2AM ]: 
echo.
set /P ESTART=[ THE USER ENABLE WILL RUN %DSCHEDULE% AT WHAT START TIME?...02:00:00 IS 2AM ]: 
echo.
set TND="Disable %UF% %UL%"
set TNE="Enable %UF% %UL%"
echo.
set /P DSD=[ SET THE DATE TO DISABLE THE USER...MM/DD/YYYY ]: 
echo.
set /P ESD=[ SET THE DATE TO ENABLE THE USER...MM/DD/YYYY ]: 
echo.
echo [ CREATING SCHEDULED TASKS ]
echo.
REM append /z (Server 2003 schtasks only) if the one-shot tasks should delete themselves after running
schtasks /create /ru %ADMINUSER% /rp "%ADMINPASS%" /sc %DSCHEDULE% /st %DSTART% /sd %DSD% /tn %TND% /tr "%DDIR%disable_%UF%_%UL%.bat"
schtasks /create /ru %ADMINUSER% /rp "%ADMINPASS%" /sc %DSCHEDULE% /st %ESTART% /sd %ESD% /tn %TNE% /tr "%DDIR%enable_%UF%_%UL%.bat"
echo.
 
goto DONE
 
:VIEW
schtasks
goto DONE
 
:DELETE
echo [ HERE ARE YOUR EXISTING SCHEDULED TASKS ]
echo.
schtasks
echo.
set /P SCRM=[ TO REMOVE THE SCHEDULED TASK TYPE ITS NAME ]: 
echo.
schtasks /delete /tn "%SCRM%"
echo.
echo [ DONE ]
echo.
:YESNO
set /P YESNO=[ DO YOU WANT TO REMOVE ANOTHER TASK? Y OR N ]: 
echo.
 
if "%YESNO%"=="Y" goto DELETE
if "%YESNO%"=="y" goto DELETE
if "%YESNO%"=="N" goto DONE
if "%YESNO%"=="n" goto DONE
echo [ INVALID RESPONSE ]
echo.
goto YESNO
	
:RUN
echo [ HERE ARE YOUR EXISTING SCHEDULED TASKS ]
echo.
schtasks
echo.
set /P TN=[ TYPE THE NAME OF THE TASK TO RUN ]: 
echo.
schtasks /run /tn "%TN%"
echo.
REM errorlevel 1 means the run failed (e.g. unknown task name); "if errorlevel 0" was always true and looped forever
if errorlevel 1 (
	echo [ INVALID TASK NAME ]
	echo.
	goto RUN
	)
	
goto DONE
 
:DISABLE
set /P UF=[ ENTER THE FIRST NAME OF THE USER TO DISABLE ]: 
echo.
set /P UL=[ ENTER THE LAST NAME OF THE USER TO DISABLE ]: 
echo.
echo [ ENTER THE ORGANIZATIONAL UNIT WHERE THE USER EXISTS...IF WITHIN MULTIPLE CONTAINERS ] 
echo [ USE THIS SYNTAX AND THE FIRST ^"OU^" IS ALREADY INCLUDED FOR YOU..................... ] 
set /P OU=[ UNIT ONE,OU=UNIT TWO,OU=UNIT THREE                                                  ]: 
echo.
dsmod user "CN=%UF% %UL%,OU=%OU%,DC=%DC1%,DC=%DC2%" -disabled yes
echo.
 
goto DONE
 
:ENABLE
set /P UF=[ ENTER THE FIRST NAME OF THE USER TO ENABLE ]: 
echo.
set /P UL=[ ENTER THE LAST NAME OF THE USER TO ENABLE ]: 
echo.
echo [ ENTER THE ORGANIZATIONAL UNIT WHERE THE USER EXISTS...IF WITHIN MULTIPLE CONTAINERS ] 
echo [ USE THIS SYNTAX AND THE FIRST ^"OU^" IS ALREADY INCLUDED FOR YOU..................... ] 
set /P OU=[ UNIT ONE,OU=UNIT TWO,OU=UNIT THREE                                                  ]: 
echo.
dsmod user "CN=%UF% %UL%,OU=%OU%,DC=%DC1%,DC=%DC2%" -disabled no
echo.
 
goto DONE
 
:DONE
echo.
echo RETURNING TO MENU
echo.
pause
goto MENU

batch.zip
Shift-3 ... good one. Maybe they can be integrated if needed.
> btw just want to verify I am editing the line correctly
> set /P pw=Enter the password for the account %acct%: domain\joe

No. Per my instructions, the only lines you should be editing are 4 and 5. If your list is c:\list file.csv and you're going to run the scheduled tasks under the username neoptoent, they should look like the lines below. Don't edit line 7.

Also, ensure that the dates are in mm/dd/yyyy format.

Run the script from a command prompt, or add the line pause to the end, and see if any errors appear.


set list=c:\list file.csv
set acct=neoptoent


Hi,
It says the date should be in month,day,year format.

I have a file called userlist.csv, edited it with Notepad, and have this entry:
john_a,06/25/2009,06/25/2009
error: invalid start date (date should be in the "mm/dd/yyyy" format).
Also, in the bat files created, I see
dsquery user -samid %1 |dsmod user -disabled no

does show the account to modify
ASKER CERTIFIED SOLUTION
Shift-3
This solution is only available to members.
Hey, works great.
It does not delete the scheduled task though after it runs.
Additionally,
do you know if there is a dsmod command to add a "log on to" computer in AD, as well as a command to change it to "log on to all"?
Are you using the version of schtasks.exe from Server 2003?  The XP version doesn't support the /z switch, which checks the Delete the task if it is not scheduled to run again box.

The tasks will only delete themselves after they run according to the schedule, not when run manually.

I don't understand your last question.
We have another task for some users to limit some users to specific machines on a schedule.
So I was going to modify the script you created to do that task as well when needed.
So I was looking for an AD command to add a computer to the "log on to" section, and another one to remove the setting.

Your script is amazing.... it is deleting the task.
No, I'm pretty sure dsmod won't do that.  However, vbscript will.
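An added example for the "log on to" question, not from Shift-3 or anyone else in the thread, and in PowerShell rather than the VBScript suggested above: the "Log On To" list is the AD attribute userWorkstations, which the ActiveDirectory module exposes as LogonWorkstations. It is a single comma-separated string of computer names, and an empty attribute means "all computers", so "log on to all" is restored by clearing the attribute rather than writing an empty string. The string merging is kept in two plain functions so it can be checked without a domain; the account and computer names in the usage lines are hypothetical, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not code from the thread. Manage the "Log On To" list (userWorkstations /
# LogonWorkstations), which dsmod cannot set. Assumes the RSAT ActiveDirectory module.

# Pure helpers on the comma-separated string, usable without AD.
# Matching is case-insensitive (-contains/-notcontains on strings), so PC01 and pc01 are the same entry.
function Add-WorkstationName {
    param([string]$Current, [string[]]$Names)
    $list = @($Current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    foreach ($n in $Names) {
        $n = $n.Trim()
        if ($n -ne '' -and $list -notcontains $n) { $list += $n }   # no duplicates
    }
    return ($list -join ',')
}

function Remove-WorkstationName {
    param([string]$Current, [string[]]$Names)
    $list = @($Current -split ',' | ForEach-Object { $_.Trim() } |
              Where-Object { $_ -ne '' -and $Names -notcontains $_ })
    return ($list -join ',')
}

# Writes the merged list back. An empty list must clear the attribute: that is what the
# "log on to all computers" radio button in ADUC does, and it lifts the restriction entirely.
function Set-LogonWorkstations {
    param([string]$SamAccountName, [string]$Value)
    if ($Value -eq '') {
        Set-ADUser -Identity $SamAccountName -Clear userWorkstations
    } else {
        Set-ADUser -Identity $SamAccountName -LogonWorkstations $Value
    }
}

# Usage with a hypothetical account and hypothetical computer names:
#   $u = Get-ADUser -Identity 'mary' -Properties LogonWorkstations
#   # restrict to two machines (adds to whatever is already listed)
#   Set-LogonWorkstations -SamAccountName $u.SamAccountName -Value (Add-WorkstationName -Current $u.LogonWorkstations -Names 'PC01','PC02')
#   # drop one machine again
#   Set-LogonWorkstations -SamAccountName $u.SamAccountName -Value (Remove-WorkstationName -Current $u.LogonWorkstations -Names 'PC01')
#   # back to "log on to all"
#   Set-LogonWorkstations -SamAccountName $u.SamAccountName -Value ''
```

Because Add-WorkstationName merges into the existing value instead of overwriting it, a scheduled job that restricts a user for a period and a separate job that lifts the restriction can both be driven from the same list without clobbering restrictions set by hand in ADUC; removing the last name clears the attribute, which is the only state in which the user can log on everywhere.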
If I close this and open another thread will you help me out with that?
 
I really need to learn vbscript you can do so much with it
I will if time permits.

Use the Ask a related question link.
Great work