Solved

Mass ID disablement in Active Directory

Posted on 2006-06-21
Last Modified: 2010-08-05
Does anybody know how to write a script to disable and delete multiple IDs (about 2000) in Windows 2000 Active Directory?

Conditions:
- one line of statement (which means NOT 2000 command lines, each referring to an individual ID).
- the script should refer to a text file or Excel file for the ID listing

I appreciate your help. I need this urgently.

thanks in advance
Question by:yatie
6 Comments
 
LVL 9

Expert Comment

by:Krompton
ID: 16951191
You probably already know this but just in case; deleting things using scripts can get you into trouble.

Do you want to remove (delete) user accounts from AD, or disable them, or both? Will there be computer accounts as well, or just users? Please provide a little more detail as to what you want your script to accomplish.

Krompton
0
 

Author Comment

by:yatie
ID: 16956424
Hi Krompton,

Thanks for the response. What I want to do is:
i) disable user accounts in AD (no computer accounts, only user accounts)
ii) after two weeks, run another script to disable those disabled user accounts
iii) have a script of a single line or a few lines, BUT NOT one line of command per individual user account

Thanks very much. Hope you could help me achieve this.

yati
0
 
LVL 9

Accepted Solution

by:
Krompton earned 500 total points
ID: 16961351
Disabling accounts via script is reasonably easy and the script would only need to be a few lines long. The “difficult” part is if you want to use a script to get the usernames. You’ll need some criterion that will filter the accounts.

Is there something the same in all the accounts to be disabled and NOT in those to be left alone?

If your answer to this question is “no” then try this:
I know this works for 2003 but have not tried it on 2000

SO USE CAUTION

Run the following command on your Domain Controller
dsquery user > "C:\DomainUserList.txt" (EDIT the text file created and delete users you don’t want disabled)
(dsquery.exe should be located in c:\windows\system32 folder)

Save text between **** as .vbs (i.e. C:\DisableUsers.vbs)

**********
' Bulk-disable the accounts listed in a text file (one DN per line, as written by "dsquery user").
' Usage: WScript.exe C:\DisableUsers.vbs UserListToDisable DNSNameOfDomainController
UsageMsg = "Usage: " & VBCrLf & "          WScript.exe C:\DisableUsers.vbs UserListToDisable DNSNameOfDomainController" & VBCrLf & _
"Example:" & VBCrLf & "          WScript.exe C:\DisableUsers.vbs C:\DomainUserList.txt DC1.Domain.Local"

' ADS_UF_ACCOUNTDISABLE is the userAccountControl bit that marks an account as disabled.
Const ADS_UF_ACCOUNTDISABLE = 2, ForReading = 1, ForWriting = 2, ForAppending = 8
If WScript.Arguments.Count < 2 Then
      MsgBox UsageMsg,,"Syntax Error"
      WScript.Quit
Else
      UserListFile = WScript.Arguments(0)
      Controller = WScript.Arguments(1)
End If

' Read the whole list file and split it into one entry per line.
Set oFS = WScript.CreateObject("Scripting.FileSystemObject")
Set oFSContents = oFS.OpenTextFile(UserListFile, ForReading)
UserList = oFSContents.ReadAll
oFSContents.Close
Users = Split(UserList, vbNewLine)

For Each User in Users
      User = Trim(User)
      If User <> "" Then
            ' dsquery wraps each DN in double quotes; strip them before building the ADsPath.
            Set objUser = GetObject("LDAP://" & Controller & "/" & Replace(User, Chr(34), ""))
            ' OR in the disable bit so the account's other userAccountControl flags are preserved.
            intUAC = objUser.Get("userAccountControl")
            objUser.Put "userAccountControl", intUAC OR ADS_UF_ACCOUNTDISABLE
            objUser.SetInfo
      End If
Next

WScript.Quit

**************

Then run the following command on your Domain Controller
WScript.exe C:\DisableUsers.vbs C:\DomainUserList.txt DNSNameOfDomainController


Good Luck,
Krompton
0
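An added preflight check (my own example, not code from Krompton's answer or from Experts Exchange) for the DN list that "dsquery user" writes: it parses the quoted DNs, flags entries a bulk disable should never touch, reports duplicates and malformed lines, and shows the userAccountControl value the script above would write. The protected names, the OU fragment and the sample DNs are constructed placeholders, not values from any real domain.

```python
ADS_UF_ACCOUNTDISABLE = 0x0002   # same userAccountControl bit the VBScript ORs in
PROTECTED_CNS = {"administrator", "krbtgt", "guest"}   # constructed placeholder exclusions
PROTECTED_OU_FRAGMENTS = ("ou=service accounts",)       # constructed placeholder exclusions

def parse_dsquery_line(line):
    """DN from one dsquery output line with its double quotes stripped, or None."""
    line = line.strip()
    if len(line) >= 2 and line[0] == '"' and line[-1] == '"':
        line = line[1:-1]
    return line if line.lower().startswith("cn=") else None

def leading_cn(dn):
    """First RDN value, honouring backslash-escaped commas (e.g. 'Doe\\, John')."""
    out, i = [], 3                      # skip the leading 'CN='
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):
            i += 1                      # keep the escaped character literally
        out.append(dn[i])
        i += 1
    return "".join(out)

def classify(dn):
    """'skip-protected' for accounts that must never be bulk-disabled, else 'disable'."""
    protected = leading_cn(dn).lower() in PROTECTED_CNS or any(
        frag in dn.lower() for frag in PROTECTED_OU_FRAGMENTS)
    return "skip-protected" if protected else "disable"

def new_uac(current):
    return current | ADS_UF_ACCOUNTDISABLE   # what the VBScript writes; no change if already disabled
def preflight(text):
    """Dry run over the file text: (DN -> action, rejected raw lines, duplicate DNs)."""
    actions, rejected, dupes, seen = {}, [], [], set()
    for raw in text.splitlines():
        dn = parse_dsquery_line(raw)
        if dn is None:
            if raw.strip():             # blank lines are ignored, anything else is reported
                rejected.append(raw)
        elif dn.lower() in seen:
            dupes.append(dn)
        else:
            seen.add(dn.lower())
            actions[dn] = classify(dn)
    return actions, rejected, dupes

SAMPLE = '''"CN=Administrator,CN=Users,DC=example,DC=local"
"CN=Doe\\, John,OU=Staff,DC=example,DC=local"
"CN=svc-backup,OU=Service Accounts,DC=example,DC=local"
"CN=Doe\\, John,OU=Staff,DC=example,DC=local"
not a dn
'''  # constructed sample of dsquery output, not from a real domain
```

Run preflight() over the edited DomainUserList.txt and only feed the DNs classified "disable" to the script; anything rejected or duplicated is worth a look before the bulk change.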
 
LVL 9

Expert Comment

by:Krompton
ID: 16962293
Oh, BTW...

Replace:
          Set objUser = GetObject("LDAP://" & Controller & "/" & (Replace(User, Chr(34), "")))
          intUAC = objUser.Get("userAccountControl")
          objUser.Put "userAccountControl", intUAC OR ADS_UF_ACCOUNTDISABLE
          objUser.SetInfo

With
      Set WSHShell = CreateObject("Wscript.Shell")
      ' User still carries the double quotes written by dsquery, which dsrm needs for DNs containing spaces.
      Cmd = "cmd /c dsrm -noprompt " & User
      MyVal = WSHShell.Run(Cmd,1,True)

When you want to delete the users.
0
