Script to enable or disable users within OU

Hi there, I am looking for the script that will enable or disable users within OU. Please help me out, thank you in advance.
2LL Asked:
 
rejoinder Commented:
Here is a script that will disable all users within a particular OU.
Line 1 needs to be edited to point to the OU the users are in.  If you are not familiar with how to enter the OU path, please let me know, but the idea is this...
Start with the OU itself (ou=xyz) and use commas as you traverse up the tree, so that if the path looks like this \My Users\Disabled Users\Here you would have to start with ou=Here,ou=Disabled Users,ou=My Users.
Next is your FQDN, such that it might look like this sub.domain.com but for the script would need to be dc=sub,dc=domain,dc=com.
Combined, the string will appear as ou=Here,ou=Disabled Users,ou=My Users,dc=sub,dc=domain,dc=com
strOU = "OU=Disabled,OU=My Users,DC=domain,DC=com"
 
' Query the directory through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
' Search base; filter (user accounts only); attribute to return; scope
strBase = "<LDAP://" & strOU & ">"
strFilter = "(&(objectCategory=person)(objectClass=user))"
strAttributes = "distinguishedName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 1000
Set objRecordSet = objCommand.Execute
' No MoveFirst: it raises an error when the OU holds no users, and the
' record set already starts at the first record
Do Until objRecordSet.EOF
    strUserDN = objRecordSet.Fields("distinguishedName").Value
    Set objUser = GetObject("LDAP://" & strUserDN)
    objUser.AccountDisabled = True   ' disable the account
    objUser.SetInfo                  ' write the change back to the directory
    objRecordSet.MoveNext
Loop

0
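The path-to-DN rule described in the post above, as an added example that is not part of the original thread: it reverses the OU path, appends the domain components, and escapes characters that are special inside a DN. BuildOuDN and EscapeRdnValue are hypothetical helper names.

```vbscript
Option Explicit
' Added example. BuildOuDN and EscapeRdnValue are hypothetical helper names.

' Escape characters that are special inside an RDN value so an OU name
' containing, say, a comma cannot be read as an extra DN component.
Function EscapeRdnValue(strValue)
    Dim i, ch, strOut
    strOut = ""
    For i = 1 To Len(strValue)
        ch = Mid(strValue, i, 1)
        If InStr(",+""\<>;=", ch) > 0 Then
            strOut = strOut & "\" & ch
        ElseIf (ch = "#" And i = 1) Or (ch = " " And (i = 1 Or i = Len(strValue))) Then
            ' A leading "#" and leading or trailing spaces also need escaping
            strOut = strOut & "\" & ch
        Else
            strOut = strOut & ch
        End If
    Next
    EscapeRdnValue = strOut
End Function

' strPath:   OU path from the top of the domain, e.g. "\My Users\Disabled Users\Here"
' strDomain: DNS name of the domain, e.g. "sub.domain.com"
Function BuildOuDN(strPath, strDomain)
    Dim arrParts, i, strDN
    strDN = ""
    arrParts = Split(strPath, "\")
    ' Walk the path backwards: the deepest OU comes first in the DN.
    For i = UBound(arrParts) To 0 Step -1
        If Len(arrParts(i)) > 0 Then
            strDN = strDN & "ou=" & EscapeRdnValue(arrParts(i)) & ","
        End If
    Next
    ' Each label of the DNS name becomes one dc= component, left to right.
    arrParts = Split(strDomain, ".")
    For i = 0 To UBound(arrParts)
        strDN = strDN & "dc=" & arrParts(i)
        If i < UBound(arrParts) Then strDN = strDN & ","
    Next
    BuildOuDN = strDN
End Function

' Sample values taken from the explanation in the thread
WScript.Echo BuildOuDN("\My Users\Disabled Users\Here", "sub.domain.com")
```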
 
JuanCarniglia Commented:
Taken from:

http://techtasks.com/code/viewbookcode/1579
-----


strDisableAccount = FALSE  
strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com

set objUser = GetObject("LDAP://" & strUserDN)
if objUser.AccountDisabled = TRUE then
   WScript.Echo "Account for " & objUser.Get("cn") & " currently disabled"
   if strDisableAccount = FALSE then
      objUser.AccountDisabled = strDisableAccount
      objUser.SetInfo
      WScript.Echo "Account enabled"
   end if
else
   WScript.Echo "Account currently enabled"
   if strDisableAccount = TRUE then
      objUser.AccountDisabled = strDisableAccount
      objUser.SetInfo
      WScript.Echo "Account disabled"
   end if
end if


Greetings
0
 
2LL Author Commented:
Thanks, JuanCarniglia. Actually, I am looking for the script that will enable or disable users within an OU, not an individual user.
0
 
JuanCarniglia Commented:
Oh, you mean ALL users within the same OU.

You would have to do a search, and then, disable/enable each one, while looping through them.

Maybe this,

Option Explicit

Dim objDSE, strDefaultDN, strDN, objContainer, objChild, strDisableAccount

strDisableAccount = FALSE   ' TRUE disables the accounts, FALSE enables them

Set objDSE = GetObject("LDAP://rootDSE")
strDefaultDN = "CN=Users," & objDSE.Get("defaultNamingContext")

strDN = InputBox("Enter the distinguished name of a container" & _
      vbCrLf & "(e.g. " & strDefaultDN & ")", , strDefaultDN)

If strDN = "" Then WScript.Quit(1)            'user clicked Cancel

Set objContainer = GetObject("LDAP://" & strDN)

' Enumerate only objects of class user that sit directly in the container
objContainer.Filter = Array("user")
For Each objChild In objContainer
      WScript.Echo objChild.Name & vbTab & objChild.Description

      If objChild.AccountDisabled = TRUE Then
         WScript.Echo "Account for " & objChild.Get("cn") & " currently disabled"
         If strDisableAccount = FALSE Then
            objChild.AccountDisabled = strDisableAccount
            objChild.SetInfo
            WScript.Echo "Account enabled"
         End If
      Else
         WScript.Echo "Account currently enabled"
         If strDisableAccount = TRUE Then
            objChild.AccountDisabled = strDisableAccount
            objChild.SetInfo
            WScript.Echo "Account disabled"
         End If
      End If
Next
0
 
2LL Author Commented:
No, this is not the one that I am looking for. While my task requires me to disable/enable within the OU as fast as possible, I should not search for individual users at all. That's why I need help from experts.
Anyway, thank you very much for your help.
0
 
rejoinder Commented:
Oops - you also wanted to be able to enable within an OU as well - this is a revised script.
Edit line 2; True will disable accounts, False will enable all accounts
(within the OU mentioned in Line 1)
strOU = "OU=Disabled,OU=My Users,DC=domain,DC=com"
boolDisableAccount = True
 
' Query the directory through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
' Search base; filter (user accounts only); attribute to return; scope
strBase = "<LDAP://" & strOU & ">"
strFilter = "(&(objectCategory=person)(objectClass=user))"
strAttributes = "distinguishedName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 1000
Set objRecordSet = objCommand.Execute
' No MoveFirst: it raises an error when the OU holds no users, and the
' record set already starts at the first record
Do Until objRecordSet.EOF
    strUserDN = objRecordSet.Fields("distinguishedName").Value
    Set objUser = GetObject("LDAP://" & strUserDN)
    ' boolDisableAccount (line 2) decides the direction for every account
    if boolDisableAccount then
        objUser.AccountDisabled = True
    else
        objUser.AccountDisabled = False
    end if
    objUser.SetInfo   ' write the change back to the directory
    objRecordSet.MoveNext
Loop

0
 
2LL Author Commented:
Rejoinder, thank you very much for your help. It worked. Can you explain to me the line in the enable user account script?
       if boolDisableAccount then
             objUser.AccountDisabled = True
Because when I ran your original script it did not enable any user account at all; I had to remove the line above, and it worked from there.
0
 
rejoinder Commented:
To enable accounts, set the value on line 2 to this...
boolDisableAccount = False

Then when the script does the logic at the point to enable/disable an account it will ask for the value of boolDisableAccount.  If the setting is true, the account gets disabled; if false, then the account will get enabled.
0
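A variation on the revised script above, added here and not written by any participant in the thread: it reads each account's current state from userAccountControl, changes only accounts that differ from the requested state, and prints the prior state so a bulk change can be reviewed or reversed. boolDryRun is an assumed setting, and the OU is the placeholder value from the thread.

```vbscript
Option Explicit
' Added example; boolDryRun is an assumed setting, strOU is a placeholder.
Const ADS_UF_ACCOUNTDISABLE = &H2
Dim strOU, boolDisableAccount, boolDryRun
strOU = "OU=Disabled,OU=My Users,DC=domain,DC=com"
boolDisableAccount = True     ' True disables, False enables
boolDryRun = True             ' True only reports; set False to write changes

Dim objConnection, objCommand, objRecordSet, objUser
Dim strUserDN, lngUAC, boolIsDisabled, lngChanged, lngSkipped

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = "<LDAP://" & strOU & ">;" & _
    "(&(objectCategory=person)(objectClass=user));" & _
    "distinguishedName,userAccountControl;subtree"
objCommand.Properties("Page Size") = 1000
Set objRecordSet = objCommand.Execute

lngChanged = 0 : lngSkipped = 0
' No MoveFirst: the loop simply does not run when the OU holds no users.
Do Until objRecordSet.EOF
    strUserDN = objRecordSet.Fields("distinguishedName").Value
    lngUAC = objRecordSet.Fields("userAccountControl").Value
    boolIsDisabled = ((lngUAC And ADS_UF_ACCOUNTDISABLE) <> 0)
    If boolIsDisabled = boolDisableAccount Then
        lngSkipped = lngSkipped + 1      ' already in the requested state
    Else
        ' Prior state goes to stdout so the run can be reviewed or reversed.
        WScript.Echo Now & vbTab & strUserDN & vbTab & "was disabled=" & _
            boolIsDisabled & vbTab & "set disabled=" & boolDisableAccount
        If Not boolDryRun Then
            ' "/" is a path separator in an ADsPath, so escape it in the DN
            Set objUser = GetObject("LDAP://" & Replace(strUserDN, "/", "\/"))
            objUser.AccountDisabled = boolDisableAccount
            objUser.SetInfo
        End If
        lngChanged = lngChanged + 1
    End If
    objRecordSet.MoveNext
Loop
WScript.Echo lngChanged & " to change, " & lngSkipped & " unchanged, dry run=" & boolDryRun
objConnection.Close
```

Run it with cscript and redirect the output to a file to keep the record of which accounts were in which state before the change.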
Question has a verified solution.
