Set Manager attribute to null when account is disabled using PowerShell

We would like to run a nightly job that sets the "manager" attribute to NULL if the account is disabled. A PowerShell script is preferred. Can someone help?

Chris Dent, PowerShell Developer, commented:

If you're using the parts native to PowerShell (DirectoryServices) then....

# Create a search filter for disabled accounts with Manager still set
$LdapFilter = "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.804:=2)(manager=*))"
# Create a searcher for the current domain
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Null, $LdapFilter)
$Searcher.PageSize = 100
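$Searcher.PropertiesToLoad.AddRange(@("distinguishedName", "manager"))
ForEach ($User in $Searcher.FindAll()) {
  $User = $User.GetDirectoryEntry()
  # 1 = ADS_PROPERTY_CLEAR: remove the attribute rather than write an empty value
  $User.PutEx(1, "manager", $Null)
  # Commit the change to the directory
  $User.SetInfo()
}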


* How about a VB Script that would enumerate the domain and look for all disabled accounts and then if found, set their "Manager" attribute in the Organization tab as NULL (basically the CLEAR function of ADUC User account property)

* While entering the domain name, provide the FQDN of the domain.

Hope this helps (^_^)
Option Explicit
' ADSI PutEx control code that removes every value of an attribute
Const ADS_PROPERTY_CLEAR = 1
Dim strDomain, objComputer, objUser, oRoot, strDefaultNamingContext, username, objUser1, strPath

' Keep prompting until a domain name is entered
Do
	strDomain = InputBox( "Please enter a domainname", "Input" )
Loop Until strDomain <> ""

' Finding our default naming context
Set oRoot = GetObject("LDAP://rootDSE")
strDefaultNamingContext = oRoot.Get("defaultNamingContext")
Set oRoot = Nothing

ListUsers strDomain

Sub ListUsers( strDomain )
	Set objComputer = GetObject("WinNT://" & strDomain )
	objComputer.Filter = Array( "User" )
	For Each objUser In objComputer
		username = "" & objUser.Name
		If objUser.AccountDisabled = True Then
			' Resolve the account name to its LDAP path; skip it if not found
			strPath = getLdapUN(username)
			If VarType(strPath) = vbString Then
				Set objUser1 = GetObject(strPath)
				objUser1.PutEx ADS_PROPERTY_CLEAR, "manager", 0
				' Commit the change to the directory
				objUser1.SetInfo
			End If
		End If
	Next
	MsgBox "The Script has finished working"
End Sub

' Function module for getLdapUN()
' Returns the ADsPath of the user with the given sAMAccountName, or False
Function getLdapUN(strUN)
	Dim oConnect, Command, strLdapQuery, Rs
	getLdapUN = False
	Set oConnect = CreateObject("ADODB.Connection")
	Set Command = CreateObject("ADODB.Command")
	'--- search for object in AD ---
	strLdapQuery = "<LDAP://" & strDefaultNamingContext & ">;" & _
		"(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
		strUN & "));ADsPath,cn;subtree"
	oConnect.Provider = "ADsDSOObject"
	oConnect.Open "Active Directory Provider"
	Set Command.ActiveConnection = oConnect
	Command.CommandText = strLdapQuery
	Set Rs = Command.Execute 'Execute the query
	'WScript.Echo "Records: " & Rs.RecordCount
	If Rs.RecordCount > 0 Then
		getLdapUN = Rs("ADsPath").Value
	End If
	Set oConnect = Nothing
	Set Command = Nothing
End Function


Chris Dent, PowerShell Developer, commented:

And if you happen to prefer to use Quest's tools...



PS both of these options will leave you with the manager attribute unset (we're not inserting a blank value in its place)
Get-QADUser -Manager * -Disabled | Set-QADUser -objectAttributes @{manager=''}
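
For the nightly job the question asks for, a directory change that runs unattended is easier to trust when it can be dry-run and when it records what it removed. The following is an added example, not code from any participant in this thread: it wraps the DirectoryServices approach above in a function with -WhatIf support and a CSV audit log. The function name, the log path (whose folder must already exist) and the use of PowerShell 3.0 or later (for Export-Csv -Append) are assumptions.

```powershell
# Added example, not from the original thread. Function name, parameter and
# log path are assumptions chosen for illustration. Requires PowerShell 3.0+.
function Clear-DisabledUserManager {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Hypothetical audit log location; one row per processed account
        [string]$LogPath = "C:\Logs\ClearManager-$(Get-Date -Format yyyyMMdd).csv"
    )

    $ADS_PROPERTY_CLEAR = 1
    # Same filter as the thread: disabled user accounts with manager still set
    $filter = "(&(objectClass=user)(objectCategory=person)" +
              "(userAccountControl:1.2.840.113556.1.4.804:=2)(manager=*))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($null, $filter)
    $searcher.PageSize = 100
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'manager'))

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            # Property names in search results are stored lower-case
            $dn      = [string]$result.Properties['distinguishedname'][0]
            $manager = [string]$result.Properties['manager'][0]

            if ($PSCmdlet.ShouldProcess($dn, "Clear manager ($manager)")) {
                try {
                    $entry = $result.GetDirectoryEntry()
                    $entry.PutEx($ADS_PROPERTY_CLEAR, 'manager', $null)
                    $entry.SetInfo()
                    $status = 'Cleared'
                }
                catch {
                    $status = "Failed: $($_.Exception.Message)"
                }
                # Keep the previous value so the change can be audited or reverted
                [pscustomobject]@{
                    Time = (Get-Date -Format s); User = $dn
                    PreviousManager = $manager; Status = $status
                } | Export-Csv -Path $LogPath -Append -NoTypeInformation
            }
        }
    }
    finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged resources
    }
}

Clear-DisabledUserManager -WhatIf   # dry run; drop -WhatIf in the scheduled task
```

With -WhatIf nothing is written to the directory or to the log; the accounts that would be changed are only listed on the console.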
