Set Manager attribute to null when account is disabled using PowerShell

Posted on 2009-04-04
Last Modified: 2012-05-06
We would like to run a nightly job that sets the "manager" attribute to NULL if the account is disabled. A PowerShell script is preferred. Can someone help?
Question by:sanderson321

Expert Comment

* How about a VB Script that would enumerate the domain and look for all disabled accounts and then, if found, set their "Manager" attribute in the Organization tab as NULL (basically the CLEAR function of the ADUC user account property)?

* While entering the domain name, provide the FQDN of the domain.

Hope this helps (^_^)
Option Explicit

' ADSI PutEx control code that removes all values of an attribute
Const ADS_PROPERTY_CLEAR = 1

Dim strDomain, objComputer, objUser, oRoot, strDefaultNamingContext, username, objUser1

' Keep prompting until a domain name is entered
Do
    strDomain = InputBox("Please enter a domainname", "Input")
Loop Until strDomain <> ""

' Finding our default naming context
Set oRoot = GetObject("LDAP://rootDSE")
strDefaultNamingContext = oRoot.Get("defaultNamingContext")
Set oRoot = Nothing

ListUsers( strDomain )

Sub ListUsers( strDomain )
	' Enumerate user objects through the WinNT provider
	Set objComputer = GetObject("WinNT://" & strDomain )
	objComputer.Filter = Array( "User" )

	For Each objUser In objComputer
		' The posted line was cut off after ""& ; objUser.Name (the
		' sAMAccountName under the WinNT provider) is assumed here
		username = "" & objUser.Name

		If objUser.AccountDisabled = True Then
			' Rebind through LDAP, because "manager" is not exposed by WinNT
			Set objUser1 = GetObject(getLdapUN(username))
			objUser1.PutEx ADS_PROPERTY_CLEAR, "manager", 0
			' PutEx only changes the local property cache; SetInfo writes it to AD
			objUser1.SetInfo
		End If
	Next

	MsgBox "The Script has finished working"
End Sub

'Function module for getLdapUN()
' Returns the ADsPath for a sAMAccountName, or False if no match is found
Function getLdapUN(strUN)
	Dim oConnect, Command, strLdapQuery, Rs

	getLdapUN = False

	Set oConnect = CreateObject("ADODB.Connection")
	Set Command = CreateObject("ADODB.Command")

	'--- search for object in AD ---
	strLdapQuery = "<LDAP://" & strDefaultNamingContext & ">;" & _
		"(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
		strUN & "));ADsPath,cn;subtree"

	oConnect.Provider = "ADsDSOObject"
	oConnect.Open "Active Directory Provider"

	Set Command.ActiveConnection = oConnect
	Command.CommandText = strLdapQuery 'strSQL

	Set Rs = Command.Execute 'Execute the query

	'WScript.Echo "Records: " & Rs.RecordCount
	If Rs.RecordCount > 0 Then
		getLdapUN = Rs("AdsPath")
	End If

	Set oConnect = Nothing
	Set Command = Nothing
End Function


Accepted Solution

Chris Dent earned 500 total points

If you're using the parts native to PowerShell (DirectoryServices) then....

# Create a search filter for disabled accounts with Manager still set
$LdapFilter = "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.804:=2)(manager=*))"

# Create a searcher for the current domain
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Null, $LdapFilter)
$Searcher.PageSize = 100
$Searcher.PropertiesToLoad.AddRange(@("distinguishedName", "manager"))

ForEach ($User in $Searcher.FindAll()) {
  # Bind to the object itself so it can be modified
  $User = $User.GetDirectoryEntry()
  # 1 = ADS_PROPERTY_CLEAR: remove the attribute value
  $User.PutEx(1, "manager", $Null)
  # PutEx only updates the local property cache; SetInfo commits it to the directory
  $User.SetInfo()
}


Expert Comment

by:Chris Dent

And if you happen to prefer to use Quest's tools...

Get-QADUser -Manager * -Disabled | Set-QADUser -objectAttributes @{manager=''}

PS both of these options will leave you with the manager attribute unset (we're not inserting a blank value in its place)
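For an unattended nightly run, it helps to record which manager value was removed from which account and to be able to rehearse the change first. The following is an added example, not code from any poster in this thread: it wraps the accepted solution's DirectoryServices approach in a function that supports -WhatIf and emits one audit record per account. The function name Clear-DisabledUserManager and the CSV path are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not code from the thread. Assumes PowerShell 3.0 or later.
# The function name Clear-DisabledUserManager is hypothetical.
function Clear-DisabledUserManager {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $ADS_PROPERTY_CLEAR = 1
    # Same filter as the accepted solution: disabled accounts with manager set
    $filter = "(&(objectClass=user)(objectCategory=person)" +
              "(userAccountControl:1.2.840.113556.1.4.804:=2)(manager=*))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $filter
    $searcher.PageSize = 100
    $searcher.PropertiesToLoad.AddRange(@("distinguishedName", "manager"))

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            $dn = [string]$result.Properties["distinguishedname"][0]
            # Capture the old value before touching the object
            $record = [pscustomobject]@{
                Timestamp         = (Get-Date).ToString("s")
                DistinguishedName = $dn
                PreviousManager   = [string]$result.Properties["manager"][0]
                Status            = "NotChanged"
            }
            # -WhatIf makes ShouldProcess return $false, so nothing is written
            if ($PSCmdlet.ShouldProcess($dn, "Clear manager attribute")) {
                try {
                    $entry = $result.GetDirectoryEntry()
                    $entry.PutEx($ADS_PROPERTY_CLEAR, "manager", $null)
                    $entry.SetInfo()
                    $record.Status = "Cleared"
                } catch {
                    # One failing object should not stop the nightly run
                    $record.Status = "Failed: " + $_.Exception.Message
                }
            }
            $record   # emit to the pipeline so the caller can log it
        }
    } finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged resources
        $searcher.Dispose()
    }
}

# Dry run first, then the real run with a CSV audit trail (path is an example)
# Clear-DisabledUserManager -WhatIf
# Clear-DisabledUserManager | Export-Csv .\manager-cleanup.csv -NoTypeInformation
```

The PreviousManager column is what makes the change reversible if an account is later re-enabled.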

