?
Solved

Set Manager attribute to null when account is disabled using Powershell

Posted on 2009-04-04
3
Medium Priority
?
1,296 Views
Last Modified: 2012-05-06
We would like to run a nightly job that sets the "manager" attribute to NULL if the account is disabled.  A Powershell script is preferred.  Can someone help?
0
Comment
Question by:sanderson321
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 10

Expert Comment

by:Rudram
ID: 24073189
* How about a VB Script that would enumerate the domain and look for all disabled accounts and then if found, set their "Manager" attribute in the Organization tab as NULL (basically the CLEAR function of ADUC User account property)

* While entering the domain name, provide the FQDN of the domain.

Hope this helps (^_^)
Option Explicit
 
Const ADS_PROPERTY_CLEAR = 1
 
Dim strDomain, objComputer, objUser, oRoot,strDefaultNamingContext, username, objUser1
 
Do
  strDomain = inputbox( "Please enter a domainname", "Input" )
Loop until strDomain <> ""
 
     'Finding our default naming context
    Set oRoot = GetObject("LDAP://rootDSE")
    strDefaultNamingContext = oRoot.Get("defaultNamingContext")
    Set oRoot = Nothing
 
 
ListUsers( strDomain )
 
Sub ListUsers( strDomain )
	Set objComputer = GetObject("WinNT://" & strDomain )
	objComputer.Filter = Array( "User" )
	
	
	For Each objUser In objComputer
 
		username = ""&objuser.name
	
            	If objUser.AccountDisabled = TRUE Then
 
			Set objUser1 = GetObject(getLdapUN(username))
			
			objUser1.PutEx ADS_PROPERTY_CLEAR,"manager",0
			objuser1.Setinfo
		End If
	Next
	
	MsgBox "The Script has finished working"
End Sub
 
'Function module for getLdapUN()
Function getLdapUN(strUN)
Dim oConnect, Command, strLdapQuery, Rs
getLdapUN = False
Set oConnect = CreateObject("ADODB.Connection")
Set Command = CreateObject("ADODB.Command")
'--- search for object in AD ---
strldapquery = "<LDAP://" & strDefaultNamingContext & ">;" & _
"(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
strUN & "));ADsPath,cn;subtree"
 
oConnect.Provider = "ADsDSOObject"
oConnect.Open "Active Directory Provider"
Set Command.ActiveConnection = oConnect
Command.CommandText = strldapquery 'strSQL
Set Rs = Command.Execute 'Execute the query
 
'WScript.Echo "Records: " & Rs.RecordCount
If Rs.RecordCount > 0 Then
    getLdapUN = rs("AdsPath")
End If
 
Set oConnect = Nothing
Set Command = Nothing
End Function

Open in new window

0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 24076278

If you're using the parts native to PowerShell (DirectoryServices) then....

Chris
# Create a search filter for disabled accounts with Manager still set
$LdapFilter = "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.804:=2)(manager=*))"
 
# Create a searcher for the current domain
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Null, $LdapFilter)
$Searcher.PageSize = 100
$Searcher.PropertiesToLoad.AddRange(@("distinguishedNamed", "manager"))
 
ForEach ($User in $Searcher.FindAll()) {
  $User = $User.GetDirectoryEntry()
  $User.PutEx(1, "manager", $Null)
  $User.SetInfo()
}

Open in new window

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24076314

And if you happen to prefer to use Quest's tools...

http://www.quest.com/activeroles-server/arms.aspx

Then...

Chris

PS both of these options will leave you with the manager attribute unset (we're not inserting a blank value in its place)
Get-QADUser -Manager * -Disabled | Set-QADUser -objectAttributes @{manager=''}

Open in new window

0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
A couple of months ago we ran into an issue that necessitated re-creating our Edge Subscriptions. However, when we attempted to execute the command: New-EdgeSubscription -filename C:\NewEdgeSub_01.xml we received an error indicating that the LDAP se…
The viewer will be introduced to the technique of using vectors in C++. The video will cover how to define a vector, store values in the vector and retrieve data from the values stored in the vector.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question