Solved

Set Manager attribute to null when account is disabled using Powershell

Posted on 2009-04-04
3
1,276 Views
Last Modified: 2012-05-06
We would like to run a nightly job that sets the "manager" attribute to NULL if the account is disabled.  A Powershell script is preferred.  Can someone help?
0
Comment
Question by:sanderson321
  • 2
3 Comments
 
LVL 10

Expert Comment

by:Rudram
ID: 24073189
* How about a VB Script that would enumerate the domain and look for all disabled accounts and then if found, set their "Manager" attribute in the Organization tab as NULL (basically the CLEAR function of ADUC User account property)

* While entering the domain name, provide the FQDN of the domain.

Hope this helps (^_^)
Option Explicit
 

Const ADS_PROPERTY_CLEAR = 1
 

Dim strDomain, objComputer, objUser, oRoot,strDefaultNamingContext, username, objUser1
 

Do

  strDomain = inputbox( "Please enter a domainname", "Input" )

Loop until strDomain <> ""
 

     'Finding our default naming context

    Set oRoot = GetObject("LDAP://rootDSE")

    strDefaultNamingContext = oRoot.Get("defaultNamingContext")

    Set oRoot = Nothing
 
 

ListUsers( strDomain )
 

Sub ListUsers( strDomain )

	Set objComputer = GetObject("WinNT://" & strDomain )

	objComputer.Filter = Array( "User" )

	

	

	For Each objUser In objComputer
 

		username = ""&objuser.name

	

            	If objUser.AccountDisabled = TRUE Then
 

			Set objUser1 = GetObject(getLdapUN(username))

			

			objUser1.PutEx ADS_PROPERTY_CLEAR,"manager",0

			objuser1.Setinfo

		End If

	Next

	

	MsgBox "The Script has finished working"

End Sub
 

'Function module for getLdapUN()

Function getLdapUN(strUN)

Dim oConnect, Command, strLdapQuery, Rs

getLdapUN = False

Set oConnect = CreateObject("ADODB.Connection")

Set Command = CreateObject("ADODB.Command")

'--- search for object in AD ---

strldapquery = "<LDAP://" & strDefaultNamingContext & ">;" & _

"(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _

strUN & "));ADsPath,cn;subtree"
 

oConnect.Provider = "ADsDSOObject"

oConnect.Open "Active Directory Provider"

Set Command.ActiveConnection = oConnect

Command.CommandText = strldapquery 'strSQL

Set Rs = Command.Execute 'Execute the query
 

'WScript.Echo "Records: " & Rs.RecordCount

If Rs.RecordCount > 0 Then

    getLdapUN = rs("AdsPath")

End If
 

Set oConnect = Nothing

Set Command = Nothing

End Function

Open in new window

0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24076278

If you're using the parts native to PowerShell (DirectoryServices) then....

Chris
# Create a search filter for disabled accounts with Manager still set

$LdapFilter = "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.804:=2)(manager=*))"
 

# Create a searcher for the current domain

$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Null, $LdapFilter)

$Searcher.PageSize = 100

$Searcher.PropertiesToLoad.AddRange(@("distinguishedNamed", "manager"))
 

ForEach ($User in $Searcher.FindAll()) {

  $User = $User.GetDirectoryEntry()

  $User.PutEx(1, "manager", $Null)

  $User.SetInfo()

}

Open in new window

0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24076314

And if you happen to prefer to use Quest's tools...

http://www.quest.com/activeroles-server/arms.aspx

Then...

Chris

PS both of these options will leave you with the manager attribute unset (we're not inserting a blank value in its place)
Get-QADUser -Manager * -Disabled | Set-QADUser -objectAttributes @{manager=''}

Open in new window

0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out what you should include to make the best professional email signature for your organization.
Read this checklist to learn more about the 15 things you should never include in an email signature.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
how to add IIS SMTP to handle application/Scanner relays into office 365.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now