Mass Disable in AD via Script

I am in need of a script that can disable user accounts in AD based on the user's "description", not the username, so dsmod is out of the question. Any help is greatly appreciated.
Premkumar Yogeswaran, Sr. Analyst - System Administrator

Commented:
Hi,
Using Saved Queries you can achieve this task!

http://www.windowsecurity.com/articles/Using-Saved-Queries.html

Select Start | Administrative Tools | Active Directory Users and Computers
On the left pane, you will see the Saved Queries Node
Right Click Select New

Name: Test
Query Root: (Select OU or Domain)
Define Query:
Find: Common Queries
User Tab:
Description: Start With : (TYPE NAME)
Click OK

Now the list of users with the same description shows.

Now select all and disable...
Premkumar Yogeswaran, Sr. Analyst - System Administrator

Commented:
Refer to the link in the above post:

Saved query is one of the advantages in Server 2003.

All the best

Cheers:
Prem

Author

Commented:
I should add that I wanted this to be done automatically. I have over 500 to disable, and I have a text file with the "descriptions" listed in it. Is there any way that it can be read from that file and then disable the account?

Premkumar Yogeswaran, Sr. Analyst - System Administrator

Commented:

Author

Commented:
Unfortunately that would require the "usernames" to be in a text file, which is what I'm trying to prevent. I need to be able to automatically disable users based on their Description in AD and not their username.
Premkumar Yogeswaran, Sr. Analyst - System Administrator

Commented:
It is already 11 PM... feeling sleepy.
Sorry, I will check for your solution and let you know soon!

Author

Commented:
thanks for your help

Commented:
This script looks for a user with description "Loser on the 3rd Floor" in the Active Directory domain "fabrikam.com", finds its DN, binds to it and checks if it is disabled; if not, it disables it.

Am I on the right track?

Will let you know about doing this for a mass number of users in the morning.
Will also add some error handling.

12:50 AM here..I should sleep too.

Prem should be fast asleep by now.

Cheers.

Shahid

Const ADS_SCOPE_SUBTREE = 2

' Set to True to actually disable matching accounts; False only reports them.
blnDisableAccount = True

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' description is a case-insensitive attribute, so "3rd Floor" and "3rd floor" both match.
objCommand.CommandText = _
    "SELECT distinguishedName FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='user' " & _
        "AND description = 'Loser on the 3rd floor'"
Set objRecordSet = objCommand.Execute

' Execute leaves the cursor on the first record; calling MoveFirst on an
' empty result set would raise an error, so test EOF instead.
If objRecordSet.EOF Then
    WScript.Echo "No user matched the description"
End If

' Every matching user is processed inside the loop (not only the last one found).
Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName").Value
    Set objUser = GetObject("LDAP://" & strDN)
    WScript.Echo objUser.Name

    If objUser.AccountDisabled = True Then
        WScript.Echo "Account for " & objUser.Get("cn") & " currently disabled"
    Else
        WScript.Echo "Account for " & objUser.Get("cn") & " currently enabled"
        If blnDisableAccount = True Then
            objUser.AccountDisabled = True
            objUser.SetInfo
            WScript.Echo "Account disabled"
        End If
    End If

    objRecordSet.MoveNext
Loop


Author

Commented:
I tried the above script and changed the LDAP information where needed and the description, but it doesn't do anything: no errors, no messages, no disabling accounts, nothing.
Henrik Johansson, Systems engineer

Commented:
Using the standard tools dsquery and dsmod as below should solve your issue. The command will process the whole current domain, but by adding the DN of an OU as a parameter to dsquery it can process only a subpart of the domain.
for /F "tokens=*" %a in ('dsquery user -desc "some description"') do dsmod user %a -disabled yes


Author

Commented:
@henjoh, how would I then get it to look at my text file, because what I have listed is the description?
Henrik Johansson, Systems engineer
Commented:
I missed the comment about having the descriptions in a text file.
Changed the code snippet as below to handle the text file for description input (one or multiple lines, with one description on each line). A minor change from the previous post is to use %% as the variable prefix instead of the single % to make it possible to copy it into a bat/cmd file instead of needing to run it directly in the command prompt.
I see that I also forgot the "-limit 0" parameter to get rid of the default limit of 100 records in the result of dsquery.
@echo off
for /F "tokens=*" %%a in (descfile.txt) do (
  for /F "tokens=*" %%b in ('dsquery user -limit 0 -desc "%%a"') do dsmod user %%b -disabled yes
)


Author

Commented:
OK, I see where the second variable is the user, but I don't have that information. I only have the description of the users, which in this case is phone numbers. I just need this script to be able to read the phone numbers ("description") for the users, one per line of course, then search AD for that description and disable any user that matches it.


I think your script assumes I know the usernames in question.

If I'm mistaken, please let me know.

I tried this on only one name and it didn't work.

Author

Commented:
OK, I re-ran it and it seemed to work.

Let me try with 5 or so and see what happens.

Author

Commented:
Just to complicate things a bit more, can I have it log what it did when it finishes?

Author

Commented:
Awesome, that's exactly what I needed, but again, logging would be great just to have a paper trail.
Henrik Johansson, Systems engineer

Commented:
%%a and %%b are variables used by the for loops to process each line in the text file and each result of the dsquery command.
Changed the second for loop to have each processed user logged.

@echo off
rem Outer loop: one description per line of descfile.txt.
for /F "tokens=*" %%a in (descfile.txt) do (
  rem Inner loop: each DN returned by dsquery (already quoted) is logged and then disabled.
  for /F "tokens=*" %%b in ('dsquery user -limit 0 -desc "%%a"') do (
    echo %date% %time% %%b >> c:\logfile.txt
    dsmod user %%b -disabled yes
  )
)

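The same procedure (read descriptions from a file, find every user whose description attribute matches, disable each one, and keep an audit log) as a PowerShell script. This is an added example, not code posted in the thread above. It assumes the ActiveDirectory module (RSAT) is installed, that the account running it may modify the target users, and that the file paths are placeholders; the log records the outcome of each change rather than only the attempt, and a -WhatIf run shows which accounts would be touched without changing anything.

```powershell
<#
 Added example, not code from the thread: disable every AD user whose
 "description" attribute equals a line in a text file, and write a CSV
 audit log of what was done. Assumptions (mine, not the original poster's):
 the ActiveDirectory module is installed, the caller can modify the target
 accounts, and the paths below are placeholders.
 Run with -WhatIf first to preview which accounts would be disabled.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DescFile   = 'C:\scripts\descfile.txt',     # one description per line
    [string]$LogFile    = 'C:\scripts\disable-log.csv',  # audit trail
    [string]$SearchBase = ''                             # e.g. 'OU=Staff,DC=fabrikam,DC=com'
)

Import-Module ActiveDirectory -ErrorAction Stop

function Write-AuditRow {
    param([string]$Description, [string]$DN, [string]$Action)
    [pscustomobject]@{
        Time              = (Get-Date).ToString('s')
        Description       = $Description
        DistinguishedName = $DN
        Action            = $Action
    } | Export-Csv -Path $LogFile -Append -NoTypeInformation
}

# Trim, drop blank lines and de-duplicate, so a repeated phone number is
# not searched (and logged) twice.
$descriptions = Get-Content -Path $DescFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' } |
    Select-Object -Unique

foreach ($desc in $descriptions) {
    # Script-block filter with a variable: the module builds the LDAP query
    # itself, so a description containing quotes cannot break the filter
    # string the way it could with a hand-built -Filter or -LDAPFilter.
    $query = @{ Filter = { Description -eq $desc }; Properties = 'Description' }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }
    $users = @(Get-ADUser @query)

    if ($users.Count -eq 0) {
        Write-Warning "No user has description '$desc'"
        Write-AuditRow -Description $desc -DN '' -Action 'NoMatch'
        continue
    }
    if ($users.Count -gt 1) {
        # description is not unique in AD; every match is disabled, so make
        # a shared value visible in the console and in the log.
        Write-Warning "Description '$desc' matches $($users.Count) accounts"
    }

    foreach ($u in $users) {
        if (-not $u.Enabled) {
            Write-AuditRow -Description $desc -DN $u.DistinguishedName -Action 'AlreadyDisabled'
            continue
        }
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Disable account')) {
            try {
                Disable-ADAccount -Identity $u -ErrorAction Stop
                Write-AuditRow -Description $desc -DN $u.DistinguishedName -Action 'Disabled'
            } catch {
                Write-Warning "Failed to disable $($u.DistinguishedName): $_"
                Write-AuditRow -Description $desc -DN $u.DistinguishedName -Action "Error: $_"
            }
        } else {
            Write-AuditRow -Description $desc -DN $u.DistinguishedName -Action 'WhatIf'
        }
    }
}
```

Two differences from the batch version matter in practice. The comparison is an exact `-eq`, whereas `dsquery user -desc` accepts wildcards, so a description line containing `*` would widen the batch match. And because the log row is written after `Disable-ADAccount` returns (or fails), the CSV distinguishes accounts that were actually disabled from ones that were already disabled, matched nothing, or errored, which the batch file's log-before-dsmod ordering cannot.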

Author

Commented:
Thank you again for the accurate and quick help. I'm banking this one in my script folder.
