Mass Disable in AD via Script

atnextc (asker):

I am in need of a script that can disable user accounts in AD based on the users' "description", not the username, so dsmod is out of the question. Any help is greatly appreciated.

Premkumar Yogeswaran:

Hi,
Using Saved Queries you can achieve this task!

http://www.windowsecurity.com/articles/Using-Saved-Queries.html

Select Start | Administrative Tools | Active Directory Users and Computers
On the left pane, you will see the Saved Queries Node
Right Click Select New

Name: Test
Query Root: (Select OU or Domain)
Define Query:
Find: Common Queries
User Tab:
Description: Start With : (TYPE NAME)
Click OK

Now the list of users with the same description is shown.

Now select all and disable.
Refer to the link in the above post.

Saved query is one of the advantages in Server 2003.

All the best

Cheers:
Prem

atnextc (asker):

I should add that I wanted this to be done automatically. I have over 500 to disable, and I have a text file with the "descriptions" listed in it. Is there any way that it can be read from that file and then disable the accounts?

atnextc (asker):

Unfortunately that would require the "usernames" to be in a text file, which is what I'm trying to prevent. I need to be able to automatically disable users based on their Description in AD and not their username.
It is already 11 PM here and I feel sleepy.
Sorry, I will check for your solution and let you know soon!

atnextc (asker):

Thanks for your help.

Shahid:

This script looks for a user with the description "Loser on the 3rd Floor" in the Active Directory domain "fabrikam.com", finds its DN, binds to it and checks whether it is disabled; if not, it disables it.

Am I on the right track?

Will let you know about doing this for a mass number of users in the morning.
Will also add some error handling.

12:50 AM here. I should sleep too.

Prem should be fast asleep by now.

Cheers.

Shahid

Option Explicit
Const ADS_SCOPE_SUBTREE = 2
Dim objConnection, objCommand, objRecordSet, objUser, strDN

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' AD compares description case-insensitively, so "3rd Floor" and
' "3rd floor" both match this filter
objCommand.CommandText = _
    "SELECT distinguishedName FROM 'LDAP://dc=fabrikam,dc=com' " & _
    "WHERE objectCategory='user' AND description='Loser on the 3rd floor'"
Set objRecordSet = objCommand.Execute

If objRecordSet.EOF Then
    WScript.Echo "No user with that description was found"
End If

' Bind to every match and disable it if it is still enabled
Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName").Value
    Set objUser = GetObject("LDAP://" & strDN)
    WScript.Echo objUser.Name

    If objUser.AccountDisabled = True Then
        WScript.Echo "Account for " & objUser.Get("cn") & " currently disabled"
    Else
        WScript.Echo "Account currently enabled"
        objUser.AccountDisabled = True
        objUser.SetInfo
        WScript.Echo "Account disabled"
    End If
    objRecordSet.MoveNext
Loop



atnextc (asker):

I tried the above script and changed the LDAP information where needed and the description, but it doesn't do anything: no errors, no messages, no disabled accounts, nothing.

henjoh:

Using the standard tools dsquery and dsmod as below should solve your issue. The command will process the whole current domain, but by adding the DN of an OU as a parameter to dsquery it can process only a subpart of the domain.

for /F "tokens=*" %a in ('dsquery user -desc "some description"') do dsmod user %a -disabled yes



atnextc (asker):

@henjoh how would I then get it to look at my text file, because what I have listed is the description?

ASKER CERTIFIED SOLUTION
Henrik Johansson:

(solution text only available to Experts Exchange members)

atnextc (asker):

OK, I see where the second variable is the user, but I don't have that information. I only have the description of the users, which in this case is phone numbers. I just need this script to be able to read the phone numbers ("description") for the users, one per line of course, then search AD for that Description and disable any user that matches that description.

I think your script assumes I know the usernames in question.

If I'm mistaken, please let me know.

I tried this on only one name and it didn't work.

atnextc (asker):

OK, I re-ran it and it seemed to work.

let me try with 5 or so and see what happens.

atnextc (asker):

Just to complicate things a bit more, can I have it log what it did when it finishes?

atnextc (asker):

Awesome, that's exactly what I needed, but again logging would be great just to have a paper trail.

henjoh:

%%a and %%b are the variables used by the for loops to process each line in the text file and each result of the dsquery command.
I changed the second for loop so that each processed user is logged.

@echo off 
for /F "tokens=*" %%a in (descfile.txt) do ( 
  for /F "tokens=*" %%b in ('dsquery user -limit 0 -desc "%%a"') do (
    echo %date% %time% %%b >> c:\logfile.txt
    dsmod user %%b -disabled yes
  )
)

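As an added example, not code from any of the posters above, here is the same procedure in PowerShell with the ActiveDirectory module: read descriptions from a text file, find the users whose description matches each line exactly, disable them, and write a CSV audit log of the outcome. Two points the dsquery/dsmod batch above leaves open are handled here. First, dsquery -desc treats its value as a pattern, so a line containing a stray "*" in descfile.txt would match every user that has a description; the example escapes each line per RFC 4515 before it goes into the LDAP filter, so a line can neither widen nor rewrite the query. Second, the batch writes the log line before dsmod runs, so it records attempts; the example records what actually happened (Disabled, AlreadyDisabled, NoMatch, or WhatIf on a dry run). The file name, OU, log path and domain are assumptions for illustration; run it with -WhatIf first.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module
# and rights to disable the matched accounts. Paths, OU and domain below
# are illustrative assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DescriptionFile = 'C:\temp\descfile.txt',
    [string]$SearchBase      = 'OU=Staff,DC=fabrikam,DC=com',
    [string]$LogPath         = 'C:\temp\disable-by-description.csv'
)

Import-Module ActiveDirectory -ErrorAction Stop

# RFC 4515 escaping: a value read from a file must never reach the LDAP
# filter raw. Unescaped, '*' turns an exact match into a wildcard match
# and '(' or ')' let a line change the structure of the filter itself.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'       { [void]$sb.Append('\5c') }
            '*'       { [void]$sb.Append('\2a') }
            '('       { [void]$sb.Append('\28') }
            ')'       { [void]$sb.Append('\29') }
            ([char]0) { [void]$sb.Append('\00') }
            default   { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# One description per line; blank lines and duplicates are dropped
$descriptions = Get-Content -Path $DescriptionFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' } |
    Sort-Object -Unique

$results = foreach ($desc in $descriptions) {
    $escaped = ConvertTo-LdapFilterValue -Value $desc
    # objectClass=user excludes contacts, which also carry objectCategory=person
    $filter  = "(&(objectCategory=person)(objectClass=user)(description=$escaped))"
    $users   = @(Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties description)

    if ($users.Count -eq 0) {
        [pscustomobject]@{ Time = Get-Date; Description = $desc; DistinguishedName = ''; Action = 'NoMatch' }
        continue
    }

    # A description (here a phone number) may match more than one account;
    # every match is acted on and logged individually
    foreach ($u in $users) {
        if (-not $u.Enabled) {
            $action = 'AlreadyDisabled'
        }
        elseif ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Disable-ADAccount')) {
            Disable-ADAccount -Identity $u
            $action = 'Disabled'
        }
        else {
            $action = 'WhatIf'   # -WhatIf was given: nothing changed
        }
        [pscustomobject]@{ Time = Get-Date; Description = $desc; DistinguishedName = $u.DistinguishedName; Action = $action }
    }
}

# Audit trail: one row per description/account pair with the outcome
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$results | Group-Object Action | Select-Object Name, Count
```

Save it as, for example, Disable-ByDescription.ps1 and run `.\Disable-ByDescription.ps1 -WhatIf` to see which accounts would be touched and which lines match nothing; rerun without -WhatIf to disable them. The CSV gives the paper trail the asker wanted, with a row for lines that matched no account so a typo in the file is visible rather than silently skipped.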


atnextc (asker):

Thank you again for the accurate and quick help; I'm banking this one in my script folder.