Solved

Please provide a set of ADFIND/ADMOD commands to disable all the USER accounts in a specific OU and remove their group memberships leaving only Domain Users behind?

Posted on 2011-09-15
1,375 Views
Last Modified: 2012-05-12
Greetings folks -

I have an OU that I use for separated employees.  I'd like to use the ADFIND and ADMOD tools to find all the USER accounts in this OU and ensure they are all disabled.  I'd also like to remove the group memberships of these same USER accounts leaving only Domain Users behind.

I'm seeking a set of commands to accomplish this task.  I'd appreciate the help in the crafting them.

Only USER objects should be touched, no computer objects.  The OU doesn't have any computer objects by default but your commands should ensure only USER objects are selected for safety reasons.

Thanks in advance for the help.
Question by: amendala

6 Comments
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 500 total points
ID: 36548600
Take a look at Joe's blog about how to do this

http://blog.joeware.net/2008/09/05/1453/

adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod useraccountcontrol::{{.:SET:2}}

or using the shortcut

adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod -sc ad-disable

so for all users in an OU

adfind -b "OU=Disabled_Users,DC=Domain,DC=LOCAL" -f "(&(objectcategory=person)(objectclass=user))" | admod -sc ad-disable

Author Comment

by:amendala
ID: 36550389
Thanks for your reply Ken.  The last command in your post seems to take care of the disabling piece - that's one half of the question.  Any advice on groups?  I know that's a tougher problem.

Essentially, all my domain security groups are in one OU.  I need to go through all of those and remove members from them if the member is contained in another OU.

So let's say I had an OU named "Separated Employees" and another OU named "Security Groups".  If a user account is in the OU "Separated Employees", I'd like to remove it from any groups in "Security Groups".

Thanks for your help.
LVL 27

Expert Comment

by:KenMcF
ID: 36550783
The groups are going to be a little more difficult. I am not sure if this can be done with ADMod; one thing you could try is to pipe adfind to adfind to admod.

I can do it easily in PowerShell using either the Quest AD cmdlets or the MS cmdlets.

For a single user

$User = get-qaduser SAMACCOUNTNAME
foreach ($grp in $($user.memberof)){
    Remove-QADGroupMember -Identity $grp -Member $User}

Or for all users in an OU

get-qaduser -searchroot "OU=Disabled_Users,DC=Domain,DC=LOCAL" | Foreach {
    # $_ is the current user object from the pipeline; each entry in memberof is a group DN
    foreach ($grp in $($_.memberof)){
        Remove-QADGroupMember -Identity $grp -Member $_}
}


Author Comment

by:amendala
ID: 36552097
For the group piece, powershell is just fine.  I suppose I should've said that originally.  :)  If you care to write that up, please stick with the built-in MS cmdlets.

Thanks for your help!
LVL 27

Accepted Solution

by:KenMcF
KenMcF earned 500 total points
ID: 36552742
Here is a PowerShell example using the MS cmdlets.


# memberof holds the DNs of the user's groups; the primary group (Domain Users) is not listed there, so it is left behind
$Users = get-aduser -searchbase "OU=test_Users,DC=domain,DC=Local" -filter * -properties memberof
Foreach ($user in $Users){
    Disable-ADAccount $user
    foreach ($grp in $($user.memberof)){
        $grp   # echo the group DN being processed
        Remove-ADGroupMember -Identity $grp -Member $User.samaccountname -confirm:$False}
}

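The accepted solution above does the job, but a practitioner running it against a production OU usually wants three things it lacks: an explicit object filter so only USER objects (never computers) are touched, a record of the memberships being removed so they can be restored if the wrong OU is targeted, and a dry-run switch. The following is an added example written for this thread, not KenMcF's code or part of the ActiveDirectory module's documentation; the OU distinguished name, the log path and the `$DryRun` variable are placeholders and assumptions.

```powershell
# Added example (not the thread's own code): disable every USER object in a
# separated-employees OU and strip all group memberships except the primary
# group (Domain Users), after logging the memberships so they can be restored.
Import-Module ActiveDirectory

$SearchBase = "OU=Separated Employees,DC=MyDomain,DC=lcl"   # placeholder OU
$LogPath    = "C:\Temp\separated-memberships.csv"           # placeholder log path
$DryRun     = $true   # set to $false only after reviewing the log from a dry run

# objectCategory=person AND objectClass=user is the same filter used by adfind
# in this thread: computer objects are objectClass user but objectCategory
# computer, so they are excluded regardless of what the OU happens to contain.
$Users = Get-ADUser -SearchBase $SearchBase -SearchScope OneLevel `
    -LDAPFilter "(&(objectCategory=person)(objectClass=user))" `
    -Properties memberOf, primaryGroupID

# Record every membership that is about to be removed (user, group DN, timestamp).
$Log = foreach ($User in $Users) {
    foreach ($GroupDN in $User.memberOf) {
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            GroupDN        = $GroupDN
            Recorded       = (Get-Date).ToString('s')
        }
    }
}
$Log | Export-Csv -Path $LogPath -NoTypeInformation

foreach ($User in $Users) {
    # memberOf never lists the primary group, so Domain Users survives only if
    # it is still the primary group (RID 513). Flag accounts where it is not.
    if ($User.primaryGroupID -ne 513) {
        Write-Warning "$($User.SamAccountName): primaryGroupID is $($User.primaryGroupID), not Domain Users"
    }

    Disable-ADAccount -Identity $User -WhatIf:$DryRun

    foreach ($GroupDN in $User.memberOf) {
        Remove-ADGroupMember -Identity $GroupDN -Members $User -Confirm:$false -WhatIf:$DryRun
    }
}
```

With `$DryRun = $true` the cmdlets only print the "What if:" lines while the CSV is still written, which gives a reviewable list of exactly which accounts and groups would be affected before anything changes; the `-WhatIf:$DryRun` form passes the switch explicitly so the same script serves both modes.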

Author Comment

by:amendala
ID: 36563464
That'll work.  Though I did have to modify some of the adfind and admod commands provided originally.  I've posted updated/corrected versions here.

To use the shortcut for ad-disable you need to utilize the -adcsv switch and output the useraccountcontrol attribute per the documentation.

Thanks for your help!

---
UPDATED ADFIND/ADMOD
---
To find and disable all user account objects in a specific OU, you can use the following ADFIND/ADMOD combination command:

adfind -h localhost -adcsv -b "OU=MyOUName,DC=MyDomain,DC=lcl" -f "&(objectcategory=person)(objectclass=user)" useraccountcontrol | admod -h localhost -sc ad-disable -unsafe

Be cautious of the -unsafe switch I've added to the command.  I tested the command thoroughly with strict safety values before committing to the use of the -unsafe switch.
