Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1636
  • Last Modified:

Please provide a set of ADFIND/ADMOD commands to disable all the USER accounts in a specific OU and remove their group memberships leaving only Domain Users behind?

Greetings folks -

I have an OU that I use for separated employees.  I'd like to use the ADFIND and ADMOD tools to find all the USER accounts in this OU and ensure they are all disabled.  I'd also like to remove the group memberships of these same USER accounts leaving only Domain Users behind.

I'm seeking a set of commands to accomplish this task.  I'd appreciate the help in the crafting them.

Only USER objects should be touched, no computer objects.  The OU doesn't have any computer objects by default but your commands should ensure only USER objects are selected for safety reasons.

Thanks in advance for the help.
0
amendala
Asked:
amendala
  • 3
  • 3
2 Solutions
 
KenMcFCommented:
Take a look at Joes blog about how to do this

http://blog.joeware.net/2008/09/05/1453/

adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod useraccountcontrol::{{.:SET:2}}

or using the shortcut

adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod -sc ad-disable

so for all users in an OU

adfind -b "OU=Disabled_Users,DC=Domain,DC=LOCAL" -f "(&(objectcategory=person)(objetclass=user))" | admod -sc ad-disable

0
 
amendalaAuthor Commented:
Thanks for your reply Ken.  The last command in your post seems to take care of the disabling piece - that's one half ot the question.  Any advice on groups?  I know that's a tougher problem.

Essentially, all my domain security groups are in one OU.  I need to go through all of those and remove members from them if the member is contained in another OU.

So let's say I had an OU named "Separated Employees" and another OU named "Security Groups".  If a user account is in the OU "Separated Employees", I'd like to remove it from any groups in "Security Groups".

Thanks for your help.
0
 
KenMcFCommented:
the groups are going to be a little more difficult. I am not sure if this can be done with ADMod one thig your could try is to pipe adfind to adfind to admod

I can do it easy in powershell using either the Quest adcmdllets or MS cmdlets.

For a single user

$User = get-qaduser SAMACCOUNTNAME
foreach ($grp in $($user.memberof)){
    Remove-QADGroupMember -Identity $grp -Member $User}

Or for all users in an OU

get-qaduser -searchroot "OU=Disabled_Users,DC=Domain,DC=LOCAL" | Foreach {
foreach ($grp in $($_.memberof)){
    Remove-QADGroupMember -Identity $grp -Member $User}
}

0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
amendalaAuthor Commented:
For the group piece, powershell is just fine.  I suppose I should've said that originally.  :)  If you care to write that up, please stick with the built-in MS cmdlets.

Thanks for your help!
0
 
KenMcFCommented:
Here is a powershell example using the MS cmdlets.


$Users = get-aduser -searchbase "OU=test_Users,DC=domain,DC=Local" -filter * -properties memberof
Foreach ($user in $Users){
Disable-ADAccount $user
foreach ($grp in $($user.memberof)){
    $grp
    Remove-ADGroupMember -Identity $grp -Member $User.samaccountname -confirm:$False}
}

Open in new window

0
 
amendalaAuthor Commented:
That'll work.  Though I did have to modify some of the adfind and admod commands provided originally.  I've posted updated/corrected versions here.

To use the shortcut for ad-disable you need to utilize the -adcsv switch and output the useraccountcontrol attribute per the documentation.

Thanks for your help!

---
UPDATED ADFIND/ADMOD
---
To find and disable all user account objects in a specific OU, you can use the folllowing ADFIND/ADMOD combination command:

adfind -h localhost -adcsv -b "OU=MyOUName,DC=MyDomain,DC=lcl" -f "&(objectcategory=person)(objectclass=user)" useraccountcontrol | admod -h localhost -sc ad-disable -unsafe

Be cautious of the -unsafe switch I've added to the command.  I tested the command thoroughly with strict safety values before committing to the use of the -unsafe switch.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now