Please provide a set of ADFIND/ADMOD commands to disable all the USER accounts in a specific OU and remove their group memberships leaving only Domain Users behind?

Posted on 2011-09-15
Last Modified: 2012-05-12
Greetings folks -

I have an OU that I use for separated employees.  I'd like to use the ADFIND and ADMOD tools to find all the USER accounts in this OU and ensure they are all disabled.  I'd also like to remove the group memberships of these same USER accounts leaving only Domain Users behind.

I'm seeking a set of commands to accomplish this task.  I'd appreciate the help in the crafting them.

Only USER objects should be touched, no computer objects.  The OU doesn't have any computer objects by default but your commands should ensure only USER objects are selected for safety reasons.

Thanks in advance for the help.
Question by:amendala
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 27

Assisted Solution

KenMcF earned 500 total points
ID: 36548600
Take a look at Joes blog about how to do this

adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod useraccountcontrol::{{.:SET:2}}

or using the shortcut

adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod -sc ad-disable

so for all users in an OU

adfind -b "OU=Disabled_Users,DC=Domain,DC=LOCAL" -f "(&(objectcategory=person)(objetclass=user))" | admod -sc ad-disable


Author Comment

ID: 36550389
Thanks for your reply Ken.  The last command in your post seems to take care of the disabling piece - that's one half ot the question.  Any advice on groups?  I know that's a tougher problem.

Essentially, all my domain security groups are in one OU.  I need to go through all of those and remove members from them if the member is contained in another OU.

So let's say I had an OU named "Separated Employees" and another OU named "Security Groups".  If a user account is in the OU "Separated Employees", I'd like to remove it from any groups in "Security Groups".

Thanks for your help.
LVL 27

Expert Comment

ID: 36550783
the groups are going to be a little more difficult. I am not sure if this can be done with ADMod one thig your could try is to pipe adfind to adfind to admod

I can do it easy in powershell using either the Quest adcmdllets or MS cmdlets.

For a single user

$User = get-qaduser SAMACCOUNTNAME
foreach ($grp in $($user.memberof)){
    Remove-QADGroupMember -Identity $grp -Member $User}

Or for all users in an OU

get-qaduser -searchroot "OU=Disabled_Users,DC=Domain,DC=LOCAL" | Foreach {
foreach ($grp in $($_.memberof)){
    Remove-QADGroupMember -Identity $grp -Member $User}

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 36552097
For the group piece, powershell is just fine.  I suppose I should've said that originally.  :)  If you care to write that up, please stick with the built-in MS cmdlets.

Thanks for your help!
LVL 27

Accepted Solution

KenMcF earned 500 total points
ID: 36552742
Here is a powershell example using the MS cmdlets.

$Users = get-aduser -searchbase "OU=test_Users,DC=domain,DC=Local" -filter * -properties memberof
Foreach ($user in $Users){
Disable-ADAccount $user
foreach ($grp in $($user.memberof)){
    Remove-ADGroupMember -Identity $grp -Member $User.samaccountname -confirm:$False}

Open in new window


Author Comment

ID: 36563464
That'll work.  Though I did have to modify some of the adfind and admod commands provided originally.  I've posted updated/corrected versions here.

To use the shortcut for ad-disable you need to utilize the -adcsv switch and output the useraccountcontrol attribute per the documentation.

Thanks for your help!

To find and disable all user account objects in a specific OU, you can use the folllowing ADFIND/ADMOD combination command:

adfind -h localhost -adcsv -b "OU=MyOUName,DC=MyDomain,DC=lcl" -f "&(objectcategory=person)(objectclass=user)" useraccountcontrol | admod -h localhost -sc ad-disable -unsafe

Be cautious of the -unsafe switch I've added to the command.  I tested the command thoroughly with strict safety values before committing to the use of the -unsafe switch.

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question