Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Please provide a set of ADFIND/ADMOD commands to disable all the USER accounts in a specific OU and remove their group memberships leaving only Domain Users behind?

Posted on 2011-09-15
6
Medium Priority
?
1,548 Views
Last Modified: 2012-05-12
Greetings folks -

I have an OU that I use for separated employees.  I'd like to use the ADFIND and ADMOD tools to find all the USER accounts in this OU and ensure they are all disabled.  I'd also like to remove the group memberships of these same USER accounts leaving only Domain Users behind.

I'm seeking a set of commands to accomplish this task.  I'd appreciate the help in the crafting them.

Only USER objects should be touched, no computer objects.  The OU doesn't have any computer objects by default but your commands should ensure only USER objects are selected for safety reasons.

Thanks in advance for the help.
0
Comment
Question by:amendala
  • 3
  • 3
6 Comments
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 2000 total points
ID: 36548600
Take a look at Joes blog about how to do this

http://blog.joeware.net/2008/09/05/1453/

adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod useraccountcontrol::{{.:SET:2}}

or using the shortcut

adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod -sc ad-disable

so for all users in an OU

adfind -b "OU=Disabled_Users,DC=Domain,DC=LOCAL" -f "(&(objectcategory=person)(objetclass=user))" | admod -sc ad-disable

0
 

Author Comment

by:amendala
ID: 36550389
Thanks for your reply Ken.  The last command in your post seems to take care of the disabling piece - that's one half ot the question.  Any advice on groups?  I know that's a tougher problem.

Essentially, all my domain security groups are in one OU.  I need to go through all of those and remove members from them if the member is contained in another OU.

So let's say I had an OU named "Separated Employees" and another OU named "Security Groups".  If a user account is in the OU "Separated Employees", I'd like to remove it from any groups in "Security Groups".

Thanks for your help.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 36550783
the groups are going to be a little more difficult. I am not sure if this can be done with ADMod one thig your could try is to pipe adfind to adfind to admod

I can do it easy in powershell using either the Quest adcmdllets or MS cmdlets.

For a single user

$User = get-qaduser SAMACCOUNTNAME
foreach ($grp in $($user.memberof)){
    Remove-QADGroupMember -Identity $grp -Member $User}

Or for all users in an OU

get-qaduser -searchroot "OU=Disabled_Users,DC=Domain,DC=LOCAL" | Foreach {
foreach ($grp in $($_.memberof)){
    Remove-QADGroupMember -Identity $grp -Member $User}
}

0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:amendala
ID: 36552097
For the group piece, powershell is just fine.  I suppose I should've said that originally.  :)  If you care to write that up, please stick with the built-in MS cmdlets.

Thanks for your help!
0
 
LVL 27

Accepted Solution

by:
KenMcF earned 2000 total points
ID: 36552742
Here is a powershell example using the MS cmdlets.


$Users = get-aduser -searchbase "OU=test_Users,DC=domain,DC=Local" -filter * -properties memberof
Foreach ($user in $Users){
Disable-ADAccount $user
foreach ($grp in $($user.memberof)){
    $grp
    Remove-ADGroupMember -Identity $grp -Member $User.samaccountname -confirm:$False}
}

Open in new window

0
 

Author Comment

by:amendala
ID: 36563464
That'll work.  Though I did have to modify some of the adfind and admod commands provided originally.  I've posted updated/corrected versions here.

To use the shortcut for ad-disable you need to utilize the -adcsv switch and output the useraccountcontrol attribute per the documentation.

Thanks for your help!

---
UPDATED ADFIND/ADMOD
---
To find and disable all user account objects in a specific OU, you can use the folllowing ADFIND/ADMOD combination command:

adfind -h localhost -adcsv -b "OU=MyOUName,DC=MyDomain,DC=lcl" -f "&(objectcategory=person)(objectclass=user)" useraccountcontrol | admod -h localhost -sc ad-disable -unsafe

Be cautious of the -unsafe switch I've added to the command.  I tested the command thoroughly with strict safety values before committing to the use of the -unsafe switch.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question