Solved

Please provide a set of ADFIND/ADMOD commands to disable all the USER accounts in a specific OU and remove their group memberships leaving only Domain Users behind?

Posted on 2011-09-15
Last Modified: 2012-05-12
Greetings folks -

I have an OU that I use for separated employees.  I'd like to use the ADFIND and ADMOD tools to find all the USER accounts in this OU and ensure they are all disabled.  I'd also like to remove the group memberships of these same USER accounts leaving only Domain Users behind.

I'm seeking a set of commands to accomplish this task.  I'd appreciate the help in the crafting them.

Only USER objects should be touched, no computer objects.  The OU doesn't have any computer objects by default but your commands should ensure only USER objects are selected for safety reasons.

Thanks in advance for the help.
Question by:amendala
6 Comments
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 2000 total points
ID: 36548600
Take a look at Joe's blog about how to do this

http://blog.joeware.net/2008/09/05/1453/

adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod useraccountcontrol::{{.:SET:2}}

or using the shortcut

adfind -default -f samaccountname=joewareupdatesvc useraccountcontrol -adcsv | admod -sc ad-disable

so for all users in an OU

adfind -b "OU=Disabled_Users,DC=Domain,DC=LOCAL" -f "(&(objectcategory=person)(objectclass=user))" | admod -sc ad-disable


Author Comment

by:amendala
ID: 36550389
Thanks for your reply Ken.  The last command in your post seems to take care of the disabling piece - that's one half of the question.  Any advice on groups?  I know that's a tougher problem.

Essentially, all my domain security groups are in one OU.  I need to go through all of those and remove members from them if the member is contained in another OU.

So let's say I had an OU named "Separated Employees" and another OU named "Security Groups".  If a user account is in the OU "Separated Employees", I'd like to remove it from any groups in "Security Groups".

Thanks for your help.
LVL 27

Expert Comment

by:KenMcF
ID: 36550783
The groups are going to be a little more difficult. I am not sure if this can be done with ADMod; one thing you could try is to pipe adfind to adfind to admod.

I can do it easy in powershell using either the Quest adcmdllets or MS cmdlets.

For a single user

# Look up the user once, then leave every group listed in memberOf
$User = get-qaduser SAMACCOUNTNAME
foreach ($grp in $($User.memberof)){
    Remove-QADGroupMember -Identity $grp -Member $User}

Or for all users in an OU

get-qaduser -searchroot "OU=Disabled_Users,DC=Domain,DC=LOCAL" | Foreach {
    $User = $_   # the user currently coming down the pipeline
    foreach ($grp in $($User.memberof)){
        Remove-QADGroupMember -Identity $grp -Member $User}
}


Author Comment

by:amendala
ID: 36552097
For the group piece, powershell is just fine.  I suppose I should've said that originally.  :)  If you care to write that up, please stick with the built-in MS cmdlets.

Thanks for your help!
LVL 27

Accepted Solution

by:
KenMcF earned 2000 total points
ID: 36552742
Here is a powershell example using the MS cmdlets.


# Get-ADUser only returns user objects, so computers in the OU are never touched
$Users = get-aduser -searchbase "OU=test_Users,DC=domain,DC=Local" -filter * -properties memberof
Foreach ($user in $Users){
    Disable-ADAccount $user
    # memberOf never lists the primary group (normally Domain Users), so it stays
    foreach ($grp in $($user.memberof)){
        $grp   # echo the group DN being processed
        Remove-ADGroupMember -Identity $grp -Members $User.samaccountname -confirm:$False}
}

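As an added example (not KenMcF's code from the thread), here is a fuller version of the accepted approach that also records the memberships it strips to a CSV, keeps Domain Users even when it shows up in memberOf because the primary group was changed, and supports -WhatIf. The OU distinguished name and CSV path are placeholders; it assumes the ActiveDirectory (RSAT) module.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module.
param(
    [string]$SearchBase = 'OU=Separated Employees,DC=MyDomain,DC=lcl',  # placeholder DN
    [string]$BackupCsv  = '.\separated-memberships.csv',                # placeholder path
    [switch]$WhatIf
)
Import-Module ActiveDirectory

# Resolve the Domain Users DN from its well-known RID (513) rather than by name,
# so a renamed group is still recognised.
$domainUsersDn = (Get-ADGroup -Identity "$((Get-ADDomain).DomainSID.Value)-513").DistinguishedName

# Get-ADUser returns only user objects (objectCategory=person, objectClass=user),
# so computer objects that happen to live in the OU are never selected.
$users = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter * `
            -Properties memberOf, primaryGroupID, Enabled

# Record current memberships first so an offboarding mistake can be reversed.
$users | ForEach-Object {
    $u = $_
    $u.memberOf | ForEach-Object { [pscustomobject]@{ User = $u.SamAccountName; Group = $_ } }
} | Export-Csv -Path $BackupCsv -NoTypeInformation

foreach ($u in $users) {
    if ($u.Enabled) {
        Disable-ADAccount -Identity $u -WhatIf:$WhatIf
    }

    # The primary group is not listed in memberOf and cannot be removed while it is
    # primary. If it was changed away from Domain Users (RID 513), flag it for review
    # instead of silently leaving the account in that group.
    if ($u.primaryGroupID -ne 513) {
        Write-Warning "$($u.SamAccountName): primary group RID is $($u.primaryGroupID), not Domain Users"
    }

    foreach ($grpDn in $u.memberOf) {
        # Domain Users appears in memberOf only when it is not the primary group; keep it.
        if ($grpDn -eq $domainUsersDn) { continue }
        Remove-ADGroupMember -Identity $grpDn -Members $u -Confirm:$false -WhatIf:$WhatIf
        Write-Verbose "Removed $($u.SamAccountName) from $grpDn"
    }
}
```

Run it first with -WhatIf -Verbose to see exactly which accounts would be disabled and which memberships would be dropped before making any change.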

Author Comment

by:amendala
ID: 36563464
That'll work.  Though I did have to modify some of the adfind and admod commands provided originally.  I've posted updated/corrected versions here.

To use the shortcut for ad-disable you need to utilize the -adcsv switch and output the useraccountcontrol attribute per the documentation.

Thanks for your help!

---
UPDATED ADFIND/ADMOD
---
To find and disable all user account objects in a specific OU, you can use the following ADFIND/ADMOD combination command:

adfind -h localhost -adcsv -b "OU=MyOUName,DC=MyDomain,DC=lcl" -f "&(objectcategory=person)(objectclass=user)" useraccountcontrol | admod -h localhost -sc ad-disable -unsafe

Be cautious of the -unsafe switch I've added to the command.  I tested the command thoroughly with strict safety values before committing to the use of the -unsafe switch.