?
Solved

Disable or enable a group of accounts

Posted on 2011-09-26
13
Medium Priority
?
221 Views
Last Modified: 2012-05-12
I will appreciate it if someone can show me how to disable/enable a group of user accounts without having to do it individually.  I have a large number of user accounts that may require disabling and potentially enabling within a short time.  Given the short time frame, disabling/enabling the accounts individually is just not doable, hence my request.

Thanks for all your help, experts.
0
Comment
Question by:Silver_Power
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 2
13 Comments
 
LVL 26

Expert Comment

by:gtworek
ID: 36598731
There are two ways depending on what do you actually need:
1. change the group type from security to distribution one. If any ACLs use this group it will work as "disabled". Of course users will work normal way after doing this.
2. list your group members and disable them with simple loop in powershell script.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36598748
Are those users in a some special group ? If so, you can use DS Tools for that on a DC or workstation with Administrative Tools installed

to disable users from it-group group use

dsquery group -name "it-group" | dsget group -members -expand | dsget user -disabled yes

to enable them use

dsquery group -name "it-group" | dsget group -members -expand | dsget user -disabled no

if they are in different group, put them in a flat text file(one user's login per line) save on a C-drive and run this syntax

disabling
for /r %i in (c:\users.txt) do dsquery user -samid %i | dsget user -disabled yes

enabling
for /r %i in (c:\users.txt) do dsquery user -samid %i | dsget user -disabled no


Regards,
Krzysztof
0
 

Author Comment

by:Silver_Power
ID: 36598913
Gtworek,  can you please expand on option one more.  Also how do I change the group type?

Krzysztof, I will try your suggestion tomorrow and get back to you.  Can I also use a CSV file with dsquery?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 26

Expert Comment

by:gtworek
ID: 36598934
Changing the group type will not disable your accounts. If you add some users to group and then assign rights using ACLs you can doubleclick your group in AD and change the group type from "Security" to "Distribution". Your users will lost access rights after re-logon. In many scenarios this is what admins really need and it is why I suggested it.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36599035
Nope, but DSQUERY works with flat text file
For CSV you need to use other tools like CSVDE or 3rd party tool ADFIND

Krzysztof
0
 

Author Comment

by:Silver_Power
ID: 36599060
Krzysztof, is that "%1" or "%i" ?  thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36599153
In this example it is %i to work with batch processing
if you want to get a parameter from command line into batch then you have to use %1

Krzysztof

0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36708294
Hi,

does it work for you or did you experience some issues ?

Krzysztof
0
 

Author Comment

by:Silver_Power
ID: 36709131
Hi Krzysztof,

No it does not work.  This is the message I get:

"dsquery group -name testgrp   | dsget group -members -expand   | dsget user -disabled yes
dsget failed:Value for 'Target object for this command' has incorrect format.
type dsget /? for help.

Any idea.

0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 2000 total points
ID: 36709459
"dsquery group -name testgrp   | dsget group -members -expand   | dsget user -disabled yes
in this syntax are extra spaces and in the last command part I made a mistake :/ (sorry for that), you should use

instead of dsget user should be dsmod user :)

Correct syntax
 
dsquery group -name testgrp | dsget group -members -expand | dsmod user -disabled yes

Open in new window


Krzysztof
0
 

Author Comment

by:Silver_Power
ID: 36712476
Hi Krzysztof,

It works.  Thanks so much.  And you too Gtworek, didn't get the chance to pursue your solution, but it did look promising.

0
 

Author Closing Comment

by:Silver_Power
ID: 36712483
That was a simple and consice solution, exactly what I was looking for.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36714746
You're welcome :)

Krzysztof
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question