Solved

Disable or enable a group of accounts

Posted on 2011-09-26
13
213 Views
Last Modified: 2012-05-12
I will appreciate it if someone can show me how to disable/enable a group of user accounts without having to do it individually.  I have a large number of user accounts that may require disabling and potentially enabling within a short time.  Given the short time frame, disabling/enabling the accounts individually is just not doable, hence my request.

Thanks for all your help, experts.
0
Comment
Question by:Silver_Power
  • 6
  • 5
  • 2
13 Comments
 
LVL 26

Expert Comment

by:gtworek
ID: 36598731
There are two ways depending on what do you actually need:
1. change the group type from security to distribution one. If any ACLs use this group it will work as "disabled". Of course users will work normal way after doing this.
2. list your group members and disable them with simple loop in powershell script.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36598748
Are those users in a some special group ? If so, you can use DS Tools for that on a DC or workstation with Administrative Tools installed

to disable users from it-group group use

dsquery group -name "it-group" | dsget group -members -expand | dsget user -disabled yes

to enable them use

dsquery group -name "it-group" | dsget group -members -expand | dsget user -disabled no

if they are in different group, put them in a flat text file(one user's login per line) save on a C-drive and run this syntax

disabling
for /r %i in (c:\users.txt) do dsquery user -samid %i | dsget user -disabled yes

enabling
for /r %i in (c:\users.txt) do dsquery user -samid %i | dsget user -disabled no


Regards,
Krzysztof
0
 

Author Comment

by:Silver_Power
ID: 36598913
Gtworek,  can you please expand on option one more.  Also how do I change the group type?

Krzysztof, I will try your suggestion tomorrow and get back to you.  Can I also use a CSV file with dsquery?
0
 
LVL 26

Expert Comment

by:gtworek
ID: 36598934
Changing the group type will not disable your accounts. If you add some users to group and then assign rights using ACLs you can doubleclick your group in AD and change the group type from "Security" to "Distribution". Your users will lost access rights after re-logon. In many scenarios this is what admins really need and it is why I suggested it.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36599035
Nope, but DSQUERY works with flat text file
For CSV you need to use other tools like CSVDE or 3rd party tool ADFIND

Krzysztof
0
 

Author Comment

by:Silver_Power
ID: 36599060
Krzysztof, is that "%1" or "%i" ?  thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36599153
In this example it is %i to work with batch processing
if you want to get a parameter from command line into batch then you have to use %1

Krzysztof

0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36708294
Hi,

does it work for you or did you experience some issues ?

Krzysztof
0
 

Author Comment

by:Silver_Power
ID: 36709131
Hi Krzysztof,

No it does not work.  This is the message I get:

"dsquery group -name testgrp   | dsget group -members -expand   | dsget user -disabled yes
dsget failed:Value for 'Target object for this command' has incorrect format.
type dsget /? for help.

Any idea.

0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 500 total points
ID: 36709459
"dsquery group -name testgrp   | dsget group -members -expand   | dsget user -disabled yes
in this syntax are extra spaces and in the last command part I made a mistake :/ (sorry for that), you should use

instead of dsget user should be dsmod user :)

Correct syntax
 
dsquery group -name testgrp | dsget group -members -expand | dsmod user -disabled yes

Open in new window


Krzysztof
0
 

Author Comment

by:Silver_Power
ID: 36712476
Hi Krzysztof,

It works.  Thanks so much.  And you too Gtworek, didn't get the chance to pursue your solution, but it did look promising.

0
 

Author Closing Comment

by:Silver_Power
ID: 36712483
That was a simple and consice solution, exactly what I was looking for.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36714746
You're welcome :)

Krzysztof
0

Join & Write a Comment

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now