Disable or enable a group of accounts

I will appreciate it if someone can show me how to disable/enable a group of user accounts without having to do it individually.  I have a large number of user accounts that may require disabling and potentially enabling within a short time.  Given the short time frame, disabling/enabling the accounts individually is just not doable, hence my request.

Thanks for all your help, experts.
Silver_PowerAsked:
Who is Participating?
 
Krzysztof PytkoConnect With a Mentor Active Directory EngineerCommented:
"dsquery group -name testgrp   | dsget group -members -expand   | dsget user -disabled yes
in this syntax are extra spaces and in the last command part I made a mistake :/ (sorry for that), you should use

instead of dsget user should be dsmod user :)

Correct syntax
 
dsquery group -name testgrp | dsget group -members -expand | dsmod user -disabled yes

Open in new window


Krzysztof
0
 
gtworekCommented:
There are two ways depending on what do you actually need:
1. change the group type from security to distribution one. If any ACLs use this group it will work as "disabled". Of course users will work normal way after doing this.
2. list your group members and disable them with simple loop in powershell script.
0
 
Krzysztof PytkoActive Directory EngineerCommented:
Are those users in a some special group ? If so, you can use DS Tools for that on a DC or workstation with Administrative Tools installed

to disable users from it-group group use

dsquery group -name "it-group" | dsget group -members -expand | dsget user -disabled yes

to enable them use

dsquery group -name "it-group" | dsget group -members -expand | dsget user -disabled no

if they are in different group, put them in a flat text file(one user's login per line) save on a C-drive and run this syntax

disabling
for /r %i in (c:\users.txt) do dsquery user -samid %i | dsget user -disabled yes

enabling
for /r %i in (c:\users.txt) do dsquery user -samid %i | dsget user -disabled no


Regards,
Krzysztof
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
Silver_PowerAuthor Commented:
Gtworek,  can you please expand on option one more.  Also how do I change the group type?

Krzysztof, I will try your suggestion tomorrow and get back to you.  Can I also use a CSV file with dsquery?
0
 
gtworekCommented:
Changing the group type will not disable your accounts. If you add some users to group and then assign rights using ACLs you can doubleclick your group in AD and change the group type from "Security" to "Distribution". Your users will lost access rights after re-logon. In many scenarios this is what admins really need and it is why I suggested it.
0
 
Krzysztof PytkoActive Directory EngineerCommented:
Nope, but DSQUERY works with flat text file
For CSV you need to use other tools like CSVDE or 3rd party tool ADFIND

Krzysztof
0
 
Silver_PowerAuthor Commented:
Krzysztof, is that "%1" or "%i" ?  thanks
0
 
Krzysztof PytkoActive Directory EngineerCommented:
In this example it is %i to work with batch processing
if you want to get a parameter from command line into batch then you have to use %1

Krzysztof

0
 
Krzysztof PytkoActive Directory EngineerCommented:
Hi,

does it work for you or did you experience some issues ?

Krzysztof
0
 
Silver_PowerAuthor Commented:
Hi Krzysztof,

No it does not work.  This is the message I get:

"dsquery group -name testgrp   | dsget group -members -expand   | dsget user -disabled yes
dsget failed:Value for 'Target object for this command' has incorrect format.
type dsget /? for help.

Any idea.

0
 
Silver_PowerAuthor Commented:
Hi Krzysztof,

It works.  Thanks so much.  And you too Gtworek, didn't get the chance to pursue your solution, but it did look promising.

0
 
Silver_PowerAuthor Commented:
That was a simple and consice solution, exactly what I was looking for.
0
 
Krzysztof PytkoActive Directory EngineerCommented:
You're welcome :)

Krzysztof
0
All Courses

From novice to tech pro — start learning today.