[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Disable or enable a group of accounts

Posted on 2011-09-26
13
Medium Priority
?
228 Views
Last Modified: 2012-05-12
I will appreciate it if someone can show me how to disable/enable a group of user accounts without having to do it individually.  I have a large number of user accounts that may require disabling and potentially enabling within a short time.  Given the short time frame, disabling/enabling the accounts individually is just not doable, hence my request.

Thanks for all your help, experts.
0
Comment
Question by:Silver_Power
  • 6
  • 5
  • 2
13 Comments
 
LVL 26

Expert Comment

by:gtworek
ID: 36598731
There are two ways depending on what do you actually need:
1. change the group type from security to distribution one. If any ACLs use this group it will work as "disabled". Of course users will work normal way after doing this.
2. list your group members and disable them with simple loop in powershell script.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36598748
Are those users in a some special group ? If so, you can use DS Tools for that on a DC or workstation with Administrative Tools installed

to disable users from it-group group use

dsquery group -name "it-group" | dsget group -members -expand | dsget user -disabled yes

to enable them use

dsquery group -name "it-group" | dsget group -members -expand | dsget user -disabled no

if they are in different group, put them in a flat text file(one user's login per line) save on a C-drive and run this syntax

disabling
for /r %i in (c:\users.txt) do dsquery user -samid %i | dsget user -disabled yes

enabling
for /r %i in (c:\users.txt) do dsquery user -samid %i | dsget user -disabled no


Regards,
Krzysztof
0
 

Author Comment

by:Silver_Power
ID: 36598913
Gtworek,  can you please expand on option one more.  Also how do I change the group type?

Krzysztof, I will try your suggestion tomorrow and get back to you.  Can I also use a CSV file with dsquery?
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
LVL 26

Expert Comment

by:gtworek
ID: 36598934
Changing the group type will not disable your accounts. If you add some users to group and then assign rights using ACLs you can doubleclick your group in AD and change the group type from "Security" to "Distribution". Your users will lost access rights after re-logon. In many scenarios this is what admins really need and it is why I suggested it.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36599035
Nope, but DSQUERY works with flat text file
For CSV you need to use other tools like CSVDE or 3rd party tool ADFIND

Krzysztof
0
 

Author Comment

by:Silver_Power
ID: 36599060
Krzysztof, is that "%1" or "%i" ?  thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36599153
In this example it is %i to work with batch processing
if you want to get a parameter from command line into batch then you have to use %1

Krzysztof

0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36708294
Hi,

does it work for you or did you experience some issues ?

Krzysztof
0
 

Author Comment

by:Silver_Power
ID: 36709131
Hi Krzysztof,

No it does not work.  This is the message I get:

"dsquery group -name testgrp   | dsget group -members -expand   | dsget user -disabled yes
dsget failed:Value for 'Target object for this command' has incorrect format.
type dsget /? for help.

Any idea.

0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 2000 total points
ID: 36709459
"dsquery group -name testgrp   | dsget group -members -expand   | dsget user -disabled yes
in this syntax are extra spaces and in the last command part I made a mistake :/ (sorry for that), you should use

instead of dsget user should be dsmod user :)

Correct syntax
 
dsquery group -name testgrp | dsget group -members -expand | dsmod user -disabled yes

Open in new window


Krzysztof
0
 

Author Comment

by:Silver_Power
ID: 36712476
Hi Krzysztof,

It works.  Thanks so much.  And you too Gtworek, didn't get the chance to pursue your solution, but it did look promising.

0
 

Author Closing Comment

by:Silver_Power
ID: 36712483
That was a simple and consice solution, exactly what I was looking for.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36714746
You're welcome :)

Krzysztof
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Let's recap what we learned from yesterday's Skyport Systems webinar.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question