Solved

Disable list of user accounts in Active Directory 2008

Posted on 2013-12-11
Last Modified: 2013-12-17
Hi Guys,

Q1: Could you please help me? I need to disable a single user in Active Directory using a PS script.
Q2: I have a list of around 300 inactive user accounts that need to be disabled and moved to a disabled OU. Could you please help me find a script or a way to do it quickly?

Thank you in advance
0
Question by:Rabihhaj
12 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39713062
For 1 you can use the Disable-ADAccount cmdlet: http://technet.microsoft.com/en-us/library/ee617197.aspx

disable-adaccount -identity username

I'll have to test for #2. There are some scripts in the TechNet Script Gallery that do it, but I always test first. The pseudo code is import-csv, then pipe that to disable and move. If someone doesn't get it by morning, I'll test in my lab.

Thanks

Mike
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39713326
To find the inactive users, use the following script. 90 means 90 days; change as required.

Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | ?{$_.enabled -eq $true} | %{Get-ADUser $_.ObjectGuid} | select name, givenname, surname | export-csv c:\report\unusedaccounts.csv -NoTypeInformation


The following script will disable a specified user, log their current group membership, move them to a specified container, remove them from their groups except Domain Users and hide the user in the GAL. The script requires the Quest AD Tools to be installed: http://www.quest.com/powershell/. This was tested on a Windows 7 and a Windows XP device.

#Add Quest PowerShell Tools
Add-PSSnapin Quest.ActiveRoles.ADManagement

#Import CSV File
$list = Import-Csv "c:\report\unusedaccounts.csv"

#Sets the OU where to move the disabled users
$DisabledOU = 'company.org/Disabled/Decommissioned_Users'

foreach ($entry in $list) {
    #Date and Time
    $datetime = [datetime]::Now.ToString("ddd MM/dd/yyyy HH:mm:ss")

    #Export Current User Groups With Date/Time Stamp
    $UserID = $entry.SamAccountName
    $ADGroup = (Get-QADMemberOf $UserID)
    $username = Get-QADUser $UserID | select -ExpandProperty name
    #Build the log entry as one string so it is written as a single line
    "$datetime,$UserID,$username,$ADGroup" | Add-Content c:\scripts\DisableUser\Log.csv -Force

    #Disable and Move the User(s)
    Disable-QADUser $UserID
    Start-Sleep -s 2
    Move-QADObject -Identity $UserID -NewParentContainer $DisabledOU
    Start-Sleep -s 2

    #Hide Users in the GAL
    Set-QADUser -Identity $UserID -ObjectAttributes @{MSExchHideFromAddressLists=$true}

    #Remove all groups except Domain Users - By Default Domain Users will remain
    Remove-QADMemberOf $UserID -RemoveAll
}

Modify the Excel file so that it looks like the one below:

SamAccountName
someuseraccount
someuseraccount2
someuseraccount3
someuseraccount4

Change the Disabled OU as required

0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39714222
You can do this all natively with built-in PowerShell commands...
1. Disable a single user using PowerShell
import-module activedirectory
set-aduser -Identity <username> -Enabled $false

*Note: where I have listed "yourCSVhere" you can use the same CSV file in both locations. Just make sure that you have all of the headings that are required for the script.

2. Disable multiple users and move to OU
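Import-Module activedirectory

# First pass: disable every account listed in the CSV
$UserList = import-csv "c:\yourCSVhere.csv"
foreach ($User in $UserList) {
    $User.sAMAccountName   # echo the account being processed
    Set-ADUser -Identity $User.sAMAccountName -Enabled $false
}

# Second pass: move each account (identified by its DN column) to the OU in its row
$UserList = Import-Csv "c:\yourCSVhere.csv"
foreach ($User in $UserList) {
    $User.DN               # echo the current DN and the target OU
    $User.OU
    Move-ADObject -Identity $User.DN -TargetPath $User.OU
}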


You need to construct your CSV in the following format...

Column A sAMAccountName  
Column B DN
Column C OU

Example Below...
Column A bthompson              
Column B CN=Brian Thompson,OU=test,DC=domain,DC=com
Column C OU=Testmove,DC=domain,DC=com

I had to outline the CSV file this way as there is not enough white space left to right. But you would have sAMAccountName, DN and OU as the top 3 headings and then the respective user info underneath.

If you have any questions let me know.
0
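A single-pass variant of the disable-and-move procedure from the answers above, using only the built-in ActiveDirectory module. It is an added example, not code from any poster in this thread: it looks up each account's DN instead of requiring a DN column, records group membership before the change, and honours -WhatIf. The OU path, log path and sample logon names are placeholders.

```powershell
# Added example (not from the thread): disable and move in one pass, one audit row per account.
# Assumed placeholders: $DisabledOU, $LogPath and the sample logon names.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DisabledOU = 'OU=Testmove,DC=domain,DC=com',
    [string]$LogPath    = 'C:\report\disabled-accounts.csv'
)
Import-Module ActiveDirectory

# Constructed sample input; in real use: $UserList = Import-Csv 'c:\yourCSVhere.csv'
$UserList = @'
sAMAccountName
bthompson
jsmith
'@ | ConvertFrom-Csv

$results = foreach ($row in $UserList) {
    $sam = $row.sAMAccountName.Trim()
    $record = New-Object PSObject -Property @{
        Time = (Get-Date).ToString('s'); sAMAccountName = $sam
        OldDN = ''; Groups = ''; Status = ''
    }
    try {
        # -ErrorAction Stop: a name that does not resolve is logged as a failure
        $user = Get-ADUser -Identity $sam -ErrorAction Stop
        $record.OldDN  = $user.DistinguishedName
        $record.Groups = (Get-ADPrincipalGroupMembership -Identity $user |
                          ForEach-Object { $_.Name }) -join ';'

        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable and move')) {
            Disable-ADAccount -Identity $user -ErrorAction Stop
            # Pass the looked-up object, so no DN has to be typed into the CSV
            Move-ADObject -Identity $user -TargetPath $DisabledOU -ErrorAction Stop
            $record.Status = 'Disabled and moved'
        } else {
            $record.Status = 'Not changed (-WhatIf or declined)'
        }
    } catch {
        $record.Status = "Failed: $($_.Exception.Message)"
    }
    $record | Select-Object Time, sAMAccountName, OldDN, Groups, Status
}
# Write the report even on a -WhatIf run
$results | Export-Csv -Path $LogPath -NoTypeInformation -WhatIf:$false
$results | Format-Table sAMAccountName, Status -AutoSize
```

Saved as a .ps1 file and run with -WhatIf first, it produces the report without changing any account; the OldDN and Groups columns are what is needed to reverse a change later.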

Author Comment

by:Rabihhaj
ID: 39714913
Hi all,  

How about if I want to disable a list of users without moving them to an OU? What will the script be?
I will follow the format for spec01's CSV file.

I will try this in the next 2 hours and let you know

Thank you in advance

Thanks Rabih
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39714975
All you need to do is use the first half of the script I posted originally. See below...

CSV file format
sAMAccountName
jsmith
marcp
etc...

Import-Module activedirectory
$UserList = import-csv "c:\yourCSVhere.csv"
foreach ($User in $UserList) {
    $User.sAMAccountName
    Set-ADUser -Identity $User.sAMAccountName -Enabled $false
}

0
 

Author Comment

by:Rabihhaj
ID: 39715858
Hi Spec01

I created the CSV file and am now going to run those 6 command lines.

How do I type it in PS? Is that through a BAT file, individually?
Sorry, this is the first time I have had more than one line involved in the scripts.

Thanks
Rabih
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 2000 total points
ID: 39716232
Copy the script above and put it in Notepad. Save the file with a .PS1 file extension. When you are in PowerShell, navigate to the directory where you saved the PowerShell file and type .\name.ps1 (where name = the filename that you saved it as).

This will then run the script and your users in the CSV file will be disabled.

Will.
0
 

Author Comment

by:Rabihhaj
ID: 39720584
Hi Spec01,

Last question: how about if I have the email address or display name instead of the user logon name?

What should I change in the script?

Thank you in advance

Rabih
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39720621
You require the sAMAccountName to modify attributes. If you look at the requirements, sAMAccountName is the first positional parameter.

Will.
0
 

Author Comment

by:Rabihhaj
ID: 39724877
Hi Will,
Thank you very much for your help. All working now and happy.

Now, if I need to ask you questions, how can I chat with you in here?


What I need, I know it is a separate question but related to it:

While I am doing this script, I need to add a comment in the description of each user profile, and that description is different for each user, etc. (incident number).

Is there any way I can do that, or add it in the CSV file and run it?
Also, could you please send me the attribute names in Active Directory, e.g. the logon name is sAMAccountName? How do I know all these?

Thanks
Rabih
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39724904
If you need to reach me, you can re-post a new question and forward the link to the new question to my email.

spec01<dot>83@gmail.com

You can get all of the attributes for AD by using the following command...

Get-ADUser -filter * -properties * | get-member

Will.
0
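For the two follow-up questions above (a list keyed by e-mail address, and a per-user incident number in Description), one way to do it with the built-in ActiveDirectory module. This is an added example, not code from any poster in this thread: each address is resolved with an escaped -LDAPFilter and the account is changed only when exactly one match is found. The Mail and Incident column names, the sample rows and the note format are assumptions.

```powershell
# Added example (not from the thread): disable accounts listed by mail address and
# record an incident number in Description. Column names and rows are constructed.
[CmdletBinding(SupportsShouldProcess = $true)]
param()
Import-Module ActiveDirectory

# RFC 4515 escaping, so CSV content cannot change the meaning of the LDAP filter
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value = $Value -replace '\\', '\5c' -replace '\*', '\2a'
    $Value = $Value -replace '\(', '\28' -replace '\)', '\29'
    $Value -replace "`0", '\00'
}

# Constructed sample input; the second row shows why escaping matters:
# an unescaped * would act as a wildcard and match many accounts
$rows = @'
Mail,Incident
brian.thompson@domain.com,INC-0001
wild*card@domain.com,INC-0002
'@ | ConvertFrom-Csv

foreach ($row in $rows) {
    $mail  = ConvertTo-LdapFilterValue ($row.Mail.Trim())
    $found = @(Get-ADUser -LDAPFilter "(mail=$mail)" -Properties Description)

    # mail and displayName are not guaranteed unique: act only on exactly one match
    if ($found.Count -ne 1) {
        Write-Warning "$($row.Mail): $($found.Count) matching accounts, skipped"
        continue
    }
    $user = $found[0]
    $note = "Disabled $(Get-Date -Format 'yyyy-MM-dd') ref $($row.Incident)"
    # Keep the existing description and append the note instead of overwriting it
    if ($user.Description) { $note = "$($user.Description) | $note" }

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable, set Description to '$note'")) {
        Set-ADUser -Identity $user -Enabled $false -Description $note
    }
}
```

For a list of display names, the same loop works with `(displayName=$value)` in the filter; the exactly-one-match check matters more there, since display names are often duplicated.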
 

Author Closing Comment

by:Rabihhaj
ID: 39724919
Good to work with you again
0
