
Disable list of user accounts in Active Directory 2008

Posted on 2013-12-11
Last Modified: 2013-12-17
Hi Guys,

Q1: Could you please help me? I need to disable a single user in Active Directory using a PS script.
Q2: I have a list of around 300 users whose inactive accounts need to be disabled and moved to a disabled OU. Could you please help me find a script or a way to do it quickly?

Thank you in advance
0
Question by:Rabihhaj
12 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39713062
For 1 you can use the Disable-ADAccount cmdlet: http://technet.microsoft.com/en-us/library/ee617197.aspx

disable-adaccount -identity username

I'll have to test for #2. There are some scripts in the TechNet script gallery that do it, but I always test first. The pseudo code is import-csv, then pipe that to disable and move. If someone doesn't get it by morning I'll test in my lab.

Thanks

Mike
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39713326
To find the inactive users, use the following script. 90 means 90 days - change as required.

# -UsersOnly skips computer accounts; SamAccountName is the column the disable script below reads
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 90.00:00:00 | ?{$_.enabled -eq $true} | %{Get-ADUser $_.ObjectGuid} | select samaccountname, name, givenname, surname | export-csv c:\report\unusedaccounts.csv -NoTypeInformation

The following script will disable a specified user, log their current group membership, move them to a specified container, remove them from their groups except Domain Users and hide the user in the GAL. The script requires Quest AD Tools installed: http://www.quest.com/powershell/ This was tested on a Windows 7 and a Windows XP device.



#Add Quest PowerShell Tools
Add-PSSnapin Quest.ActiveRoles.ADManagement

#Import CSV File
$list = Import-Csv "c:\report\unusedaccounts.csv"

#Sets the OU where to move the disabled users
$DisabledOU = 'company.org/Disabled/Decommissioned_Users'

foreach ($entry in $list) {
    #Date and Time
    $datetime = [datetime]::Now.ToString("ddd MM/dd/yyyy HH:mm:ss")

    #Export Current User Groups With Date/Time Stamp
    $UserID = $entry.SamAccountName
    $ADGroup = (Get-QADMemberOf $UserID)
    $username = Get-QADUser $UserID | select -ExpandProperty name
    #Write one comma-separated log line per user before anything is changed
    "$datetime,$UserID,$username,$ADGroup" | Add-Content c:\scripts\DisableUser\Log.csv -Force

    #Disable and Move the User(s)
    Disable-QADUser $UserID
    Start-Sleep -s 2
    Move-QADObject -Identity $UserID -NewParentContainer $DisabledOU
    Start-Sleep -s 2

    #Hide Users in the GAL
    Set-QADUser -Identity $UserID -ObjectAttributes @{MSExchHideFromAddressLists=$true}

    #Remove all groups except Domain Users - By Default Domain Users will remain
    Remove-QADMemberOf $UserID -RemoveAll
}

Modify the Excel file so that it looks like the below

SamAccountName
someuseraccount
someuseraccount2
someuseraccount3
someuseraccount4

Change the Disabled OU as required

0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39714222
You can do this all natively with built-in PowerShell commands...
1. Disable single user using PowerShell
import-module activedirectory
set-aduser -Identity <username> -Enabled $false

*Note: where I have listed "yourCSVhere" you can use the same CSV file in both locations. Just make sure that you have all of the headings that are required for the script.

2. Disable multiple users and move to OU
Import-Module activedirectory

# First pass: disable every account listed in the CSV
$UserList = import-csv "c:\yourCSVhere.csv"
foreach ($User in $UserList) {
    # Echo the account name so progress is visible
    $User.sAMAccountName
    Set-ADUser -Identity $User.sAMAccountName -Enabled $false
}

# Second pass: move each account from its current DN to the OU given in the CSV
$UserList = Import-Csv "c:\yourCSVhere.csv"
foreach ($User in $UserList) {
    $User.DN
    $User.OU
    Move-ADObject -Identity $User.DN -TargetPath $User.OU
}


You need to construct your CSV in the following format...

Column A sAMAccountName  
Column B DN
Column C OU

Example Below...
Column A bthompson              
Column B CN=Brian Thompson,OU=test,DC=domain,DC=com
Column C OU=Testmove,DC=domain,DC=com

I had to outline the csv file this way as there is not enough white space left to right. But you would have sAMAccountName DN OU for the top 3 headings and then the respective user info underneath.

If you have any questions let me know.
0

 

Author Comment

by:Rabihhaj
ID: 39714913
Hi all,  

How about if I want to disable a list of users without moving them to an OU? What would the script be?
I will follow the format for the spec01 csv file.

I will try this in the next 2 hours and let you know

Thank you in advance

Thanks Rabih
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39714975
All you need to do is use the first half of the script I posted originally. See below...

CSV file format
sAMAccountName
jsmith
marcp
etc...

Import-Module activedirectory
$UserList = import-csv "c:\yourCSVhere.csv"
foreach ($User in $UserList) {
$User.sAMAccountName
Set-ADUser -Identity $User.sAMAccountName -Enabled $false
}


0
 

Author Comment

by:Rabihhaj
ID: 39715858
Hi Spec01

I created the CSV file and am now going to run those 6 command lines.

How do I type it in PS? Is that through a BAT file, individually?
Sorry, this is the first time I have had more than one line involved in a script.

Thanks
Rabih
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 2000 total points
ID: 39716232
Copy the script above and put it in Notepad. Save the file with the .PS1 file extension. When you are in PowerShell, navigate to the directory where you saved the PowerShell file and type .\name.ps1 (where name = the filename that you saved it as).

This will then run the script and your user in the csv file will be disabled.

Will.
0
 

Author Comment

by:Rabihhaj
ID: 39720584
Hi Spec01,

Last question: how about if I have the email address or display name instead of the user logon name?

What should I change in the script?

Thank you in advance

Rabih
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39720621
You require the sAMAccountName to modify attributes. If you look at the requirements, sAMAccountName is the first positional parameter.

Will.
0
 

Author Comment

by:Rabihhaj
ID: 39724877
Hi Will,
Thank you very much for your help. All working now and happy.

Now, if I need to ask you questions, how can I chat with you in here?


What I need, I know, is a separate question, but it is related.

While I am running this script, I need to add a comment in the description of each user profile, and that description is different for each one, etc. (incident number).

Is there any way I can do that, or add it in the csv file and run it?
Also, could you please send me the attribute names in Active Directory, e.g. logon name is sAMAccountName? How do I know all these?

Thanks
Rabih
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39724904
If you need to reach me you can post a new question and forward the link to the new question to my email.

spec01<dot>83@gmail.com

You can get all of the attributes for AD by using the following command...

Get-ADUser -filter * -properties * | get-member

Will.
0
 

Author Closing Comment

by:Rabihhaj
ID: 39724919
Good to work with you again
0
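
The steps discussed in this thread (disable from a CSV, optionally move to a disabled OU, and stamp a per-user description such as an incident number), combined into one script with the native ActiveDirectory module. This is an added example, not code posted by any participant; the Description column, the OU DN, the log path and the parameter names are assumptions to adapt.

```powershell
# Added example. Assumed CSV columns: sAMAccountName (required), Description (optional).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CsvPath    = 'c:\yourCSVhere.csv',                  # CSV path used in the thread
    [string]$DisabledOU = 'OU=Disabled,DC=domain,DC=com',        # placeholder DN; '' = do not move
    [string]$LogPath    = 'c:\report\disabled-accounts-log.csv'  # hypothetical log file
)
Import-Module ActiveDirectory

$results = foreach ($row in Import-Csv $CsvPath) {
    $sam = "$($row.sAMAccountName)".Trim()
    if (-not $sam) { continue }                       # skip blank rows

    $previousDN = ''
    try {
        # Resolve the account first so a typo in the CSV is logged, not silently skipped
        $user = Get-ADUser -Identity $sam -Properties Description -ErrorAction Stop
        $previousDN = $user.DistinguishedName         # kept so the move can be reversed

        if ($user.Enabled) {
            Disable-ADAccount -Identity $user -ErrorAction Stop
        }
        if ($row.Description) {
            Set-ADUser -Identity $user -Description $row.Description -ErrorAction Stop
        }
        # Move only when an OU is given and the user is not already directly in it
        if ($DisabledOU -and $previousDN -notlike "CN=*,$DisabledOU") {
            Move-ADObject -Identity $user -TargetPath $DisabledOU -ErrorAction Stop
        }
        $status = if ($WhatIfPreference) { 'WhatIf' } else { 'Done' }
    } catch {
        $status = "Failed: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        Time           = (Get-Date -Format s)
        sAMAccountName = $sam
        PreviousDN     = $previousDN
        Status         = $status
    } | Select-Object Time, sAMAccountName, PreviousDN, Status
}

# The log is written even under -WhatIf so the dry run can be reviewed
$results | Export-Csv $LogPath -NoTypeInformation -WhatIf:$false
$results | Format-Table -AutoSize
```

Saved as a .ps1 file and run with -WhatIf first, it reports what would change without touching any account; the PreviousDN column records each user's original location for rollback.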
