Solved

Disable list of user accounts in Active Directory 2008

Posted on 2013-12-11
Last Modified: 2013-12-17
Hi Guys,

Q1: Could you please help me? I need to disable a single user in Active Directory using a PS script.
Q2: I have a list of around 300 inactive user accounts that need to be disabled and moved to a disabled OU. Could you please help me find a script or a way to do it quickly?

Thank you in Advance
Question by:Rabihhaj

Expert Comment

by:Mike Kline
For 1 you can use the Disable-ADAccount cmdlet: http://technet.microsoft.com/en-us/library/ee617197.aspx

disable-adaccount -identity username

I'll have to test for #2; there are some scripts in the TechNet Script Gallery that do it, but I always test first. The pseudocode is Import-Csv, then pipe that to disable and move. If someone doesn't get it by morning I'll test in my lab.

Thanks

Mike

Expert Comment

by:Ram Balachandran
For finding the inactive users, use the following script. 90 means 90 days; change as required.

Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | ?{$_.enabled -eq $true} | %{Get-ADUser $_.ObjectGuid} | select name, givenname, surname | export-csv c:\report\unusedaccounts.csv -NoTypeInformation

The following script will disable a specified user, log their current group membership, move them to a specified container, remove them from their groups except Domain Users and hide the user in the GAL. The script requires the Quest AD Tools to be installed: http://www.quest.com/powershell/ This was tested on a Windows 7 and a Windows XP device.



#Add Quest PowerShell Tools 
Add-PSSnapin Quest.ActiveRoles.ADManagement 
  
#Import CSV File 
$list = Import-Csv "c:\report\unusedaccounts.csv" 
  
#Sets the OU where to move the disabled users 
$DisabledOU = 'company.org/Disabled/Decommissioned_Users' 
  
foreach($entry in $list) { 
#Date and Time 
$datetime = [datetime]::Now.ToString("ddd MM/dd/yyyy HH:mm:ss") 
  
#Export Current User Groups With Date/Time Stamp 
$UserID = $entry.SamAccountName 
$ADGroup=(get-Qadmemberof $userID)  
$username = get-qaduser $userID | select -expandproperty name 
ECHO $datetime','$UserID','$Username','$ADGroup|Add-content c:\scripts\DisableUser\Log.csv -Force 
  
#Disable and Move the User(s) 
Disable-QADUser $UserID 
Start-Sleep -s 2  
Move-QADObject -Identity $UserID -NewParentContainer $DisabledOU  
Start-Sleep -s 2 
  
#Hide Users in the GAL 
Set-QADUser -Identity $UserID -ObjectAttributes @{MSExchHideFromAddressLists=$true} 
  
#Remove all groups except Domain Users - By Default Domain Users will remain 
Remove-QADMemberOf $UserID -RemoveAll 
} 

Modify the Excel file so that it looks like this:

SamAccountName
someuseraccount
someuseraccount2
someuseraccount3
someuseraccount4

Change the Disabled OU as required

Ref 1
Ref2

Expert Comment

by:Will Szymkowski
You can do this all natively with built-in Powershell Commands...
1. Disable single user using powershell
import-module activedirectory
set-aduser -Identity <username> -Enabled $false

*Note: where I have listed "yourCSVhere" you can use the same CSV file in both locations. Just make sure that you have all of the headings that are required for the script.

2. Disable multiple users and move to OU
Import-Module activedirectory
$UserList = import-csv "c:\yourCSVhere.csv"
foreach ($User in $UserList) {
$User.sAMAccountName
Set-ADUser -Identity $User.sAMAccountName -Enabled $false
}
$UserList = Import-Csv "c:\yourCSVhere.csv"
foreach ($User in $UserList) {
$User.DN
$User.OU
Move-ADObject -Identity $User.DN -TargetPath $User.OU
}

You need to construct your CSV in the following format...

Column A sAMAccountName  
Column B DN
Column C OU

Example Below...
Column A bthompson              
Column B CN=Brian Thompson,OU=test,DC=domain,DC=com
Column C OU=Testmove,DC=domain,DC=com

I had to outline the CSV file this way as there is not enough white space left to right. But you would have sAMAccountName, DN and OU as the top 3 headings and then the respective user info underneath.

If you have any questions let me know.

Author Comment

by:Rabihhaj
Hi all,

How about if I want to disable a list of users without moving them to an OU? What would the script be?
I will follow the format for spec01's CSV file.

I will try this in the next 2 hours and let you know

Thank you in advance

Thanks Rabih

Expert Comment

by:Will Szymkowski
All you need to do is use the first half of the script I posted originally. See below...

CSV file format
sAMAccountName
jsmith
marcp
etc...

Import-Module activedirectory
$UserList = import-csv "c:\yourCSVhere.csv"
foreach ($User in $UserList) {
$User.sAMAccountName
Set-ADUser -Identity $User.sAMAccountName -Enabled $false
}


Author Comment

by:Rabihhaj
Hi Spec01,

I created the CSV file and am now going to run those 6 command lines.

How do I type it in PS? Is that through a BAT file, or individually?
Sorry, this is the first time I have had more than one line involved in a script.

Thanks
Rabih

Accepted Solution

by: Will Szymkowski (earned 500 total points)
Copy the script above and put it in Notepad. Save the file with a .PS1 file extension. When you are in PowerShell, navigate to the directory where you saved the PowerShell file and type .\name.ps1 (where name = the filename that you saved it as).

This will then run the script and your user in the csv file will be disabled.

Will.

Author Comment

by:Rabihhaj
Hi Spec01,

Last question: how about if I have an email address or display name instead of the user logon name?

What should I change in the script?

Thank you in advance

Rabih

Expert Comment

by:Will Szymkowski
You require the sAMAccountName to modify attributes. If you look at the requirements sAMAccountName is the first positional parameter.

Will.

Author Comment

by:Rabihhaj
Hi Will,
Thank you very much for your help. All working now and happy.

Now, if I need to ask you questions, how can I chat with you in here?


What I need, I know it is a separate question, but it is related.

While I am running this script, I need to add a comment in the description field of each user profile, and that description is different for each user (e.g. an incident number).

Is there any way I can do that, or add it to the CSV file and run it?
Also, could you please send me the attribute names in Active Directory, e.g. the logon name is sAMAccountName? How do I know all these?

Thanks
Rabih

Expert Comment

by:Will Szymkowski
If you need to reach me you can re-post a new question and forward me the link to the new question by email.

spec01<dot>83@gmail.com

You can get all of the attributes for AD by using the following command...

Get-ADUser -filter * -properties * | get-member

Will.
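
A combined version of the CSV-driven disable discussed in this thread, including the per-user description (incident number) asked about above, written with the native ActiveDirectory cmdlets. This is an added example, not code posted by any participant; the CSV headings (sAMAccountName, Description), the file paths and the parameter names are assumptions.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and a CSV
# with the headings sAMAccountName,Description; paths and parameter names are hypothetical.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CsvPath  = 'C:\report\disable-list.csv',
    [string]$LogPath  = 'C:\report\disable-audit.csv',
    [string]$TargetOU = ''   # optional, e.g. 'OU=Testmove,DC=domain,DC=com'
)
Import-Module ActiveDirectory

$audit = foreach ($row in Import-Csv -Path $CsvPath) {
    $sam = "$($row.sAMAccountName)".Trim()
    if (-not $sam) { continue }                       # skip blank rows

    # -Filter returns nothing for an unknown name instead of throwing like -Identity
    $user = Get-ADUser -Filter "sAMAccountName -eq '$sam'" -Properties MemberOf, Description
    if (-not $user) {
        $status = 'NotFound'
    } elseif (-not $user.Enabled) {
        $status = 'AlreadyDisabled'
    } elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable account')) {
        try {
            Disable-ADAccount -Identity $user.ObjectGUID -ErrorAction Stop
            if ($row.Description) {                   # e.g. the incident number
                Set-ADUser -Identity $user.ObjectGUID -Description $row.Description -ErrorAction Stop
            }
            if ($TargetOU) {                          # move last; the GUID survives the move
                Move-ADObject -Identity $user.ObjectGUID -TargetPath $TargetOU -ErrorAction Stop
            }
            $status = 'Disabled'
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
    } else {
        $status = 'Skipped'                           # -WhatIf or declined -Confirm
    }

    # Record the state before the change so it can be reverted
    New-Object PSObject -Property @{
        Time = (Get-Date).ToString('s'); sAMAccountName = $sam; Status = $status
        PreviousDescription = $user.Description
        Groups = ($user.MemberOf -join ';')
    }
}

# Write the audit log even on a -WhatIf run
$audit | Select-Object Time, sAMAccountName, Status, PreviousDescription, Groups |
    Export-Csv -Path $LogPath -NoTypeInformation -WhatIf:$false
```

Running the saved .ps1 with -WhatIf first produces the audit CSV (NotFound, AlreadyDisabled, Skipped) without changing any account, which lets the list of 300 names be checked before the real run.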

Author Closing Comment

by:Rabihhaj
Good to work with you again