Group together disabled Windows accounts in a folder / container

Q1:
We have a number of disabled Windows (domain as well
as local) accounts.  How can we move/group these accounts
to a container/folder in the server?

Q2:
Is there any way to prevent Wintel administrator from
accidentally enabling those accounts back?  Or is it possible
to set an audit event on this folder such that if there's
changes to it (or those accounts are re-enabled back),
it will be logged in Event Viewer with possibly an alert
generated?

I'm trying to fulfill IT security's requirement.
sunhuxAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Will SzymkowskiConnect With a Mentor Senior Solution ArchitectCommented:
Answers are below..

Q1. You can accomplish this using powershell script to collect all of the Disbaled users and then move then to a specific OU. Use the syntax below...

Import-module activedirectory
get-aduser -filter * -properties * | ? {$_.enabled -eq $false} | foreach {move-adobject -identity $_.DistinguishedName -TargetPath "OU=Disabled,DC=Domain,DC=com"

Open in new window


Make sure that you change the "OU" part of the script to the name of your OU in your domain where you want them to be moved to. You will also need to change the domain portion as well.


Q2. If your Wintel administrators are domain admins then you cannot stop what they can do to the OU or the objects inside of it. If they have simply been delegated rights like password reset, unlocking accounts etc you can remove delegation on the OU for this specific User or Group they are part of.

Will.
0
 
McKnifeConnect With a Mentor Commented:
On Q2: You can setup auditing, yes. Maybe it's even already on by default? Try it: http://technet.microsoft.com/en-us/library/dd772693(v=ws.10).aspx shows the event IDs.
0
 
sunhuxAuthor Commented:
> "OU=Disabled,DC=Domain,DC=com"

Just to clarify with Will: so instead of Disabled, I can just name the OU/folder
that hold the disabled accounts (including local accounts?) as
OU=DontEnable_UnlesswithApproval  &  the domain name
is something like DC=mydomain.local  ?

Is there any length limitation with the OU/folder name & 
can special characters be used?

Lastly, do we need to pre-create the OU or just run the Powershell
script command & it will create it?  Pardon me as I'm very new to
PowerShell
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
MaheshConnect With a Mentor ArchitectCommented:
You can't stop domain administrators from enabling accounts as stated earlier

However you can trigger email alert if administrator  enabled user account in AD

You can attach task to specific event so that if that event is generated (Ex: Event ID 5722 - user account enabled), an email will triggered to configured person.

You can logon to DC, find out required event and right click and select attach a task and within task you can get  send email \ start a program (script)  options which can trigger email and you will come to know.

However this is not full proof task, better option is you can set alert through email if you have some kind of event viewer management solution such as MS SCOM or AD audit plus from Manage engine

Mahesh
0
 
kevinhsiehConnect With a Mentor Commented:
Local accounts can't be moved because local machines don't have any concept of an OU for local accounts.
0
 
sunhuxAuthor Commented:
Ok, thanks; it's clear now that only the disabled domain accounts
could be moved to the OU.

2 clarifications:
For the Powershell script given, do we need to pre-create the OU
or just that script & it will create the OU if it's not present?

What's the length of an OU name & can it contain special
characters like _  ?
0
 
MaheshArchitectCommented:
You need to create OU in advance.

Special characters are acceptable with OU
Maximum length of OU name is 64 characters
http://support.microsoft.com/kb/909264

Mahesh
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.