Solved

Group together disabled Windows accounts in a folder / container

Posted on 2014-01-20
274 Views
Last Modified: 2014-02-22
Q1:
We have a number of disabled Windows (domain as well
as local) accounts.  How can we move/group these accounts
to a container/folder in the server?

Q2:
Is there any way to prevent Wintel administrators from
accidentally enabling those accounts again?  Or is it possible
to set an audit event on this folder such that if there are
changes to it (or those accounts are re-enabled),
it will be logged in Event Viewer, possibly with an alert
generated?

I'm trying to fulfill IT security's requirement.
Question by:sunhux
8 Comments
 
Accepted Solution by Will Szymkowski (earned 200 total points), ID: 39794496
Answers are below..

Q1. You can accomplish this using a PowerShell script to collect all of the disabled users and then move them to a specific OU. Use the syntax below...

Import-Module ActiveDirectory
# Enabled is a default property of Get-ADUser, so -Properties * is not needed.
# Every disabled user is moved into the target OU by its distinguished name.
Get-ADUser -Filter * | Where-Object { $_.Enabled -eq $false } | ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath "OU=Disabled,DC=Domain,DC=com" }


Make sure that you change the "OU" part of the script to the name of the OU in your domain where you want them to be moved to. You will also need to change the domain portion.


Q2. If your Wintel administrators are domain admins, then you cannot stop what they can do to the OU or the objects inside of it. If they have simply been delegated rights like password reset, unlocking accounts, etc., you can remove the delegation on the OU for that specific user or the group they are part of.

Will.
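The one-liner from the accepted answer, carried further as an added example (this is not Will's code or anything else from the thread). It refuses to run if the OU is missing (Move-ADObject does not create it), skips the built-in accounts that are disabled by design, honours -WhatIf, and then lists which principals hold write access to userAccountControl on user objects under the OU, which is exactly the delegation Will says to remove for the Q2 part. The OU distinguished name and domain are hypothetical placeholders; the two schema GUIDs are the real schemaIDGUIDs of the userAccountControl attribute and the user class.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module,
# an OU that already exists (the DN below is a hypothetical placeholder) and an
# account that is allowed to move user objects into it. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$TargetOU = 'OU=DontEnable_UnlessWithApproval,DC=mydomain,DC=local'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Move-ADObject does not create the target; fail once here instead of once per user.
$ou = Get-ADOrganizationalUnit -Identity $TargetOU -ErrorAction Stop

# Well-known RIDs that are disabled by design and must stay where they are:
# 501 = Guest, 502 = krbtgt. 500 (built-in Administrator) is excluded as a safety net.
$protectedRids = @(500, 501, 502)

# Server-side filter on Enabled; pulling every user with -Properties * is not needed.
$candidates = Get-ADUser -Filter 'Enabled -eq $false' |
    Where-Object {
        $rid = [int](($_.SID.Value -split '-')[-1])
        ($protectedRids -notcontains $rid) -and
        ($_.DistinguishedName -notlike "*,$($ou.DistinguishedName)")   # already in the OU
    }

foreach ($user in $candidates) {
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $($ou.DistinguishedName)")) {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $ou.DistinguishedName
    }
}

# Q2 follow-up: the "disabled" bit lives in the userAccountControl attribute, so any
# principal with WriteProperty on that attribute (or GenericWrite/GenericAll) for user
# objects under the OU can re-enable these accounts. Review the entries that are not
# built-in admin groups and remove that delegation. Domain Admins cannot be kept out.
$uacGuid  = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of userAccountControl
$userGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class
$rights   = [System.DirectoryServices.ActiveDirectoryRights]

(Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.InheritedObjectType -eq [guid]::Empty -or $_.InheritedObjectType -eq $userGuid) -and
        (
            ((($_.ActiveDirectoryRights -band $rights::WriteProperty) -ne 0) -and
                ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $uacGuid)) -or
            (($_.ActiveDirectoryRights -band $rights::GenericWrite) -ne 0) -or
            (($_.ActiveDirectoryRights -band $rights::GenericAll) -ne 0)
        )
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

Run it as `.\Move-DisabledUsers.ps1 -WhatIf` first to see the planned moves without touching the directory. An entry in the final table with an empty ObjectType means the principal can write every attribute, not just userAccountControl; a non-inherited entry was delegated directly on this OU and can be removed there, while an inherited one has to be traced up to the parent container where it was granted.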
 
Assisted Solution by McKnife (earned 80 total points), ID: 39794750
On Q2: You can set up auditing, yes. Maybe it's even already on by default? Try it: http://technet.microsoft.com/en-us/library/dd772693(v=ws.10).aspx shows the event IDs.
 

Author Comment by sunhux, ID: 39796036
> "OU=Disabled,DC=Domain,DC=com"

Just to clarify with Will: so instead of Disabled, I can just name the OU/folder
that holds the disabled accounts (including local accounts?) as
OU=DontEnable_UnlesswithApproval  &  the domain name
is something like DC=mydomain.local  ?

Is there any length limitation with the OU/folder name & 
can special characters be used?

Lastly, do we need to pre-create the OU or just run the Powershell
script command & it will create it?  Pardon me as I'm very new to
PowerShell
 
Assisted Solution by Mahesh (earned 120 total points), ID: 39802266
You can't stop domain administrators from enabling accounts as stated earlier

However, you can trigger an email alert if an administrator enables a user account in AD.

You can attach a task to a specific event so that if that event is generated (Ex: Event ID 5722 - user account enabled), an email will be triggered to the configured person.

You can log on to the DC, find the required event, right-click and select "Attach a task", and within the task you get send email / start a program (script) options which can trigger an email so you will come to know.

However, this is not a foolproof task; a better option is to set an alert through email if you have some kind of event viewer management solution such as MS SCOM or AD Audit Plus from ManageEngine.

Mahesh
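McKnife's auditing pointer and Mahesh's attach-a-task idea, carried through as an added example (not the thread's own code): this is the script an event-triggered scheduled task would run on a domain controller. In the Windows Server 2008 R2 event list McKnife linked, "A user account was enabled" is event ID 4722 in the Security log (it was 626 on Windows Server 2003), raised by the User Account Management audit subcategory. The script checks that the subcategory is audited, pulls recent 4722 events, keeps only those whose target account sits in the disabled-accounts OU, records who enabled it, and mails the result. The OU distinguished name, SMTP host, addresses and script path are hypothetical placeholders.

```powershell
# Added example, not code from the thread. Run on a DC from a scheduled task with an
# event trigger (see the schtasks line at the end). All names below are placeholders.
param(
    [string]$WatchedOU        = 'OU=DontEnable_UnlessWithApproval,DC=mydomain,DC=local',
    [string]$SmtpServer       = 'smtp.mydomain.local',
    [string]$From             = 'dc-alerts@mydomain.local',
    [string]$To               = 'itsecurity@mydomain.local',
    [int]   $LookbackMinutes  = 5
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Confirm the subcategory that produces 4722 is actually audited for success.
#    auditpol /r emits CSV with an "Inclusion Setting" column.
$policy = auditpol /get /subcategory:"User Account Management" /r | ConvertFrom-Csv
if ($policy.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning 'Success auditing for "User Account Management" is off. Enable it with:'
    Write-Warning '  auditpol /set /subcategory:"User Account Management" /success:enable'
}

# 2. Pull recent 4722 ("A user account was enabled") events from the Security log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4722
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # EventData carries TargetSid/TargetUserName (the enabled account) and
    # SubjectUserName/SubjectDomainName/SubjectLogonId (who did it).
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # 3. Resolve the target by SID (robust against renames) and keep only accounts
    #    that live in the watched OU. Computer accounts also raise 4722 but are not
    #    users, so Get-ADUser returns nothing for them and they are skipped.
    $target = Get-ADUser -Identity $d['TargetSid'] -ErrorAction SilentlyContinue
    if ($target -and $target.DistinguishedName -like "*,$WatchedOU") {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Enabled  = $target.DistinguishedName
            By       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            LogonId  = $d['SubjectLogonId']   # correlate with 4624 to find the source host
            RecordId = $e.RecordId
            DC       = $env:COMPUTERNAME
        }
    }
}

# 4. Alert. The event is the evidence; the mail is only the notification.
if ($hits) {
    $count = @($hits).Count
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "ALERT: $count account(s) in $WatchedOU re-enabled on $env:COMPUTERNAME" `
        -Body ($hits | Format-List | Out-String)
}
$hits

# One-time setup, from an elevated prompt on EACH domain controller, so the task fires
# on the event itself rather than on a timer (script path is a placeholder):
#   schtasks /Create /TN "Alert-4722" /RU SYSTEM /SC ONEVENT /EC Security /MO "*[System[EventID=4722]]" /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Alert-Enabled.ps1"
```

Each DC logs only the changes it processed itself, so the task has to exist on every DC (or the logs have to be forwarded to one collector that runs it). This detects and records who re-enabled an account after the fact; it does not prevent the change, which is consistent with the answers above that domain admins cannot be blocked.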
 
Assisted Solution by kevinhsieh (earned 100 total points), ID: 39802438
Local accounts can't be moved because local machines don't have any concept of an OU for local accounts.
 

Author Comment by sunhux, ID: 39805674
Ok, thanks; it's clear now that only the disabled domain accounts
could be moved to the OU.

2 clarifications:
For the Powershell script given, do we need to pre-create the OU
or just that script & it will create the OU if it's not present?

What's the length of an OU name & can it contain special
characters like _  ?
 
Expert Comment by Mahesh, ID: 39880245
You need to create the OU in advance.

Special characters are acceptable in an OU name.
The maximum length of an OU name is 64 characters:
http://support.microsoft.com/kb/909264

Mahesh