
Solved

Group together disabled Windows accounts in a folder / container

Posted on 2014-01-20
279 Views
Last Modified: 2014-02-22
Q1:
We have a number of disabled Windows (domain as well
as local) accounts.  How can we move/group these accounts
to a container/folder in the server?

Q2:
Is there any way to prevent Wintel administrator from
accidentally enabling those accounts back?  Or is it possible
to set an audit event on this folder such that if there's
changes to it (or those accounts are re-enabled back),
it will be logged in Event Viewer with possibly an alert
generated?

I'm trying to fulfill IT security's requirement.
Question by:sunhux
8 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 800 total points
ID: 39794496
Answers are below..

Q1. You can accomplish this using a PowerShell script to collect all of the disabled users and then move them to a specific OU. Use the syntax below...

Import-Module ActiveDirectory
# Select only the disabled users, then move each one into the target OU
Get-ADUser -Filter * -Properties * | ? {$_.Enabled -eq $false} | ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath "OU=Disabled,DC=Domain,DC=com" }


Make sure that you change the "OU" part of the script to the name of your OU in your domain where you want them to be moved to. You will also need to change the domain portion as well.


Q2. If your Wintel administrators are domain admins then you cannot stop what they can do to the OU or the objects inside of it. If they have simply been delegated rights like password reset, unlocking accounts etc., you can remove the delegation on the OU for this specific user or group they are part of.

Will.
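As an added example (not code from Will's answer), here is a fuller version of the same move: it filters disabled users server-side, refuses to run unless the target OU already exists (the OU is not created by Move-ADObject), skips accounts that are already in the OU and a few built-in accounts that are disabled by design, and supports -WhatIf so the list can be reviewed before anything moves. The OU distinguished name and the exclusion list are assumptions to adapt to your domain.

```powershell
# Added example, not from the original answer. Moves every disabled domain
# user into a pre-created OU. Assumptions: RSAT ActiveDirectory module is
# installed, the OU already exists, and the DN below is a placeholder.
param(
    [string]$TargetOU = 'OU=DontEnable_UnlesswithApproval,DC=mydomain,DC=local',  # placeholder DN
    [switch]$WhatIf
)

Import-Module ActiveDirectory -ErrorAction Stop

# Built-in accounts that are disabled by default and should stay where they are.
# (Assumption: extend this list with your own service accounts if needed.)
$excluded = @('krbtgt', 'Guest', 'DefaultAccount')

function Test-TargetOU {
    param([string]$DistinguishedName)
    # Get-ADOrganizationalUnit throws when the DN does not resolve, so the OU
    # has to be created beforehand (for example with New-ADOrganizationalUnit).
    try {
        $null = Get-ADOrganizationalUnit -Identity $DistinguishedName -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Get-DisabledUsersToMove {
    param([string]$DistinguishedName)
    # Filter on Enabled server-side instead of pulling every user with every
    # property, then drop accounts already under the OU or in the exclusion list.
    Get-ADUser -Filter 'Enabled -eq $false' -Properties Enabled |
        Where-Object {
            $_.DistinguishedName -notlike "*,$DistinguishedName" -and
            $excluded -notcontains $_.SamAccountName
        }
}

if (-not (Test-TargetOU -DistinguishedName $TargetOU)) {
    throw "Target OU '$TargetOU' does not exist; create it first, then re-run."
}

$candidates = @(Get-DisabledUsersToMove -DistinguishedName $TargetOU)
Write-Host ("{0} disabled user(s) to move" -f $candidates.Count)

$verb = if ($WhatIf) { 'would move' } else { 'moved' }
foreach ($user in $candidates) {
    # -WhatIf is passed through so a dry run changes nothing.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOU -WhatIf:$WhatIf
    Write-Host ("{0} {1} ({2})" -f $verb, $user.SamAccountName, $user.DistinguishedName)
}
```

Run it once with -WhatIf to see which accounts would be affected, then again without it. Keeping krbtgt and Guest in place matters because tooling and default permissions expect them in their default containers.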
LVL 56

Assisted Solution

by:McKnife
McKnife earned 320 total points
ID: 39794750
On Q2: You can set up auditing, yes. Maybe it's even already on by default? Try it: http://technet.microsoft.com/en-us/library/dd772693(v=ws.10).aspx shows the event IDs.
Author Comment

by:sunhux
ID: 39796036
> "OU=Disabled,DC=Domain,DC=com"

Just to clarify with Will: so instead of Disabled, I can just name the OU/folder
that hold the disabled accounts (including local accounts?) as
OU=DontEnable_UnlesswithApproval  &  the domain name
is something like DC=mydomain.local  ?

Is there any length limitation with the OU/folder name & 
can special characters be used?

Lastly, do we need to pre-create the OU or just run the Powershell
script command & it will create it?  Pardon me as I'm very new to
PowerShell
LVL 38

Assisted Solution

by:Mahesh
Mahesh earned 480 total points
ID: 39802266
You can't stop domain administrators from enabling accounts, as stated earlier.

However, you can trigger an email alert if an administrator enables a user account in AD.

You can attach a task to a specific event so that if that event is generated (e.g. Event ID 5722 - user account enabled), an email will be triggered to the configured person.

You can log on to the DC, find the required event, right-click it and select "Attach a task"; within the task you get send email \ start a program (script) options which can trigger an email, so you will come to know.

However, this is not a foolproof approach; a better option is to set an alert through email if you have some kind of event viewer management solution such as MS SCOM or ADAudit Plus from ManageEngine.

Mahesh
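As an added example that is not part of McKnife's or Mahesh's answers, the script below puts the two pieces of Q2 together: it checks that "User Account Management" auditing is enabled (without it no enable event is written), registers a scheduled task that runs when the Security log records event 4722 ("A user account was enabled" on Server 2008 and later), and acts as the task's handler, mailing an alert only when the re-enabled account sits under the "do not enable" OU. The OU DN, SMTP server and addresses are placeholders; the task name, the five-minute look-back window and the use of schtasks for the event trigger are design choices of this example.

```powershell
# Added example, not from the original answers. Run as an administrator on a
# domain controller. Modes: Check (audit policy), Register (create the
# event-triggered task), Handle (what the task runs).
param(
    [ValidateSet('Check','Register','Handle')] [string]$Mode = 'Check',
    [string]$WatchOU    = 'OU=DontEnable_UnlesswithApproval,DC=mydomain,DC=local',  # placeholder DN
    [string]$SmtpServer = 'smtp.mydomain.local',                                     # placeholder
    [string]$From       = 'dc-alerts@mydomain.local',                                # placeholder
    [string]$To         = 'itsecurity@mydomain.local'                                # placeholder
)

Import-Module ActiveDirectory -ErrorAction Stop

$TaskName = 'Alert-DisabledAccountReEnabled'   # assumed task name
$EventId  = 4722   # Security log: "A user account was enabled"

function Test-AccountManagementAuditing {
    # auditpol prints the subcategory with "Success", "Failure",
    # "Success and Failure" or "No Auditing"; we need at least Success.
    $line = auditpol /get /subcategory:'User Account Management' |
            Where-Object { $_ -match 'User Account Management' }
    return [bool]($line -match 'Success')
}

function Register-EnableAlertTask {
    param([string]$ScriptPath)
    # schtasks supports ONEVENT triggers with an XPath filter; the
    # ScheduledTasks cmdlets do not expose event triggers directly.
    $action = "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`" -Mode Handle"
    $query  = "*[System[(EventID=$EventId)]]"
    schtasks /Create /F /TN $TaskName /SC ONEVENT /EC Security /MO $query /RU SYSTEM /TR $action
}

function Get-ReEnabledAccountsInOU {
    param([string]$OU, [int]$Minutes = 5)
    # Read recent 4722 events, pull the target account from the event XML,
    # and resolve it to a DN so the OU check does not rely on display text.
    $since = (Get-Date).AddMinutes(-$Minutes)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $user = Get-ADUser -Filter "SamAccountName -eq '$($data.TargetUserName)'" -ErrorAction SilentlyContinue
            if ($user -and $user.DistinguishedName -like "*,$OU") {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Account   = $data.TargetUserName
                    EnabledBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    DN        = $user.DistinguishedName
                }
            }
        }
}

switch ($Mode) {
    'Check' {
        if (Test-AccountManagementAuditing) { 'Success auditing for User Account Management is on.' }
        else { 'Not on. Enable it with: auditpol /set /subcategory:"User Account Management" /success:enable' }
    }
    'Register' { Register-EnableAlertTask -ScriptPath $PSCommandPath }
    'Handle' {
        $hits = @(Get-ReEnabledAccountsInOU -OU $WatchOU)
        if ($hits.Count -gt 0) {
            $body = $hits | Format-List | Out-String
            Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
                -Subject "Disabled account re-enabled under $WatchOU" -Body $body
        }
    }
}
```

The handler filters on the account's DN rather than alerting on every 4722, so enabling an account elsewhere in the domain stays quiet while anything under the watched OU is reported together with the SubjectUserName that performed the change. As Mahesh notes, a local task on one DC only sees that DC's Security log; the same event filter is what you would feed a central log collector or SIEM for full coverage.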
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 400 total points
ID: 39802438
Local accounts can't be moved because local machines don't have any concept of an OU for local accounts.
Author Comment

by:sunhux
ID: 39805674
Ok, thanks; it's clear now that only the disabled domain accounts
could be moved to the OU.

2 clarifications:
For the Powershell script given, do we need to pre-create the OU
or just that script & it will create the OU if it's not present?

What's the length of an OU name & can it contain special
characters like _  ?
LVL 38

Expert Comment

by:Mahesh
ID: 39880245
You need to create the OU in advance.

Special characters are acceptable in an OU name.
The maximum length of an OU name is 64 characters:
http://support.microsoft.com/kb/909264

Mahesh