Solved

Group together disabled Windows accounts in a folder / container

Posted on 2014-01-20
Last Modified: 2014-02-22
Q1:
We have a number of disabled Windows (domain as well
as local) accounts.  How can we move/group these accounts
to a container/folder in the server?

Q2:
Is there any way to prevent Wintel administrator from
accidentally enabling those accounts back?  Or is it possible
to set an audit event on this folder such that if there's
changes to it (or those accounts are re-enabled back),
it will be logged in Event Viewer with possibly an alert
generated?

I'm trying to fulfill IT security's requirement.
Question by:sunhux
8 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 200 total points
ID: 39794496
Answers are below..

Q1. You can accomplish this using a PowerShell script to collect all of the disabled users and then move them to a specific OU. Use the syntax below...

# Collect every user whose account is disabled and move it into the target OU
Import-Module ActiveDirectory
Get-ADUser -Filter * -Properties * | ? {$_.Enabled -eq $false} | ForEach-Object {Move-ADObject -Identity $_.DistinguishedName -TargetPath "OU=Disabled,DC=Domain,DC=com"}


Make sure that you change the "OU" part of the script to the name of your OU in your domain where you want them to be moved to. You will also need to change the domain portion as well.


Q2. If your Wintel administrators are domain admins, then you cannot stop what they can do to the OU or the objects inside of it. If they have simply been delegated rights like password reset, unlocking accounts, etc., you can remove delegation on the OU for this specific user or group they are part of.

Will.
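A fuller version of the move, added here as an example (not the answerer's script or anything from the thread): it filters for disabled users on the server side, refuses to run if the OU has not been pre-created, and skips the built-in accounts that are disabled by design. The OU DN is a placeholder you must change.

```powershell
# Added example, not the answerer's script: moves disabled domain users into a
# pre-created OU while skipping built-in accounts that are disabled by design.
# Assumption: $TargetOU already exists (the cmdlets do not create it) and its DN is yours.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$TargetOU = 'OU=Disabled,DC=Domain,DC=com'   # change to your OU and domain
)

Import-Module ActiveDirectory

# Stop early if the OU has not been created; Move-ADObject will not create it.
try {
    $null = Get-ADOrganizationalUnit -Identity $TargetOU -ErrorAction Stop
} catch {
    throw "Target OU '$TargetOU' does not exist. Create it first, then re-run."
}

# These are disabled out of the box and must stay put. krbtgt in particular
# backs every Kerberos ticket in the domain; never move, rename or enable it.
$builtIn = @('Guest', 'DefaultAccount')

# Search-ADAccount applies the "disabled" filter on the domain controller, so only
# matching accounts come back instead of every user with every attribute.
$candidates = Search-ADAccount -AccountDisabled -UsersOnly |
    Where-Object {
        $_.SamAccountName -notlike 'krbtgt*' -and          # also RODC krbtgt_<id> accounts
        $builtIn -notcontains $_.SamAccountName -and
        $_.DistinguishedName -notlike "*,$TargetOU"        # already in the target OU
    }

foreach ($acct in $candidates) {
    if ($PSCmdlet.ShouldProcess($acct.DistinguishedName, "Move to $TargetOU")) {
        # Identify by GUID so the reference stays valid after the DN changes.
        Move-ADObject -Identity $acct.ObjectGUID -TargetPath $TargetOU
        # Record who moved it and when on the object itself, so the OU stays
        # self-documenting even after the Security log has rolled over.
        Set-ADUser -Identity $acct.ObjectGUID `
            -Description "Moved to $TargetOU on $(Get-Date -Format s) by $env:USERDOMAIN\$env:USERNAME"
    }
}
```

Run it once with -WhatIf to review the list of accounts before anything is moved.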
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 80 total points
ID: 39794750
On Q2: You can set up auditing, yes. Maybe it's even already on by default? Try it: http://technet.microsoft.com/en-us/library/dd772693(v=ws.10).aspx shows the event IDs.
 

Author Comment

by:sunhux
ID: 39796036
> "OU=Disabled,DC=Domain,DC=com"

Just to clarify with Will: so instead of Disabled, I can just name the OU/folder
that holds the disabled accounts (including local accounts?) as
OU=DontEnable_UnlesswithApproval, & the domain name
is something like DC=mydomain.local?

Is there any length limitation with the OU/folder name & 
can special characters be used?

Lastly, do we need to pre-create the OU, or do we just run the PowerShell
script command & it will create it? Pardon me, as I'm very new to
PowerShell.
LVL 36

Assisted Solution

by:Mahesh
Mahesh earned 120 total points
ID: 39802266
You can't stop domain administrators from enabling accounts, as stated earlier.

However, you can trigger an email alert if an administrator enables a user account in AD.

You can attach a task to a specific event so that if that event is generated (e.g. Event ID 5722 - user account enabled), an email will be triggered to the configured person.

You can log on to the DC, find the required event, right-click and select "Attach a Task", and within the task you get "send email" / "start a program (script)" options which can trigger an email, so you will come to know.

However, this is not a foolproof approach; a better option is to set an alert through email if you have some kind of event log management solution such as MS SCOM or ADAudit Plus from ManageEngine.

Mahesh
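As an added example (not Mahesh's code), here is the check a reviewer would want behind such an alert: on a domain controller it pulls recent "A user account was enabled" events from the Security log, keeps only those whose target sits in the disabled-accounts OU, and independently lists any account that is enabled inside that OU right now. It assumes the OU DN below and that "Audit User Account Management" success auditing is on for the DCs; the event ID used is 4722, which is the ID for this event on Windows Server 2008 and later.

```powershell
# Added example, not from the thread: detect re-enabled accounts in the "disabled" OU.
# Run on a domain controller. Assumes "Audit User Account Management" is enabled;
# without it, event 4722 is never written and only the drift check below fires.
Import-Module ActiveDirectory

$TargetOU = 'OU=Disabled,DC=Domain,DC=com'   # change to your OU and domain
$Since    = (Get-Date).AddDays(-1)            # look-back window for the log query

# 4722 = "A user account was enabled" (Windows Server 2008 and later).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4722; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

$alerts = foreach ($e in $events) {
    # Pull the named EventData fields (SubjectUserName, TargetSid, ...) out of the XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # TargetSid is the account that was enabled; resolve it to its current DN.
    $target = Get-ADUser -Identity $d['TargetSid'] -ErrorAction SilentlyContinue
    if ($target -and $target.DistinguishedName -like "*,$TargetOU") {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EnabledBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Account   = $target.SamAccountName
            DN        = $target.DistinguishedName
        }
    }
}

# Independent check: anything enabled inside the OU is a policy violation,
# whether or not the matching event was captured (log rolled over, audit off, ...).
$drift = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $TargetOU

if ($alerts -or $drift) {
    $body  = ($alerts | Format-Table -AutoSize | Out-String)
    $body += "`nAccounts currently enabled in ${TargetOU}:`n" + (($drift.SamAccountName) -join "`n")
    # Hand $body to Send-MailMessage or your monitoring tool here; this example only prints it.
    Write-Warning $body
}
```

Scheduled on the DCs (or wired to the event-triggered task Mahesh describes), this gives you both the "who enabled it" record and a daily reconciliation of the OU.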
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 100 total points
ID: 39802438
Local accounts can't be moved because local machines don't have any concept of an OU for local accounts.
 

Author Comment

by:sunhux
ID: 39805674
Ok, thanks; it's clear now that only the disabled domain accounts
could be moved to the OU.

2 clarifications:
For the PowerShell script given, do we need to pre-create the OU,
or will just that script create the OU if it's not present?

What's the maximum length of an OU name, & can it contain special
characters like _?
 
LVL 36

Expert Comment

by:Mahesh
ID: 39880245
You need to create the OU in advance.

Special characters are acceptable in an OU name.
The maximum length of an OU name is 64 characters.
http://support.microsoft.com/kb/909264

Mahesh
