Solved

Group together disabled Windows accounts in a folder / container

Posted on 2014-01-20
8
273 Views
Last Modified: 2014-02-22
Q1:
We have a number of disabled Windows (domain as well
as local) accounts.  How can we move/group these accounts
to a container/folder in the server?

Q2:
Is there any way to prevent Wintel administrator from
accidentally enabling those accounts back?  Or is it possible
to set an audit event on this folder such that if there's
changes to it (or those accounts are re-enabled back),
it will be logged in Event Viewer with possibly an alert
generated?

I'm trying to fulfill IT security's requirement.
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 200 total points
ID: 39794496
Answers are below..

Q1. You can accomplish this using powershell script to collect all of the Disbaled users and then move then to a specific OU. Use the syntax below...

Import-module activedirectory
get-aduser -filter * -properties * | ? {$_.enabled -eq $false} | foreach {move-adobject -identity $_.DistinguishedName -TargetPath "OU=Disabled,DC=Domain,DC=com"

Open in new window


Make sure that you change the "OU" part of the script to the name of your OU in your domain where you want them to be moved to. You will also need to change the domain portion as well.


Q2. If your Wintel administrators are domain admins then you cannot stop what they can do to the OU or the objects inside of it. If they have simply been delegated rights like password reset, unlocking accounts etc you can remove delegation on the OU for this specific User or Group they are part of.

Will.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 80 total points
ID: 39794750
On Q2: You can setup auditing, yes. Maybe it's even already on by default? Try it: http://technet.microsoft.com/en-us/library/dd772693(v=ws.10).aspx shows the event IDs.
0
 

Author Comment

by:sunhux
ID: 39796036
> "OU=Disabled,DC=Domain,DC=com"

Just to clarify with Will: so instead of Disabled, I can just name the OU/folder
that hold the disabled accounts (including local accounts?) as
OU=DontEnable_UnlesswithApproval  &  the domain name
is something like DC=mydomain.local  ?

Is there any length limitation with the OU/folder name & 
can special characters be used?

Lastly, do we need to pre-create the OU or just run the Powershell
script command & it will create it?  Pardon me as I'm very new to
PowerShell
0
Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 120 total points
ID: 39802266
You can't stop domain administrators from enabling accounts as stated earlier

However you can trigger email alert if administrator  enabled user account in AD

You can attach task to specific event so that if that event is generated (Ex: Event ID 5722 - user account enabled), an email will triggered to configured person.

You can logon to DC, find out required event and right click and select attach a task and within task you can get  send email \ start a program (script)  options which can trigger email and you will come to know.

However this is not full proof task, better option is you can set alert through email if you have some kind of event viewer management solution such as MS SCOM or AD audit plus from Manage engine

Mahesh
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 100 total points
ID: 39802438
Local accounts can't be moved because local machines don't have any concept of an OU for local accounts.
0
 

Author Comment

by:sunhux
ID: 39805674
Ok, thanks; it's clear now that only the disabled domain accounts
could be moved to the OU.

2 clarifications:
For the Powershell script given, do we need to pre-create the OU
or just that script & it will create the OU if it's not present?

What's the length of an OU name & can it contain special
characters like _  ?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39880245
You need to create OU in advance.

Special characters are acceptable with OU
Maximum length of OU name is 64 characters
http://support.microsoft.com/kb/909264

Mahesh
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question