Re: How can I disable all users in AD while keeping the admin accounts active?




"200mg" <ntalbot77@xxxxxxxxx> wrote in message
news:1153836354.265076.299720@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
How can I disable all users in AD while keeping the admin accounts
active? We have a huge forest and I can't seem to find a way to
restrict login capability to all users while keeping the domain admins
active.


If you have W2k3, where you can change properties of users in bulk in ADUC,
you can filter so that only users that are not members of either the group
"Administrators" or "Domain Admins" show up. The filter would be (watch line
wrapping, this is one line):

(&(objectCategory=person)(objectClass=user)(!memberOf=cn=Administrators,cn=Builtin,dc=MyDomain,dc=com)(!memberOf=cn=Domain Admins,cn=Users,dc=MyDomain,dc=com))

& is the And operator, ! is the Not operator. You must specify the
Distinguished Names of the groups whose members you are excluding. You apply
this LDAP query on the "View" menu, "Filter Options", "Create custom
filter", "Customize", "Advanced".

Otherwise, you can code a VBScript program using ADO to retrieve the
distinguishedName attributes of all users that are not members of the
groups. The filter would be the same as above. You would loop through the
resulting recordset, bind to each user, and use the AccountDisabled property
method of the user object. A similar script could enable all users.

You may also want to exclude members of "Enterprise Admins".

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
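
The bulk operation described in the reply above, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module is available; the domain DN, the location of "Enterprise Admins" and the log path are placeholders. It goes beyond the posted filter by also excluding nested group members and by recording what was changed so that only those accounts are re-enabled later.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT). Get-ADUser queries
# one domain, so in a multi-domain forest this is run once per domain.
Import-Module ActiveDirectory

$DomainDN = 'dc=MyDomain,dc=com'          # placeholder, as in the post
$Exclude  = @(
    "cn=Administrators,cn=Builtin,$DomainDN",
    "cn=Domain Admins,cn=Users,$DomainDN",
    "cn=Enterprise Admins,cn=Users,$DomainDN"   # assumed DN; lives in the forest root domain
)
$LogPath  = '.\disabled-accounts.csv'     # hypothetical path; this file is the rollback list

# 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: it also matches users
# who reach an excluded group through nested groups, which plain memberOf misses.
$notMember = ($Exclude | ForEach-Object { "(!(memberOf:1.2.840.113556.1.4.1941:=$_))" }) -join ''

# Bit 2 of userAccountControl is ACCOUNTDISABLE. Skipping accounts that are already
# disabled keeps them out of the rollback list, so they stay disabled afterwards.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))$notMember)"

# memberOf never lists a user's primary group (512 is the RID of Domain Admins),
# and the built-in Administrator (RID 500) is kept regardless of group membership.
$targets = Get-ADUser -LDAPFilter $filter -SearchBase $DomainDN -Properties primaryGroupID |
    Where-Object { $_.primaryGroupID -ne 512 -and $_.SID.Value -notlike '*-500' }

$targets | Select-Object SamAccountName, DistinguishedName, SID |
    Export-Csv -Path $LogPath -NoTypeInformation

# Dry run: prints what would be disabled. Remove -WhatIf only after reviewing the CSV.
$targets | Disable-ADAccount -WhatIf

# Rollback: re-enable only the accounts this run disabled.
# Import-Csv $LogPath | ForEach-Object { Enable-ADAccount -Identity $_.DistinguishedName }
```

Service accounts that are not in the excluded groups are disabled too; review the CSV for them before removing `-WhatIf`.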

