Re: How can I disable all users in AD while keeping the admin accounts active?




"200mg" <ntalbot77@xxxxxxxxx> wrote in message
news:1153855909.575461.180360@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Okay, the first suggestion does work; however, we have our users in
> several different containers. Is there a way to filter them out of the
> containers, with an end result of just one long list of users we can
> select and disable?

I don't believe that can be done. Perhaps a VBScript program is your best
bet. Below is an example. I retrieve all user objects that are not members
of Administrators, Domain Admins, or Enterprise Admins. I retrieve the
AdsPath for the users so I can bind to each user object. I use the
AccountDisabled property method.

Since the same script slightly modified can be used to re-enable the
accounts (objUser.AccountDisabled = False), I spit out the names of accounts
that are already disabled, since these will end up enabled by mistake. I
would test the script by commenting out the lines that disable the accounts
(the AccountDisabled and SetInfo statements) and just output the names of
the accounts to be disabled. To spit out the names, use either of these
statements in the Do While loop.

Wscript.Echo objUser.sAMAccountName
Wscript.Echo objUser.distinguishedName

Assuming a lot of output, run the script at a command prompt with the
cscript host and redirect the output to a text file you can later browse.
For example, if the VBScript program is DisableUsers.vbs, use the command
below to redirect all output to the file report.txt:

cscript DisableUsers.vbs > report.txt

This assumes you are in the directory where DisableUsers.vbs resides. The
program follows:
================
Option Explicit

Dim objRootDSE, strDNSDomain, adoCommand, adoConnection
Dim strBase, strFilter, strAttributes, strQuery, adoRecordset
Dim objUser, strAdsPath

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire domain.
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on all user objects that are not members of the groups
' Administrators, Domain Admins, or Enterprise Admins.
' The default locations for these groups are assumed.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
& "(!memberOf=cn=Administrators,cn=Builtin," & strDNSDomain & ")" _
& "(!memberOf=cn=Domain Admins,cn=Users," & strDNSDomain & ")" _
& "(!memberOf=cn=Enterprise Admins,cn=Users," & strDNSDomain & "))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "AdsPath"

' Construct the LDAP query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values.
    strAdsPath = adoRecordset.Fields("AdsPath").Value
    ' Bind to user object.
    Set objUser = GetObject(strAdsPath)
    ' Check if user already disabled.
    If (objUser.AccountDisabled = True) Then
        Wscript.Echo objUser.distinguishedName & " already disabled."
    Else
        ' Disable the account.
        objUser.AccountDisabled = True
        ' Save changes.
        objUser.SetInfo
    End If
    adoRecordset.MoveNext
Loop
adoRecordset.Close
adoConnection.Close

' Clean up.
Set objRootDSE = Nothing
Set adoCommand = Nothing
Set adoConnection = Nothing
Set adoRecordset = Nothing

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
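Added example, not part of the post above: a dry-run classifier in Python that applies the same exclusion rule as the script's LDAP filter (users in Administrators, Domain Admins or Enterprise Admins are kept; accounts already carrying the ADS_UF_ACCOUNTDISABLE bit in userAccountControl are reported rather than touched) over constructed user and group records instead of a live directory. It goes one step beyond the filter by expanding nested group membership, since `!memberOf=` only sees direct members; `nested=False` reproduces the direct-only behaviour so the difference is visible. All DNs, group contents and the domain name are made up for the example.

```python
UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit ADS_UF_ACCOUNTDISABLE
DOMAIN = "dc=example,dc=com"  # constructed naming context
PROTECTED = {
    f"cn=Administrators,cn=Builtin,{DOMAIN}",
    f"cn=Domain Admins,cn=Users,{DOMAIN}",
    f"cn=Enterprise Admins,cn=Users,{DOMAIN}",
}
# Constructed group -> direct member DNs (what each group's "member" attribute holds).
GROUPS = {
    f"cn=Domain Admins,cn=Users,{DOMAIN}": [f"cn=alice,ou=IT,{DOMAIN}", f"cn=Tier0 Ops,ou=Groups,{DOMAIN}"],
    f"cn=Tier0 Ops,ou=Groups,{DOMAIN}": [f"cn=bob,ou=IT,{DOMAIN}"],  # nested under Domain Admins
    f"cn=Administrators,cn=Builtin,{DOMAIN}": [f"cn=Domain Admins,cn=Users,{DOMAIN}"],
    f"cn=Enterprise Admins,cn=Users,{DOMAIN}": [],
}
# Constructed user objects: (distinguishedName, userAccountControl). 0x200 = normal account.
USERS = [
    (f"cn=alice,ou=IT,{DOMAIN}", 0x200),
    (f"cn=bob,ou=IT,{DOMAIN}", 0x200),
    (f"cn=carol,ou=Sales,{DOMAIN}", 0x200),
    (f"cn=dave,ou=Sales,{DOMAIN}", 0x200 | UF_ACCOUNTDISABLE),
]

def expand_members(group_dn, groups, seen=None):
    """Return every DN reachable through nested membership of group_dn."""
    seen = set() if seen is None else seen
    for member in groups.get(group_dn, []):
        if member not in seen:
            seen.add(member)
            expand_members(member, groups, seen)  # recurse into nested groups
    return seen

def plan_disable(users, groups, protected, nested=True):
    """Classify users the way the script would act on them: protected admins are
    kept, already-disabled accounts are reported, everything else is to be disabled.
    nested=False mimics the direct-only view of a (!memberOf=...) LDAP filter."""
    keep = set()
    for group_dn in protected:
        keep |= expand_members(group_dn, groups) if nested else set(groups.get(group_dn, []))
    plan = {"protected": [], "already_disabled": [], "to_disable": []}
    for dn, uac in users:
        if dn in keep:
            plan["protected"].append(dn)
        elif uac & UF_ACCOUNTDISABLE:
            plan["already_disabled"].append(dn)  # would be re-enabled by the reverse script
        else:
            plan["to_disable"].append(dn)
    return plan
```

Review the `to_disable` list (and the `protected` one, which must contain the account you will run the real script as) before removing the comment-out the post recommends for the AccountDisabled and SetInfo lines.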




