Auto Disable Users in OU via Group Policy

Status
Not open for further replies.

damienenglish

Technical User
Mar 21, 2012
27
GB
Afternoon All

I am looking to come up with a way to 'auto-disable' a user account when it is put into a particular OU in Active Directory. We have an OU called 'Leavers' which contains accounts of users who have just left the company, prior to archiving out their email and various files.

When moving the user account to the 'Leavers' OU, I would like it to do the following:

1) Disable the User Account
2) Auto-Hide the User from the Global Address List (GAL)

I would also like to set up a script that will find any accounts that have been unused for 3 months, and then move those accounts into the 'Leavers' OU.

Is all this possible and would Group Policy be the way to go about it?

Many Thanks
 
I haven't tried anything as yet, just looking at the best way to do it. I wasn't sure if it's possible to have it set up so that whenever you move a user into the OU, it disables the account immediately.

I am open to options and suggestions!

Regards
 
Yep. I would run a scheduled task that looks at all users in a specific OU, and disables any that aren't already disabled. You could certainly take other actions, too, like removing from groups, disabling the mailbox, hiding from the GAL, etc.
COMPLETELY untested, but something like this:
Code:
$QueryDC    = "my domain controller"
$DisabledOU = "OU=Leavers,DC=example,DC=com"   # distinguished name of the OU (example value)

# Bind directly to the OU so only objects beneath it are searched
$OU = New-Object DirectoryServices.DirectoryEntry("LDAP://$QueryDC/$DisabledOU")
$Searcher = New-Object System.DirectoryServices.DirectorySearcher $OU
# Paged search; AD caps a page at MaxPageSize (1000 by default), so ask for that
$Searcher.PageSize = 1000
# User objects whose ACCOUNTDISABLE bit (0x2) in userAccountControl is NOT set
$Searcher.Filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$Searcher.SearchScope = "Subtree"
$SearchPropList = "sAMAccountName","userPrincipalName","userAccountControl","distinguishedName"
foreach ($i in $SearchPropList) { $Searcher.PropertiesToLoad.Add($i) | Out-Null }
$users = $Searcher.FindAll()

foreach ($user in $users) {
    $sam = $user.Properties.Item("samaccountname")[0]
    Write-Host "$sam should be disabled"
    # Set the ACCOUNTDISABLE bit on the account and write it back
    $entry = $user.GetDirectoryEntry()
    $uac = [int]$entry.Properties["userAccountControl"].Value
    $entry.Properties["userAccountControl"].Value = $uac -bor 2
    $entry.CommitChanges()
}

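The following is an added example, not code from the thread or from either poster, that carries the scheduled-task idea above through all three of the original requirements: move accounts unused for 90 days into the Leavers OU, then disable and hide from the GAL anything in that OU that is still enabled. It assumes the ActiveDirectory PowerShell module (RSAT) is available, and the OU distinguished names, the domain `example.com` and the 90-day threshold are placeholder assumptions.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# module is installed; OU names, domain and thresholds below are placeholders.
#Requires -Modules ActiveDirectory
param(
    [string]$LeaversOU  = "OU=Leavers,DC=example,DC=com",   # assumed DN of the Leavers OU
    [string]$SearchBase = "OU=Staff,DC=example,DC=com",     # assumed DN holding live accounts
    [int]$StaleDays     = 90,
    [switch]$WhatIf                                         # dry run: report, change nothing
)

Import-Module ActiveDirectory

# --- Step 1: find accounts unused for $StaleDays and move them to Leavers -------
# lastLogonTimestamp is replicated to every DC but is only refreshed when the
# stored value is more than ~14 days old, so treat it as accurate to about two weeks.
$cutoff            = (Get-Date).AddDays(-$StaleDays)
$cutoffFileTime    = $cutoff.ToFileTimeUtc()
# whenCreated is stored as generalized time, e.g. 20120321120000.0Z
$cutoffGeneralized = $cutoff.ToUniversalTime().ToString("yyyyMMddHHmmss.0Z")

# Enabled users that either last logged on before the cutoff, or have never
# logged on at all (no lastLogonTimestamp) and were created before the cutoff.
$staleFilter = "(&(objectCategory=person)(objectClass=user)" +
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
               "(|(lastLogonTimestamp<=$cutoffFileTime)" +
               "(&(!(lastLogonTimestamp=*))(whenCreated<=$cutoffGeneralized))))"

$stale = Get-ADUser -LDAPFilter $staleFilter -SearchBase $SearchBase -SearchScope Subtree `
                    -Properties lastLogonTimestamp, whenCreated |
         Where-Object { $_.DistinguishedName -notlike "*,$LeaversOU" }   # never re-move Leavers

foreach ($u in $stale) {
    $last = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($u.lastLogonTimestamp) } else { "never" }
    Write-Host "Moving $($u.SamAccountName) (last logon: $last) to $LeaversOU"
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $LeaversOU -WhatIf:$WhatIf
}

# --- Step 2: disable and hide every still-enabled account already in Leavers ----
$leavers = Get-ADUser -SearchBase $LeaversOU -SearchScope Subtree `
                      -Filter { Enabled -eq $true } -Properties msExchHideFromAddressLists

foreach ($u in $leavers) {
    Write-Host "Disabling $($u.SamAccountName) and hiding it from the GAL"
    Disable-ADAccount -Identity $u -WhatIf:$WhatIf
    # msExchHideFromAddressLists exists only when the Exchange schema extensions
    # are present; where the Exchange tools are installed, Set-Mailbox
    # -HiddenFromAddressListsEnabled $true is the supported equivalent.
    if (-not $u.msExchHideFromAddressLists) {
        Set-ADUser -Identity $u -Replace @{ msExchHideFromAddressLists = $true } -WhatIf:$WhatIf
    }
}
```

Run it once with `-WhatIf` to see which accounts would be moved and disabled before scheduling it. When it does run unattended, give the scheduled task a dedicated service account that is delegated only the rights it needs (move objects out of the staff OU, write userAccountControl and the Exchange attribute within Leavers) rather than a Domain Admin credential; a task that runs as Domain Admin on a schedule is an attractive target for anyone who can edit the script or the task.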
 
Hi 58sniper

Many thanks for your advice. I will have a look into this today.

Kind regards
 