Disable AD accounts using sAMAccountName

Status
Not open for further replies.

BiggerDave

Technical User
Apr 13, 2007
6
GB
I need a script to disable users in AD by their sAMAccountName. I also want it to reference a txt file that contains the list of sAMAccountNames. Please help.
 
What have you tried so far?

--------------------------------------------------------------------------------
dm4ever
My philosophy: K.I.S.S - Keep It Simple Stupid
 
Hi,
I have found a script that will disable using the Common Name; however, I am a total beginner when it comes to this stuff and don't have a clue how to tweak it to use the sAMAccountName. The script is as follows:

' This VBScript code will disable a user object
' and move it to a new OU.
'
' Some of the code used here derives from:
' Active Directory Cookbook, 2nd edition
' by Robbie Allen and Laura Hunter, published by O'Reilly Media.
' The required format of the input file (in this case C:\Accounts.TXT) is DN as the example below shows:
'
' CN=Mick Jagger,OU=Old,DC=blah,DC=com
' CN=blah,OU=other,DC=blah,DC=com
' CN=Keith Moon,OU=Old,DC=blah,DC=com
' CN=Roger Daltrey,OU=other,DC=blah,DC=com

' ------ SCRIPT CONFIGURATION ------
' Set to TRUE to disable the accounts; FALSE leaves them unchanged
strDisableAccount = TRUE
' strNewParentDN = "LDAP://OU=Disabled Accounts,DC=blah,DC=com"
' ------ END CONFIGURATION ---------

Const ForReading = 1

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("C:\Accounts.txt", ForReading)

While Not objFile.AtEndOfStream
    WScript.Echo vbCrLf
    strUserDN = objFile.ReadLine
    WScript.Echo strUserDN '& vbCrLf

    On Error Resume Next
    Err.Clear   ' do not carry an error over from the previous line of the file

    Set objUser = GetObject("LDAP://" & strUserDN)

    ' Any bind failure (for example -2147016656, no such object) leaves objUser
    ' unset, so skip the account instead of falling through to the checks below.
    If Err.Number <> 0 Then
        WScript.Echo "Error: check status of object :" & strUserDN
        'WScript.Echo Err.Description, apgSeverityError, Err.Number
        Err.Clear
    ElseIf objUser.AccountDisabled = TRUE Then
        WScript.Echo "Account for " & objUser.Get("cn") & " currently disabled - not moved"
    Else
        WScript.Echo "Account currently enabled"
        If strDisableAccount = TRUE Then
            objUser.AccountDisabled = strDisableAccount
            WScript.Echo "Previous Description: " & objUser.Get("description")
            objUser.Put "description", "#### Disabled via script 13/04/2007"
            objUser.SetInfo
            WScript.Echo "Account disabled"
        End If
    End If

    Set objUser = Nothing
Wend

objFile.Close

 
Look at these:

If you look at both you should be able to put them together to do what you want. Make an effort to try it and put it together and if you run into problems, post back what you have.

--------------------------------------------------------------------------------
dm4ever
My philosophy: K.I.S.S - Keep It Simple Stupid
 
OK, I can get this script to find a sAMAccountName; however, I can't get it to process a list of accounts from a file. Can you see where I am going wrong?

On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2



Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("C:\Accounts.txt", ForReading)
objConnection.Provider = ("ADsDSOObject")
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection
objCommand.CommandText = "SELECT samAccountName FROM " & _
"'LDAP://ou=root,dc=allianz-uk,dc=co,dc=uk' " & _
"WHERE samAccountName = 'objfile.Readline'"
objCommand.Properties("SearchScope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute

If objRecordSet.RecordCount = 0 Then
Wscript.Echo "The samAccount name is not being used."
Else
Wscript.Echo "The samAccount name is being used."
End If
 
Try this:

Const ADS_UF_ACCOUNTDISABLE = 2

Set objUser = GetObject _
("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
intUAC = objUser.Get("userAccountControl")

objUser.Put "userAccountControl", intUAC OR ADS_UF_ACCOUNTDISABLE
objUser.SetInfo
 
This is not a complete solution to what you have asked...yet
See if this works and then try to understand what's going on.

Notice that I added AdsPath in the Select statement which would allow you to bind to the user as shown in the second link previously posted.

Code:
On Error Resume Next

Const ForReading = 1
Const ADS_SCOPE_SUBTREE = 2

Set objFSO = CreateObject("Scripting.FileSystemObject")
' open your text file
Set objFile = objFSO.OpenTextFile("C:\Accounts.txt", ForReading)
' read your file and break it into an array, one element per line
arrTemp = Split(objFile.ReadAll, vbCrLf)
objFile.Close
' loop through your array
For i = 0 To UBound(arrTemp)
	userName = Trim(arrTemp(i))
	' if the line is not empty call function
	If Not userName = "" Then
		' call GetUser function
		GetUser userName
	End If
Next

Function GetUser(strUserName)
	Set objConnection = CreateObject("ADODB.Connection")
	Set objCommand = CreateObject("ADODB.Command")
	objConnection.Provider = ("ADsDSOObject")
	objConnection.Open "Active Directory Provider"
	objCommand.ActiveConnection = objConnection
	objCommand.CommandText = "Select samAccountName, AdsPath From " & _
	    "'LDAP://ou=root,dc=allianz-uk,dc=co,dc=uk' " & _
	        "Where samAccountName = '" & strUserName & "'"
	objCommand.Properties("SearchScope") = ADS_SCOPE_SUBTREE
	Set objRecordSet = objCommand.Execute
	
	If objRecordSet.RecordCount = 0 Then
	    Wscript.Echo "The samAccount name is not being used."
	Else
	    Wscript.Echo "The samAccount name is being used."
	End If
End Function

--------------------------------------------------------------------------------
dm4ever
My philosophy: K.I.S.S - Keep It Simple Stupid
 
OK, I can't seem to get this to work. How about a basic script to get the Common Name from the sAMAccountName and export the output to a text file?

 
Function GetUser(strUserName)
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2

Set objRoot = GetObject("LDAP://rootDSE")
strDomain = objRoot.Get("defaultNamingContext")
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = ("ADsDSOObject")
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection
objCommand.CommandText = "SELECT samAccountName, AdsPath FROM " & _
"'LDAP://" & strDomain & "' " & _
"WHERE samAccountName = '" & strUserName & "'"
objCommand.Properties("SearchScope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute

If objRecordSet.RecordCount = 0 Then
Wscript.Echo "The samAccount name is not being used."
Else
Wscript.Echo "The samAccount name is being used."
End If
End Function

--------------------------------------------------------------------------------
dm4ever
My philosophy: K.I.S.S - Keep It Simple Stupid
 
I have come up with this script but it won't seem to disable a user account. I am not sure where I am going wrong. Can you take a look?

'==========================================================
'Script to Disable User Accounts
'
'Required to disable Old User Accounts
'
'Author:
'
'Created: 15/4/2007
'
'Modified:
'
'Version History:
'
'===========================================================

Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

Set mFso = CreateObject("Scripting.FileSystemObject")
Set wshShell = CreateObject("Wscript.Shell")

'File containing User Accounts to Disable
strUserFile = "User_Accounts.txt"

'Log File
strLogFile = "user_DisabledLog.txt"

'Open file containing all User Accounts to Disable
Set tsFile = mFso.OpenTextFile (strUserFile, ForReading)

'Create Log File
If Not mFso.FileExists(strLogFile) Then
Set tsLogFile = mFso.CreateTextFile (strLogFile, ForWriting)
Else
Set tsLogFile = mFso.OpenTextFile (strLogFile, ForAppending)
End If

tsLogFile.WriteLine
tsLogFile.WriteLine "**********************************************"
tsLogFile.WriteLine "Script Run on " & Now
tsLogFile.WriteLine "**********************************************"


'Call Routine to Disable User Account
Disable

tsFile.Close

tsLogFile.Close


MsgBox "Done"



'====================================================================
Sub Disable
'====================================================================

On Error Resume Next

Do

strUser = tsFile.ReadLine
Userr = strUser & "$"

'Search AD for the Computer
Set Conn = CreateObject("ADODB.Connection")
Set RS = CreateObject("ADODB.Recordset")
Set oRoot = GetObject("LDAP://rootDSE")
sDomain = oRoot.Get("defaultNamingContext")
Set oDomain = GetObject("LDAP://" & sDomain)
sBase = "<" & oDomain.ADsPath & ">" 'should be <LDAP://DC=Test,DC=co,DC=uk>
sFilter = "(&(objectCategory=user)(objectClass=user)(sAMAccountName=" & "))" ' search for NT Accountname
sQuery = sBase & ";" & sFilter & ";adsPath;subTree"
Conn.Open "Data Source=Active Directory Provider;Provider=ADsDSOObject"
Set RS = Conn.Execute(sQuery)
Set oUser = GetObject(RS("adsPath"))

oUser.AccountDisabled = True 'disabled the account
oUser.SetInfo

If Err.Description = "Object required" Then
tsLogFile.WriteLine strUser & " has NOT been disabled"
Else
tsLogFile.WriteLine oUser.Name & " has been disabled"
End If

'---- To enabled an account
'oUser.AccountDisabled = False 'enabled the account
'oUser.SetInfo

Set oUser = Nothing

Err.Clear

Loop While tsFile.AtEndOfStream = FALSE

End Sub
 
[1] The first execution of the loop may well not be desired if the file is empty.
>Do
> 'etc etc
>Loop While tsFile.AtEndOfStream = FALSE

should better be this.
Do While tsFile.AtEndOfStream = FALSE
'etc etc
Loop
[2] Take this line out.
> Userr = strUser & "$"

Do you know what this means? It means you are setting a samaccountname of a computer (not a user). And, since you have this.

>sFilter = "(&(objectCategory=user)(objectClass=user)(sAMAccountName=" & "))" ' search for NT Accountname

I would suppose you search for a user account. That is contradictory. Hence, you have to take the first line (the one which appends "$") out.
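
A consolidated sketch of what the thread works toward, as an added example that is not code from any poster: it reads sAMAccountNames from a file, escapes each one before it goes into the LDAP filter, and disables the account only when exactly one user matches. The file paths, the DRY_RUN switch and the helper names EscapeLdap and DisableUser are assumptions; with no On Error Resume Next, any unexpected error stops the run instead of being silently skipped.

```vbscript
' Added example, not from the thread; paths, DRY_RUN and helper names are hypothetical.
Option Explicit
Const ForReading = 1, ForAppending = 8, ADS_UF_ACCOUNTDISABLE = 2
Const DRY_RUN = True                  ' True: report only, change nothing in AD
Dim fso, inFile, logFile, conn, base, line
Set fso = CreateObject("Scripting.FileSystemObject")
Set inFile = fso.OpenTextFile("C:\Accounts.txt", ForReading)
Set logFile = fso.OpenTextFile("C:\DisableLog.txt", ForAppending, True)
Set conn = CreateObject("ADODB.Connection")
conn.Open "Provider=ADsDSOObject;"
base = "<LDAP://" & GetObject("LDAP://rootDSE").Get("defaultNamingContext") & ">"
' Pre-test loop, so an empty file performs no iteration at all.
Do While Not inFile.AtEndOfStream
    line = Trim(inFile.ReadLine)
    If line <> "" Then logFile.WriteLine Now & vbTab & line & vbTab & DisableUser(line)
Loop
inFile.Close : logFile.Close : conn.Close

' Escape LDAP filter metacharacters (RFC 4515) so a line such as * matches literally.
Function EscapeLdap(ByVal s)
    s = Replace(s, "\", "\5c")        ' backslash first, before adding escapes
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    EscapeLdap = Replace(s, Chr(0), "\00")
End Function

' Look up one sAMAccountName and disable it only on exactly one match.
Function DisableUser(samName)
    Dim rs, n, path, user, uac
    Set rs = conn.Execute(base & ";(&(objectCategory=person)(objectClass=user)" & _
        "(sAMAccountName=" & EscapeLdap(samName) & "));adsPath;subtree")
    n = 0
    Do Until rs.EOF
        n = n + 1 : path = rs.Fields("adsPath").Value : rs.MoveNext
    Loop
    If n <> 1 Then DisableUser = "skipped: " & n & " matches" : Exit Function
    Set user = GetObject(path)
    uac = user.Get("userAccountControl")
    If (uac And ADS_UF_ACCOUNTDISABLE) <> 0 Then
        DisableUser = "already disabled"
    ElseIf DRY_RUN Then
        DisableUser = "would disable " & path
    Else
        user.Put "userAccountControl", uac Or ADS_UF_ACCOUNTDISABLE
        user.SetInfo
        DisableUser = "disabled " & path
    End If
End Function
```

Run it once with DRY_RUN left at True and review the log before switching it to False.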
 