Disabling user accounts for terminated employees

DanMIS

MIS
Sep 16, 2004
189
US
Our company has about 50 people a week leave. I need to disable their accounts.

The names are given to me in a text file. Is there a command line tool or script to disable these users, rather than finding each in AD?

Thanks,
Dan

CCA Citrix 4.0
MCP 2003
70-290 Passed
70-291 Passed
 
You can use the dsmod command in a batch file that would call the list of usernames (stored in a text file) and have them disabled
 
Here is sample code that will prompt for a login name and disable the account.
Code:
'==========================================================================
'
' NAME: DisableAccount.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE  : 7/27/2007
' COPYRIGHT (c) 2007 All Rights Reserved
'
' COMMENT: 
'
'    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
'    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
'    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
'    PARTICULAR PURPOSE.
'
'    IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS 
'    BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
'    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
'    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
'    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
'    OF THIS CODE OR INFORMATION.
'
'==========================================================================

Const ADS_UF_ACCOUNTDISABLE = 2

strUser = InputBox("Enter user name to disable","Disable Account")

UserDN = SearchDistinguishedName(strUser)

Set objUser = GetObject _
("LDAP://" & UserDN)
intUAC = objUser.Get("userAccountControl")
 
objUser.Put "userAccountControl", intUAC OR ADS_UF_ACCOUNTDISABLE
objUser.SetInfo


Public Function SearchDistinguishedName(ByVal vSAN)
    ' Function:     SearchDistinguishedName
    ' Description:  Searches the DistinguishedName for a given SamAccountName
    ' Parameters:   ByVal vSAN - The SamAccountName to search
    ' Returns:      The DistinguishedName Name
    Dim oRootDSE, oConnection, oCommand, oRecordSet

    Set oRootDSE = GetObject("LDAP://rootDSE")
    Set oConnection = CreateObject("ADODB.Connection")
    oConnection.Open "Provider=ADsDSOObject;"
    Set oCommand = CreateObject("ADODB.Command")
    oCommand.ActiveConnection = oConnection
    oCommand.CommandText = "<LDAP://" & oRootDSE.get("defaultNamingContext") & _
        ">;(&(objectCategory=User)(samAccountName=" & vSAN & "));distinguishedName;subtree"
    Set oRecordSet = oCommand.Execute
    On Error Resume Next
    SearchDistinguishedName = oRecordSet.Fields("DistinguishedName")
    On Error GoTo 0
    oConnection.Close
    Set oRecordSet = Nothing
    Set oCommand = Nothing
    Set oConnection = Nothing
    Set oRootDSE = Nothing
End Function

You can modify the above to read from your text file instead if you like. Refer to my FAQ faq329-4871 for sample code on the subject.


I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
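
SearchDistinguishedName above concatenates the name straight into the LDAP filter, so once the names come from a text file, a line such as `*` or one containing parentheses changes which account the search returns. An added example, not part of the original post, that validates and escapes each line before it reaches the filter; the helper names and the sample lines are hypothetical, and it runs offline under cscript:

```vbscript
' Added example (not from the thread): validate and escape each line of the
' name list before it is placed in the LDAP filter. The sample lines are
' constructed and nothing here touches Active Directory.
Option Explicit

' Characters that cannot appear in a sAMAccountName
Const ILLEGAL_SAM_CHARS = """/\[]:;|=,+*?<>"

' Hypothetical helper: reject lines that cannot be a user logon name
Function IsPlausibleSamAccountName(strName)
    Dim i
    IsPlausibleSamAccountName = False
    ' user sAMAccountName values are limited to 20 characters
    If Len(strName) = 0 Or Len(strName) > 20 Then Exit Function
    For i = 1 To Len(strName)
        If InStr(ILLEGAL_SAM_CHARS, Mid(strName, i, 1)) > 0 Then Exit Function
    Next
    IsPlausibleSamAccountName = True
End Function

' Hypothetical helper: RFC 4515 escaping for a value inside a search filter
Function EscapeLdapFilterValue(strValue)
    Dim s
    s = Replace(strValue, "\", "\5c")      ' backslash first
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    EscapeLdapFilterValue = Replace(s, Chr(0), "\00")
End Function

' Same filter shape as SearchDistinguishedName, with the value escaped
Function BuildUserFilter(strSam)
    BuildUserFilter = "(&(objectCategory=User)(samAccountName=" & _
        EscapeLdapFilterValue(strSam) & "))"
End Function

Dim arrLines, strLine, strName
arrLines = Array("jsmith", "  mjones ", "", "*", "j(temp)doe", "x)(samAccountName=*")
For Each strLine In arrLines
    strName = Trim(strLine)
    If strName = "" Then
        WScript.Echo "skipped blank line"
    ElseIf Not IsPlausibleSamAccountName(strName) Then
        WScript.Echo "rejected: " & strName
    Else
        WScript.Echo "filter:   " & BuildUserFilter(strName)
    End If
Next
```

Rejected lines are worth writing to the report as well, since a malformed entry in the termination list usually means an account that still needs to be disabled by hand.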
 
Mark,

Thank you for your help. People like you help people like me look good!

I understand the bulk of your code above, but don't understand this section completely (I added the numbers):
*********************
1. Set objUser = GetObject _
("LDAP://" & UserDN)
2. intUAC = objUser.Get("userAccountControl")

3. objUser.Put "userAccountControl", intUAC OR ADS_UF_ACCOUNTDISABLE
4. objUser.SetInfo
**********************

Specifically, can you explain line number 3? I understand where you are getting the two values, but don't understand why you just wouldn't set it to "2".

Thanks,
Dan


CCA Citrix 4.0
MCP 2003
70-290 Passed
70-291 Passed
 
Take a look at the Microsoft Script Center; you will see that this is the recommended way to disable an account.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
Mark - thanks again. Between your answers here and the link to the FAQ I have it working well enough. Ideally I'd like it to write a text file outlining that it disabled ABC account, or if it failed on that line, but that gives me something to figure out this afternoon!

I changed some items as shown below. The file I have with the user names is called DisableList.txt. I added a message box at the end so the user will know it finished.

I also modified the script and saved with a different name to enable the same list, in case the list is incorrect for some reason. I did that one by changing the value of useraccountcontrol to 0.


Dan

****************************************
Const ADS_UF_ACCOUNTDISABLE = 2
On Error Resume Next

'open the file system object
Set oFSO = CreateObject("Scripting.FileSystemObject")
set WSHShell = wscript.createObject("wscript.shell")

'open the data file
Set oTextStream = oFSO.OpenTextFile("DisableList.txt")

'make an array from the data file
DisabledUserList = Split(oTextStream.ReadAll, vbNewLine)

'close the data file
oTextStream.Close
intNumAcc=0

For Each strUser In DisabledUserList

'skip blank lines, such as the one left by a trailing newline in the file
If Trim(strUser) <> "" Then

intNumAcc=intNumAcc+1
UserDN = SearchDistinguishedName(Trim(strUser))

Set objUser = GetObject _
("LDAP://" & UserDN)
intUAC = objUser.Get("userAccountControl")

objUser.Put "userAccountControl", intUAC OR ADS_UF_ACCOUNTDISABLE
objUser.SetInfo

End If

Next

Public Function SearchDistinguishedName(ByVal vSAN)
' Function: SearchDistinguishedName
' Description: Searches the DistinguishedName for a given SamAccountName
' Parameters: ByVal vSAN - The SamAccountName to search
' Returns: The DistinguishedName Name
Dim oRootDSE, oConnection, oCommand, oRecordSet

Set oRootDSE = GetObject("LDAP://rootDSE")
Set oConnection = CreateObject("ADODB.Connection")
oConnection.Open "Provider=ADsDSOObject;"
Set oCommand = CreateObject("ADODB.Command")
oCommand.ActiveConnection = oConnection
oCommand.CommandText = "<LDAP://" & oRootDSE.get("defaultNamingContext") & _
">;(&(objectCategory=User)(samAccountName=" & vSAN & "));distinguishedName;subtree"
Set oRecordSet = oCommand.Execute
On Error Resume Next
SearchDistinguishedName = oRecordSet.Fields("DistinguishedName")
On Error GoTo 0
oConnection.Close
Set oRecordSet = Nothing
Set oCommand = Nothing
Set oConnection = Nothing
Set oRootDSE = Nothing
End Function

wscript.echo intNumAcc & " users disabled."

****************************************

Dan

CCA Citrix 4.0
MCP 2003
70-290 Passed
70-291 Passed
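
The question about line 3 (why OR rather than writing 2) and the enable variant that writes 0 both come down to userAccountControl being a bit field. An added example, not part of any post in the thread, that runs under cscript; the starting value is constructed and the helper names are hypothetical:

```vbscript
' Added example: userAccountControl is a bit field, so the disable bit is
' set or cleared on its own. Nothing here touches Active Directory.
Option Explicit

Const ADS_UF_ACCOUNTDISABLE     = 2
Const ADS_UF_NORMAL_ACCOUNT     = 512
Const ADS_UF_DONT_EXPIRE_PASSWD = 65536

' Set only the disable bit; every other flag keeps its value
Function DisableFlags(intUAC)
    DisableFlags = intUAC Or ADS_UF_ACCOUNTDISABLE
End Function

' Clear only the disable bit; every other flag keeps its value
Function EnableFlags(intUAC)
    EnableFlags = intUAC And Not ADS_UF_ACCOUNTDISABLE
End Function

' List the flags this example knows about that are set in intUAC
Function DescribeFlags(intUAC)
    Dim s
    s = CStr(intUAC) & " ="
    If (intUAC And ADS_UF_ACCOUNTDISABLE) <> 0 Then s = s & " ACCOUNTDISABLE"
    If (intUAC And ADS_UF_NORMAL_ACCOUNT) <> 0 Then s = s & " NORMAL_ACCOUNT"
    If (intUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then s = s & " DONT_EXPIRE_PASSWD"
    If intUAC = 0 Then s = s & " (no flags)"
    DescribeFlags = s
End Function

Dim intStart, intDisabled
' Constructed value: normal account whose password never expires
intStart = ADS_UF_NORMAL_ACCOUNT Or ADS_UF_DONT_EXPIRE_PASSWD
intDisabled = DisableFlags(intStart)

WScript.Echo "before:             " & DescribeFlags(intStart)
WScript.Echo "OR with 2:          " & DescribeFlags(intDisabled)
WScript.Echo "overwrite with 2:   " & DescribeFlags(2)
WScript.Echo "AND NOT 2 (enable): " & DescribeFlags(EnableFlags(intDisabled))
WScript.Echo "overwrite with 0:   " & DescribeFlags(0)
' Running DisableFlags twice gives the same value, so re-running a list is safe
WScript.Echo "idempotent:         " & CStr(DisableFlags(intDisabled) = intDisabled)
```

In a rollback script the equivalent write is `objUser.Put "userAccountControl", intUAC And Not ADS_UF_ACCOUNTDISABLE`, which leaves settings such as password policy flags as they were before the account was disabled.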
 
Take a look in the same FAQ at the script to create the WSLIST file. It has sample code to create a text file and write text to it.

Under your code:
objUser.Put "userAccountControl", intUAC OR ADS_UF_ACCOUNTDISABLE
objUser.SetInfo

Add the following:
If Err.Number = 0 Then
report = report & strUser & " was disabled " & now & "." & vbCrLf
Else
report = report & "Error disabling " & strUser & vbCrLf
Err.Clear
End If

You then only need to write "report" to the text file at the end of processing.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 