Need a script to remove OCS 2007 attributes from all active directory domain users.

  • Question

  • Hi ,

    We have a request from a customer to remove all OCS 2007 attributes from all Active Directory users. The OCS server has been decommissioned but "unprep" was not executed. The OCS server is not available. Please let me know if there is a way to remove only OCS 2007 attributes from all user accounts in Active Directory. AD is Windows 2008 R2.

    Thanks,

    Umesh.S.K

    Wednesday, May 20, 2015 2:51 PM

All replies

  • If you are looking to remove attributes from AD Schema, that is not possible.  You can only disable them.

    If you want their values set to null, that is a different story.


    Nosh Mernacaj, Identity Management Specialist

    Wednesday, May 20, 2015 4:53 PM
  • If attributes can't be removed, at least could you please let me know how to disable them?

    Thanks,

    Umesh.S.K

    Thursday, May 21, 2015 6:32 AM
  • You have to go to the AD Schema, and for each one, right click --> Disable.

    To open AD Schema, open ADSIEDIT as Domain Admin

    Select Schema

    Browse to the attributes you need and disable them

    Can you tell me why you want to do this though? I am not sure I see a reason behind it.


    Nosh Mernacaj, Identity Management Specialist

    Thursday, May 21, 2015 12:43 PM
  • Hi Nosh,

    Thanks for the reply. The customer wants to use Jabber communicator. It is conflicting with OCS 2007 attributes, so they want to clean this up.

    However, one question, can I disable these attributes globally which should apply for all users?

    Regards,

    Umesh.S.K


    • Edited by Umesh S K Thursday, May 21, 2015 3:18 PM
    Thursday, May 21, 2015 3:09 PM
  • I don't know much about jabber, but I don't see the point of removing the attributes.

    Can you provide a little more information, what is conflicting, errors, etc.


    Nosh Mernacaj, Identity Management Specialist

    Thursday, May 21, 2015 3:12 PM
  • Hi Nosh,

    I am not sure what error messages the customer is getting. Moreover, OCS and Jabber are not managed by us. The request is to remove or disable those attributes for all users in the domain.

    As you suggested, I will see if disabling attributes in schema will be applied for all users in domain.

    Thanks,

    Umesh.S.K

    Thursday, May 21, 2015 3:40 PM
  • Before making any changes to AD, I would ask the third party to get better results on the failures, etc.


    Nosh Mernacaj, Identity Management Specialist

    Thursday, May 21, 2015 3:46 PM
  • Hi,

    When I tried to disable (by setting isdefunct = True) one of the OCS schema attributes, I got the below error message.

    ERROR_DS_EXISTS_IN_MAY_HAVE
    8386 (0x20C2)

    Schema deletion failed: attribute is used in may-contain.

    Any idea how to fix this?

    Thanks,

    Umesh.S.K

    Friday, May 22, 2015 12:24 PM
  • I do know how to fix this.

    1. It seems that the attributes have values and by definition you cannot disable an attribute if it has values.

    So you need to set the attribute to NULL for everyone in the AD.  A VB or Powershell script would do.

    There are plenty of samples on the web. I don't want to put a link here, because I cannot vet something I picked up on the web. But it is quite easy.  Look for a script to update an AD attribute.

    2. After that, you can try disabling the attribute again.


    Nosh Mernacaj, Identity Management Specialist

    Friday, May 22, 2015 12:40 PM
  • Hi Nosh,

    I don't know how to write script. If you can provide me couple of links for sample scripts which makes these OCS attributes to null, it would be of great help.

    Thanks,

    Umesh.S.K

    Friday, May 22, 2015 1:30 PM
  • Please modify the script to match your environment and test in a NON-PROD environment.

    You have to understand that there will not be anything 100% READY TO USE, Plug and play and you have to do a little work.

    Here is an example:

    http://blogs.technet.com/b/heyscriptingguy/archive/2010/10/14/use-powershell-and-active-directory-cmdlets-to-update-users-in-active-directory.aspx


    Nosh Mernacaj, Identity Management Specialist

    Friday, May 22, 2015 1:40 PM
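
One way to do the "set the attribute to NULL for everyone" step discussed in this thread, as an added example that is not part of the original thread or the linked blog post: it writes the current values to a CSV before clearing anything, so the change can be reversed, and it honours `-WhatIf`. The attribute names are commonly seen OCS 2007 user attributes and are an assumption (the thread does not list them); the parameter names and backup path are illustrative.

```powershell
# Clear-OcsUserAttributes.ps1 (hypothetical script name)
# Dry run:  .\Clear-OcsUserAttributes.ps1 -WhatIf
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: verify this list against your own schema before running.
    [string[]]$Attributes = @('msRTCSIP-PrimaryUserAddress', 'msRTCSIP-UserEnabled',
                              'msRTCSIP-PrimaryHomeServer',  'msRTCSIP-OptionFlags'),
    [string]$BackupPath = '.\ocs-attributes-backup.csv'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Match only user objects that have a value in at least one listed attribute.
$present = ($Attributes | ForEach-Object { "($_=*)" }) -join ''
$filter  = "(&(objectCategory=person)(objectClass=user)(|$present))"
$users   = @(Get-ADUser -LDAPFilter $filter -Properties $Attributes)

if ($users.Count -eq 0) {
    Write-Output 'No users carry any of the listed attributes.'
    return
}

# Record the current values; multi-valued attributes are joined with ';'.
$backup = foreach ($u in $users) {
    $row = New-Object psobject -Property @{ DistinguishedName = $u.DistinguishedName }
    foreach ($a in $Attributes) {
        $row | Add-Member -MemberType NoteProperty -Name $a -Value (@($u.$a) -join ';')
    }
    $row
}
# Write the backup even during a dry run, so it can be reviewed first.
$backup | Export-Csv -Path $BackupPath -NoTypeInformation -WhatIf:$false

# Clear the values; with -WhatIf this only reports what would change.
foreach ($u in $users) {
    Set-ADUser -Identity $u.DistinguishedName -Clear $Attributes -WhatIf:$WhatIfPreference
}

# Re-query so the result is confirmed rather than assumed.
$left = @(Get-ADUser -LDAPFilter $filter).Count
Write-Output "Processed $($users.Count) users; $left still hold a value (expected 0 after a real run)."
```

Run it against a test OU or lab domain first, as the reply above advises, and keep the CSV with the change record.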