Powershell Script for AD maintenance

  • Question

  • For every user account in a CSV file (listed by logon name), I want to...

    1. Disable the account
    2. Move the account to an OU called "DisabledAccounts"
    3. List all of the groups the user is currently a "Member Of" in the notes field
    4. Remove the user from all groups except Domain Users
    5. Add the text "Term - mm-dd-yy:" to the user's Description field 

    How can I make this happen?

    Thursday, April 11, 2013 2:16 PM

Answers

  • A few comments.

    • The memberOf attribute is a collection of the DN's of all groups the user is a direct member of, except their "primary" group (which should be "Domain Users").
    • The "notes" field on the "Telephone" tab of ADUC corresponds to the "info" attribute, which has maximum length 1024. This may not be enough to handle many group DN's.
    • I really don't see any value to removing the user from all groups if the account is disabled (especially if you go to the bother of documenting what the memberships were).

    A typical group DN might be similar to "cn=Test Group,ou=West,dc=mydomain,dc=com". I would expect about 50 characters required for each, in which case you could possibly document 20-25 groups.

    To modify users using Set-ADUser you only need the "pre-Windows 2000 logon" name, but to move any object you need the distinguishedName. In my example below I assume your csv file has a field labeled "Name", which is the "pre-Windows 2000 logon" name, but I convert into distinguishedName. I don't know how to format dates (the variable $Date below), so someone else can deal with that:

    Import-Module ActiveDirectory
    $TargetOU = "ou=DeletedAccounts,ou=West,dc=MyDomain,dc=com"
    $Date = Get-Date -Format MM-dd-yyyy
    $Users = Import-Csv C:\MyScripts\Terminated.csv

    ForEach ($User in $Users)
    {
        # Retrieve user DN.
        $DN = $(Get-ADUser -Identity $User.Name).distinguishedName
        # Disable the user.
        Set-ADUser -Identity $DN -Enabled $False -Description "Term - $Date"
        # Move the user.
        Move-ADObject -Identity $DN -TargetPath $TargetOU
    }

    -----



    Richard Mueller - MVP Directory Services


    • Proposed as answer by Yan Li_ Monday, April 15, 2013 6:52 AM
    • Edited by Richard MuellerMVP Monday, April 15, 2013 11:52 AM Added date formatting
    • Marked as answer by Yan Li_ Friday, April 19, 2013 2:11 AM
    Thursday, April 11, 2013 5:18 PM
  • Hi,

    For question 1 and 2:

    Powershell to disable users account and move them to different OU using CSV

    http://gallery.technet.microsoft.com/scriptcenter/PowerShell-to-Disable-c55a8862

    For question 3:

    (Get-ADUser -Identity USERNAME -Properties MemberOf | Select-Object MemberOf).MemberOf

    For question 4:

    Get-QADUser -Name $name | Remove-QADMemberOf -RemoveAll

    Regards,

    Yan Li


    Cataleya Li
    TechNet Community Support

    • Marked as answer by Yan Li_ Friday, April 19, 2013 2:11 AM
    Monday, April 15, 2013 7:00 AM
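The five steps from the question put together with ActiveDirectory module cmdlets only (no Quest cmdlets), as an added example that is not code from either answer above; the CSV column name, file paths and target OU are assumptions, and the separate membership log file is added because, as Richard Mueller notes, the "info" (Notes) attribute holds at most 1024 characters.

```powershell
# Added example (not code from the thread): all five steps with the ActiveDirectory
# module only, ordered so access is cut first and the object is moved last.
# Assumptions: the CSV has a "Name" column holding the pre-Windows 2000 logon name
# (sAMAccountName), the target OU exists, and the log path is writable.
Import-Module ActiveDirectory

$CsvPath  = 'C:\MyScripts\Terminated.csv'             # assumed input path
$LogPath  = 'C:\MyScripts\Terminated-groups.csv'      # assumed full-membership record
$TargetOU = 'ou=DisabledAccounts,dc=MyDomain,dc=com'  # assumed OU distinguishedName
$Date     = Get-Date -Format 'MM-dd-yy'

foreach ($Row in Import-Csv -Path $CsvPath) {
    try {
        $User = Get-ADUser -Identity $Row.Name -Properties MemberOf
    } catch {
        Write-Warning "Skipping '$($Row.Name)': $($_.Exception.Message)"
        continue
    }

    # Steps 1 and 5: disable the account first, then stamp the Description.
    Set-ADUser -Identity $User -Enabled $false -Description "Term - ${Date}:"

    # Step 3: memberOf lists direct memberships minus the primary group (normally
    # Domain Users). The CSV log is the durable record; the "info" (Notes) attribute
    # is limited to 1024 characters, so it receives a truncated copy if needed.
    $Groups = @($User.MemberOf)
    foreach ($GroupDN in $Groups) {
        [pscustomobject]@{ User = $User.SamAccountName; Group = $GroupDN; Date = $Date } |
            Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
    $Notes = if ($Groups) { $Groups -join "`r`n" } else { 'No direct group memberships' }
    if ($Notes.Length -gt 1024) {
        Write-Warning "$($User.SamAccountName): Notes truncated, full list is in $LogPath"
        $Notes = $Notes.Substring(0, 1000) + "`r`n[truncated]"
    }
    Set-ADUser -Identity $User -Replace @{ info = $Notes }

    # Step 4: strip memberships so a re-enabled account does not keep its old rights.
    # Domain Users is skipped explicitly in case it was not the primary group.
    foreach ($GroupDN in $Groups) {
        if ($GroupDN -match '^CN=Domain Users,') { continue }
        Remove-ADGroupMember -Identity $GroupDN -Members $User -Confirm:$false
    }

    # Step 2 last, so the original DN stays valid for the calls above.
    Move-ADObject -Identity $User.DistinguishedName -TargetPath $TargetOU
}
```

Run it once with -WhatIf added to the Set-ADUser, Remove-ADGroupMember and Move-ADObject calls to review the planned changes before committing them.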

All replies

  • Well you can first make it happen, by actually doing some research. Work on each step one at a time, and try to come up with a script. Then if you are running into issue, where something isn't working correctly, you can post your code, and the issues you are having, then we can help.

    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in anyway, please click vote as helpful.

    Thursday, April 11, 2013 2:36 PM
  • Well you can first make it happen, by actually doing some research. Work on each step one at a time, and try to come up with a script. Then if you are running into issue, where something isn't working correctly, you can post your code, and the issues you are having, then we can help.

    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in anyway, please click vote as helpful.

    Yes, I'm fully aware that I could research it. But something like this would take me hours, possibly days to figure out... for someone else, this may be much quicker. Or perhaps something similar has been created, and someone else knows about it. Plus, I'm on a time-frame. If you can help, great. If not, thanks anyway.
    Thursday, April 11, 2013 2:47 PM
  • First two steps Disable User and Move to another OU -  2 sec google search

    The rest can be done with some slight modifications to the script in the ForEach Loop

    Also, looking at the script, there will need to be some changes made, depending on what you have installed. It uses the QA AD cmdlets, so if you don't have them, then you will need to use the normal cmdlets, that come with the ActiveDirectory module. I use the normal cmdlets, that come with the AD module.


    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in anyway, please click vote as helpful.


    • Edited by clayman2 Thursday, April 11, 2013 3:07 PM
    Thursday, April 11, 2013 3:03 PM
  • To format the date as you want it you can modify the $Date variable like so:

    $Date = Get-Date -format MM-dd-yyyy

    Format Dates

    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in anyway, please click vote as helpful.


    • Edited by clayman2 Thursday, April 11, 2013 5:41 PM
    Thursday, April 11, 2013 5:40 PM