create a GPO to automatically disable a user account when the account is moved into a "Disable Users" group

    Question

  • Hi,

      In my AD domain I have a group "Disable Users". How can I create a GPO so that when I move a user account into this group, the GPO automatically disables that user account, so I don't need to disable the account manually?

    Thanks


    James Liang

    • Moved by nzpcmad1 Tuesday, January 17, 2017 9:17 PM From ADFS
    Tuesday, January 17, 2017 8:58 PM

Answers

  • I would run a scheduled task that looks at all users in a specific OU and disables any that aren't already disabled. A GPO for this will create too much mess; it is avoidable indeed, but not a good approach from my point of view. Below is a script you can use:

    $QueryDC    = "my domain controller"   # e.g. dc01.example.com
    $DisabledOU = "my OU"                  # DN of the OU, e.g. OU=Disabled Users,DC=example,DC=com
    # Bind to the OU itself so only that subtree is searched (no client-side DN matching needed)
    $Domain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$QueryDC/$DisabledOU")
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher $Domain
    $Searcher.PageSize = 1000   # AD's default MaxPageSize; larger values are clamped by the DC anyway
    # user objects whose userAccountControl does NOT have the ACCOUNTDISABLE bit (0x2) set
    $Searcher.Filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    $Searcher.SearchScope = "Subtree"
    $SearchPropList = "sAMAccountName","userPrincipalName","userAccountControl","distinguishedName"
    foreach ($i in $SearchPropList) { $Searcher.PropertiesToLoad.Add($i) | Out-Null }
    $users = $Searcher.FindAll()

    foreach ($user in $users) {
        $sam = $user.Properties["samaccountname"][0]
        Write-Host "$sam should be disabled"
        # Disable-User is not a built-in cmdlet; set the ACCOUNTDISABLE bit through ADSI instead
        $entry = $user.GetDirectoryEntry()
        $uac = [int]$entry.Properties["userAccountControl"].Value
        $entry.Properties["userAccountControl"].Value = $uac -bor 2
        $entry.CommitChanges()
    }
    $users.Dispose()

    • Edited by sunny.sinha Wednesday, January 18, 2017 9:56 AM
    • Marked as answer by JamesLiang Wednesday, January 18, 2017 7:37 PM
    Wednesday, January 18, 2017 9:56 AM
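    Added example (not part of sunny.sinha's answer or any other post in this thread): the same scheduled-task approach keyed on membership of the "Disable Users" group, which is what the question actually asks for, rather than on an OU. It uses the same DirectorySearcher/ADSI calls as the script above, adds a dry-run switch, and with -Register installs itself as a task that runs every five minutes. The DC name, group DN, script path and the gMSA that runs the task are assumptions; change them for your forest.

```powershell
<#
 Added example, not code from the thread. Polls the "Disable Users" group and
 disables every direct member that is still enabled; with -Register it installs
 itself as a scheduled task on the DC. DC name, group DN, script path and the
 task account are assumptions.
#>
param(
    [switch]$Register,   # install the scheduled task instead of running the poll
    [switch]$DryRun      # report what would be disabled without changing anything
)

$QueryDC        = 'dc01.example.com'                              # assumed DC
$GroupDN        = 'CN=Disable Users,OU=Groups,DC=example,DC=com'  # assumed group DN
$ScriptPath     = 'C:\Scripts\Disable-GroupMembers.ps1'           # assumed install path
$TaskUser       = 'EXAMPLE\svc-deprov$'                           # assumed gMSA with write access to userAccountControl
$ACCOUNTDISABLE = 2                                               # userAccountControl bit 0x2

function Get-EnabledGroupMembers {
    param([string]$Dc, [string]$Group)
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.PageSize = 1000
    # memberOf matches direct members only (nested groups are not expanded).
    # The extensible match with OID 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND)
    # is true when the ACCOUNTDISABLE bit is set; the negation keeps enabled accounts.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(memberOf=$Group)" +
                       "(!(userAccountControl:1.2.840.113556.1.4.803:=$ACCOUNTDISABLE)))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'userAccountControl'))
    $searcher.FindAll()
}

function Disable-AdsiAccount {
    param([System.DirectoryServices.SearchResult]$Result, [switch]$WhatIfOnly)
    $sam = $Result.Properties['samaccountname'][0]
    $dn  = $Result.Properties['distinguishedname'][0]
    if ($WhatIfOnly) { Write-Host "DryRun: would disable $sam ($dn)"; return }
    $entry = $Result.GetDirectoryEntry()
    $uac   = [int]$entry.Properties['userAccountControl'].Value
    $entry.Properties['userAccountControl'].Value = $uac -bor $ACCOUNTDISABLE
    $entry.CommitChanges()
    Write-Host "Disabled $sam ($dn)"
}

if ($Register) {
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
                  -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    # Every 5 minutes; a shorter interval narrows the window in which a user
    # placed in the group can still log on.
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                   -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration ([TimeSpan]::MaxValue)
    $principal = New-ScheduledTaskPrincipal -UserId $TaskUser -LogonType Password -RunLevel Highest
    Register-ScheduledTask -TaskName 'Disable-GroupMembers' -Action $action -Trigger $trigger -Principal $principal
    return
}

$results = Get-EnabledGroupMembers -Dc $QueryDC -Group $GroupDN
try {
    foreach ($r in $results) { Disable-AdsiAccount -Result $r -WhatIfOnly:$DryRun }
} finally {
    if ($results) { $results.Dispose() }
}
```

    Run it once by hand with -DryRun to confirm the filter returns only the accounts you expect before registering the task. Note that memberOf does not include the account's primary group and does not expand nested groups, so members added through a nested group are not caught by this filter.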

All replies

  • Hi James,
    You could take a look at Group Policy Restricted Groups. When using a Restricted Groups Group Policy, any current member of the group that is not on the "Members" list will be removed, and all users / domain groups that are in the "Members" list and are not members of the group will be added as members. Please see: https://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx
    If you only want to disable the user account, instead of moving it out of that group, you could try the following:
    1. Enable an audit policy to audit this security group; the operating system will generate audit events when a member is added to or removed from a security group. Please see: https://technet.microsoft.com/en-us/library/dd772663(v=ws.10).aspx
    2. Set up a scheduled task that runs a script to disable the user account when the event is logged.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, January 18, 2017 9:19 AM
    Moderator
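    Added example (not part of Wendy's reply or any other post in this thread): an event-driven version of the two steps above. It parses the "member added to a security-enabled group" audit events (4728 for global, 4732 for domain-local, 4756 for universal groups), and when the group is "Disable Users" it disables the member through ADSI. The group name, look-back window, script path and task account are assumptions; the sample event used by -SelfTest is constructed, not captured from a real DC.

```powershell
<#
 Added example, not code from the thread. Event-driven deprovisioning: parse
 4728/4732/4756 audit events and disable the member added to "Disable Users".
 Group name, look-back window, script path and task account are assumptions.
 One-time setup on EVERY writable DC (each DC logs only the changes made on it):
   auditpol /set /subcategory:"Security Group Management" /success:enable
   schtasks /Create /TN Disable-OnGroupAdd /SC ONEVENT /EC Security /MO "*[System[(EventID=4728 or EventID=4732 or EventID=4756)]]" /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Disable-OnGroupAdd.ps1" /RU "EXAMPLE\svc-deprov$" /RL HIGHEST
#>
param([switch]$SelfTest, [switch]$DryRun)

$TargetGroup    = 'Disable Users'            # sAMAccountName of the group (assumed)
$LookBack       = New-TimeSpan -Minutes 15   # re-scan window so a missed trigger is caught up
$ACCOUNTDISABLE = 2                          # userAccountControl bit 0x2

# Read EventData fields by name; positional indexes differ between the three event IDs.
function ConvertFrom-GroupMemberEvent {
    param([string]$EventXml)
    $x  = [xml]$EventXml
    $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $data = @{}
    foreach ($d in $x.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        EventId   = [int]$x.SelectSingleNode('//e:System/e:EventID', $ns).InnerText
        Group     = $data['TargetUserName']   # the group that gained a member
        MemberDN  = $data['MemberName']       # DN of the account that was added
        MemberSid = $data['MemberSid']
        Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}

function Disable-AccountByDn {
    param([string]$Dn, [switch]$WhatIfOnly)
    $entry = [ADSI]"LDAP://$Dn"
    $uac   = [int]$entry.Properties['userAccountControl'].Value
    if ($uac -band $ACCOUNTDISABLE) { Write-Host "$Dn is already disabled"; return $false }
    if ($WhatIfOnly) { Write-Host "DryRun: would disable $Dn"; return $false }
    $entry.Properties['userAccountControl'].Value = $uac -bor $ACCOUNTDISABLE
    $entry.CommitChanges()
    Write-Host "Disabled $Dn"
    return $true
}

if ($SelfTest) {
    # Constructed sample 4728 event (not from a real DC) to exercise the parser offline
    $sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4728</EventID></System>
  <EventData>
    <Data Name="MemberName">CN=Jane Doe,OU=Staff,DC=example,DC=com</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Disable Users</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">hr-admin</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
    $p = ConvertFrom-GroupMemberEvent $sample
    if ($p.EventId -ne 4728 -or $p.Group -ne 'Disable Users' -or $p.MemberDN -notlike 'CN=Jane Doe,*') {
        throw 'parser self-test failed'
    }
    "Parsed: $($p.Actor) added $($p.MemberDN) to $($p.Group)"
    return
}

# Live path, run by the event-triggered task on the DC: handle every matching event in the window
$since  = (Get-Date) - $LookBack
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    $info = ConvertFrom-GroupMemberEvent $ev.ToXml()
    if ($info.Group -ne $TargetGroup) { continue }
    Write-Host "$($info.Actor) added $($info.MemberDN) to $TargetGroup (event $($info.EventId))"
    [void](Disable-AccountByDn -Dn $info.MemberDN -WhatIfOnly:$DryRun)
}
```

    TargetUserName carries the group's sAMAccountName, so if the group might be renamed, compare TargetSid against the group's SID instead. Because a DC only writes audit events for changes made through it, the audit setting and the task have to exist on every writable DC, not just one.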
  • Sunny,

     Appreciate your help; it's very helpful. Can you let me know what

    userAccountControl:1.2.840.113556.1.4.803:=2  is?


    James Liang

    Wednesday, January 18, 2017 7:44 PM
  • This is specifically to match and query user accounts only, not other accounts like conference rooms.

    Thursday, January 19, 2017 9:49 AM
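    Added example (not from any post in this thread) to show what the extensible-match clause in the script's filter does. OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so userAccountControl:1.2.840.113556.1.4.803:=2 is true when bit 0x2 (ACCOUNTDISABLE) of userAccountControl is set; the script wraps it in (!...) to keep only enabled accounts. The objectCategory=person and objectClass=user clauses are what limit the result to user objects. The block below builds such clauses, re-implements the two bitwise matching rules (803 AND, 804 OR) locally so a filter can be reasoned about without a directory, and runs them over a constructed set of accounts; the flag values are from the Windows SDK, the accounts are made up.

```powershell
<#
 Added example, not code from the thread. Builds userAccountControl bit-test
 clauses and evaluates the matching-rule semantics locally on constructed data.
#>
# Subset of userAccountControl flags (values from the Windows SDK)
$UAC = @{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
}
$BIT_AND = '1.2.840.113556.1.4.803'   # matches when ALL bits of the value are set
$BIT_OR  = '1.2.840.113556.1.4.804'   # matches when ANY bit of the value is set

# One extensible-match clause; -Negate wraps it in (!...) as the script does
function New-UacClause {
    param([int]$Bits, [string]$Rule = $BIT_AND, [switch]$Negate)
    $clause = "(userAccountControl:${Rule}:=$Bits)"
    if ($Negate) { "(!$clause)" } else { $clause }
}

# Full filter: the object-type restriction first, then any number of bit clauses
function New-UserFilter {
    param([string[]]$Clauses)
    "(&(objectCategory=person)(objectClass=user)" + ($Clauses -join '') + ")"
}

# Same semantics the DC applies server-side, evaluated locally
function Test-UacMatch {
    param([int]$Uac, [int]$Bits, [string]$Rule = $BIT_AND)
    if ($Rule -eq $BIT_AND) { return (($Uac -band $Bits) -eq $Bits) }
    if ($Rule -eq $BIT_OR)  { return (($Uac -band $Bits) -ne 0) }
    throw "unknown matching rule $Rule"
}

# Constructed sample accounts (not real directory data)
$accounts = @(
    [pscustomobject]@{ Sam = 'alice'; Uac = 0x00200 }   # enabled, normal account
    [pscustomobject]@{ Sam = 'bob';   Uac = 0x00202 }   # disabled
    [pscustomobject]@{ Sam = 'carol'; Uac = 0x10200 }   # enabled, password never expires
    [pscustomobject]@{ Sam = 'dave';  Uac = 0x10222 }   # disabled, no password required, never expires
)

# What the script's negated clause selects: accounts with the disable bit clear
$enabled = $accounts | Where-Object { -not (Test-UacMatch $_.Uac $UAC.ACCOUNTDISABLE) }
# BIT_OR across two flags: accounts with either risky password setting
$riskyBits = $UAC.PASSWD_NOTREQD -bor $UAC.DONT_EXPIRE_PASSWORD
$risky     = $accounts | Where-Object { Test-UacMatch $_.Uac $riskyBits $BIT_OR }

"Script filter : " + (New-UserFilter @(New-UacClause $UAC.ACCOUNTDISABLE -Negate))
"Risky filter  : " + (New-UserFilter @((New-UacClause $UAC.ACCOUNTDISABLE -Negate), (New-UacClause $riskyBits $BIT_OR)))
"Enabled       : " + ($enabled.Sam -join ', ')
"Risky         : " + ($risky.Sam -join ', ')
```

    The "Risky filter" string can be handed straight to a DirectorySearcher's Filter property to find enabled accounts that either need no password or never expire it, which is the same mechanism the script uses with a different bit value.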
  • It's a good approach, but it should be instant. There can be very serious security risks associated with delayed (or forgotten) offboarding. So you should probably run this script manually or have some sort of automation going on that will execute all deprovisioning procedures in one go at the moment the user is terminated. This can be triggered by moving the user to a specific OU. Here's an example of what I mean: http://www.adaxes.com/active-directory_provisioning.htm

    Thursday, January 19, 2017 12:34 PM