Here is the script that I use to bulk disable accounts. Our process is to find unused accounts (that's a different script) and scrub the list, making sure that the accounts are safe to disable. I then use this script to disable the accounts and rename them. They are renamed with a "0x_" prepended to the username, where the "x" is the current quarter so I can easily sort disabled accounts. After 90 days of being disabled I highlight all of the disabled accounts and delete them.
Code:
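Break On

; Bulk-disable the accounts listed in dis_user.txt (one username per line,
; kept next to this script).  For each account:
;   1. stamp the Description with the disable date and set AccountDisabled
;   2. rename the SAM account name with the quarter prefix
;   3. move the object into the Users container and give its CN the same prefix
; The account is disabled *before* any rename, so a failed rename never leaves
; an enabled account behind.  Every outcome is appended to dis_user_log.txt
; and echoed to the console.

; Prefix for renamed accounts: "0<quarter>_", so disabled accounts sort by the
; quarter they were disabled in.  The SAM account name and the CN must get the
; same prefix, so it is computed once here and used by both renames below.
$quarter = Int((CInt(@MONTHNO) - 1) / 3) + 1
$prefix = "0" + CStr($quarter) + "_"

; Users container - disabled accounts are moved here.
$objUsers = GetObject("LDAP://CN=Users,DC=yourcompany,DC=com")
If @ERROR
  "Cannot bind to the Users container: " + @SERROR ?
  Exit 1
EndIf

; WinNT object for the domain - used to rename the SAM account name.
$objDomain = GetObject("WinNT://@DOMAIN")
If @ERROR
  "Cannot bind to the domain: " + @SERROR ?
  Exit 1
EndIf

; Log file (mode 5 = read + append, so results from earlier runs are kept).
$logfile = @SCRIPTDIR + "\dis_user_log.txt"
$rc = Open(1, $logfile, 5)
If $rc <> 0
  "Cannot open log file " + $logfile ?
  Exit 1
EndIf

; Username list.  Mode 1 = read only: the list is never written to, so a
; wrong mode can never clobber the input.
$database = @SCRIPTDIR + "\dis_user.txt"
$rc = Open(2, $database, 1)
If $rc <> 0
  "Cannot open username list " + $database ?
  $nul = Close(1)
  Exit 1
EndIf

; Process usernames.  ReadLine sets @ERROR at end of file, which ends the loop;
; checking it right after each ReadLine also covers an empty list.
$user = ReadLine(2)
While @ERROR = 0
  ; Blank lines would otherwise be reported as "Invalid Username".
  If Trim($user) <> ""
    $objUser = GetObject("WinNT://@DOMAIN/" + $user + ",user")
    If @ERROR
      $nul = WriteLine(1, $user + " Invalid Username" + Chr(13) + Chr(10))
      $user + " Invalid Username" ?
    Else
      ; Translate the NT4-style name (@DOMAIN\name) to the LDAP distinguished
      ; name: init type 3 = GC, lookup type 3 = NT4 name, return type 1 = DN.
      $ADsPath = TranslateName(3, "", 3, "@DOMAIN\" + $objUser.Name, 1)
      If (@ERROR <> 0) Or ($ADsPath = "")
        $nul = WriteLine(1, $user + " Not disabled - name translation failed: " + @SERROR + Chr(13) + Chr(10))
        $user + " not disabled - name translation failed" ?
      Else
        $ADUser = GetObject("LDAP://" + $ADsPath)
        If @ERROR
          $nul = WriteLine(1, $user + " Not disabled - cannot bind LDAP object: " + @SERROR + Chr(13) + Chr(10))
          $user + " not disabled - cannot bind LDAP object" ?
        Else
          ; New RDN "CN=<prefix><old name>"; Split/Join keep any "=" inside the name.
          $sUser = Split($ADUser.Name, "=")
          $sUser[1] = $prefix + $sUser[1]
          $sUser = Join($sUser, "=")
          ; Disable first, so a later rename failure still leaves the account disabled.
          $objUser.Description = $objUser.Description + " (Disabled @DATE)"
          $objUser.AccountDisabled = 1
          $objUser.SetInfo
          If @ERROR
            $nul = WriteLine(1, $user + " Not disabled - SetInfo failed: " + @SERROR + Chr(13) + Chr(10))
            $user + " not disabled - SetInfo failed" ?
          Else
            ; Rename the SAM account name (MoveHere with a new name renames in place).
            ; Checked on its own: the original code only looked at @ERROR after the
            ; second MoveHere, so a failure here was silently lost.
            $nul = $objDomain.MoveHere($objUser.ADsPath, $prefix + $objUser.Name)
            If @ERROR
              $nul = WriteLine(1, $user + " Disabled but SAM rename failed: " + @SERROR + Chr(13) + Chr(10))
              $user + " disabled but SAM rename failed" ?
            Else
              ; Move into the Users container and rename the CN with the same prefix.
              $nul = $objUsers.MoveHere($ADUser.ADsPath, $sUser)
              If @ERROR
                $nul = WriteLine(1, $user + " Disabled but move to Users container failed: " + @SERROR + Chr(13) + Chr(10))
                $user + " disabled but move to Users container failed" ?
              Else
                $nul = WriteLine(1, $user + " Disabled" + Chr(13) + Chr(10))
                $user + " disabled" ?
              EndIf
            EndIf
          EndIf
        EndIf
      EndIf
    EndIf
  EndIf
  $user = ReadLine(2)
Loop

$nul = Close(1)
$nul = Close(2)
Get $
Exit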
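;#######################################
; Translate a directory object name between naming formats via the
; NameTranslate COM object (IADsNameTranslate).
; Arguments: $InitType       - NameTranslate init type (1 = domain, 2 = server, 3 = GC)
;            $BindName       - domain/server to bind to for init types 1 and 2;
;                              "" when $InitType is 3 (GC)
;            $LookupNameType - format of $LookupName (e.g. 3 = NT4 "DOMAIN\name")
;            $LookupName     - the name to translate
;            $ReturnNameType - format to return (e.g. 1 = LDAP distinguished name)
; Returns:   the translated name, or "" when any step failed.  A negative
;            (COM) error code is re-raised to the caller through Exit, using
;            the low four hex digits of the code.
;#######################################
Function TranslateName($InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType)
  Dim $InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType
  Dim $NameTranslate, $ReturnName
  $ReturnName = ""
  $NameTranslate = CreateObject("NameTranslate")
  ; Each step runs only if the previous one succeeded, and nothing in between
  ; touches @ERROR, so the check after the assignment sees the failing call.
  If @ERROR = 0
    $NameTranslate.Init($InitType, $BindName)
    If @ERROR = 0
      $NameTranslate.Set($LookupNameType, $LookupName)
      If @ERROR = 0
        $ReturnName = $NameTranslate.Get($ReturnNameType)
      EndIf
    EndIf
  EndIf
  $TranslateName = $ReturnName
  ; "&" + hex digits is a KiXtart hex literal; Right(...,4) keeps the low 16 bits.
  If @ERROR < 0 Exit Val("&" + Right(DecToHex(@ERROR), 4)) EndIf
EndFunction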