#111367 - 2004-01-07 10:26 AM
Bulk disabling user accounts in NT SAM
Mfarah
Fresh Scripter
Registered: 2003-09-24
Posts: 27
Loc: London
Hi all
Does anyone know of a script or software that can automate the process of disabling accounts in an NT Domain SAM?
I have a text file of approximately two thousand accounts that I wish to remove from my NT Domain. I intend to delete them by using the NT Resource Kit utility Addusers, which works very well for deletion.
However, prior to the deletion, I would like to disable them, and Addusers does not support this. Does anyone have any suggestions, or even better a pointer to a script that can do this for me?
Thanks Michael
#111370 - 2004-01-07 02:24 PM
Re: Bulk disabling user accounts in NT SAM
Chris S.
MM club member
   
Registered: 2002-03-18
Posts: 2368
Loc: Earth
Here is the script that I use to bulk disable accounts. Our process is to find unused accounts (that's a different script) and scrub the list, making sure that the accounts are safe to disable. I then use this script to disable the accounts and rename them. They are renamed with a "0x_" pre-pended to the username, where the "x" is the current quarter so I can easily sort disabled accounts. After 90 days of being disabled I highlight all of the disabled accounts and delete them.
Code:
Break On

; Create Object to the Users Container - Disabled accounts are moved here.
$objUsers=GetObject("LDAP://CN=Users,DC=yourcompany,DC=com")

; Create WinNT Object to the domain - Used to rename accounts.
$objDomain=GetObject("WinNT://@DOMAIN")

; Open logfile for script results for writing.
$logfile=@SCRIPTDIR+"\dis_user_log.txt"
$nul=open(1,$logfile,5)

; Open textfile containing list of usernames to disable.
$database=@SCRIPTDIR+"\dis_user.txt"
$nul=open(2,$database,2)
$user=readline(2)

; Parse through usernames.
do
  ; Get user object.
  $objUser=GetObject("WinNT://@DOMAIN/$user,user")
  if @error
    $nul=WriteLine(1, $user+" Invalid Username"+chr(13)+chr(10))
    $user+" Invalid Username" ?
  else
    ; Translate WinNT ADsPath to LDAP ADsPath
    $ADsPath = TranslateName (3,"",3,"@DOMAIN\"+$objUser.Name,1)
    $ADUser = GetObject("LDAP://"+$ADsPath)
    $sUser=Split($ADUser.Name,"=")
    $sUser[1] = "03_"+$sUser[1]
    $sUser=Join($sUser,"=")

    ; Update Description field and Disable account.
    $objUser.Description=$objUser.Description+" (Disabled @DATE)"
    $objUser.AccountDisabled=1
    $objUser.SetInfo

    ; Renames the user account.
    $nul=$objDomain.MoveHere($objUser.ADsPath, "02_"+$objUser.Name)
    $nul=$objUsers.MoveHere($ADUser.ADsPath, $sUser)
    if @error
      $nul=WriteLine(1, $user+" Not disabled error encountered"+chr(13)+chr(10))
      $user+" not disabled error encountered" ?
    else
      $nul=WriteLine(1, $user+" Disabled"+chr(13)+chr(10))
      $user+" disabled" ?
    endif
  endif
  $user=readline(2)
until @error

$nul=close(1)
$nul=close(2)

get $
exit

; NameTranslate wrapper: converts between name formats (WinNT path to LDAP DN here).
Function TranslateName ($InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType)
  Dim $InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType
  Dim $NameTranslate, $ReturnName, $Error, $ErrorText
  $Error = 0
  $ErrorText = ""
  $ReturnName = ""
  $NameTranslate = CREATEOBJECT ("NameTranslate")
  if @Error = 0
    $NameTranslate.Init ($InitType, $BindName)
    if @Error = 0
      $NameTranslate.Set ($LookupNameType, $LookupName)
      if @Error = 0
        $ReturnName = $NameTranslate.Get($ReturnNameType)
      endif
    endif
  endif
  $TranslateName = $ReturnName
  If @ERROR<0
    Exit VAL("&"+Right(DecToHex(@ERROR),4))
  EndIf
Endfunction
#111371 - 2004-01-07 02:46 PM
Re: Bulk disabling user accounts in NT SAM
Mfarah
Fresh Scripter
Registered: 2003-09-24
Posts: 27
Loc: London
Hi Kent
Thanks for the response. If you are talking about the /d switch in Addusers, this switch dumps accounts to a file. The d switch creates accounts as disabled, which is good if you are creating accounts and want them disabled. However, my accounts already exist and I need to disable them.
#111372 - 2004-01-07 02:47 PM
Re: Bulk disabling user accounts in NT SAM
Mfarah
Fresh Scripter
Registered: 2003-09-24
Posts: 27
Loc: London
Thanks for the script Chris. Tell me, does this work for NT Domains ?
#111373 - 2004-01-07 03:19 PM
Re: Bulk disabling user accounts in NT SAM
Mfarah
Fresh Scripter
Registered: 2003-09-24
Posts: 27
Loc: London
Chris
I tried running the script and got an error that states:
Quote:
Array Reference out of bounds on line 20
Could this be a problem with the format of the text file containing the users? Is there any specific format I need to follow? Currently I have them listed one per line with only the user name referenced.
I would appreciate any help. Thanks.
#111374 - 2004-01-07 03:28 PM
Re: Bulk disabling user accounts in NT SAM
Chris S.
MM club member
   
Registered: 2002-03-18
Posts: 2368
Loc: Earth
The following edits should allow it to work properly in an NT domain...
Code:
Break On

; Create Object to the Users Container - Disabled accounts are moved here.
; (Not available in an NT domain: there is no LDAP provider to bind to.)
;$objUsers=GetObject("LDAP://CN=Users,DC=yourcompany,DC=com")

; Create WinNT Object to the domain - Used to rename accounts.
$objDomain=GetObject("WinNT://@DOMAIN")

; Open logfile for script results for writing.
$logfile=@SCRIPTDIR+"\dis_user_log.txt"
$nul=open(1,$logfile,5)

; Open textfile containing list of usernames to disable.
$database=@SCRIPTDIR+"\dis_user.txt"
$nul=open(2,$database,2)
$user=readline(2)

; Parse through usernames.
do
  ; Get user object.
  $objUser=GetObject("WinNT://@DOMAIN/$user,user")
  if @error
    $nul=WriteLine(1, $user+" Invalid Username"+chr(13)+chr(10))
    $user+" Invalid Username" ?
  else
    ; Translate WinNT ADsPath to LDAP ADsPath - not used in an NT domain,
    ; so the $sUser array is never built and must not be referenced either.
    ; $ADsPath = TranslateName (3,"",3,"@DOMAIN\"+$objUser.Name,1)
    ; $ADUser = GetObject("LDAP://"+$ADsPath)
    ; $sUser=Split($ADUser.Name,"=")
    ; $sUser[1] = "03_"+$sUser[1]
    ; $sUser=Join($sUser,"=")

    ; Update Description field and Disable account.
    $objUser.Description=$objUser.Description+" (Disabled @DATE)"
    $objUser.AccountDisabled=1
    $objUser.SetInfo

    ; Renames the user account.
    $nul=$objDomain.MoveHere($objUser.ADsPath, "02_"+$objUser.Name)
    ; $nul=$objUsers.MoveHere($ADUser.ADsPath, $sUser)
    if @error
      $nul=WriteLine(1, $user+" Not disabled error encountered"+chr(13)+chr(10))
      $user+" not disabled error encountered" ?
    else
      $nul=WriteLine(1, $user+" Disabled"+chr(13)+chr(10))
      $user+" disabled" ?
    endif
  endif
  $user=readline(2)
until @error

$nul=close(1)
$nul=close(2)

get $
exit
#111376 - 2004-01-07 04:00 PM
Re: Bulk disabling user accounts in NT SAM
Mfarah
Fresh Scripter
Registered: 2003-09-24
Posts: 27
Loc: London
Hi Chris
Thanks again, for clarity here is the script that I ended up using which worked.
Code:
Break On

; Create Object to the Users Container - Disabled accounts are moved here.
$objUsers=GetObject("LDAP://CN=Users,DC=domain,DC=com")

; Create WinNT Object to the domain - Used to rename accounts.
$objDomain=GetObject("WinNT://@DOMAIN")

; Open logfile for script results for writing.
$logfile=@SCRIPTDIR+"\dis_user_log.txt"
$nul=open(1,$logfile,5)

; Open textfile containing list of usernames to disable.
$database=@SCRIPTDIR+"\addusersdt.txt"
$nul=open(2,$database,2)
$user=readline(2)

; Parse through usernames.
do
  ; Get user object.
  $objUser=GetObject("WinNT://@DOMAIN/$user,user")
  if @error
    $nul=WriteLine(1, $user+" Invalid Username"+chr(13)+chr(10))
    $user+" Invalid Username" ?
  else
    ; Translate WinNT ADsPath to LDAP ADsPath (not used in an NT domain)
    ;$ADsPath = TranslateName (3,"",3,"@DOMAIN\"+$objUser.Name,1)
    ;$ADUser = GetObject("LDAP://"+$ADsPath)
    ;$sUser=Split($ADUser.Name,"=")
    ;$sUser[1] = "03_"+$sUser[1]
    ;$sUser=Join($sUser,"=")

    ; Update Description field and Disable account.
    $objUser.Description=$objUser.Description+" (Disabled @DATE)"
    $objUser.AccountDisabled=1
    $objUser.SetInfo

exit

Function TranslateName ($InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType)
  Dim $InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType
  Dim $NameTranslate, $ReturnName, $Error, $ErrorText
  $Error = 0
  $ErrorText = ""
  $ReturnName = ""
  $NameTranslate = CREATEOBJECT ("NameTranslate")
  if @Error = 0
    $NameTranslate.Init ($InitType, $BindName)
    if @Error = 0
      $NameTranslate.Set ($LookupNameType, $LookupName)
      if @Error = 0
        $ReturnName = $NameTranslate.Get($ReturnNameType)
      endif
    endif
  endif
  $TranslateName = $ReturnName
  If @ERROR<0
    Exit VAL("&"+Right(DecToHex(@ERROR),4))
  EndIf
Endfunction
#111378 - 2004-01-07 06:29 PM
Re: Bulk disabling user accounts in NT SAM
Kdyer
KiX Supporter
   
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
Read on..
Look at the /e switch..
Kent
#111379 - 2004-01-09 11:40 AM
Correction to code
Mfarah
Fresh Scripter
Registered: 2003-09-24
Posts: 27
Loc: London
There was actually some code missing at the end of this script. Here is a revised version.
Code:
Break On

; Create Object to the Users Container - Disabled accounts are moved here.
$objUsers=GetObject("LDAP://CN=Users,DC=hayshps,DC=com")

; Create WinNT Object to the domain - Used to rename accounts.
$objDomain=GetObject("WinNT://@DOMAIN")

; Open logfile for script results for writing.
$logfile=@SCRIPTDIR+"\dis_user_log.txt"
$nul=open(1,$logfile,5)

; Open textfile containing list of usernames to disable.
$database=@SCRIPTDIR+"\C_Post.txt"
$nul=open(2,$database,2)
$user=readline(2)

; Parse through usernames.
do
  ; Get user object.
  $objUser=GetObject("WinNT://@DOMAIN/$user,user")
  if @error
    $nul=WriteLine(1, $user+" Invalid Username"+chr(13)+chr(10))
    $user+" Invalid Username" ?
  else
    ; Translate WinNT ADsPath to LDAP ADsPath (not used in an NT domain)
    ;$ADsPath = TranslateName (3,"",3,"@DOMAIN\"+$objUser.Name,1)
    ;$ADUser = GetObject("LDAP://"+$ADsPath)
    ;$sUser=Split($ADUser.Name,"=")
    ;$sUser[1] = "03_"+$sUser[1]
    ;$sUser=Join($sUser,"=")

    ; Update Description field and Disable account.
    $objUser.Description=$objUser.Description+" (Disabled @DATE)"
    $objUser.AccountDisabled=1
    $objUser.SetInfo
    if @error
      $nul=WriteLine(1, $user+" Not disabled error encountered"+chr(13)+chr(10))
      $user+" not disabled error encountered" ?
    else
      $nul=WriteLine(1, $user+" Disabled"+chr(13)+chr(10))
      $user+" disabled" ?
    endif
  endif
  $user=readline(2)
until @error

$nul=close(1)
$nul=close(2)

get $
exit

Function TranslateName ($InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType)
  Dim $InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType
  Dim $NameTranslate, $ReturnName, $Error, $ErrorText
  $Error = 0
  $ErrorText = ""
  $ReturnName = ""
  $NameTranslate = CREATEOBJECT ("NameTranslate")
  if @Error = 0
    $NameTranslate.Init ($InitType, $BindName)
    if @Error = 0
      $NameTranslate.Set ($LookupNameType, $LookupName)
      if @Error = 0
        $ReturnName = $NameTranslate.Get($ReturnNameType)
      endif
    endif
  endif
  $TranslateName = $ReturnName
  If @ERROR<0
    Exit VAL("&"+Right(DecToHex(@ERROR),4))
  EndIf
Endfunction
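As an added example that is not code from the thread, here is the same disable, stamp, rename and log flow that Chris describes (0x_ quarter prefix, Description stamp, one username per line, result log), written against the ADSI WinNT provider in PowerShell. It assumes a Windows host that can reach the domain, the file names used in the thread, and that it is run as a .ps1 file; the -WhatIf dry run, the already-disabled check and the rejection of malformed list entries are additions the KiXtart scripts do not have.

```powershell
# Added example, not from the thread: disable, stamp, rename and log via the
# ADSI WinNT provider. Assumes a Windows host joined to (or trusting) the domain.
param(
    [string]$Domain   = $env:USERDOMAIN,                            # NT domain name (assumption)
    [string]$ListPath = (Join-Path $PSScriptRoot 'dis_user.txt'),   # one username per line
    [string]$LogPath  = (Join-Path $PSScriptRoot 'dis_user_log.txt'),
    [switch]$WhatIf                                                 # report only, change nothing
)

# Chris's "0x_" prefix, where x is the current quarter, so disabled accounts sort together.
$prefix = '0{0}_' -f [math]::Ceiling((Get-Date).Month / 3)
$stamp  = (Get-Date).ToString('yyyy-MM-dd')

function Write-Log([string]$Message) {
    "$((Get-Date).ToString('s')) $Message" | Out-File -FilePath $LogPath -Append -Encoding ascii
    Write-Host $Message
}

Get-Content $ListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ } | ForEach-Object {
    $name = $_
    # A stray line must not bind to the wrong object: reject path characters and
    # names that already carry a quarter prefix (they would be disabled twice).
    if ($name -match '[\\/,]' -or $name -match '^\d\d_') {
        Write-Log "$name skipped (bad entry)"; return
    }
    $path = "WinNT://$Domain/$name,user"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        Write-Log "$name Invalid Username"; return
    }
    $user = [ADSI]$path
    if ([bool]$user.psbase.InvokeGet('AccountDisabled')) {
        Write-Log "$name already disabled"; return
    }
    if ($WhatIf) { Write-Log "$name would be disabled and renamed to $prefix$name"; return }
    try {
        $user.Description     = "$($user.Description) (Disabled $stamp)"
        $user.AccountDisabled = $true
        $user.SetInfo()
        # DirectoryEntry.Rename does the MoveHere on the domain container for us.
        $user.psbase.Rename("$prefix$name")
        Write-Log "$name Disabled, renamed to $prefix$name"
    } catch {
        Write-Log "$name Not disabled, error encountered: $($_.Exception.Message)"
    }
}
```

Run it once with -WhatIf and review the log before running it for real; the log then doubles as the record of which accounts were touched and when.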
#111381 - 2004-01-13 11:32 AM
Re: Bulk disabling user accounts in NT SAM
otf
Getting the hang of it
Registered: 2003-11-21
Posts: 53
Loc: Scotland
Quote:
Our process is to find unused accounts (that's a different script)
Don't suppose you could point me in the direction of such a script? I've searched through the forum and can't find it, I'm afraid. Thanks, otf