#61722 - 2001-12-29 04:48 PM
Re: Disable account
Shawn
Administrator
Registered: 1999-08-13
Posts: 8611
attiahia, you might want to try a couple of alternatives:
1) cusrmgr.exe from the Win2k resource kit can do this. Here's a link: CUSRMGR SYNTAX. Check out the SetProperties Functions and the +s Property switch ...
2) ADSI can do this as well. All you'd need is a Windows 2000 workstation for that ... think there are even examples on da-board here ... let us know if you want to pursue this course of action ...
-Shawn
#61723 - 2001-12-30 07:08 AM
Re: Disable account
attiahia
Hey THIS is FUN
Registered: 2000-03-27
Posts: 268
I highly appreciate your help. I would like to work with cusrmgr.exe, and here is the case. We have a domain called “ABC”. The domain LAN administrator told me that Active Directory is installed on this domain, and he placed my account in a specific group that has admin privilege over all this domain. In addition, he added my account to the domain controller of this domain.
Now, I logged on to this domain and did the following (in DOS mode):
CUSRMGR -u Test1 +s AccountDisabled -m domain controller name
Then I am getting:
“CUsrMgr Ver 1.0 jan98 by G.Zanzen © MCS central Europe)
After this I logged on to the domain with the Test1 account and it worked; it logged me in while it shouldn’t.
Thank you.
[ 30 December 2001: Message edited by: attiahia ]
#61724 - 2001-12-30 10:14 AM
Re: Disable account
attiahia
Hey THIS is FUN
Registered: 2000-03-27
Posts: 268
Shawn, since AD is installed on this domain I think I should use ADSI. By searching the board I found a piece of code done by you (OU BAD BOYS) and I think it answers 80% of what I need. http://kixtart.org/cgi-bin/ultimatebb.cgi?ubb=get_topic&f=1&t=002588 I still need your help please.
Please excuse me if the following questions seem silly to you; I am totally new to AD and I didn’t take any course about it. The user whose account I want to disable/enable is in the following path (I got this path from the domain LAN administrator):
LDAP://ABCD-00730-nd05.zain.com/CN=noor NIaa.,OU=Test,OU=Messaging,DC=zain,DC=com
My questions are:
In $sysinfo = createobject("adsysteminfo"), should I put this path as ("adsysteminfo")?
How can I get this path through the script? I mean, can I search for it if I have only the account of the user I want to disable?
In $user = getobject("LDAP://"+$sysinfo.username), should I place the user account in username?
Thank you.
#61725 - 2001-12-30 01:53 PM
Re: Disable account
Alex.H
Seasoned Scripter
Registered: 2001-04-10
Posts: 406
Loc: France
attiahia, no silly question here, only someone who is seeking knowledge. Nothing in Shawn's example has to be changed.
For the following line:
$sysinfo = createobject("adsysteminfo")
Adsysteminfo is an AD object. It's the name you have to use to call it. $Sysinfo is a handle to adsysteminfo (in fact, a clone of it, as you'll never be allowed by the system to get your hand on the original object, only a memory copy stored in a variable).
The Adsysteminfo object has multiple properties and methods. They are called like this:
$Object_Handle.property
$Object_Handle.method("parameters")
Actually, the most used properties are:
.Username
.Computername
.GetAnyDC (not really sure of the correct syntax)
Beware, ADsysteminfo is dependent on the current user on the current workstation. The respective values will be different with another user or computer.
.Username will return the following value: CN=Current User Name,OU=Test,OU=Messaging,DC=zain,DC=com
.Computername will return the following value: CN=Current Computer Name,OU=Test,DC=zain,DC=com
(all are examples, of course)
For $user = getobject("LDAP://"+$sysinfo.username)
In fact, this is exactly the same:
$user = getobject("LDAP://CN=Current User Name,OU=Test,OU=Messaging,DC=zain,DC=com")
The $User variable will be the current user, but as an object, so with methods and properties. In your case, the user object we'll get has the AccountDisabled property. Everything you need, no?
And as I don't think you'll do this with the user code and password you want to disable, here's what you need; a copy/paste will be enough:
code:
$user = GetObject("LDAP://CN=noor NIaa.,OU=Test,OU=Messaging,DC=zain,DC=com")
$user.AccountDisabled = 1 ; disable the account
$user.SetInfo ; needed to write the new information to the directory
After that, you only have to wait for the time the AD server will take to replicate the change.
[ 30 December 2001: Message edited by: Alex.H ]
_________________________
? getobject(Kixtart.org.Signature)
#61726 - 2001-12-31 09:37 AM
Re: Disable account
attiahia
Hey THIS is FUN
Registered: 2000-03-27
Posts: 268
Thanks a lot. I got an error and have some questions (there are not many examples of the createobject function on the board). Following is what I did.
As I told you, the user whose account I want to disable/enable is in the following path (I got this path from the domain LAN administrator):
LDAP://ABCD-00730-nd05.zain.com/CN=noor NIaa.,OU=Test,OU=Messaging,DC=zain,DC=com
$sysinfo = createobject("adsysteminfo")
$user = getobjec("LDAP://"+$sysinfo.username)
Do I have to insert ABCD-00730-nd05.zain.com after LDAP:// ?
You said that .Username (property) will return the current user name; actually I have a list of user accounts that I want to disable. My script is reading these accounts one by one and then I want to pass each to the disable/enable command. Should I search for each account in the AD database to get the path, then disable/enable it?
I got this error: “;Script error : unknown command !$user.AccountDisabled = 1”
How can I know the AD objects and the properties of each object? I searched MSDN (msdn.microsoft.com/library) for the ADO programmers guide, object model & reference, and all that I found was about ActiveX.
Your support is highly appreciated.
#61729 - 2001-12-31 10:26 AM
Re: Disable account
attiahia
Hey THIS is FUN
Registered: 2000-03-27
Posts: 268
SHAWN. I got my account data.
username=CN=Attiah\, Ibrahim A,OU=AD Administrative Accounts,OU=Messaging,DC=aramco,DC=com
[ 31 December 2001: Message edited by: attiahia ]
#61730 - 2001-12-31 10:34 AM
Re: Disable account
Shawn
Administrator
Registered: 1999-08-13
Posts: 8611
How about this:
break on
$user = GetObject("LDAP://CN=noor NIaa.,OU=Test,OU=Messaging,DC=zain,DC=com")
if $user
  ?"setting info..."
  $user.AccountDisabled = 1 ; disable the account
  ?"@ERROR: @SERROR"
  $user.SetInfo ; needed to write the new information to the directory
  ?"@ERROR: @SERROR"
else
  ?"@ERROR ; @SERROR"
endif
exit 1
What do you get when you run this?
-Shawn
[ 31 December 2001: Message edited by: Shawn ]
#61731 - 2002-01-01 12:04 AM
Re: Disable account
attiahia
Hey THIS is FUN
Registered: 2000-03-27
Posts: 268
- I got "operation completed successfully", but after this I logged off and logged on with the noor account and it worked (logged on to the domain).
- How can I get the user path ://CN=noor NIaa.,OU=Test,OU=Messaging,DC=zain,DC=com ?
- Can I place $userId (which I read through the script from a TXT file of all domain users) in CN=noor NIaa. to be CN=$userId ?
Thanks a lot.
#61732 - 2001-12-31 01:48 PM
Re: Disable account
Alex.H
Seasoned Scripter
Registered: 2001-04-10
Posts: 406
Loc: France
attiahia,
You should take a look here: ADSearch() UDF
It's all you need now to get the complete LDAP context name of a given user name from any computer in your office.
Beware, only * can be used as a wildcard, nothing else.
The little thing to do afterwards is to remove ",AccountName=...,IsContainer=0,IsGroup=0" and you have everything to do a getobject("LDAP://" ...)
You can do this directly in the UDF. Remove the lines after the comment "; To get rid of " LDAP://" that add the information relative to ",AccountName=*", ",IsContainer=*" and ",IsGroup=*"
- Shawn, finally, it was a good idea to convert 3 vbscripts and mix them into one UDF
[ 31 December 2001: Message edited by: Alex.H ]
_________________________
? getobject(Kixtart.org.Signature)
#61733 - 2002-01-03 12:18 AM
Re: Disable account
attiahia
Hey THIS is FUN
Registered: 2000-03-27
Posts: 268
I went through the ADSearch function and the additional, very useful example which I received from Alex.H, and for the time being I know that $user.AccountDisabled=1 will disable the account. How can I enable the account again? Also, how can I find all AD objects and the properties and methods of each object? Thank you.
Alex.H, the example which I received from you (via e-mail) was useful for me and I sent you some questions about it. Please let me know if you did not receive them or if you want me to place the same questions here on the board. Thank you.
#61734 - 2002-01-03 12:38 AM
Re: Disable account
Anonymous
Anonymous
Unregistered
hi attiahia, speaking from gained registry knowledge I would expect that replacing the 1 with a 0 would do the trick, but that is just a lucky guess.
Alex T
[ 02 January 2002: Message edited by: Ch3lsea ]
#61735 - 2002-01-02 02:19 PM
Re: Disable account
Alex.H
Seasoned Scripter
Registered: 2001-04-10
Posts: 406
Loc: France
attiahia,
You should post it on the board, as it may help other users here. For now, I don't have access to my home mail, so I'll see it this evening.
Also, Ch3lsea is right: $user.AccountDisabled=0 enables the user by removing the "Disabled" flag.
For information about users and other AD objects: http://msdn.microsoft.com/library/en-us/netdir/adsi/persistent_object_interfaces.asp
[ 02 January 2002: Message edited by: Alex.H ]
_________________________
? getobject(Kixtart.org.Signature)
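Added example, not part of the original posts or of the ADSearch UDF: the disable/enable steps discussed above applied to a list of accounts, with a read-back after SetInfo so that a change the directory did not store is reported rather than assumed. The file path, the variable names and the one-distinguished-name-per-line input format are assumptions.

```kixtart
; Added example, not code from the thread.
; Assumed input: a text file with one full distinguished name per line, e.g.
;   CN=noor NIaa.,OU=Test,OU=Messaging,DC=zain,DC=com
; A comma inside a CN must already be escaped as "\," in the file.
Break On

$ListFile = "C:\temp\accounts.txt" ; hypothetical path
$Disable  = 1                      ; 1 = disable, 0 = enable again
$Failed   = 0

$rc = Open(1, $ListFile)
If $rc
    ? "Cannot open " + $ListFile + " (code " + $rc + ")"
    Exit 1
EndIf

$dn = ReadLine(1)
While @ERROR = 0
    If $dn <> ""
        $user = GetObject("LDAP://" + $dn)
        If $user
            $user.AccountDisabled = $Disable
            $user.SetInfo              ; write the change to the directory
            If @ERROR
                ? "WRITE FAILED  " + $dn + " (@ERROR: @SERROR)"
                $Failed = $Failed + 1
            Else
                $user.GetInfo          ; reload the object from the directory
                $now = 0
                If $user.AccountDisabled
                    $now = 1
                EndIf
                If $now = $Disable
                    ? "OK            " + $dn
                Else
                    ? "NOT APPLIED   " + $dn
                    $Failed = $Failed + 1
                EndIf
            EndIf
        Else
            ? "BIND FAILED   " + $dn + " (@ERROR: @SERROR)"
            $Failed = $Failed + 1
        EndIf
    EndIf
    $dn = ReadLine(1)   ; must be the last statement: the loop tests its @ERROR
Loop
$rc = Close(1)
? "Accounts with problems: " + $Failed
```

A matching read-back only shows that the server the script bound to stored the change; as noted earlier in the thread, other domain controllers see it once replication has run.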
#61736 - 2002-01-02 08:35 PM
Re: Disable account
Alex.H
Seasoned Scripter
Registered: 2001-04-10
Posts: 406
Loc: France
Some of you may find this interesting for understanding the multiple objects I used in the ADSearch UDF: http://kixtart.org/cgi-bin/ultimatebb.cgi?ubb=get_topic&f=12&t=000115 (in the reply to the UDF)
_________________________
? getobject(Kixtart.org.Signature)
#61737 - 2002-01-16 10:23 AM
Re: Disable account
attiahia
Hey THIS is FUN
Registered: 2000-03-27
Posts: 268
Alex.H & Shawn, I used your function/code to disable/enable the user e-mail account on a domain that has Active Directory and it worked excellently. Can I use the same code to disable/enable the user internet account? The domain administrator told me that internet accounts are authenticated from a database different from the e-mail users database. Thank you.
[ 16 January 2002: Message edited by: attiahia ]
#61738 - 2002-01-16 01:14 PM
Re: Disable account
Alex.H
Seasoned Scripter
Registered: 2001-04-10
Posts: 406
Loc: France
Attiahia,
Did you say different? Could you explain a little more? Is it a different server with its own database?
_________________________
? getobject(Kixtart.org.Signature)
#61739 - 2002-01-16 07:33 PM
Re: Disable account
attiahia
Hey THIS is FUN
Registered: 2000-03-27
Posts: 268
I hope that I can explain the situation here correctly. I have a list of 100 users whose e-mail account AND internet account I want to disable. What I did was read each user from this list and pass it to your function, which finds the OU path for it and then disables the account; this part worked excellently. I thought this part would disable the e-mail account and the internet account, but it did not.
What I understood is that when the user wants to log in to the internet, he will be authenticated from a different LDAP server, and I got the name of this server (i.e. st8en1.dhw.zain.com.st). So, in your first code and specifically in the following line:
$AdoCommand.CommandText ="Select AdsPath, samAccountName, GroupType from 'LDAP://"+GetObject("LDAP://rootDSE").Get("defaultNamingContext")+"' "+$filter
I tried to replace ("LDAP://rootDSE") with ("LDAP://st8en1.dhw.zain.com.st ")
But it seems to me that it did not work. Please help.
#61740 - 2002-01-16 10:08 PM
Re: Disable account
Alex.H
Seasoned Scripter
Registered: 2001-04-10
Posts: 406
Loc: France
You are looking in the right direction, just missing a little thing. It's:
'LDAP://st8en1.dhw.zain.com.st/rootDSE'
This will result in:
Select AdsPath, samAccountName, GroupType from 'LDAP://"+GetObject("LDAP://st8en1.dhw.zain.com.st/rootDSE").Get("defaultNamingContext")+"' "+$filter
In case it's not working (don't see why, but everything can happen), replace "st8en1.dhw.zain.com.st" with the server NetBIOS name.
_________________________
? getobject(Kixtart.org.Signature)