For users, the object code is U. When specifying users, don’t use the "recursive" field, and don’t use a semi-colon at the end. You can use a DisplayName, a sAMAccountName, or a distinguished name (starting with LDAP://) to refer to a user account.
For groups, the object code is G. When specifying users, you can optionally specify ";true" (without the quotes) as a third field. This will also process any member groups (and their members) in the current group. You can use a DisplayName, a sAMAccountName or a distinguished name (starting with LDAP://) to refer to a group.
So an example users2disable.txt file would be :
U;peter.vaneeckhoutte
U;LDAP://cn=Partner1,ou=Partner Company A,dc=domain,dc=com
G;LDAP://cn=Partners B,ou=Partner Groups,dc=domain,dc=com;true
In this example, user "peter.vaneeckhoutte" will be disabled, user "Partner1" will be disabled, and all members in group "Partners B" will be disabled, including members of any nested child groups within the "Partners B" group.
As you can see, you can only specify one entry per line. Make sure to pick your user and group definitions in such a way that the tool can only find 1 object that matches with the entry. If not, the tool will use the first match, so this might result in unwanted behavior.
The users2ignore.txt file only accepts usernames. You don’t need to use an ignore file, but I would strongly advise you to do so, and to put your admin accounts in there. Otherwise, if you don’t set up your users2disable.txt file the right way, you might be able to disable all users, or disable you admin accounts. The users2ignore.txt file does not require a specific structure per line, you only need to put a reference to a user account (one per line) in the file. These references can be a DisplayName, sAMAccountName, distinguished name (starting with LDAP://) or a guid (which is nice if you have the good habit of renaming certain admin accounts – after all, the guid will always be the same)
An example users2ignore.txt file could look like this :
Administrator
server.administrator
ae99d5da-f2ff-41b9-a41c-d0bc470c49c9
After setting up these 2 files, you are ready to run the tool. Open a command prompt. If you launch the tool without parameters, you’ll get a quick syntax overview:
As you can see, only the input file "disable_entries.txt" is mandatory. The ignore file is optional, and so is the –execute parameter. Without specifying this parameter, nothing will happen to AD. The tool will run in simulation mode, so you can see what it will do when running with the –execute parameter turned on. This allows you to test, or to prevent disasters when you run the tool without paying attention. So keep in mind : by default, the tool will run in simulation mode. If you do not specify –execute, nothing will happen.
When you’ve played with the tool and when you are sure that the tool does what you need it to do, you can use the task scheduler to let the tool run as many times as you want. You could for example let the tool run at 6pm (if you are sure that you don’t want any external people to be able to connect to your network after 6pm)
The user account that is used to run the script (or to run the scheduled task) must have the rights to read AD (find user object, read group membership) and to disable a user account. (write permissions on the userAccountControl attribute)
The script automatically creates a log file, prefixed with the name of the month. The current version (starting from v1.0.0.136) will remove all log files older than 6 months automatically.
This version is still in beta – so if you have questions, comments, feature requests, bugs, etc – mail me directly peter [dot] ve [at] telenet [dot] be
© 2007 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.
Free tool – PVE Active Directory Disable Users