Active Directory users
searching for accounts locked out in the last 24 hours. By varying this value, we can control how far back we look for locked-out accounts.
The comparison operator for our search is provided by the MatchType parameter. In this case we’re looking for values greater than the reference value—lockouts that have occurred since the reference time. The search is performed by the FindByLockoutTime() method with the context, reference date, and operator as parameters. The usual check on the results and displaying the distinguished names completes the script. This is the easiest method to script for searching for locked-out accounts that I’ve found.
If you want a super easy way of finding locked-out accounts, it doesn’t get much easier than using the AD cmdlets. The Microsoft cmdlet syntax is:
Search-ADAccount -LockedOut
and the syntax for the Quest cmdlet is very similar:
Get-QADUser -Locked
These will retrieve all locked-out accounts in the domain.
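The search described above, as an added example that is not the book's own listing: it uses the System.DirectoryServices.AccountManagement API (PrincipalContext, MatchType, and the static FindByLockoutTime() method) to report every account whose lockoutTime falls within the last N hours, and shows whether each one is still locked. The domain name manticore.org and the default 24-hour window are assumptions taken from the surrounding text.

```powershell
# Added example (not from the book): report accounts locked out in the last N hours.
# Assumptions: run from a domain-joined host as a user who can read lockoutTime;
# the domain name "manticore.org" is taken from the book's sample DNs.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-RecentLockout {
    param(
        [string]$Domain = "manticore.org",   # assumed domain name
        [int]$Hours = 24                     # how far back to look
    )

    # Context for the search: the whole domain
    $ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
                      -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $Domain

    # Reference time: lockouts newer than this count as "recent"
    $since = (Get-Date).AddHours(-$Hours)

    # MatchType.GreaterThan selects lockoutTime values after the reference time
    $found = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByLockoutTime(
        $ctx, $since, [System.DirectoryServices.AccountManagement.MatchType]::GreaterThan)

    foreach ($u in $found) {
        # An account can have a recent lockoutTime yet already be unlocked
        # (lockout duration expired or an admin cleared it), so report both
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            DistinguishedName = $u.DistinguishedName
            LastLockout       = $u.AccountLockoutTime
            StillLockedOut    = $u.IsAccountLockedOut()
        }
    }

    $found.Dispose()   # release the search handle
    $ctx.Dispose()
}

# Usage: accounts locked out in the last day, then in the last hour
Get-RecentLockout | Format-Table -AutoSize
Get-RecentLockout -Hours 1 | Format-Table -AutoSize
```

Reporting StillLockedOut alongside LastLockout is the useful part for an operator: a burst of accounts that were locked and then released in the same window looks very different from one account that is still locked, and Search-ADAccount -LockedOut only shows the latter.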
We’ve looked at searching for disabled accounts; we should now look at how to enable or disable them.
TECHNIQUE 8 Enabling and disabling accounts
Listing 5.4 showed how to disable or enable a local user account. This script shows how to perform the same action on an Active Directory account.
PROBLEM
We need to disable or enable an Active Directory account.
SOLUTION
An Active Directory user account can be disabled by modifying the useraccountcontrol attribute, as shown in listing 5.15. This is the domain equivalent of listing 5.1 in that it toggles between enabled/disabled—it’ll enable a disabled account and vice versa. We use ADSI to connect to the relevant account, retrieve the useraccountcontrol attribute, perform a bitwise exclusive OR on it, and write it back. The bitwise exclusive OR will toggle the disabled bit to the opposite value; that is, it will disable the account if enabled and enable it if disabled.
$user = [ADSI]"LDAP://CN=BOSCH Herbert,OU=Austria,DC=Manticore,DC=org"
$oldflag = $user.useraccountcontrol.value
$newflag = $oldflag -bxor 2          # bit 2 is the account-disabled flag; XOR flips it
$user.useraccountcontrol = $newflag
$user.SetInfo()                      # write the change back to Active Directory
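The toggle in listing 5.15 has a practical weakness: run it twice (or have two admins run it) and a disabled account is enabled again. The following added example, not from the book, sets or clears the disabled bit explicitly with -bor and -band so the operation is idempotent and leaves the other userAccountControl flags (password-never-expires, smartcard-required, and so on) untouched. The DN and the flag value 0x2 (ADS_UF_ACCOUNTDISABLE) come from the listing; the function names are my own.

```powershell
# Added example (not from the book): explicit, idempotent enable/disable via the
# ADS_UF_ACCOUNTDISABLE bit of userAccountControl. Assumes the book's sample DN.
$ADS_UF_ACCOUNTDISABLE = 0x2

function Test-AccountDisabled {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $user = [ADSI]"LDAP://$DistinguishedName"
    $uac = [int]$user.userAccountControl.Value
    return (($uac -band $ADS_UF_ACCOUNTDISABLE) -ne 0)
}

function Set-AccountDisabled {
    param(
        [Parameter(Mandatory=$true)][string]$DistinguishedName,
        [Parameter(Mandatory=$true)][bool]$Disabled   # $true = disable, $false = enable
    )
    $user = [ADSI]"LDAP://$DistinguishedName"
    $old = [int]$user.userAccountControl.Value

    if ($Disabled) {
        $new = $old -bor $ADS_UF_ACCOUNTDISABLE           # set the bit only
    } else {
        $new = $old -band (-bnot $ADS_UF_ACCOUNTDISABLE)  # clear the bit only
    }

    # Only write when something changed; a second identical call is a no-op,
    # which is exactly what the -bxor toggle cannot guarantee
    if ($new -ne $old) {
        $user.userAccountControl = $new
        $user.SetInfo()
    }
    return ($new -ne $old)   # $true if the directory was modified
}

# Usage with the book's sample user
$dn = "CN=BOSCH Herbert,OU=Austria,DC=Manticore,DC=org"
Set-AccountDisabled -DistinguishedName $dn -Disabled $true    # disables
Set-AccountDisabled -DistinguishedName $dn -Disabled $true    # no change, returns $false
Test-AccountDisabled -DistinguishedName $dn                   # reports the current state
```

Checking the bit before writing also gives you a free audit hook: the function returns whether anything changed, so a bulk script can log only the accounts it actually touched.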
DISCUSSION
The AD cmdlets provide specific commands to disable and enable user accounts:
Disable-ADAccount -Identity HSorby
Enable-ADAccount -Identity HSorby
Disable-QADUser -Identity "CN=BOSCH Herbert,OU=Austria,DC=Manticore,DC=org"
Enable-QADUser -Identity "CN=BOSCH Herbert,OU=Austria,DC=Manticore,DC=org"
All we need is to pass the identity of the user to the cmdlet and it does the rest. I can type this faster than opening the GUI tools, especially if I know the user ID so I can use domain\userid as the identity with the Quest cmdlets. (See appendix D for an explanation of the differences between the two sets of cmdlets when handling identities.)
One problem you may face is disabling an account and then moving it to a holding OU pending deletion. We’ve seen how to disable it, and we’ll now turn to the move.
TECHNIQUE 9 Moving accounts
One method of organizing users in Active Directory is to have OUs based on department or location. This can enable us to apply specific group policies to those users. If the users move to a different location or department, we need to move the account to the correct OU so they receive the correct settings. When people leave the organization, their user accounts should be deleted. Many organizations will have an OU specifically for accounts that are to be deleted, so the accounts have to be moved into the correct OU.
PROBLEM
A user account has to be moved to another OU.
SOLUTION
The [ADSI] accelerator gives us access to a MoveTo method, but we have to remember that it’s on the base object, so we need to include .psbase in PowerShell v1. In v2, this isn’t an issue, as it has been made visible. Listing 5.16 demonstrates how we use the MoveTo() method to move a user account into a new OU.
$newou = [ADSI]"LDAP://OU=ToBeDeleted,DC=Manticore,DC=org"
$user = [ADSI]"LDAP://CN=SMITH Samuel,OU=England,DC=Manticore,DC=org"
$user.psbase.MoveTo($newou)    # .psbase reaches the underlying DirectoryEntry (needed in v1)
Using the [ADSI] type accelerator, we set variables to the user and target OU. If you were to perform $user |get-member, you wouldn’t see any methods on the object apart from two conversion methods. But by using $user.psbase | get-member, we drop into the underlying object as discussed in chapter 2. There we can see a MoveTo() method that will do just what we want. We call the method with the target OU as a parameter and the user is whisked off to his new home. If we have to move a number of accounts from an OU, we can modify the script to read the OU contents and then perform a move on the selected accounts.
WITHIN A DOMAIN ONLY The techniques in this section only work within a domain; they can’t be used for cross-domain moves.
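The bulk variant the text mentions, reading an OU and moving selected accounts, as an added example that is not from the book: a DirectorySearcher finds the disabled users directly under a source OU (the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803 tests the disabled bit server-side) and MoveTo() relocates each one into the ToBeDeleted OU from listing 5.16. Both OUs are in the same domain, as the sidebar requires. The OU DNs are the book's samples; -WhatIf support is added so the script can be rehearsed before it changes anything.

```powershell
# Added example (not from the book): move every disabled user directly under a source OU
# into the holding OU, within one domain. Assumes the book's sample OU names.
function Move-DisabledUsersToHoldingOU {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [string]$SourceOU = "LDAP://OU=England,DC=Manticore,DC=org",
        [string]$TargetOU = "LDAP://OU=ToBeDeleted,DC=Manticore,DC=org"
    )

    $target = [ADSI]$TargetOU
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$SourceOU
    $searcher.SearchScope = "OneLevel"   # only accounts directly in the source OU
    # person/user objects whose userAccountControl has the disabled bit (2) set
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")

    $moved = @()
    $results = $searcher.FindAll()
    foreach ($result in $results) {
        $dn = $result.Properties["distinguishedname"][0]
        # ShouldProcess honours -WhatIf (report only) and -Confirm (ask per account)
        if ($PSCmdlet.ShouldProcess($dn, "Move to $TargetOU")) {
            $user = $result.GetDirectoryEntry()
            $user.psbase.MoveTo($target)   # .psbase needed in PowerShell v1; harmless later
            $moved += $dn                  # record the pre-move DN for the log
        }
    }
    $results.Dispose()
    return $moved
}

# Rehearse first, then run for real and keep the list of what was moved
Move-DisabledUsersToHoldingOU -WhatIf
$movedAccounts = Move-DisabledUsersToHoldingOU
$movedAccounts | Out-File -FilePath ".\moved-to-holding.txt"
```

Filtering on the disabled bit in the LDAP query, rather than moving everything in the OU, is the safeguard that matters here: an enabled account that lands in the holding OU picks up whatever group policy applies there and is next in line for deletion.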
DISCUSSION
The AD cmdlets don’t provide a cmdlet to explicitly move users between OUs, but we can use the generic cmdlets for moving AD objects. All we need to provide is the