Thursday, November 13, 2014

Powershell - Disable and Move user

We have quite a bit of mobility with our students.  When a student leaves we typically hold on to their accounts for a while.  It seems more often than not, we get them back a couple months later.  Typically we just disable them and move them to an Organizational Unit (OU) to keep Active Directory (AD) clean.  Again, as in my last post, this is pretty simple in Active Directory Users and Computers (ADUC).  The issue I run into is I don't always have ADUC open, and with Windows 7 and newer it seems to take a little longer than it should to open.  Fortunately, I usually have the PowerShell ISE open.

Here's what I do:

 $user = Read-Host "Please enter the user to disable(Logon Name)"  

This prompts for the user we want to disable.  Once the logon name is entered, the command below disables the account.

 Disable-ADAccount -Identity $user  

If you already know the user's logon name or have the Distinguished Name, you can skip the Read-Host and put the name in place of the $user variable.

The last step is to move the disabled account to a different OU.

 # Move-ADObject only accepts a Distinguished Name or GUID for -Identity, so resolve the logon name first  
 Get-ADUser -Identity $user | Move-ADObject -TargetPath "OU=ToDelete,OU=Students,DC=test,DC=com"  

This works well and does everything I need.  However, it's 3 lines and I try to keep things as short as possible.  I haven't put in enough time to get it to 1 line, so I'll settle for 2.

 $user = Read-Host "Please enter the user to disable(Logon Name)"  
 # Disable-ADAccount writes nothing to the pipeline by default; -PassThru sends the user object on to Move-ADObject  
 Disable-ADAccount -Identity $user -PassThru | Move-ADObject -TargetPath "OU=ToDelete,OU=Students,DC=test,DC=com"  
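The two-liner above is what I run interactively. As an added example (not code from the original post), here is the same disable-and-move procedure wrapped in a function that resolves the name first, refuses to touch an account that is already in the target OU, stamps the account's description so the "why" survives, and supports -WhatIf for a dry run. The function name, the description text and the OU path are assumptions chosen for illustration; adjust the OU for your own domain.

```powershell
# Added example, not from the original post. Function name, OU path and the
# description stamp are assumptions; Get-ADUser/Disable-ADAccount/Move-ADObject
# are the real ActiveDirectory module cmdlets the post already uses.
#Requires -Modules ActiveDirectory

function Disable-AndArchiveUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Logon name (sAMAccountName), DN, GUID or SID; anything Get-ADUser accepts
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Identity,

        # OU where disabled accounts are parked (the one from the post; assumed)
        [string]$TargetPath = 'OU=ToDelete,OU=Students,DC=test,DC=com'
    )

    process {
        foreach ($id in $Identity) {
            # Resolve first: Move-ADObject needs a DN or GUID, not a logon name,
            # and a mistyped name should fail loudly instead of silently.
            try {
                $user = Get-ADUser -Identity $id -Properties Description -ErrorAction Stop
            }
            catch {
                Write-Warning "Account '$id' not found: $($_.Exception.Message)"
                continue
            }

            # Already archived? Then there is nothing to do.
            if ($user.DistinguishedName -like "*,$TargetPath") {
                Write-Verbose "$($user.SamAccountName) is already under $TargetPath; skipping"
                continue
            }

            if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable and move to $TargetPath")) {
                # Record who disabled the account and when, visible later in ADUC
                $stamp = "Disabled {0:yyyy-MM-dd} by {1}" -f (Get-Date), $env:USERNAME
                Set-ADUser -Identity $user -Description $stamp

                Disable-ADAccount -Identity $user

                # Move by DN; -PassThru returns the moved object so we can show where it landed
                Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetPath -PassThru |
                    Select-Object Name, DistinguishedName
            }
        }
    }
}

# Usage: preview with -WhatIf, then run for real; names can also be piped in
# Disable-AndArchiveUser -Identity 'jsmith' -WhatIf
# 'jsmith', 'ajones' | Disable-AndArchiveUser -Verbose
```

Running it once with -WhatIf before the real run is worth the extra keystrokes: it shows exactly which account would be disabled and moved, which matters when a logon name resolves to someone other than the student standing at your door.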

Hope this helps someone.

Wednesday, November 12, 2014

Powershell - Unlock AD Accounts

One of the first issues I have encountered is when the school year starts and all the students come back.  We reset everyone's password just before school starts to help reduce the forgotten password issues.  While this has reduced password issues, with 2000+ kids, some are bound to forget.  In order to make this quick and simple, I turned to PowerShell.  While unlocking accounts in Active Directory Users and Computers (ADUC) is quite easy, I wanted to make it a little quicker.  Here's what I used:

Search-ADAccount -LockedOut

This command searches through all of Active Directory and returns the accounts that are locked out.  From there I can run:

Unlock-ADAccount -Identity <SAMAccountName or Distinguished Name>

The Search-ADAccount command returns both the SAMAccountName and the Distinguished Name, and the Unlock cmdlet accepts either one:

Unlock-ADAccount -Identity AndyE

Unlock-ADAccount -Identity "CN=AndyE,OU=Users,DC=domain,DC=com"

While these are nice for handling one account at a time, I run into situations where there is a line of students outside my door with locked out accounts.

I needed a faster way to unlock accounts than one at a time.  Luckily, with the pipeline symbol I can combine more than one command.  This ultimately led to me using:

Search-ADAccount -LockedOut | Unlock-ADAccount
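The one-liner unlocks every locked-out account in the whole domain, including staff and admin accounts, and a lockout on one of those can be the only sign that someone is guessing passwords. As an added example (not code from the original post), here is a version that scopes the search to one OU, shows when each account locked and how many bad passwords preceded it so repeat offenders stand out, and appends a record of each unlock to a CSV. The function name, the OU path and the log path are assumptions chosen for illustration.

```powershell
# Added example, not from the original post. Function name, SearchBase and
# LogPath are assumptions; the cmdlets and property names are the real ones
# from the ActiveDirectory module.
#Requires -Modules ActiveDirectory

function Unlock-StudentAccounts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Only accounts under this OU are considered; staff/admin OUs stay untouched
        [string]$SearchBase = 'OU=Students,DC=test,DC=com',

        # Every unlock is appended here so there is a record of who was unlocked and when
        [string]$LogPath = "$env:TEMP\unlock-log.csv"
    )

    # Search-ADAccount -LockedOut returns objects carrying SamAccountName and
    # DistinguishedName, exactly what Unlock-ADAccount -Identity needs.
    $locked = Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase

    if (-not $locked) {
        Write-Host "No locked-out accounts under $SearchBase"
        return
    }

    # Pull lockout details so a single forgotten password looks different from
    # dozens of failed attempts against one account.
    $report = foreach ($acct in $locked) {
        $u = Get-ADUser -Identity $acct.DistinguishedName -Properties LockoutTime, BadPwdCount, LastBadPasswordAttempt
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            LockedOutSince    = if ($u.LockoutTime) { [DateTime]::FromFileTime($u.LockoutTime) } else { $null }
            BadPwdCount       = $u.BadPwdCount
            LastBadAttempt    = $u.LastBadPasswordAttempt
            DistinguishedName = $u.DistinguishedName
        }
    }

    # Show the list before touching anything
    $report | Sort-Object LockedOutSince | Format-Table SamAccountName, LockedOutSince, BadPwdCount, LastBadAttempt -AutoSize | Out-Host

    foreach ($row in $report) {
        if ($PSCmdlet.ShouldProcess($row.SamAccountName, 'Unlock')) {
            Unlock-ADAccount -Identity $row.DistinguishedName
            $row |
                Add-Member -NotePropertyName UnlockedAt -NotePropertyValue (Get-Date) -PassThru |
                Export-Csv -Path $LogPath -Append -NoTypeInformation
        }
    }
}

# Usage: list first, then unlock
# Unlock-StudentAccounts -WhatIf
# Unlock-StudentAccounts -Verbose
```

With -WhatIf you still get the table, so a quick glance at BadPwdCount tells you whether this is the usual line of students or one account being hammered, before anything is unlocked.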

If you haven't noticed, I prefer one-liners to get things done.  I have written fairly complex scripts for creating users and other tasks, but I still prefer the quickest and easiest way to accomplish a task.  I'm sure there are more elaborate ways to handle these issues; these commands are what works for me and my environment.