1. Thanks for this script.

    I am a bit stuck though.

    As I understand it I run the first script and it identifies users that should be disabled and creates a text file.

    Then I run the second script and it looks at those text files and disables the corresponding user account.

    The first script is working after some modification for my environment and some extra code to cause it to ignore DNs containing certain text strings.

    I can’t figure out how the second script utilizes those text files to know what to disable.

    Am I way off base?



  2. Doug

    In our environment, I have implemented a proxy system. This enables me to restrict access rights for our technicians so that they can only make most changes using a front end script. I have front end scripts for things such as resetting passwords (we have to use a randomly created password for all password resets to comply with PCI rules), creating users, disabling users, etc… These front end scripts all write to a text file in a designated location.

    The next step of the process is to handle these files. I have an automated process that looks for new files created (it finds new files created in about five seconds or so). When it finds a new file, it grabs the information from the file and writes it to a database. It then processes the script using the fields it wrote to a database and allows me to document who requested what change in AD when without an expensive AD monitoring tool.

    I know this sounds like a very complicated method, but it has worked really well for us and allowed me to create a poor man’s method for managing AD without giving techs too many permissions. (It also enables me to make sure that things such as new users or disabling users happens in a very consistent manner by forcing techs to use my front end scripts to do the work.) You can find out more about this proxy method by reading the book referenced above (Windows Administration Resource Kit: Productivity Solutions for IT Professionals)

    I have recently moved a lot of this over to PowerShell now, so I will do a blog article shortly about my new PowerShell proxy system, as well as the new scripts I use now for disabling users automatically. It is much simpler (and a lot less code) using PowerShell now.

  3. Thanks Doug.

    The second script is the one that I am trying to understand.

    I don’t need to bother with the proxy stuff I don’t think.

    How does the second script know where to look for the text files created by the first script?

    The text files are created in C:\Proxy\Test but in the second script I don’t see any reference to that directory.

    Thanks Much 🙂


  4. Doug

    Well, this vbscript method really only works well with the proxy system because it writes straight to file. You could combine the two scripts into a single script by replacing the write to file section with the script that actually makes the modification.

    Honestly today, I much prefer PowerShell for this as it is much easier to accomplish what I want to accomplish. I have written a new blog article today about using PowerShell to disable inactive users. Let me know if that helps.

  5. I have yet to bite into Powershell but it is the way of the future.

    I am modifying the first script to disable and move the accounts as long as they are not in several OUs I have specified and log it to a file.
    I also am modding it to ignore disabled accounts and accounts where the password never expires (Service accounts)

    I appreciate the work you put into this and making it available.

    Send me an E-Mail at my yahoo account and I can give you a link to my download page for Copyrite XP for free.

    It’s a really nice GUI for Robocopy and a $19.95 value.
    It works well with all MS OS from 2000 up to Server 2012, Windows 8 32/64.

    Your script saved me well over that amount 🙂

    Thanks Doug,


Comments are closed.