Requirement 1: A friend told me that the OUs in their AD are created automatically by an LDAP program. They have a lot of people (70,000 to 80,000) and a lot of organizational units, and the odd part is that the program only ever creates OUs and never deletes them, so useless OUs keep accumulating. They wanted to delete them in bulk but ran into the following problems:
1. Every OU has the default "Protect object from accidental deletion" property enabled, so the deletion fails, for example:
2. There is actually a second problem he did not mention, which I will add here: if the OU being deleted still contains child objects, you are prompted that it cannot be deleted.
Solution approach:
For problem 1, we can find all the corresponding OUs and sub-OUs, then bulk-clear their "Protect object from accidental deletion" property.
For problem 2, we can sort the corresponding OUs before deleting them. Because some OU names are Chinese and some are English, sorting on the DistinguishedName property is confusing. Instead we can use the CanonicalName property: its path is in exactly the reverse order of DistinguishedName (root first, leaf last), so when it is sorted in descending order a child OU always comes before its parent OU, and we can delete the OUs in that order without errors.
Combining the ideas above, we ran the following script to modify and delete in bulk, and found that the corresponding OUs were all deleted:
Import-Module ActiveDirectory
# CanonicalName is not returned by default, hence -Properties *; sorting it descending puts child OUs before their parents
$ou = Get-ADOrganizationalUnit -SearchBase "OU=staff,DC=contoso,DC=com" -Filter 'Name -like "*"' -Properties * | Sort-Object CanonicalName -Descending
# Clear the accidental-deletion protection on every OU in the subtree, then delete them deepest-first
$ou | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false
$ou | Remove-ADOrganizationalUnit -Confirm:$false
The OUs and their child OUs were deleted normally.
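As an added example (not the post's own script), the same deepest-first deletion wrapped in a function: it skips any OU that still holds objects, which is the failure from problem 2, clears the protection flag only where it is set, logs every removal, and supports -WhatIf for a dry run. The search base and log path are assumed values.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
function Remove-EmptyOUTree {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,        # e.g. "OU=staff,DC=contoso,DC=com" (assumed value)
        [string] $LogPath = "$env:TEMP\ou-cleanup.log"    # assumed log location
    )
    Import-Module ActiveDirectory

    # CanonicalName is not a default property, so request it explicitly.
    # Sorting it descending places every child OU before its parent, as the post describes.
    # Note: -SearchBase includes the base OU itself, so it is deleted last.
    $ous = Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter * `
               -Properties CanonicalName, ProtectedFromAccidentalDeletion |
           Sort-Object CanonicalName -Descending

    foreach ($ou in $ous) {
        # Any remaining child (user, group, computer, or an OU skipped below) makes the
        # delete fail, so report such OUs instead of removing their contents.
        $children = @(Get-ADObject -SearchBase $ou.DistinguishedName -SearchScope OneLevel -Filter *)
        if ($children.Count -gt 0) {
            Write-Warning "Skipping $($ou.DistinguishedName): still contains $($children.Count) object(s)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Remove OU')) {
            if ($ou.ProtectedFromAccidentalDeletion) {
                Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $false
            }
            Remove-ADOrganizationalUnit -Identity $ou -Confirm:$false
            "$(Get-Date -Format o) removed $($ou.DistinguishedName)" | Add-Content -Path $LogPath
        }
    }
}

# Dry run first, then the real deletion:
Remove-EmptyOUTree -SearchBase "OU=staff,DC=contoso,DC=com" -WhatIf
# Remove-EmptyOUTree -SearchBase "OU=staff,DC=contoso,DC=com"
```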
Requirement 2: Find the locked-out AD accounts and unlock them.
Search-ADAccount -LockedOut | Unlock-ADAccount
Similarly, to query accounts whose password never expires:
Search-ADAccount -PasswordNeverExpires
Query all disabled AD accounts (users, computers, service accounts):
Search-ADAccount -AccountDisabled
Query only disabled user accounts:
Search-ADAccount -AccountDisabled -UsersOnly
Query only disabled computer accounts:
Search-ADAccount -AccountDisabled -ComputersOnly
Query expired AD accounts (users, computers, service accounts):
Search-ADAccount -AccountExpired
This article is from the "Zhou Ping Microsoft Technology Exchange Platform" blog; please keep this source: http://yuntcloud.blog.51cto.com/1173839/1613857
PowerShell Management Series (20): Batch deleting OUs and unlocking locked accounts with PowerShell