PowerShell Management Series (20) PowerShell Operations for batch deletion of OUs and unlocked locked accounts

-----provide ad\exchange\lync\sharepoint\crm\sc\o365 and other Microsoft product implementation and outsourcing, qq:185426445. Phone 18666943750

Demand 1: Listen to a friend said their ad inside the OU is automatically built by the LDAP program, more people, 7, 80,000, the organization is more, the wonderful thing is that their program will only be created, will not be deleted, accumulate, there are many useless OU, want to bulk delete, but found the following problems:

1, found that every deletion of the default "Prevent accidental deletion of objects" property, or can not be deleted, such as:

650) this.width=650; "Width=" 769 "height=" 533 "title=" QQ picture 20150211220510.png "style=" WIDTH:713PX;HEIGHT:487PX; "alt= "Wkiol1tbyswrkcpcaajyvz2yujc907.jpg" src= "Http://s3.51cto.com/wyfs02/M02/59/AB/wKioL1TbYsWRKCpCAAJYVZ2yuJc907.jpg"/>

2, in fact, there is a problem, he did not mention, I am here by the way, delete the time if the deleted OU also have child objects, you will be prompted to delete.

650) this.width=650; "Width=" 1028 "height=" 517 "title=" qq picture 20150211220855.jpg "style=" WIDTH:715PX;HEIGHT:443PX; "alt = "Wkiom1tbyyphy0yjaaikk21uv98083.jpg" src= "Http://s3.51cto.com/wyfs02/M01/59/AE/wKiom1TbYyPhy0YjAAIkk21uV98083.jpg"/>

Solution Ideas:

For Issue 1, we can identify all the corresponding OUs and sub-OUs, and then bulk Modify the OU properties to "prevent accidental deletion of objects".

For problem 2, we can order the corresponding OU to delete, because some of the OU is Chinese, some are English, the DistinguishedName property is more confusing, we can take the CanonicalName property, we will find that this property is exactly the same as distinguishedname attribute to the contrary, in descending order, the sub-OU will always be in front of the parent node OU, so that we can delete the OU as normal.

In combination with the above mentioned ideas, we follow the following script batch modification, found that the corresponding OU have been deleted, such as:

Import-module ActiveDirectory
$ou =get-adorganizationalunit-searchbase "ou= staff, dc=contoso,dc=com"-filter ' name-like "*"-properties * | Sort-object Canonicalname-desc
$ou | Set-adorganizationalunit-protectedfromaccidentaldeletion $false
$ou | Remove-adorganizationalunit-confirm: $false

650) this.width=650; "Width=" 981 "height=" 588 "title=" QQ picture 20150211220510.png "style=" width:721px;height:490px; "alt= "Wkiom1tbacdtyvyqaajwqr408v0995.jpg" src= "Http://s3.51cto.com/wyfs02/M00/59/AE/wKiom1TbaCDTyVyQAAJwQR408V0995.jpg"/>

The OU and the child nodes were found to be deleted normally.

Requirement 2: Check out the locked AD account and enable it.

Search-adaccount-lockedout | Unlock-adaccount

650) this.width=650; "Width=" 714 "height=" 524 "title=" QQ picture 20150211220510.png "style=" width:721px;height:528px; "alt= "Wkiol1tbb9prgy5iaafmmoqaidy440.jpg" src= "Http://s3.51cto.com/wyfs02/M02/59/AB/wKioL1Tbb9PRGY5IAAFMMoqaiDY440.jpg"/>

The same as our query password will never expire account,

Search-adaccount-passwordneverexpires

Query all disabled ad accounts, computers, service accounts

Search-adaccount-accountdisabled

Query the ad account that is disabled,

Search-adaccount-accountdisabled-usersonly

Query the disabled computer account,

Search-adaccount-accountdisabled-computersonly

Query an expired AD account, computer, service account

Search-adaccount-accountexpired

This article is from the "Zhou Ping Microsoft Technology Exchange Platform" blog, please be sure to keep this source http://yuntcloud.blog.51cto.com/1173839/1613857

PowerShell Management Series (20) PowerShell Operations for batch deletion of OUs and unlocked locked accounts