Server2003, enable / disable user login via powershell

Hi all,
Newbie, in Africa for short time only and probably haven't done all the homework I should have.
Unix and OO background but just learning powershell.
I need to be able to enable / disable local user accounts on a local server in a school; no clusters, pretty much stand-alone. I presume if I can get the user object it has a member / method for enabling / disabling, but I don't understand how to get the user object. In particular, I don't understand the two-character abbreviations used in front of params to queries.
If I bring up active directory users and computers, what I see is:
techna-school
  Tech/na school
      Students
The users I want to enable/disable are members of the "Students" group above, and for RDP / security purposes are members of the "Learners" group. The server is not in any "official" (i.e. DNS recognized) domain, just gets net access as a normal user via dialup and DHCP.
I'm guessing I need something kinda like the following to get at the user objects, but I haven't a clue what the "ou", "dc", or anything else needed are supposed to be as I don't have an MS server background.
    $learners = [ADSI] "LDAP://ou=Learners,dc=techna-school"
Any help would be much appreciated.
Thanks,
Gary

From the sounds of it, you have domain accounts not local accounts. The difference is domain accounts can log onto any machine within your domain, whereas local accounts can only log onto the local machine they were created on. Since your users are using thin clients, it is most likely a domain account they are using.
For using AD cmdlets on Server 2003, you need some things in place, this article might help you

Thanks for the info and pointer.
I'm a little leery of going through that process as I don't have a test system to work on, but I appreciate the pointer; may delve into that later.
In the meantime, I've managed to get the user objects using Get-WmiObject, but an attempt to modify them via Set-WmiInstance fails:
    $learners = Get-WmiObject -query "Select Name,Disabled From Win32_UserAccount"
    foreach ($learner in $learners) {
      Set-WmiInstance -InputObject $learner -Argument @{Disabled=$True} -PutType UpdateOnly
    }
Set-WmiInstance : Invalid Object
Seems pretty straight-forward so I suspect it is a simple error but I'm not seeing it.
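
The "Invalid Object" failure above is consistent with the query's property list: selecting only Name and Disabled leaves out Domain, one of the two key properties of Win32_UserAccount, so the returned instances carry no object path to write back to. The following is an added example, not code from the thread; it fetches complete instances, limits the change to members of the "Learners" group named in the post (the posted loop would touch every account the query returns) and skips the built-in Administrator. The function name and its parameters are hypothetical.

```powershell
# Added example (not from the thread). 'Learners' is the group named in the post;
# the function name and parameters are hypothetical.
function Set-GroupMemberDisabled {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$GroupName = 'Learners',
        [bool]$Disabled = $true
    )

    # Fetch the group with all properties so its keys (Domain, Name), and
    # therefore its __RELPATH, are populated. If a local and a domain group
    # share the name, the first one returned is used.
    $group = @(Get-WmiObject -Class Win32_Group -Filter "Name='$GroupName'")[0]
    if (-not $group) { throw "Group '$GroupName' not found." }

    # ASSOCIATORS OF returns complete Win32_UserAccount instances. A projection
    # such as "Select Name,Disabled" omits the Domain key, which leaves the
    # instance without a path for Set-WmiInstance to update.
    $query = "ASSOCIATORS OF {$($group.__RELPATH)} WHERE " +
             "AssocClass=Win32_GroupUser ResultClass=Win32_UserAccount Role=GroupComponent"

    foreach ($acct in @(Get-WmiObject -Query $query)) {
        # Never touch the built-in Administrator (RID 500), even if it is a member.
        if ($acct.SID -like 'S-1-5-21-*-500') {
            Write-Warning "Skipping built-in administrator $($acct.Caption)"
            continue
        }
        # Nothing to do if the account is already in the requested state.
        if ($acct.Disabled -eq $Disabled) { continue }

        # -WhatIf / -Confirm are honoured here because of SupportsShouldProcess.
        if ($PSCmdlet.ShouldProcess($acct.Caption, "Set Disabled=$Disabled")) {
            Set-WmiInstance -InputObject $acct -Arguments @{ Disabled = $Disabled } |
                Out-Null
        }
    }
}

# Preview which accounts would change, without modifying anything:
Set-GroupMemberDisabled -GroupName 'Learners' -WhatIf
# Apply, and later re-enable:
# Set-GroupMemberDisabled -GroupName 'Learners'
# Set-GroupMemberDisabled -GroupName 'Learners' -Disabled $false
```

Run it from an elevated session; with no test system available, the -WhatIf pass shows exactly which accounts would be changed before anything is written.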

Similar Messages

  • Active Directory User which can Create a User but not Allowed to Enable Disabled Users

    Hi Guys, we have a requirement to create a User Group in Active Directory which will grant its members permission to 'Create Users' but not be allowed to 'Enable' 'Disabled Users'.
    We have tried delegating control and assigning permissions by going to 'Security Tab>Advanced'.
    It seems like when a group is granted permission to create users, it will also be allowed to enable, disabled users.
    Kindly advise if it is possible to create a user group with permissions to 'Create Users' but not be allowed to 'Enable', 'Disabled Users'.

    Hi,
    According to my experience, you can assign permission with create/delete user objects. If you want to disable/enable a user, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.
    In general, if you just give a user group the permission to create user objects, it cannot disable or enable user accounts. Please make sure that the permission you assigned is correct and the user group is not a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory.
    Best regards,
    Susie

  • How to you prevent disabling remote login via managed preferences?

    this doesn't seem to be an obvious setting.
    i want to disable our users from disabling remote login on their machines. some of them know how to do this.
    everyone has mobile home accounts, btw.
    hope someone can help!
    thanks in advance.

    thanks for your response, Tony.
    your 2nd suggestion is more towards what i am looking to do.
    we have WGM with User, Computer, Groups, and Computer Groups. right now, we aren't managing any preferences and we do make the users local admins on their machines after their first login/Home Sync.
    i was hoping to add a manifest to WGM in Preferences/Details, but i am not sure if this is possible and if it is, i don't know how to do it.
    we have users in remote sites that connect to our network via vpn and sometimes i need to remotely access their machines. but i can't on those that turn it off, obviously.
    thanks again!

  • Updating date while enabling/Disabling user in AD

    Hi All,
    We are using FIM 2010 R2 SP1 and integrated with AD.
    All integration is done through synch rule and no coding.
    Now we have a new requirement to update date in AD while enabling and disabling user.
    Kindly suggest, how it can be achieved through synch rule.
    Thanks,
    Mann

    Hi Mann.Cool,
    You can't set a date dynamically through a sync rule. Instead, I suggest you parse useraccountcontrol and set a custom attribute with value enabled/disabled.
    See
    http://idmgnt.wordpress.com/xpath-custom-expression/ (Check if an account is enable or not)
    Once that is done:
    Create two new sets "Enabled users" and "Disabled users"
    Create a WF with T4F Function Evaluator, to set your date attribute (http://oxfordcomputergroup.com/technology/software-tools-components )
    Create the mpr
    Let me know if you want more details
    Regards,
    Sylvain

  • To disable user login on a solaris 10 server

    Hello Everybody
    I want to know how to disable further user logins: suppose there are 10 users already logged in on a server and I don't want any more users to log in on the server, without getting those existing users to log off.
    Regards

    I suppose you could write a wrapper script that uses who to count the number of connections and then:
    touch /etc/nologin
    to disable further logons at some arbitrary number. Then you could stick the script into cron and let it do its thing.
    alan

  • Problem in GTC - Enable/Disable user task

    Hi,
    I am trying to enable a user for a GTC, but I encounter the following errors while doing so:
    10/08/25 02:19:23 Running GENERICADAPTER
    10/08/25 02:19:23 Target Class = com.thortech.xl.gc.runtime.GCAdapterLibrary
    ERROR,25 Aug 2010 02:19:23,959,[OIMCP.DATC],Class/Method: DBProvisioningTransportProvider/sendData encounter some problems: The table PS_RSTR_FMSU_VW does not exist in the target database schema oimuser
    com.thortech.xl.gc.exception.DBException: The table PS_RSTR_FMSU_VW does not exist in the target database schema oimuser
    at com.thortech.xl.gc.impl.common.DBFacade.getType(Unknown Source)
    at com.thortech.xl.gc.impl.common.DBFacade.getSchema(Unknown Source)
    at com.thortech.xl.gc.impl.prov.DBProvisioningTransportProvider.getSchema(Unknown Source)
    at com.thortech.xl.gc.impl.prov.DBProvisioningTransportProvider.sendData(Unknown Source)
    at com.thortech.xl.gc.runtime.GCAdapterLibrary.executeFunctionality(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpFMSUSER_GTC.GENERICADAPTER(adpFMSUSER_GTC.java:125)
    at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpFMSUSER_GTC.implementation(adpFMSUSER_GTC.java:70)
    at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
    Also, the user 'oimuser' has sufficient privileges for the view 'PS_RSTR_FMSU_VW'. The data in the view is accessible and can be read when logged-in as oimuser in SQL developer.
    Please help me in resolving this issue.
    Regards.

    Since this is a view, the user does not have Write permissions.
    Regards.

  • Restrict local user login via GPO

    I need a way to restrict domain users' access to the PCs in my department. All users at the company are put into company wide general user groups and then, as a department, we put them into separate user groups per department OU. I want to restrict access to all users except the users in my OU user groups but there are hundreds of other user groups created by other departments so direct exclusion per group is out. I need a way to restrict everyone except my users via a group policy object.
    Any help is appreciated.

    Hi,
    Please follow the below steps for denying logon to all users, except the users who are the members of groups in your department OU,
    1. Create a new group called "MyExcludedGroups" (To whom we are going to add the groups, for excluding logon to your department computers).
    2. Check the below steps for adding the groups to "MyExcludedGroups" group using powershell,
    - Go to Start -> Open Windows Powershell using Run as Administrator 
    - In the powershell type, set-executionpolicy unrestricted (for allowing commands to execute)
    - Type the command import-module activedirectory           (to enable and execute AD cmdlets)
    - For example to add the groups in "ou=test1,dc=mydomain,dc=com" to "MyExcludedGroups" group, type the below commands,
               $test1=Get-ADGroup -Filter * -SearchBase "ou=test1,dc=mydomain,dc=com" 
               Add-ADGroupMember -Identity MyExcludedGroups -Members $test1
          Similarly you can run the commands on each OU to add the groups to "MyExcludedGroups" group.
    3. Create a Group Policy Object (GPO) linked at the OU containing your department computers called "Deny Interactive Logon".
    4. Right click and edit the GPO "Deny Interactive Logon" and navigate to the node "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment".
    5. In the "User Rights Assignment" node add "Deny log on locally" permission for "MyExcludedGroups" group.
    Regards,
    Gopi
    www.jijitechnologies.com

  • Sharepoint group users enumerate via powershell

    Greetings!
    While I am trying to enumerate and list all site collections groups users, we also need to display user's email id.
    I am able to get lists of users however in some of subsite sites group same AD user's emailid property is returning blank.
    e.g. user john.s is in groups in different sites however while enumerating via script some of groups return blank value in emailid
    not sure what is root cause of this and how it can be corrected. any help will be highly appreciated!
    GroupUser
    i:0#.w|dc\john.s
    [email protected]
    subsite3
    http://site.org:8080/subsite3
    GroupUser
    i:0#.w|dc\john.s
    [email protected]
    subsite4
    http://site.org:8080/subsite4
    GroupUser
    i:0#.w|dc\john.s
    subsite2
    http://site.org:8080/subsite2

    Is User Profile Synchronization service application running? Is the SID property identical?
    You can try to manually sync the user with AD using the below cmdlet
    Set-SPUser -Identity "domain\login" -Web <Url> -SyncFromAD
    Set-SPUser
    This post is my own opinion and does not necessarily reflect the opinion or view of Slalom.

    thanks for response!
    I tried above cmdlet.
    however it resulted in error: You must specify a valid user object or user identity.
    Currently we don't have User profile synchronization enabled. However the emailids have not been changed since these were created for these AD users. wondering why it shows up in one of subsites whereas doesn't show email id of same user somewhere in other subsites.

  • Enable RRAS LAN Routing via Powershell

    On a fresh install of windows 2012 R2 if I run the following:
    Install-WindowsFeature -Name "Routing"
    Install-WindowsFeature -Name "RSAT-RemoteAccess-Powershell"
    Add-BgpRouter ...
    I receive the error: LAN Routing not configured. Please ensure RasRoutingProtocols role services is installed and Lan Routing is configured.
    This is expected and via the GUI I can enable RRAS and LAN routing. How can I enable RRAS and LAN routing with powershell only?

    This link may help you
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/5f98fa02-f960-4e51-bacf-b1c84a45dd40/rras-server-2012-core-how-to-enable-lan-routing
    Regards Chen V [MCTS SharePoint 2010]

  • Export 2 specific folders from users A mailbox and transfer them to user B Via Powershell

    Hi 
    i know there is a simpler method for the user to export the folder within outlook as a PST file and send it to the other user to import... but
    Is there a powershell command sequence i can use that will export folders from User A mailbox and import them into User B's mailbox remotely so they don't have to do anything.
    Many Thanks
    Gordon

    i made some progress with the following
    New-MailboxExportRequest -mailbox "User A" -includeFolders "User A\\TransferFolder" -Filepath \\server\serversubfolder\transfer.pst -verbose
    then using
    New-MailboxImportRequest -mailbox "User B" -FilePath \\server\serversubfolder\transfer.pst -TargetRootFolder "Inbox" -includefolder "Transferfolder" -verbose

  • Can you identify users primary device assigned by the user agent via Powershell?

    Hi,
    I've been using the Get-CMUserDeviceAffinity to find a user's primary device, however I'm experiencing problems when a user has more than 1 primary device (I have 2, my laptop and an RDS server). Is there a way to query a user's primary device filtered on the User Affinity type? i.e. User Agent assigned?
    Regards,
    Chris
    Chris Gibson

    it looks like you want Source "4", per the dbo.UserMachineSources table:
    SourceID            Name
    1            Software Catalog
    2            Administrator
    3            User
    4            Usage Agent
    5            Device Management
    6            OSD
    7            Fast Install
    8            Exchange Server connector
    Mike Crowley | MVP
    My Blog --
    Baseline Technologies

  • Disabling User instead of deleting

    I'm using OIM 9031.
    I've created a custom access policy which grants user a resource (OEBS) based on his group membership.
    When user is no longer a member of group, his account is deleted from assigned resource. How do I change the behavior of OIM so that user account in OEBS would be blocked instead of completely deleted?

    Yes, I want the account to be re-enabled after the user is a member of a group again. No idea how to change the provisioning workflow...
    Maybe, I should add two new tasks, for enabling/disabling user, but then I must somehow incorporate 'enable user' task into my workflow. It may require 3rd task which checks if user account already exists (e.g. is user already provisioned the resource) and depending on response code, it may launch either create or enable task...

  • Disabling User specific/Default Setting

    In the output of CV04n selection while 'Save Layout' how is it possible to enable/disable
    'User Specific' or 'Default setting'

    Hi,
    Did you mean Set or enable / disable? Anyways if you want to set, you can do it as follows:
    1. Global: I.e. Available for all
    Selection Variant: Global     do not toggle the User specific box
    Description: XYZ
    2. User Specific: Available only for the user
    Selection Variant: aaa   Toggle the user specific box.
    Description: uvw
    If this doesn't answer your query, please explain further.
    regards
    C

  • Howto disable direct login into DB server

    Hello Experts,
    I have a very old system with me(SAP 4.0B running on AIX/Oracle DB) which has 7 application servers, however there is too much load on all servers.
    I wish to restrict users logging directly onto the DB server.
    Is there a way to disable users login into DB servers, I know about SAP logon groups, however a user would still be able to bypass it by configuring direct connection in the saplogon.
    There could be a parameter perhaps that I don't recollect right now !
    Any help is appreciated.
    Regards,
    Siddhesh

    Hi Ermanno,
    I was aware of this solution, but didn't have detailed knowledge about it , cause I am primarily a Basis guy.
    I have assigned some points to you currently, I will check with my ABAPers and let you know.
    Meanwhile I'll keep the question open, just in case if someone has some parameter or some other easier option available..
    Thanks again.
    Regards,
    Siddhesh

  • Enable user personalization via code

    Hi,
    I'm currently developing a set of automated configurations for the portal using CTC template, during these configurations I'm required to enable/disable the WD user personalization option, this can be done manually via the nwa.
    can you help me with suggesting how it can be done manually?
    Thanks,
    Meir.

    Use userManager.enable method
    eg userManager um=Platform.getService(userManager.class);
    um.enable(usrlogin,true);
    or um.enable(usrkey,false);
    note: first argument should be ArrayList. if you pass user login then the second arg is true else false in case of user key.
    --nayan
