How to delete disabled users in bulk from Active Directory

Obtain the two utilities, adfind and admod, from joeware.net.

From a command line, run the following:

  • adfind -bit -default -rb "OU=SomeRelativeOU" -f "&(samaccounttype=805306368)(userAccountControl:AND:=2)" -adcsv | admod -rm -safety 300

The above uses adfind to query AD for all 'normal' users which are disabled and located in the SomeRelativeOU OU, relative to the default naming context (i.e. CN=TLD,CN=ORG,CN=MY), and presents them in a format acceptable to admod via the -adcsv switch. Admod receives the data via the pipe and removes the objects via the -rm switch. The -safety 300 switch tells admod to perform its operation on no more than 300 objects. You must make sure that admod is not fed more objects than you specify with the -safety switch, or else it will report an error indicating such and quit without deleting anything.

You can check to see how many objects you’re going to affect by using adfind to query the count of items, with the -c switch, like this:

  • adfind -bit -default -rb "OU=SomeRelativeOU" -f "&(samaccounttype=805306368)(userAccountControl:AND:=2)" -c

To be safe, before performing a deletion, you should export all of the attributes of the items you're going to delete and place them in a text file. If you somehow mess up and need to recreate some or all of them, this may make the process a little easier.

  • adfind -bit -default -rb "OU=SomeRelativeOU" -f "&(samaccounttype=805306368)(userAccountControl:AND:=2)" >> someTextFile.txt

If you’re really adventurous, and think you really know what you’re doing, you can use the -unsafe switch with admod to tell it to perform its operations on an unlimited number of objects.
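The same count, export and capped-delete sequence as an added PowerShell example; it is not part of the original post and uses the ActiveDirectory module (RSAT) instead of adfind and admod. The OU name, the safety cap and the backup file path are placeholders, as in the post, and :AND: in the adfind filter is shorthand for the bitwise-AND matching rule OID written out below.

```powershell
# Added example (not from the original post): count -> export -> capped delete of disabled
# users with the ActiveDirectory module. Run it with -WhatIf first to see what would be removed.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [string]$RelativeOU = 'OU=SomeRelativeOU',          # placeholder, relative to the domain root
    [int]$Safety = 300,                                 # same role as admod -safety
    [string]$BackupFile = '.\disabled-users-backup.xml' # placeholder path
)
Import-Module ActiveDirectory -ErrorAction Stop

# Same LDAP filter as the adfind command: 805306368 = normal user account objects,
# 1.2.840.113556.1.4.803 = bitwise AND matching rule, bit 2 of userAccountControl = ACCOUNTDISABLE.
$filter     = '(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))'
$searchBase = "$RelativeOU,$((Get-ADRootDSE).defaultNamingContext)"

# Step 1: find the candidates and count them (the equivalent of adfind -c).
$users = @(Get-ADUser -LDAPFilter $filter -SearchBase $searchBase -Properties *)
Write-Host ("{0} disabled user(s) found under {1}" -f $users.Count, $searchBase)
if ($users.Count -eq 0) { return }

# Step 2: stop before touching anything if the cap would be exceeded (the equivalent of admod -safety).
if ($users.Count -gt $Safety) {
    throw "Found $($users.Count) objects but -Safety is $Safety; aborting before any deletion."
}

# Step 3: save every attribute first (the equivalent of redirecting the adfind output to a file).
$users | Export-Clixml -Path $BackupFile
Write-Host "Attributes of $($users.Count) object(s) saved to $BackupFile"

# Step 4: delete one object at a time, honouring -WhatIf and the ConfirmImpact prompt.
# Objects flagged ProtectedFromAccidentalDeletion will fail here rather than be removed silently.
foreach ($u in $users) {
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Remove-ADObject')) {
        Remove-ADObject -Identity $u.DistinguishedName -Confirm:$false
    }
}
```

Because ConfirmImpact is High, the script prompts before each deletion unless you pass -Confirm:$false, so the safe default is a dry run with -WhatIf followed by a confirmed run.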

1 comment:

  1. D.Ashok Kumar, 14. January 2008, 5:30

    You can also try out relatively cheap and effective tools in Active Directory Management and Reporting like ManageEngine ADManager Plus, which helps you to generate a report on inactive users for the number of days specified, disable them and move them to a different OU FROM THE REPORTS.
    Also generate a report on all disabled users and delete them.
    Try: http://www.admanagerplus.com