Disable AD user account

  • 110 Views
  • Last Post 01 August 2017
Jessefmoore posted this 25 July 2017

Does anyone know why I can't see logs generated by AD when I use a service account with authority to disable a user in an Active Directory using a VB script?
Thank you,
-Jesse 

Jessefmoore posted this 25 July 2017

Below are the main objects and functions used to set and query user objects by our VB script. As you can see, it all looks standard,
so the problem may indeed be related to how these logs are classified by Microsoft and under what audit policy they fall.
I thought it may be part of the very noisy "object access" audit policy, which was turned on, but nothing.

Const ADSUFACCOUNTDISABLE = &H2                            ' ADS_UF_ACCOUNTDISABLE; defined elsewhere in the full script

strPath = "WinNT://" + "DOMAINNAME" + "/" + strAccount
'strPath = "ADSI://" + "DOMAINNAME" + "/" + strAccount
Set oUser = GetObject(strPath)                             ' get user object

Set objUser = GetObject("LDAP://" & strUserDN)             ' disabling acct function
intUAC = objUser.Get("userAccountControl")
If Err <> 0 Then
    Logit "ERROR: " & Err.Description, "UpdateAMCUser", SALOG, LOGVERBOSE
    ' Logit VBTAB & strUpdateStatus & " with error", "UpdateAMCUser", USERLOG, LOGVERBOSE
    objLogFile.WriteLine strAccount & " ERROR (not disabled)"
    Err.Clear
Else
    Logit "disabling", "UpdateAMCUser", SALOG, LOGVERBOSE
    objUser.Put "userAccountControl", intUAC Or ADSUFACCOUNTDISABLE
    objUser.SetInfo                                        ' commit the change to the DC; nothing is written (or audited) until this runs
End If

The only thing I changed above is the actual domain to --> DOMAINNAME
Thank you,
-Jesse 

jhondrake posted this 26 July 2017

You can run the following VBScript:

' DisableADUserWithsamAccountName.vbs
' Sample VBScript to disable an AD user by sAMAccountName.
' ------------------------------------------------------'
 
Option Explicit
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset,strUserDN
Dim strSamAccountName,objUser
 
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection
 
' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
 
varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"
 
strSamAccountName="Test"
 
' Filter on user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(samaccountname="& strSamAccountName &"))"
 
' Comma delimited list of attribute values to retrieve.
varAttributes = "samaccountname,distinguishedname"
 
' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False
 
' Run the query.
Set adoRecordset = adoCommand.Execute
 
' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve the DN, bind to the user and set the disabled flag.
    strUserDN = adoRecordset.Fields("distinguishedname").Value
    Set objUser = GetObject("LDAP://" & strUserDN)
    objUser.AccountDisabled = True
    objUser.SetInfo

    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

If strUserDN = "" Then
    MsgBox "No user found with the name '" & strSamAccountName & "'"
Else
    MsgBox "The user '" & strSamAccountName & "' disabled successfully..."
End If
 
' close ado connections.
adoRecordset.Close
adoConnection.Close


For more information, see Disable AD User Account : https://msdn.microsoft.com/en-us/library/windows/desktop/ms696026(v=vs.100).aspx
http://www.morgantechspace.com/2013/11/Disable-Active-Directory-User-Account-using-VBScript.html

ZJORZ posted this 26 July 2017

Because the correct (sub)category for auditing is not enabled and/or no SACL has been defined?

Kind regards,
Jorge de Almeida Pinto
MVP Enterprise Mobility And Security | MCP/MCSE/MCITP


Jessefmoore posted this 26 July 2017

Yup, does anyone know which (sub)category for auditing I need to enable, or what SACL needs to be defined? Right now I have been turning stuff on and off and can't seem to find it. Any additional help with specifics would be awesome. Thanks.
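As an added example for the two posts above (the pointer to an audit (sub)category and a SACL, and the question of which ones), here is a PowerShell script that is not from anyone in this thread. It assumes it runs elevated on a domain controller with the RSAT ActiveDirectory module, and `$OU` is a placeholder DN you replace with the OU that holds the accounts your script disables. It checks and enables the two subcategories that cover account disablement, adds a SACL so writes to `userAccountControl` on user objects under that OU are audited, and then reads the resulting Security-log events.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Run as an administrator on a DC.
$OU = "OU=Staff,DC=example,DC=com"   # placeholder: OU containing the accounts your script disables

# 1. Audit policy. Two subcategories are relevant:
#    "User Account Management"   -> 4725 (user account disabled), 4738 (user account changed);
#                                   these need no SACL, only the subcategory enabled.
#    "Directory Service Changes" -> 5136 (directory object modified, old/new attribute values);
#                                   fires only where a SACL on the object asks for it.
$subcategories = "User Account Management", "Directory Service Changes"
foreach ($sc in $subcategories) {
    auditpol /get /subcategory:"$sc"
    # If the DC receives its audit settings from a GPO (e.g. Default Domain Controllers Policy),
    # set them there instead; a local auditpol change would be reverted at the next refresh.
    auditpol /set /subcategory:"$sc" /success:enable /failure:enable
}

# 2. SACL: audit successful WriteProperty on userAccountControl for user objects under $OU.
#    The attribute and class GUIDs are read from the schema instead of being hard-coded.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attrGuid  = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=userAccountControl)" `
                    -Properties schemaIDGUID).schemaIDGUID
$classGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=user)" `
                    -Properties schemaIDGUID).schemaIDGUID

$everyone = [System.Security.Principal.SecurityIdentifier]::new("S-1-1-0")
$rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    $attrGuid,                                                          # only this attribute
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)                                                         # only on user objects

$acl = Get-Acl -Path "AD:\$OU" -Audit     # -Audit is required to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$OU" -AclObject $acl

# 3. After running the disable script, the events it should now produce on this DC
#    (check the DC the script actually bound to; events are not replicated between DCs).
$filter = @{ LogName = 'Security'; Id = 4725, 4738, 5136; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

4725 alone is enough to see that a service account disabled a user (the Subject fields name the caller); 5136 is worth the SACL when you also want the before/after value of userAccountControl in the log.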


TonyFE posted this 26 July 2017

Hi Jesse

This should help…

http://www.open-a-socket.com/index.php/2014/07/14/how-to-enable-active-directory-auditing/

Tony


ZJORZ posted this 27 July 2017

Check out my blog below and search for "audit" or "auditing".

Kind regards,
Jorge de Almeida Pinto
E-Mail: jorge@xxxxxxxxxxxxxxxx
Blog: https://jorgequestforknowledge.wordpress.com/
