For some AD accounts (resource mailboxes) it is not necessary to log in.
It is a good idea to keep those accounts in a separate OU.
This script disables all user objects in a given OU.
That way the resource mailbox will still function; only the AD account of this mailbox is no longer permitted to log in.
For optimal security the script can be run daily (Windows scheduler).
Follow the next steps to run the script (admin rights needed):
- open your favorite text editor
- copy and paste the script into the editor
- change the OU path to your specific situation
- save the script (for example c:\temp\disableloginresourcemailboxes.vbs)
- open a command prompt with administrative rights
- go to “c:\temp”
- type “cscript disableloginresourcemailboxes.vbs” (without quotes) and press enter
The script:
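' Name : disableloginresourcemailboxes.vbs
' Description : script to disable all user objects in an OU
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 20-01-2010

' Bind to the OU that holds the resource mailbox accounts (change this path)
Set objOU = GetObject("LDAP://OU=TestOU,DC=test,DC=org")

' Walk every object directly in the OU and disable the user objects only
For Each objUser In objOU
    If LCase(objUser.Class) = "user" Then
        objUser.AccountDisabled = True
        ' Write the change back to Active Directory
        objUser.SetInfo
    End If
Next

Set objOU = Nothing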
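
An audit-first variant of the script above, added here as an example and not part of the original post: it reports which user objects in the OU are still enabled (an account that was re-enabled since the last daily run shows up here) and disables them only when run with a /apply switch. The /apply switch, the file name in the comments and the exit-code convention are assumptions of this example; the OU path is the sample value from the script above.

```vbscript
' Added example (not the original author's script): audit and dry-run variant.
' Hypothetical file name: auditresourcemailboxes.vbs
'   cscript auditresourcemailboxes.vbs          -> report only
'   cscript auditresourcemailboxes.vbs /apply   -> report and disable
Option Explicit

' Same sample OU path as the script above; change it to your own OU
Const OU_PATH = "LDAP://OU=TestOU,DC=test,DC=org"

Dim objOU, objUser, blnApply, intEnabled, intChanged, intFailed
blnApply = WScript.Arguments.Named.Exists("apply")
intEnabled = 0 : intChanged = 0 : intFailed = 0

Set objOU = GetObject(OU_PATH)
For Each objUser In objOU
    ' Class is "user" for user objects; computers, groups and contacts are skipped
    If LCase(objUser.Class) = "user" Then
        If Not objUser.AccountDisabled Then
            intEnabled = intEnabled + 1
            WScript.Echo "ENABLED: " & objUser.Name
            If blnApply Then
                ' Trap errors per account so one failure does not stop the run
                On Error Resume Next
                objUser.AccountDisabled = True
                objUser.SetInfo
                If Err.Number = 0 Then
                    intChanged = intChanged + 1
                    WScript.Echo "  disabled"
                Else
                    intFailed = intFailed + 1
                    WScript.Echo "  FAILED: 0x" & Hex(Err.Number) & " " & Err.Description
                    Err.Clear
                End If
                On Error GoTo 0
            End If
        End If
    End If
Next
Set objOU = Nothing

WScript.Echo "Enabled accounts found: " & intEnabled & _
    ", disabled now: " & intChanged & ", failed: " & intFailed
' Non-zero exit code: a failure occurred, or enabled accounts were left untouched
If intFailed > 0 Or (intEnabled > 0 And Not blnApply) Then WScript.Quit 1
```

Redirecting the output of the scheduled run to a dated log file keeps a record of which accounts were found enabled on which day.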

That’s just crazy simple and useful. Thanks.
I added code to hide the mailbox, and made use of it. I may use a description at some point also. Examples follow:
objUser.Put "msExchHideFromAddressLists", True
objUser.SetInfo
objUser.Put "description", "Disabled mm-dd-yy"
objUser.SetInfo
[...] came across this handy and concise example, and modified it to run through a group of OUs while doing what I needed it to [...]