HELP! Need VB script to remove the email address from General Tab in AD

[jonnyfive]

Hey Guys?Gals,

First post.. Hopefully I can gain some information as well as contribute....

Right now, I am facing this:

I have a mixed AD setup.. Meaning servers with 2003 and servers with 2008...

We have a process of terminating users.. Their mailbox gets archived, moved to termed OU, ect... However, each user is retaining the EMAIL address on the general tab of the AD properties of each user. What I am needing is a VB script that will clear everybodies EMAIL from the General tab. I have tried this:

Const ADS_PROPERTY_CLEAR = 1

Set objContainer = GetObject _
("LDAP://ou=Terminated Users,dc=corp,dc=CorpName,dc=com")

objContainer.PutEx ADS_PROPERTY_CLEAR, "mail", 0

objContainer.SetInfo

That does not work. Well.... It executes without any errors. But when I check users email portion on the general tab within the terminated users OU, they still have the mail address filled in. I HAVE waited, refreashed, and replicated all DC......

Any ideas??

[FN-GM]

Can you not select all the accounts > Right click > Properties and clear them that way?

[Steve21]

That does not work. Well.... It executes without any errors. But when I check users email portion on the general tab within the terminated users OU, they still have the mail address filled in. I HAVE waited, refreashed, and replicated all DC......

Any ideas??

Simple answer (Unless I'm imaging this late at night), You're editting what user?

Answer, None. You haven't told it at all what user to edit.

Normally you'd do a LDAP://cn=Bob,ou=blahblah which would run on account Bob.

You don't run it on anyone the way you wrote it. It has to be a user you're changing permissions, and if you want a group done you need to enumerate it through each user. Else as you're getting, it's running perfect, doing exactly what you asked it to. Set no-ones propertys :P

Steve

[jonnyfive]

Our term process is automated... Yes, your method works, if I want to babysit AD every two minutes(this is a HUGE company).... That is how I initially cleared them out... But when our main term script runs, this field is not cleared. Thus bringing me to this question. Thank you though

[jonnyfive]

@steve....

I am not wanting a single user.. I am wanting EVERY user within the OU after the Term script places the user in the Terminated Users OU.... Here is another script I tried that WORKS... but the email address is " " which is a space... What is the correct way to put no values in the field?
See the following:

On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

objCommand.CommandText = _
"SELECT AdsPath FROM 'LDAP://OU=Terminated Users,DC=corp,DC=fleishman,DC=com' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
Set objUser = GetObject(objRecordSet.Fields("AdsPath").Value)
strEmailAddress = objUser.Mail
strEmailAddress = LCase(strEmailAddress)
objUser.Mail = " " <------That is where the SPACE is for email.. Blanks it out, but I have a feeling it is not correct.. How can I VOID value out......
objUser.SetInfo
objRecordSet.MoveNext
Loop

[Steve21]

If you read what I said though, You're not setting ANY user. You have to set a SINGLE user, and enumerate it through...

As it is your original script is NOT set to change anyone. No-one.

Notice in the second script, It's looping through each user "setting a SINGLE user at a time"

Try this:


Const ADS_PROPERTY_CLEAR = 1
Set objContainer = GetObject("LDAP://ou=Terminated Users,dc=corp,dc=CorpName,dc=com")
objContainer.Filter = Array("user")
For Each objUser In objContainer
objUser.PutEx ADS_PROPERTY_CLEAR, "mail", 0
objUser.SetInfo
Next


Steve

[Steve21]

Think of it like this:

You have 5 users, MrA, MrB... MrE

Originally your code before you editted it said:

Set MrA = Blue
So it'd change MrA to Blue.

Now you changed it to Set "blank" = Blue.
Blank doesn't equal everyone, it equals no-one.

So now you need to change it do to:

For MrA-MrE
Set User = Blue
Next

etc

That make more sense? It's late, so apologies if that seems rudely written. Just trying to explain why you need to edit, each user, and not just leave it blank as such

Did you try the code above?

Steve

[Arthur]

PowerShell seems much better suited to this task...

Code:

Get-QADUser -SearchRoot 'corpname.com/Terminated Users' | Set-QADUser -ObjectAttributes @{mail=$null}

[jonnyfive]

Will try tomorrow morning. Thank you all for such good input. And yes, explanation helped out.

J

PowerShell seems much better suited to this task...

Code:

Get-QADUser -SearchRoot 'corpname.com/Terminated Users' | Set-QADUser -ObjectAttributes @{mail=$null}

[jonnyfive]

PowerShell seems much better suited to this task...

Code:

Get-QADUser -SearchRoot 'corpname.com/Terminated Users' | Set-QADUser -ObjectAttributes @{mail=$null}

Tried Powershell and got this:

The term 'Get-QADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:12
+ Get-QADUser <<<< -SearchRoot 'lab.fhdevlab.com/Terminated Users' | Set-QADUser -ObjectAttributes @{mail=$null}
+ CategoryInfo : ObjectNotFound: (Get-QADUser:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException


???? Will try VB now..

Thanks again

[jonnyfive]

With the VB script I get a General access denied... It seems to work for all the accounts except the last one... The "Next" is seeming to hang it up.. And my account is Admin, Domain Admin, Enterprise Admin, Org Manager, Schema Admin.... So I don's see permissions as an issue...

[jonnyfive]

Scratch that... In the test bed it did not work... Which does not suprise me... I tested it on a test OU live.. and it worked flawlessly. I am curios however, as to why the PS didn't work... Again, probably a test bed thing.

[Arthur]

The term 'Get-QADUser' is not recognized as the name of a cmdlet, function, script file, or operable program.

I should have mentioned you need to download and install Quest's ActiveRoles PowerShell Snap-in for that to work.

Try this once you have the snap-in installed...

Code:

Add-PSSnapin Quest.ActiveRoles.ADManagement

Get-QADUser -SearchRoot 'corpname.com/Terminated Users' | Set-QADUser -ObjectAttributes @{mail=$null}

or

Code:

Add-PSSnapin Quest.ActiveRoles.ADManagement

Get-QADUser -SearchRoot 'OU=Terminated Users,DC=corp,DC=corpname,DC=com' | Set-QADUser -ObjectAttributes @{mail=$null}

By the way, to load the snap-in automatically here are some instructions on how to add it to your PowerShell profile...

http://desktopfeedbag.com/2008/08/02...ve-powershell/

[jonnyfive]

One last thing... The following is the actual snippit from our term script that is calling the individual user to be terminated's email address... Notice there is a call to LDAP with predefined scopes.. In here somewhere, could I insert something that will just piggyback off of this LDAP call and clear the AD property along with it's clearing of the SMTP and x400 addressess??



Dim objUser, entry

eAddresses = ""
set objUser = GetObject("LDAP://"& g_sDN)

For Each entry in objUser.GetEx("proxyAddresses")

If instr(entry,"X400") = 0 Then
eAddresses = eAddresses & entry & " , "
end if

Next

eAddresses = Replace(eAddresses,"smtp","")
eAddresses = Replace(eAddresses,"SMTP","")
eAddresses = Replace(eAddresses,":","")

WriteLog "SMTP Email Addresses: " & eAddresses
sbEmail.Add "SMTP Email Addresses: " & eAddresses & vbcrlf

if err.number <> 0 then
'errorHandler "Get SMTP Info Failed ", hex(err.number), err.Description, false
WriteLog "Unable to get SMTP info"
err.clear
end if