Users in OU will not delete

[ReitzelTechnology]

We have a HOLD directory in AD for disabled users and computers. Every so often the server will need to run a script to emtpy this folder. The computers will delete fine but we cannnot get the users to delete.

Here is the code for the script

expandcollapse popup

#include <\\ReitzelTechnology.int\Adm$\AutoIt_Scripts\adfunctions.au3>
#include <Array.au3>
#include <File.au3>

;---------------
; Read OU
;---------------
Global $Users
$ou = "OU=HOLD1,DC=ReitzelTechnology,DC=int"; Root of your AD, e.g. DC=microsoft,DC=com
_ADGetObjectsInOU($Users, $ou, "(&(objectCategory=person))", 2)

Dim $Array1Size = UBound($Users)-1
;~ _ArrayDisplay($Sizes)
For $i = 0 To $Array1Size
    $Users[$i] = StringReplace($Users[$i], '$', '');removes money sign from end of each computer
    $Users[$i] = StringLower($Users[$i]);makes all Users lowercase
Next

If $Users = "" Then
    MsgBox(64, "No objects", "There are no objects in this OU")
    Exit
EndIf

_ArraySort($Users, 0, 1);sort alphabetically a-z
_ArrayDelete($Users, 0);removes the first row of array to get rid of count
;_ArrayDisplay($Users)
_FileWriteFromArray("C:\output_users.txt", $Users);output OU to text file


;--------------------------
; Delete Users from OU
;--------------------------
Dim $DelUsers
_FileReadToArray("C:\output_users.txt", $DelUsers)
_ArrayDelete($DelUsers, 0);removes the first row of array to get rid of count

Dim $Array2Size = UBound($DelUsers)-1
For $i = 0 To $Array2Size
    _ADDeleteObject($ou, $DelUsers[$i], "users")
Next

[water]

If you want to delete all objects in the OU then just list all objects of the OU and delete them. To determine the needed object type you could use the following code:

_AD_DeleteObject($sObject, _AD_GetObjectClass($sObject))

For this example to work you need to change from the adfunctions.au3 to the successor AD.au3 (for download please check my signature).

BTW:

Some error handling (checking the returnvalue, @error and a COM error handler) would greatly enhance the stability of your code.

[ReitzelTechnology]

Water:

Could you give me a simple example code piece to delete all items within a specified OU?

[water]

Sure, as soon as I'm back in my office.

[water]

I suggest something like this:

#include <AD.au3>
#include <File.au3>

$sTitle = "Active Directory Cleanup Script"
_AD_Open(); Open Connection to the Active Directory
If @error Then Exit MsgBox(16, $sTitle, "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)
Global $sOU = "OU=HOLD1,DC=ReitzelTechnology,DC=int"
Global $aObjects = _AD_GetObjectsInOU($sOU, "", 1, "distinguishedName")
If @error > 0 Then Exit MsgBox(64,$sTitle, "Error in _AD_GetObjectsInOU: " & @error)
For $i = 1 To $aObjects[0]
    _AD_DeleteObject($aObjects[$i], _AD_GetObjectClass($aObjects[$i]) & @CRLF)
    If @error > 0 Then
        Exit MsgBox(64, $sTitle, "Error in _AD_DeleteObject for '" & $aObjects[$i] & "': " & @error)
    Else
        _FileWriteLog(@ScriptDir & "AD_Delete.log", "Entry " & $aObjects[$i] & " successfully deleted!")
    EndIf
Next
_AD_Close(); Close Connection to the Active Directory

Edited January 28, 2012 by water

[ReitzelTechnology]

Hey thanks for that. But when I run it the log file says it was deleted but they still appear in AD, thoughts?

Edited January 28, 2012 by ReitzelTechnology

[water]

Could you please insert line "$iAD_Debug = 2" after "#include <ad.au3>" so we get some additional debugging information?

[ReitzelTechnology]

Here is what it pops up when I run the script

[water]

Ok. We have an error in the example script I posted.

If @error > 0 Then

should be

If @error <> 0 Then

Could you please run this modified version?

#include <AD.au3>
#include <File.au3>

$sTitle = "Active Directory Cleanup Script"
_AD_Open(); Open Connection to the Active Directory
If @error Then Exit MsgBox(16, $sTitle, "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)
Global $sOU = "OU=HOLD1,DC=ReitzelTechnology,DC=int"
Global $aObjects = _AD_GetObjectsInOU($sOU, "", 1, "distinguishedName")
If @error > 0 Then Exit MsgBox(64,$sTitle, "Error in _AD_GetObjectsInOU: " & @error)
For $i = 1 To $aObjects[0]
    _AD_DeleteObject($aObjects[$i], _AD_GetObjectClass($aObjects[$i]) & @CRLF)
    If @error <> 0 Then
        Exit MsgBox(64, $sTitle, "Error in _AD_DeleteObject for '" & $aObjects[$i] & "', Class ': " & _AD_GetObjectClass($aObjects[$i]) & "': " & @error)
    Else
        _FileWriteLog(@ScriptDir & "AD_Delete.log", "Entry " & $aObjects[$i] & " successfully deleted!")
    EndIf
Next
_AD_Close(); Close Connection to the Active Directory

[ReitzelTechnology]

Ok here is the error we get now

[water]

But when you run the above script you should get something like:

"Error in _AD_DeleteObject for 'CN=test user,OU=HOLD1,DC=ReitzelTechnology,DC=int', Class: 'computer': -21..."

[ReitzelTechnology]

But when you run the above script you should get something like:

"Error in _AD_DeleteObject for 'CN=test user,OU=HOLD1,DC=ReitzelTechnology,DC=int', Class: 'computer': -21..."

I get that same error except it says class:'user': 0. We have both users and computers in the directory

[water]

Could you please modify function _AD_DeleteObject so we get the "real" data the function uses?

Func _AD_DeleteObject($sAD_Object, $sAD_Class)

    If Not _AD_ObjectExists($sAD_Object) Then Return SetError(1, 0, 0)
    If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided
    Local $oAD_Object = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Object)
    Local $oAD_OU = _AD_ObjGet($oAD_Object.Parent) ; Get the object of the OU/CN where the object resides
    Local $sAD_CN = "CN=" & _AD_GetObjectAttribute($sAD_Object, "cn")
ConsoleWrite(">" & $sAD_Class & "-" & $sAD_CN & "<" & @CRLF) ; <=== This line is new
    $oAD_OU.Delete($sAD_Class, $sAD_CN)
    If @error <> 0 Then Return SetError(@error, 0, 0)
    Return 1

EndFunc   ;==>_AD_DeleteObject

Edited January 28, 2012 by water

[ReitzelTechnology]

Could you please modify function _AD_DeleteObject so we get the "real" data the function uses?

Func _AD_DeleteObject($sAD_Object, $sAD_Class)

    If Not _AD_ObjectExists($sAD_Object) Then Return SetError(1, 0, 0)
    If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided
    Local $oAD_Object = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Object)
    Local $oAD_OU = _AD_ObjGet($oAD_Object.Parent) ; Get the object of the OU/CN where the object resides
    Local $sAD_CN = "CN=" & _AD_GetObjectAttribute($sAD_Object, "cn")
ConsoleWrite(">" & $sAD_Class & "-" & $sAD_CN & "<" & @CRLF) ; <=== This line is new
    $oAD_OU.Delete($sAD_Class, $sAD_CN)
    If @error <> 0 Then Return SetError(@error, 0, 0)
    Return 1

EndFunc   ;==>_AD_DeleteObject

Did that, still no change

[water]

I know, but you should get the data that is used for the delete operation written to the console.

If you compile the script to run it please replace the ConsoleWrite with:

MsgBox(0, "", ">" & $sAD_Class & "-" & $sAD_CN & "<")

Edited January 28, 2012 by water

[water]

Am I correct the we now have the same problem you had with your original script? Computers can be deleted fine but users give an error?

What version of AutoIt do you use?

[ReitzelTechnology]

Am I correct the we now have the same problem you had with your original script? Computers can be deleted fine but users give an error?

What version of AutoIt do you use?

This new one won't delete anything, no computers or users. I am using 3.3.6.0

[water]

What user do you use to delete the computers/users (ordinary user, domain admin ...)?

We once had a problem with

[ReitzelTechnology]

What user do you use to delete the computers/users (ordinary user, domain admin ...)?

We once had a problem with

We use a domain admin account that we are logged in with

[water]

Can you delete computers or users with Microsoft admin tools?