Basically, the script reads a file containing Distinguished Names (DNs) of users to be disabled and moved to a different OU. The code also sets the value of the description attribute so that the accounts can easily be identified as having been actioned by the script. Only enabled accounts will be actioned, so if it finds an account that is already disabled it will log the fact and move on.
The input file (in this case C:\DN.TXT) must contain one DN per line, as the example below shows:
CN=Mick Jagger,OU=Old,DC=blah,DC=com
CN=blah,OU=other,DC=blah,DC=com
CN=Keith Moon,OU=Old,DC=blah,DC=com
CN=Roger Daltrey,OU=other,DC=blah,DC=com
The script itself is shown below.
The script will log the following output. Note that the second entry is a non-existent DN and that this is handled correctly by the script (albeit with a short delay).
CN=Mick Jagger,OU=Old,DC=blah,DC=com
Account currently enabled
Previous Description: User created 12/07/2006 by Service Desk
Account disabled
Account for Mick Jagger moved to new OU
CN=blah,OU=other,DC=blah,DC=com
Error: check status of object :CN=blah,OU=other,DC=blah,DC=com
CN=Keith Moon,OU=Old,DC=blah,DC=com
Account currently enabled
Previous Description: User created 01/02/2005 by Service Desk
Account disabled
Account for Keith Moon moved to new OU
CN=Roger Daltrey,OU=other,DC=blah,DC=com
Account currently enabled
Previous Description: User created 12/07/2006 by Service Desk
Account disabled
Account for Roger Daltrey moved to new OU
I realise that there is scope for improvement, better error handling, etc., but sometimes in life you just have to get the job done and move on :-)
Alexei
29/08/2006
' This VBScript code will disable a user object
' and move it to a new OU.
'
' Some of the code used here derives from:
' Active Directory Cookbook, 2nd edition
' by Robbie Allen and Laura Hunter, published by O'Reilly Media.
' ------ SCRIPT CONFIGURATION ------
' Set to TRUE to disable enabled accounts and move them;
' set to FALSE to only report the account status
strDisableAccount = TRUE
strNewParentDN = "LDAP://OU=Disabled Accounts,DC=blah,DC=com"
' ------ END CONFIGURATION ---------
Const ForReading = 1
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("C:\dn.txt", ForReading)
While Not objFile.AtEndOfStream
    WScript.Echo vbCrLf
    strUserDN = objFile.ReadLine
    WScript.Echo strUserDN
    ' Errors are checked explicitly below; this statement also resets Err
    On Error Resume Next
    Set objUser = GetObject("LDAP://" & strUserDN)
    If Err.Number <> 0 Then
        ' Bind failed (-2147016656 means the object does not exist): log and skip this DN
        WScript.Echo "Error: check status of object :" & strUserDN
    Else
        If objUser.AccountDisabled = TRUE Then
            WScript.Echo "Account for " & objUser.Get("cn") & " currently disabled - not moved"
        Else
            WScript.Echo "Account currently enabled"
            If strDisableAccount = TRUE Then
                WScript.Echo "Previous Description: " & objUser.Get("description")
                ' An empty description raises an error; that is not a failure
                Err.Clear
                objUser.AccountDisabled = strDisableAccount
                objUser.Put "description", "#### Disabled and moved to Disabled Accounts OU via script 29/08/2006"
                objUser.SetInfo
                If Err.Number <> 0 Then
                    ' Do not log success if the change was not written
                    WScript.Echo "Error: could not disable " & strUserDN
                Else
                    WScript.Echo "Account disabled"
                    Set objCont = GetObject(strNewParentDN)
                    objCont.MoveHere "LDAP://" & strUserDN, vbNullString
                    If Err.Number <> 0 Then
                        WScript.Echo "Error: could not move " & strUserDN
                    Else
                        WScript.Echo "Account for " & objUser.Get("cn") & " moved to new OU"
                    End If
                End If
            End If
        End If
    End If
    Set objUser = Nothing
Wend
objFile.Close
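
Because the echoed log is the only record of what a run changed, it is worth reconciling it against the input list afterwards, so that DNs which errored or were never reached get followed up. The Python below is an added example, not part of the original post: the function name reconcile, the status labels and the two "Example" DNs are assumptions made here, while the marker strings are the script's own WScript.Echo texts.

```python
# Added example: reconcile the DN input file with the log the script echoes.
def reconcile(dn_lines, log_lines):
    """Return {dn: status} for every DN listed in the input file."""
    wanted = [d.strip() for d in dn_lines if d.strip()]
    wanted_set = set(wanted)
    records = {}          # dn -> lines the script echoed after that DN
    current = None
    for raw in log_lines:
        line = raw.strip()
        if line in wanted_set:            # the script echoes each DN as read
            current = records.setdefault(line, [])
        elif line and current is not None and not line.startswith("Previous Description:"):
            current.append(line)          # free-text description lines are skipped

    status = {}
    for dn in wanted:
        body = records.get(dn)
        if body is None:
            status[dn] = "missing_from_log"       # run never reached this DN
        elif any(l.endswith("moved to new OU") for l in body):
            status[dn] = "disabled_and_moved"
        elif "Account disabled" in body:
            status[dn] = "disabled_not_moved"     # needs manual follow-up
        elif any(l.endswith("currently disabled - not moved") for l in body):
            status[dn] = "already_disabled"
        elif any(l.startswith("Error:") for l in body):
            status[dn] = "error"
        else:
            status[dn] = "no_action_logged"
    return status
# Sample data: the first two records are from the page's log, the rest constructed.
SAMPLE_DNS = [
    "CN=Mick Jagger,OU=Old,DC=blah,DC=com",
    "CN=blah,OU=other,DC=blah,DC=com",
    "CN=Example One,OU=Old,DC=blah,DC=com",   # constructed
    "CN=Example Two,OU=Old,DC=blah,DC=com",   # constructed, absent from the log
]
SAMPLE_LOG = """
CN=Mick Jagger,OU=Old,DC=blah,DC=com
Account currently enabled
Previous Description: User created 12/07/2006 by Service Desk
Account disabled
Account for Mick Jagger moved to new OU
CN=blah,OU=other,DC=blah,DC=com
Error: check status of object :CN=blah,OU=other,DC=blah,DC=com
CN=Example One,OU=Old,DC=blah,DC=com
Account for Example One currently disabled - not moved
""".splitlines()
print(reconcile(SAMPLE_DNS, SAMPLE_LOG))
```

Any DN reported as error, disabled_not_moved, no_action_logged or missing_from_log should be checked in the directory by hand.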