Bulk deletion of users

Hi,

I'm taking over the main administration of the domain for the college I work in. I've come across over 14,500 inactive accounts from the last 6/7/8/? years and want to delete them.

These accounts are under the main tree but under different OUs so I'm not sure it's a simple task.

I do have a CSV of all the usernames so was hoping there was an easy way to use this.

I've looked through the JRBUtils hoping for a nice tool to help but no luck.

Can anyone point me in the right direction for bulk deleting users across multiple OUs?

  • Verified Answer

    +1  

    Well, if you have a list of the affected objects with full context, you can script something to generate an LDIF file in the following format:

    ---


    dn: cn=user1,ou=someOU,o=someOrg
    changetype: delete

    dn: cn=user2,ou=anotherOU,o=anotherOrg
    changetype: delete

    ---

    Import it from the command line or within iManager (ICE), if you prefer.

    Even simpler, if you generate a file in this format

    ---

    cn=user1,ou=someOU,o=someOrg
    cn=user2,ou=anotherOU,o=anotherOrg

    ---

    and save it as, let's say, "filename.txt", you can enforce it from the CL via e.g.

    LDAPTLS_REQCERT=never ldapdelete -H ldaps://xx.xx.xx.xx:636 -x -D "cn=admin,o=org" -W < filename.txt

  • 0 in reply to   

    Works a treat, thanks Mathias! One more onto this though, I've just found I need to keep a couple thousand of these accounts another few months so want to disable a portion instead of delete. Is there a similar command to do this at all? We did try LDAPDISABLE on the off chance it would work.

  • 0   in reply to 

    You'd generate a file like this

    -----

    dn: cn=user1,ou=someUnit,o=someOrg
    changetype: modify
    replace: loginDisabled
    loginDisabled: TRUE

    dn: cn=user2,ou=someUnit,o=someOrg
    changetype: modify
    replace: loginDisabled
    loginDisabled: TRUE

    -----

    and import it via something like

     LDAPTLS_REQCERT=never ldapmodify -H ldaps://xx.xx.xx.xx:636 -x -D "cn=admin,o=someOrg" -W -f filename.ldif
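
The following is an added example, not code from any poster in this thread: it builds one LDIF holding both the delete records and the loginDisabled records shown above from a CSV of full DNs. The `dn` and `action` column names, the protected-DN keep-list and the sample rows are assumptions; it goes slightly beyond the thread by skipping duplicates and base64-encoding DNs that RFC 2849 does not allow as plain text.

```python
import base64
import csv
import io

# Constructed sample rows; the "dn" and "action" column names are assumptions.
SAMPLE_CSV = '''dn,action
"cn=user1,ou=someOU,o=someOrg",delete
"cn=user2,ou=anotherOU,o=anotherOrg",disable
"cn=Zoë,ou=someOU,o=someOrg",disable
"cn=user1,ou=someOU,o=someOrg",delete
"cn=admin,o=someOrg",delete
'''

# Assumed keep-list: DNs that must never appear in the output (lower-cased).
PROTECTED = {"cn=admin,o=someorg"}


def ldif_attr(name, value):
    """Return 'name: value', or base64 'name:: ...' where RFC 2849 needs it."""
    raw = value.encode("utf-8")
    plain = (all(b < 128 and b not in (0, 10, 13) for b in raw)
             and not raw.startswith((b" ", b":", b"<"))
             and not raw.endswith(b" "))
    if plain:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(raw).decode('ascii')}"


def build_ldif(csv_text):
    """Return (ldif_text, skipped_dns) for the rows in csv_text."""
    records, skipped, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        dn = (row.get("dn") or "").strip()
        action = (row.get("action") or "").strip().lower()
        key = dn.lower()  # simple case-insensitive match, not full DN normalisation
        if not dn or key in seen or key in PROTECTED or action not in ("delete", "disable"):
            skipped.append(dn)
            continue
        seen.add(key)
        lines = [ldif_attr("dn", dn)]
        if action == "delete":
            lines.append("changetype: delete")
        else:
            lines += ["changetype: modify", "replace: loginDisabled", "loginDisabled: TRUE"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n", skipped


if __name__ == "__main__":
    ldif, skipped = build_ldif(SAMPLE_CSV)
    print(ldif)
    print("skipped:", skipped)
```

Write the returned text to a file and review the skipped list before importing it with the `ldapmodify -f` command shown in the thread.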