niedziela, 27 października 2013

Wyłączenie kilku kont użytkowników w AD - Skrypty VBS/ BAT cz.7

Przy pomocy skryptu VBS możemy wyłączyć grupowo konta, które są nieaktywne od jakiegoś czasu, lub konta osób, które już nie pracują.

1) Blokowanie osób, które nie pracują w firmie:

Do pliku users dodajemy konta, które chcemy zablokować; w pliku disabledusers znajdują się informacje o tym, które konta zostały zablokowane.



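' Disable every AD user account listed in strFile (one sAMAccountName per line).
' Results are optionally appended to strLogFile. Accounts that are already
' disabled are only counted and listed; names with no matching user object are
' logged and skipped. Runs under WSH with the rights of the current user, who
' needs write access to userAccountControl on the target objects.
strFile = "c:\users.txt"
strLogFile = "c:\disabledusers.log"
Const ForReading = 1
Const ForAppending = 8
Const ADS_UF_ACCOUNTDISABLE = &H02
intCount = 0          ' accounts disabled by this run
intDisabledCount = 0  ' accounts that were already disabled
intMissingCount = 0   ' names with no matching user object
intErrorCount = 0     ' bind/write failures (details go to the log)
strMsg = ""           ' list of already-disabled names shown at the end
strLogMsg = ""        ' trailer telling the operator where the log went

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFile, ForReading)
Set objLogFile = objFSO.OpenTextFile(strLogFile, ForAppending, True)

' Bind to the current domain and prepare one reusable ADO/ADSI command.
' A failed bind here stops the script instead of being silently ignored.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
' ADSI LDAP-dialect query: <LDAP://base>;(filter);attributes;scope
strBase = "<LDAP://" & strDNSDomain & ">"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False

intAnswer = MsgBox("This script will attempt to Disabled all user accounts as specified in the text file '" & _
 strFile & "'  " & vbCrLf & vbCrLf & "Would you like to append the results to the log file located at '" & _
 strLogFile & "'?  ", vbYesNo+vbQuestion, "Disable Accounts")
booLogging = (intAnswer = vbYes)
If booLogging Then
 strLogMsg = "The log file can be located at: '" & strLogFile & "'"
End If

' Errors inside the loop are inspected per call via Err.Number so one bad
' entry never aborts the run, but also never reuses stale state.
On Error Resume Next
While Not objFile.AtEndOfStream
 strUser = Trim(objFile.ReadLine)
 If Len(strUser) > 0 Then
  ' Escape RFC 4515 metacharacters so a list entry can never widen the search.
  strFilter = "(sAMAccountName=" & EscapeLdapFilter(strUser) & ")"
  strAttributes = "distinguishedName"
  strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
  objCommand.CommandText = strQuery

  strUserDN = ""  ' reset so a lookup miss cannot reuse the previous DN
  Set objRecordset = objCommand.Execute
  If Err.Number = 0 Then
   Do Until objRecordset.EOF
    strUserDN = objRecordset.Fields("distinguishedName").Value
    objRecordset.MoveNext
   Loop
   objRecordset.Close
  End If
  Err.Clear

  If Len(strUserDN) = 0 Then
   intMissingCount = intMissingCount + 1
   If booLogging Then objLogFile.WriteLine Now() & vbTab & strUser & vbTab & "Not Found"
  Else
   Set objUser = GetObject("LDAP://" & strUserDN)
   intUACFlag = objUser.Get("userAccountControl")
   If Err.Number <> 0 Then
    intErrorCount = intErrorCount + 1
    If booLogging Then objLogFile.WriteLine Now() & vbTab & strUser & vbTab & "Error: " & Err.Description
    Err.Clear
   ElseIf (intUACFlag And ADS_UF_ACCOUNTDISABLE) = 0 Then
    ' Set only the disable bit; writing the literal 514 would wipe every other
    ' flag on the account (e.g. DONT_EXPIRE_PASSWD, SMARTCARD_REQUIRED).
    objUser.Put "userAccountControl", intUACFlag Or ADS_UF_ACCOUNTDISABLE
    objUser.SetInfo
    If Err.Number <> 0 Then
     intErrorCount = intErrorCount + 1
     If booLogging Then objLogFile.WriteLine Now() & vbTab & strUser & vbTab & "Error: " & Err.Description
     Err.Clear
    Else
     intCount = intCount + 1
     If booLogging Then objLogFile.WriteLine Now() & vbTab & strUser & vbTab & "Disabled Account"
    End If
   Else
    intDisabledCount = intDisabledCount + 1
    strMsg = "  *  " & strUser & vbCrLf & strMsg
    If booLogging Then objLogFile.WriteLine Now() & vbTab & strUser & vbTab & "Already Disabled"
   End If
   Set objUser = Nothing
  End If
 End If
WEnd
On Error GoTo 0

objFile.Close
objLogFile.Close
objConnection.Close

If intDisabledCount <> 0 Then
 WScript.Echo "Disabled " & intCount & " user accounts. " & strLogMsg & vbCrLf & vbCrLf & _
  "The following accounts were already disabled: " & vbCrLf & strMsg
Else
 WScript.Echo "Disabled all " & intCount & " user accounts. " & strLogMsg
End If
If intMissingCount + intErrorCount > 0 Then
 WScript.Echo intMissingCount & " name(s) not found and " & intErrorCount & " error(s); see the log file for details."
End If

' Escape the characters RFC 4515 reserves inside an LDAP filter value.
' Backslash is replaced first because it is the escape character itself.
Function EscapeLdapFilter(strValue)
 Dim strOut
 strOut = Replace(strValue, "\", "\5c")
 strOut = Replace(strOut, "*", "\2a")
 strOut = Replace(strOut, "(", "\28")
 strOut = Replace(strOut, ")", "\29")
 strOut = Replace(strOut, Chr(0), "\00")
 EscapeLdapFilter = strOut
End Function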
2) Blokowanie kont, które są nieaktywne od 30 dni:

Do pliku .bat wrzucamy (zmieniając czerwone parametry na własne):

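REM -inactive is given in WEEKS: 4 weeks = 28 days, not the 30 days named in -desc.
REM dsquery judges inactivity from the replicated last-logon attribute, which
REM lags the real last logon (NOTE(review): typically by up to ~14 days - confirm),
REM so the effective threshold is a window rather than an exact day.
REM -limit 0 lifts dsquery's default cap of 100 returned objects; without it a
REM larger OU is only partially processed. Every DN returned is disabled
REM unconditionally, so review the redirected output file after each run.
dsquery user "ou=nasza_jednostka_org,dc=local,dc=com" -inactive 4 -limit 0 | dsmod user -desc "Konto zablokowane automatycznie po 30 dniach nieaktywnosci" -disabled yes > c:\zablokowaneKonta.txt 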


