One thing that I seem to do with monotonous regularity is disable user accounts as people churn though the companies that I work for. Usually once an account is disabled the chances of it being re-enabled while possible are always slim. One of the things that mostly gets forgotten when disabling an account is to also remove it from any distribution lists that account maybe in. Now with the new hot-fix this is not as much of a problem because a disabled mailbox can now be configured to still receive email. However it is still desirable for these disabled accounts not to be receiving email from distribution lists. Instead of going though each disabled user to work out if it’s a member of any distribution list and then remove it I decided to create a script that would fist let me list all the disable users that are in a distribution lists and also have an option so it will remove these users from that group.
For the script itself I’ve used ADSI and the ADO data shaping provider again. As in the past the ADO data shaping provider is great if you want to create hierarchal datasets which is perfect for what I want to do here. Basically the script first goes though and creates a parent record set with the names of all the mail enabled groups in Active directory. A second ADSI query is then performed which does a bitwise filter to retrieve a recordset of all the disabled users with a mailbox. A child recordset is then created with an entry for each group a user is in. The two recordsets are then related on the Group’s DistinguishedName which then gives me a retrievable hierarchy such as
GroupName-|
|-UserName
The display section of the code then just looks at groups with at least 1 disabled user as a member. Some extra code is added to skip the system mailboxes and some ADSI code also is used to remove the user from the group if the script is being run in remove mode.
To run the script in display mode just run the script without any command-line parameters eg
Cscript.disabusers.vbs
To run the script in remove mode meaning that it will remove the disabled accounts from the group memberships of any mail-enabled groups (this script does not different between group types) run the script with remove as the command-line parameter eg
Cscript disabusers.vbs remove
I’ve put a downloadable copy of the script here the code itself looks like
if wscript.arguments.length = 0 then
wscript.echo "Display Mode"
else
if lcase(wscript.arguments(0)) = "remove" then
mode = "remove"
wscript.echo "Remove Mode"
else
wscript.echo "Display Mode"
end if
end if
wscript.echo
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
set conn1 = createobject("ADODB.Connection")
strConnString = "Data Provider=NONE; Provider=MSDataShape"
conn1.Open strConnString
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
strDefaultNamingContext = iAdRootDSE.Get("defaultNamingContext")
set objParentRS = createobject("adodb.recordset")
set objChildRS = createobject("adodb.recordset")
strSQL = "SHAPE APPEND" & _
" NEW adVarChar(255) AS GRPDisplayName, " & _
" NEW adVarChar(255) AS GRPDN, " & _
" ((SHAPE APPEND " & _
" NEW adVarChar(255) AS USDisplayName, " & _
" NEW adVarChar(255) AS USDN, " & _
" NEW adVarChar(255) AS USGRPDisplayName, " & _
" NEW adVarChar(255) AS USGRPDN " & _
")" & _
" RELATE GRPDN TO USGRPDN) AS rsGRPUS "
objParentRS.LockType = 3
objParentRS.Open strSQL, conn1
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
GALQueryFilter = "(&(mailnickname=*)(|(objectCategory=group)))"
strQuery = "<LDAP://" & strDefaultNamingContext & ">;" & GALQueryFilter &
";distinguishedName,displayname,legacyExchangeDN,homemdb;subtree"
Com.ActiveConnection = Conn
Com.CommandText = strQuery
Set Rs = Com.Execute
while not rs.eof
objParentRS.addnew
objParentRS("GRPDisplayName") = rs.fields("displayname")
objParentRS("GRPDN") = rs.fields("distinguishedName")
objParentRS.update
rs.movenext
wend
GALQueryFilter =
"(&(&(mailnickname=*)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2)))"
strQuery = "<LDAP://" & strDefaultNamingContext & ">;" & GALQueryFilter &
";distinguishedName,displayname,legacyExchangeDN,homemdb;subtree"
Com.ActiveConnection = Conn
Com.CommandText = strQuery
Set Rs1 = Com.Execute
Set objChildRS = objParentRS("rsGRPUS").Value
while not rs1.eof
if instr(rs1.fields("displayname"),"SystemMailbox{") = 0 then
set objuser = getobject("LDAP://" & rs1.fields("distinguishedName"))
For each objgroup in objuser.groups
objChildRS.addnew
objChildRS("USDisplayName") = rs1.fields("displayname")
objChildRS("USDN") = rs1.fields("distinguishedName")
objChildRS("USGRPDisplayName") = objgroup.name
objChildRS("USGRPDN") = objgroup.distinguishedName
objChildRS.update
next
end if
rs1.movenext
wend
objParentRS.MoveFirst
wscript.echo "GroupName,Disabled User's Name"
wscript.echo
Do While Not objParentRS.EOF
Set objChildRS = objParentRS("rsGRPUS").Value
if objChildRS.recordCount <> 0 then
Do While Not objChildRS.EOF
Wscript.echo objParentRS.fields("GRPDisplayName") & "," &
objChildRS.fields("USDisplayName")
if mode = "remove" then
set objgroup = getobject("LDAP://" & objChildRS.fields("USGRPDN"))
Set objUser = getobject("LDAP://" & objChildRS.fields("USDN"))
objGroup.Remove(objUser.AdsPath)
objgroup.setinfo
wscript.echo "User-Removed"
end if
objChildRS.MoveNext
loop
end if
objParentRS.MoveNext
Loop
For the script itself I’ve used ADSI and the ADO data shaping provider again. As in the past the ADO data shaping provider is great if you want to create hierarchal datasets which is perfect for what I want to do here. Basically the script first goes though and creates a parent record set with the names of all the mail enabled groups in Active directory. A second ADSI query is then performed which does a bitwise filter to retrieve a recordset of all the disabled users with a mailbox. A child recordset is then created with an entry for each group a user is in. The two recordsets are then related on the Group’s DistinguishedName which then gives me a retrievable hierarchy such as
GroupName-|
|-UserName
The display section of the code then just looks at groups with at least 1 disabled user as a member. Some extra code is added to skip the system mailboxes and some ADSI code also is used to remove the user from the group if the script is being run in remove mode.
To run the script in display mode just run the script without any command-line parameters eg
Cscript.disabusers.vbs
To run the script in remove mode meaning that it will remove the disabled accounts from the group memberships of any mail-enabled groups (this script does not different between group types) run the script with remove as the command-line parameter eg
Cscript disabusers.vbs remove
I’ve put a downloadable copy of the script here the code itself looks like
if wscript.arguments.length = 0 then
wscript.echo "Display Mode"
else
if lcase(wscript.arguments(0)) = "remove" then
mode = "remove"
wscript.echo "Remove Mode"
else
wscript.echo "Display Mode"
end if
end if
wscript.echo
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
set conn1 = createobject("ADODB.Connection")
strConnString = "Data Provider=NONE; Provider=MSDataShape"
conn1.Open strConnString
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
strDefaultNamingContext = iAdRootDSE.Get("defaultNamingContext")
set objParentRS = createobject("adodb.recordset")
set objChildRS = createobject("adodb.recordset")
strSQL = "SHAPE APPEND" & _
" NEW adVarChar(255) AS GRPDisplayName, " & _
" NEW adVarChar(255) AS GRPDN, " & _
" ((SHAPE APPEND " & _
" NEW adVarChar(255) AS USDisplayName, " & _
" NEW adVarChar(255) AS USDN, " & _
" NEW adVarChar(255) AS USGRPDisplayName, " & _
" NEW adVarChar(255) AS USGRPDN " & _
")" & _
" RELATE GRPDN TO USGRPDN) AS rsGRPUS "
objParentRS.LockType = 3
objParentRS.Open strSQL, conn1
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
GALQueryFilter = "(&(mailnickname=*)(|(objectCategory=group)))"
strQuery = "<LDAP://" & strDefaultNamingContext & ">;" & GALQueryFilter &
";distinguishedName,displayname,legacyExchangeDN,homemdb;subtree"
Com.ActiveConnection = Conn
Com.CommandText = strQuery
Set Rs = Com.Execute
while not rs.eof
objParentRS.addnew
objParentRS("GRPDisplayName") = rs.fields("displayname")
objParentRS("GRPDN") = rs.fields("distinguishedName")
objParentRS.update
rs.movenext
wend
GALQueryFilter =
"(&(&(mailnickname=*)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2)))"
strQuery = "<LDAP://" & strDefaultNamingContext & ">;" & GALQueryFilter &
";distinguishedName,displayname,legacyExchangeDN,homemdb;subtree"
Com.ActiveConnection = Conn
Com.CommandText = strQuery
Set Rs1 = Com.Execute
Set objChildRS = objParentRS("rsGRPUS").Value
while not rs1.eof
if instr(rs1.fields("displayname"),"SystemMailbox{") = 0 then
set objuser = getobject("LDAP://" & rs1.fields("distinguishedName"))
For each objgroup in objuser.groups
objChildRS.addnew
objChildRS("USDisplayName") = rs1.fields("displayname")
objChildRS("USDN") = rs1.fields("distinguishedName")
objChildRS("USGRPDisplayName") = objgroup.name
objChildRS("USGRPDN") = objgroup.distinguishedName
objChildRS.update
next
end if
rs1.movenext
wend
objParentRS.MoveFirst
wscript.echo "GroupName,Disabled User's Name"
wscript.echo
Do While Not objParentRS.EOF
Set objChildRS = objParentRS("rsGRPUS").Value
if objChildRS.recordCount <> 0 then
Do While Not objChildRS.EOF
Wscript.echo objParentRS.fields("GRPDisplayName") & "," &
objChildRS.fields("USDisplayName")
if mode = "remove" then
set objgroup = getobject("LDAP://" & objChildRS.fields("USGRPDN"))
Set objUser = getobject("LDAP://" & objChildRS.fields("USDN"))
objGroup.Remove(objUser.AdsPath)
objgroup.setinfo
wscript.echo "User-Removed"
end if
objChildRS.MoveNext
loop
end if
objParentRS.MoveNext
Loop