ekingg 2008-4-8 10:20
求个脚本,列出90天AD里没登录的用户.
求个脚本,列出90天AD里没登录的用户,并删除.*L�{6N-O�T
D�F
1d�K�j�`%Y/T o
顺便问下有什么可以加密VBS的内容的工具或算法.&f4u)Q4`%p�z�q�i�L
�h
T4L!j$b�o�T�i
[[i] 本帖最后由 ekingg 于 2008-4-8 11:06 编辑 [/i]]
ekingg 2008-4-8 17:00
高手今天都很忙吗
8E�m S"F
U
偶把现在查找的脚本放上来给大家看看. :P
�G([�I�C�\�]
�V�k/J'R.T�x,~�G
'Modified for US Date format m/d/y, file name ? still a problem�_�r�~#q�s�N
I
'Modified for disabled new account Notlogon and disabled >= 90 days3X�v+H5W
h o�o%L)M�K W4}
'Modified for new account not logon >= 30 days and not disabled�F9y�a r�p�b-R�W8|,a&t
!B�H9Y9i#[�d�O2G�h�T
'ODD Users: disabled but not listed, sovled by using "m/d/y" format for condition�^3L2s$d�I�V�r0e
�i�k�o.|�w
V.l+f6m8T�B v
'********************
�B�{ G3b�@�j9x
'* Define Constants **c�^$B�r%p(d�X9Z5A
'********************
�?�`0~�w�A
Const MgmtDel = -90 'disabled or not logon for XX days, old account!
!?5q�x!H�r�J-d,I/A:s�N
Const MgmtDis = -30 'not logon for XX days, new account!�V�k7h�d�k�m
Const ADS_PROPERTY_APPEND = 3
�H'g4N�T,S�p(b�c
Const ADS_NAME_TYPE_NT4 = 3
9E�_$p�[2h�{6@�j2s�T�S
Const ADS_NAME_TYPE_1779 = 1
�Y�|1N�R�R�B�Z
�A
}�^�H1T!B�p
'*********************
�@)t�w!^
z)d
k U
'* Declare Variables *
V+w�O�`9n�_
'*********************�j0i�g)I2f�i�i�|
Dim expDate 'expiration date4u�F:[:@�w6U4R�g&M
Dim createDate 'account first created
�W�b j3D;h�@0f�k
Dim lastLogDate 'account last logon date�G%C�Z�`'a
Dim lastmodDate 'last modified date
6D�S!y5@�W
Dim accDisabled 'if account disabled, 514 for disable, 512 for enable(e
e
P�N*{�o$D
Dim mFile
$J-V
H&Y,U�w
Dim WshShell
[)N
}4Q�J#j�Y
L
Dim strFilter.R&T7O�}1D�\�O�m6J�~
Dim strAttributes
8I)T'c0r
]5w9c
Dim strQuery
9J,d,]�Z�O�x6i
Dim objRootDSE
5r(k.z�n�J:V
Dim strDNSDomain;@-S9W |%O;D
Dim objCommand4g�W;r(\�{�B�|�o5?
Dim objConnection
�j!S�m-P:n7~%J�O
?
Dim MyArr
�M�r*[1Q(z9m�f
Dim Upper
-V*g$W7}:w�S
Dim strUserNTName
�h�\3C8y�N
Dim objTrans
&?+Y�k8s�f�g
{�x
Dim strNetBiOSDomain
u9V9R�N�G$A-i�Y�h
Dim strUserDN�Z�d-W3n%u)g2R
Dim objDate�|2i�m!{
w�v
�B�`,|�u!O O�w�d:V
'*********************�y�O�j�E�W�T�m N)L!l
'* Get Required Info *(T,K�v�|6f/K3\%g%T
@:q�O�F
'* and Build Outputs *
-K;a+X F�_�R�f
'*********************
�?�q%w \�~�T
' Determine DNS domain name.�t�j�_�{�l�~"}
Set objRootDSE = GetObject("LDAP://RootDSE")
3h�y
l�d�[�L#H
strDNSDomain = objRootDSE.Get("defaultNamingContext") 'domain DNS name
(\%E1Z�o.\4a
strNetBiOSDomain = "ASIA_RRD_COM" 'domain NetBIOS name0R�x�D�l�d;H�Z)^
Set fso = CreateObject("Scripting.FileSystemObject")7t4N!G�|�y#f�M�D�H�_%B
Set mFile = fso.CreateTextFile("./" & strNetBiOSDomain & "-UserManage-" & Year(Date) & "-" & Month(Date) & "-" & Day(Date) & ".txt") 5y�L:~'K�]�A�i�c
mFile.Writeline("UserName,AccountType,SinceCreated,SinceLastModified,SinceLastLogon,Actions")
�\�j�T&b3t9G�_.J
'******************
#]�Q0Y5s1`�X�s8R�U�|
'* Search the Domain * SHOULD USE ADO LDAP to support timestamp attr
&D W�\)M+_"q�n:r"Q
'******************
d9\�F.^*N
' Use ADO to search Active Directory.
8i:k�r3R,q:w
J6K5T
Set objCommand = CreateObject("ADODB.Command")�o�|�f1G-h�^8M6}
Set objConnection = CreateObject("ADODB.Connection")�K�r$j!Y�d)x5D/d
objConnection.Provider = "ADsDSOObject"
#w�a�I�E+V
objConnection.Open "Active Directory Provider"�~2x!J�v�Y�t
i
objCommand.ActiveConnection = objConnection6A�G1b
E8E�S
strBase = "<LDAP://" & strDNSDomain & ">"
/|�\$E2q$l-z
strFilter = "(&(objectCategory=person)(objectClass=user))"
4p(U;?�C ~
strAttributes = "givenName,sn,sAMAccountName,name,displayName,userPrincipalName,whenCreated,lastLogon,whenChanged,userAccountControl"
"D'f5x!g9m4O.H3g�b�Q
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"�]�U'D�Y�}�d)y
objCommand.CommandText = strQuery�T5{1W�a�Y){ x:}
C;I
objCommand.Properties("Page Size") = 20
6y$M/y:|(L
_�r
objCommand.Properties("Timeout") = 30
0}�C0X�i�Y#P�H;r�m+E
objCommand.Properties("Cache Results") = False8r8_&A5V0U6u�p"x�_
objCommand.Properties("Sort On") = "sAMAccountName"
%Y%Z�B�k&Y�@+h6^3B
y�h
Set objRecordSet = objCommand.Execute�q1[�j�K
{9b
Set objRecordSetArr = objCommand.Execute!H�S�{�K5Y.J�^
�w�@
d�~3q
If objRecordSet.EOF Then
�G�V�k�`!r1l�}�f
Wscript.Echo "No user found!!".h�M+i�y�[:k�D�l�q�H
End If
:y�W�J�X3A�D
7a�_�O7R�K
'if user exists, then run search
!m5_�u�z1k�t4J�C7r
'****************************
)f�o�T&G�i;L�e�|
'* Start Loop to find Users *9h9w"M�])[�z
'*****************************V4e�q1A${ h#c�\2X
Do Until objRecordSet.EOF
�@*v$x;c�E'u�[�}(}.J,W
�_!_�q�B:X)s
strUserNTName = objRecordSet.Fields("sAMAccountName").Value
!I$T�C;g�_
�J5}�i6{-c�H/C�|
'Wscript.echo strUserNTName(l�{!G j�}�h;Y)L
q
Set objTrans = CreateObject("NameTranslate")
:c$u�~-Y�p&H/]&t&m�q�v
objTrans.Set ADS_NAME_TYPE_NT4, strNetBiOSDomain & "\" & strUserNTName+c"r:X
P7d B
�\�A'Y6E/{9d,B�j
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
.}�v�Q1|2|�W
+~%t�D'?�p�Q�S�~�[�i
' Bind to the user object in Active Directory with the LDAP provider.+\�T!Q�t�^ U-\
'On Error Resume Next�g
`"b-g�[�s)X
If InStr(strUserDN,"SystemMailbox") = False Then $f;N%F�@ J
'MsgBox "bingo!"
2o�_�k6Q�x�m
Set objUser = GetObject("LDAP://" & strUserDN)�c�Y$g7j
s3n�h�d�Y�g
objUserNULL = 0 'False for non-exchange systemMailbox account5S"|/Y9o�K�u
Else�Y/\�O.N�k9\
objUserNULL = 1 'true for exchange systemMailbox account
�W�v�W�^2{:z1B�|0C
End if
�C-X,i�L�a0R*M
:d9Z�^"H
g$n t
'Reset counter values�q�Z�|�k�s&A6x
newAccountCreate = 02E%q�f#`#|
accountLastLogon = 0"A'Q
@4G�c
accountLastMod = 00M�y�B�?�c�l0s�S
accDisabled = 0
�y e0K�\+`�t
j�N
%j)K'^)].\6p$|4O
'************************************
�Z�l�U�}�n
'* Calculate the difference between *
^;O�_�f&W-c�f�t
'* now and the expiration date. date value xxxx-xx-xx can only be used with date functions!!! or converted by Integer8Date() *�O S0b�l�s ^7t�Z
'************************************
-j�g7g�L9I�y�u.A
'MsgBox strUserDN
4u
i)k
O
k0f�x�d�\
If objUserNULL = 0 Then 'not a exchange system account x$C `!F4R)Z!V�h
/x!|�e�S�D!B�A#N�y
'Wscript.Echo objUser.lastLogon�t�O�G0m+L*j)K�i#P
#O�A S�E M�g2k
accDisabled = objUser.userAccountControl 'enabled(512)? disabled(514)?password never expire(66048)�E�O/D�h:K.\�M-g�g
If IsEmpty(objUser.lastLogon) = False Then 'check if objUser.lastLogon exists, can be NOT Set,0,large integer
#R&y�{(a�g�s�Q
lastLogDate = Integer8Date(objUser.lastLogon, lngBias) 'lastlogon timestamp, converted to normal Date�D�k5g8o�H C
Else
�j:`;K0n'y-L�}�U
lastLogDate = "1601-1-1" ' for Windows 2003 SP1 AD, lastLogon should be NULL for new user�v0p4v�v*G�i
End If�y�w$f�}�t�~
t�G�U
%q/L9o#q�~
'msgbox lastLogDate
|�~1u�U�p
L
newAccountCreate = DateDiff("d",now,objUser.whenCreated) 'since first created, days?
�j�V�b�L�L�N
9s�A L"l5r7s)N
If CStr(lastLogDate) <> "1601-1-1" And CStr(lastLogDate) <> "1/1/1601" Then 'new user last logon time should be like 1601-1-1
�y�N�A)I*`�I#a�v
accountLastLogon = DateDiff("d",now,lastLogDate) 'since last logon, days? CAN BE 0 DAYS;E6d�z�^�w"Z!b�Z
Else$e�l�{�}
s�b�_4h�j�^
accountLastLogon = -36500 'Never logon to AD, should not be longer than 100 years
;K�?)d�Z�h"M
End If�s6z�p�U-d�`�j8t
:c�c�j3|�C�H!O�W
accountLastMod = DateDiff("d",now,objUser.whenChanged) 'since last changed, days?
�[
w�~�\�O"C�J�G
�H�t3h
]�F G!K(r#{
'MsgBox Objuser.sAMAccountName&"----"&newAccountCreate & "--" & accountLastMod & "--" & accountLastLogon
9x�E1C"Y:c
F
%v8Q8s�P#j3u
'******************
.v8W�M#o�n8R�A
'* Newly Created users (exists 30days) that already be disabled (and not modified for 30 days) should be deleted, >30 days*
/b4v:t/B�l�}�D�}
'******************
$F+l�p�g�y4s
If (newAccountCreate <= MgmtDis And accountLastMod <= MgmtDis And (CStr(lastLogDate) = "1601-1-1" Or CStr(lastLogDate) = "1/1/1601") And (accDisabled = 514 Or accDisabled = 66050)) Then
a�g�o�i$Z�q�L#D
mFile.Writeline(Objuser.sAMAccountName & ", [[Disabled NEW Account]," & newAccountCreate*(-1) & "," & accountLastMod*(-1) & "," & accountLastLogon*(-1) & ", Account Should be deleted!!")
�E9j0] g�v�J�t�O*Z�z
'MsgBox Objuser.sAMAccountName & ", [Disabled NEW Account], Account Should be deleted!!"
!K'v�v!r�b%D*]
End If
�Z�T�z�j;?�l9Z�s
�O�{�m#m"K�d�Q,m
'******************�C�q3L3^(`
'* Newly Created users that should be disabled, >30 days not logon*
%~
b5Z0G�a R3E.b�S
'******************
;Q4x�q+H�I�D1s2E'O'D
If (newAccountCreate <= MgmtDis And (CStr(lastLogDate) = "1601-1-1" Or CStr(lastLogDate) = "1/1/1601") And (accDisabled <> 514 And accDisabled <> 66050)) Then
"W:^�b�b�H�q�w�B�z
mFile.Writeline(Objuser.sAMAccountName & ", [NEW Account]," & newAccountCreate*(-1) & "," & accountLastMod*(-1) & "," & accountLastLogon*(-1) & ", Account Should be disabled!!")
6^�t&}5l�|�?:q'i
'MsgBox Objuser.sAMAccountName & ", [NEW Account], Account Should be disabled!!"
3h�m1|�K/}6y'M-i�_
End If
�M�X�q/r+z�C*U
?3@�O!B;`�[
5M�i8q�G�c1g�j�n�s;W
If accountLastLogon <> -36500 And accountLastLogon <> -148042 Then�z�T�N�S�N(j�Z�e�|
'******************�}�e&S�k4M#X�[�l
'*users not used that should be disabled, >90 days not logon*�E+\;a�~�h�o�T�g�U
'******************
�r"\�m
g,s�j
If (accountLastLogon <= MgmtDel And (accDisabled = 512 Or accDisabled = 66048)) Then 'when pwd never expire, 66048
�x�U!_:|3?
mFile.Writeline(objUser.sAMAccountName & ", [Old Account]," & newAccountCreate*(-1) & "," & accountLastMod*(-1) & "," & accountLastLogon*(-1) & ", Account Should be disabled!!")�?0@�Q�G�o,C#~1y�B5{
objUser.AccountDisabled = True�G a�Q&w�q�o
'MsgBox objUser.sAMAccountName & ", [Old Account], Account Should be disabled!!"2y�r�d�g)i0t�H:k
End If�G�M!t�o�B#N�V�h3Z
7A�u%e�b
Z,X
'****************** k�R�w�G�]
I�M%W
'* users disabled that should be deleted, >90 days not enabled again*
�M
n,b�@�V�p
'******************!X0u�s*]9~�O:X�d
If (accountLastMod <= MgmtDel And (accDisabled = 514 Or accDisabled = 66050)) Then 'when pwd never expire, 66050,x�K�h+{�^"c i$H#u
mFile.Writeline(objUser.sAMAccountName & ", [Disabled Account]," & newAccountCreate*(-1) & "," & accountLastMod*(-1) & "," & accountLastLogon*(-1) & ", Account Should be Deleted!!")
�e�\�O�o�F�](Y!J
objUser.AccountDisabled = True�p/e�J9S�U�e�R;U3Z
'MsgBox objUser.sAMAccountName & ", [Disabled Account], Account Should be Deleted!!"
�K�V%W m�y7Z*M2N [�S$\
End If�K o�Q�v�~�d0p�W�y�e�O
5N4Y%p�u�n6D#L�Z�k�^�s�G
�`�U ~�g�L;X)I�D�V#L�R
End If5Z�A d1b [8h�W�{�t�|/s
End If�u.F)V.@'p3Q�N�?�I s+T*V
"](k5z-W�n!X
' If accountLastMod = -945 Then�@
[�@/K(_�S�T�e
' objUser.AccountDisabled = True
:P�j�\!N-R�{�e
' objUser.SetInfo
�s'M�f�f�C�b�v�Y'R:j(~
' End If
�b#a&N.g�o+^�c�`�m�_
�d�W�o1Y�n3X�h�^
objRecordSet.Movenext
&B�[,i0S�X
~$Z
Loop
�|:g�B*G7k%}�]�w
'Next�\'r�t�`�a�F+u�@&q0]
�p�l4a/g�I�I&o
'******************************************
�V�d�|�|�Z�z�z(V&q*n�y�h
'* Clean up open files and send log files *
+].J+v�S�m�T;f
'******************************************�}�p�G�n�V�Z#u�i�^
'*******************
�R(k/y+z�E�h0I
'* Close all Files *�A�D,N�N�k&P1X�C�b
'*******************(x�w�X�h!H;N.E
mFile.close
3M5p�y(o%Y3H"f�F�~,Q;l
)q
E�o:c1Z�i7[�|�X�C�P
'****************�s-s$s:e�J�n�^�\!s
'* Delete Files *)S6O(r�|1b�M8p�z;n�N
'****************�`�b5|�r�x3?�K:s'D�k�a
'fso.DeleteFile(mFile)
9C
W-_�\8W V
t�X�d-G
'fso.DeleteFile(uFile);{5a�r
v#a�T2y
'fso.DeleteFile(wFile)
(^&n�B�P `
'*******************
�t o#l$T,N�x�i
'* Quit the Script *%M�g�o�G�G4Q a�q!}9p
'*******************
0O�O2[3N6c8J
MsgBox "Searching for invalid users done!!"#Z1`�y�P(I�R
WScript.Quit(1)
�c'r�M�C.B
W�^�S�g�w {�H
l-L J t�W'j�M
'*******************�a9s�Q:u
J$}�W$\)c
'Functions
�U5T�e�D&~&j*b�V1[*^
'*******************
$o�b0I
X�r�Y
Function Integer8Date(objDate, lngBias)
�k ^
b�g)D
' Function to convert Integer8 (64-bit) value to a date, adjusted for
;p/I3n�K�`�`�H
' local time zone bias.
:o�j�Q�q;D�V�A�O
Dim lngAdjust, lngDate, lngHigh, lngLow
�E$o�^�N#X3Y�@8Q"V8S
lngAdjust = lngBias#t!i�H/C,o�I�?"m5}�E3G
lngHigh = objDate.HighPart
7h�Q�Q�k�p�N)v8M
lngLow = objdate.LowPart
9p(f�]�y�_:v
' Account for bug in IADslargeInteger property methods.
�^!I�H4\�k�P4{*v�f
If lngLow < 0 Then
%V�v#w�j�v
E2E�^4U�^�t
lngHigh = lngHigh + 1+d�l�L"u�e
End If�k-V�L#R l+z�Z3}
If (lngHigh = 0) And (lngLow = 0) Then5G*J.F�N�t�]#j x
lngAdjust = 0
p h�c M2t&O�^�X
End If
"v�|�f�]5V8r2`/F
lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
8{�n�w,t�B
+ lngLow) / 600000000 - lngAdjust) / 1440
5g�j�|!k7^/v7J
Integer8Date = CDate(lngDate)
�S�~;` k�B+r
End Function
风中叶雨 2008-4-9 11:11
有高手吗?本人对这个也有兴趣,想找一个禁用90天未登录的AD帐号的脚本,或者命令
ekingg 2008-4-9 14:00
命令就用dsquery user -inactive 10 | dsrm -c -noprompt
$^�l�y�A�F�G2B7t7t�\
$Y8k�B:n3r,`
y�[.B�T�Q
10表示10周没登录过
594sky 2008-4-10 18:05
楼主能否告知:把您的文章复制到记事本里怎么会出现乱码?本人是菜鸟。�d$y�i�X-G�R�v�n�\�I
先谢过楼主
ghostshadow 2008-4-17 09:11
这个脚本好多命令 太深奥啦!!:( �c,n�M*e�|0{�z
看不懂
风尚 2008-4-29 21:08
[quote]原帖由 [i]594sky[/i] 于 2008-4-10 18:05 发表 [url=http://www.sharecenter.net/redirect.php?goto=findpost&pid=2153462&ptid=209570][img]http://www.sharecenter.net/images/common/back.gif[/img][/url]
#U�p�m�y�l)G/B
楼主能否告知:把您的文章复制到记事本里怎么会出现乱码?本人是菜鸟。
�m�G&t,n�}�h�}
先谢过楼主 [/quote]
�@"z;~(W�E4E�c
放盗功能�k3K5y�Q�P:`�G�e
你全选就可以看到其中的奥妙
setthyfree 2008-6-16 14:59
ekingg厲害
adrien0901 2008-8-26 09:50
[quote]原帖由 [i]ekingg[/i] 于 2008-4-8 10:20 发表 [url=http://www.sharecenter.net/redirect.php?goto=findpost&pid=2149632&ptid=209570][img]http://www.sharecenter.net/images/common/back.gif[/img][/url]
;_�z�h6p)W�R
求个脚本,列出90天AD里没登录的用户,并删除.,q�?�U�}�W�v(Z
|�_
V7V1\�m�g%x;j!{�q
顺便问下有什么可以加密VBS的内容的工具或算法. [/quote]
8W�Y�q'@5v
-T�K4@�a�a
1:可以将以下代码保存为BAT运行即可
�]�{�E�T
Q�y
6p$t'k�O5l5G
@echo off�f/c!F-K�F.@ q�c t
@dsquery user -inactive 4 > dn.txt
/E�z-^�{�H�q�m
@for /f %%1 in (dn.txt) do dsrm %%1 -noprompt
�}
m"D�?2`5{:u�I$c,E.v
�n1d�C�x�`3z�w
2:VBS加密工具
