Active Directory Group Management Script

In an enterprise environment, managing groups in Active Directory (AD) is a routine task. Recently a number of distribution groups were migrated from a child domain into the parent domain with the Active Directory Migration Tool. During that migration the "Manager can update membership list" check box on each group was cleared. Opening every group by hand, checking whether it has a manager and then ticking the box again was not practical, so a scripted approach was needed. Starting from code on Arnout van der Vorst's blog, this program was written.

The program sets or clears the "Manager can update membership list" check box for every group in a specified organizational unit (OU). In access-control terms, the check box is an access control entry (ACE) on the group that grants the object named in the group's managedBy attribute the right to write the group's member attribute.

Using the Code

The first argument is the OU's distinguished name relative to the domain (the script appends the domain's naming context itself); the second is 1 to set the check box or 0 to clear it. For example, to set the check box:

    cscript MngChkBox.vbs ou=Distribution Groups,ou=Users & Groups,ou=Sales 1

To clear it:

    cscript MngChkBox.vbs ou=Distribution Groups,ou=Users & Groups,ou=Sales 0

Code Analysis

The VBScript is as follows:

' MngChkBox.vbs
' Version 1.2
' By Robert Kirchhof
' Sets or Clears the "Manager can update members" check box for every group in the OU specified.
' Usage: cscript MngChkBox.vbs <OU distinguished name, relative to the domain> <1 or 0>

' ADSI constants used to build the access control entry. The published listing
' uses these names without defining them; the values below are the standard
' ADSI enumeration values (ADS_ACETYPE_ENUM, ADS_RIGHTS_ENUM, ADS_FLAGTYPE_ENUM).
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5   ' object-specific "allow" ACE
Const ADS_RIGHT_DS_WRITE_PROP = &H20            ' right to write a property
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1        ' the ACE's ObjectType field is valid
Const ADS_ACEFLAG_DONT_INHERIT_ACE = 0          ' script-defined: no inheritance flags
' schemaIDGUID of the "member" attribute. Scoping the ACE to this object type is
' what limits the grant to membership changes rather than every writable property.
Const ADS_OBJECT_WRITE_MEMBERS = "{bf9679c0-0de6-11d0-a285-00aa003049e2}"

strCompair = "DC=campus" 'Used to determine if Manager object is in a child domain.

If (WScript.Arguments.Count < 1) Then
    WScript.Echo "Program Name: MngChkBox.vbs"
    WScript.Echo "Version: 1.2"
    WScript.Echo "Purpose: Set or Clear the 'Manager can update members' check box for every group in the OU specified."
    WScript.Echo "By Robert Kirchhof"
    WScript.Echo "Usage MngChkBox <OU> <1 or 0>"
    WScript.Echo "cscript MngChkBox.vbs ou=Distribution Groups,ou=Users & Groups,ou=Sales,dc=MyDomain,dc=com 1 will set the checkbox"
    WScript.Echo "cscript MngChkBox.vbs ou=Distribution Groups,ou=Users & Groups,ou=Sales,dc=MyDomain,dc=com 0 will clear it."
    WScript.Echo "Required argument is missing."
    WScript.Quit(1)
End If
If (WScript.Arguments.Count < 2) Then
    WScript.Echo "Required argument is missing."
    WScript.Quit(1)
End If

DN = WScript.Arguments(0)
intEnabled = CInt(WScript.Arguments(1))

' From here on, errors on one group (for example a managedBy object that cannot
' be bound) are reported and skipped rather than stopping the whole run.
On Error Resume Next

' Collect domain information: the DC to bind to and the domain's naming context.
Set objRootDSE = GetObject("LDAP://rootDSE")
strDomainController = objRootDSE.Get("dnsHostName")
strDomain = objRootDSE.Get("defaultNamingContext")
strQuery = DN & "," & strDomain

Set WshNetwork = WScript.CreateObject("WScript.Network")
strDomainNT4 = WshNetwork.UserDomain

' Load the names of all groups in the OU into an array before touching any of them.
Set objOU = GetObject("LDAP://" & strQuery)
objOU.Filter = Array("group")
i = 0
For Each objEntry In objOU
    ReDim Preserve arrFileLines(i)
    arrFileLines(i) = objEntry.Name
    i = i + 1
Next
If i = 0 Then
    WScript.Echo "No groups found in " & strQuery
    WScript.Quit(0)
End If

For Each strLine In arrFileLines
    strCN = strLine
    strGroup = strCN & "," & strQuery
    Set objGroup = GetObject("LDAP://" & strDomainController & "/" & strGroup)
    strManagedBy = objGroup.managedBy
    If Not IsEmpty(strManagedBy) Then
        WScript.Echo strCN & " is managed by " & strManagedBy
        ' The author's forest has a child domain "campus" under "net"; the NT4
        ' domain name used in the trustee is chosen from the manager's DN.
        If InStr(strManagedBy, strCompair) > 0 Then
            strDomainNT4 = "campus"
        Else
            strDomainNT4 = "net"
        End If

        Set objSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
        Set objDACL = objSecurityDescriptor.DiscretionaryACL
        Set objManager = GetObject("LDAP://" & strManagedBy)
        strTrustee = strDomainNT4 & "\" & objManager.Get("sAMAccountName")

        If intEnabled = 0 Then
            ' Remove only the write-members ACE held by the manager. Checking the
            ' ObjectType keeps other rights the manager may hold on the group intact.
            For Each objACE In objDACL
                If InStr(1, objACE.Trustee, objManager.Get("sAMAccountName"), vbTextCompare) > 0 _
                   And StrComp(objACE.ObjectType, ADS_OBJECT_WRITE_MEMBERS, vbTextCompare) = 0 Then
                    objDACL.RemoveAce objACE
                    WScript.Echo objACE.Trustee & " can NOT manage users in " & strCN
                End If
            Next
        Else
            ' Build an explicit, non-inherited allow ACE for WriteProperty on "member".
            Set objACE = CreateObject("AccessControlEntry")
            objACE.Trustee = strTrustee
            objACE.AccessMask = ADS_RIGHT_DS_WRITE_PROP
            objACE.AceFlags = ADS_ACEFLAG_DONT_INHERIT_ACE
            objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
            objACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
            objACE.ObjectType = ADS_OBJECT_WRITE_MEMBERS
            objDACL.AddAce objACE
            WScript.Echo strTrustee & " can now manage users in " & strCN
        End If

        ' Write the modified DACL back to the group.
        objSecurityDescriptor.DiscretionaryACL = objDACL
        objGroup.Put "ntSecurityDescriptor", Array(objSecurityDescriptor)
        objGroup.SetInfo
        If Err.Number <> 0 Then
            WScript.Echo "Failed to update " & strCN & ": " & Err.Description
            Err.Clear
        End If
    End If
    WScript.Echo ""
Next

The code relies on several Active Directory Service Interfaces (ADSI) constants that describe the access control list (ACL) entry being written. ADS_ACETYPE_ACCESS_ALLOWED_OBJECT marks the entry as an object-specific allow ACE, ADS_RIGHT_DS_WRITE_PROP is the right to write a property, ADS_FLAG_OBJECT_TYPE_PRESENT says the ACE's ObjectType field is in use, and the ObjectType itself is the schema GUID of the member attribute, which is what restricts the grant to membership changes rather than to every attribute of the group.

The script first checks that the required arguments were supplied, then collects domain information: the fully qualified domain name (FQDN) of a domain controller and the domain's naming context. It then loads every group in the organizational unit into an array and processes each one in turn: for a group that has a managedBy value, it binds to the manager object, and either adds an explicit ACE granting the manager write access to the member attribute or removes the ACE the manager already holds, before writing the updated security descriptor back.
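The same delegation expressed with the Active Directory PowerShell module and System.DirectoryServices, as an added example that is not part of the original article or Robert Kirchhof's script. It builds the identical ACE (explicit allow, WriteProperty, scoped to the member attribute's schema GUID), resolves the manager through the DC= components of its distinguished name instead of a hard-coded child-domain name, supports -WhatIf, and adds a report function so that who can change membership of which group can be reviewed before anything is changed. The RSAT ActiveDirectory module, the AD: drive it provides, and the OU distinguished name in the usage lines are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original article or Robert Kirchhof's script.
# Builds the "Manager can update membership list" ACE with System.DirectoryServices,
# resolves the manager from the DC= components of its DN, and provides an audit view.

# schemaIDGUID of the "member" attribute; the VBScript's ADS_OBJECT_WRITE_MEMBERS
# constant names the same GUID. Scoping the ACE to it limits the grant to
# membership changes rather than every writable property of the group.
$script:MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-DomainFromDN {
    # Joins the DC= components of a DN into the domain's DNS name, so a manager
    # in a child domain is looked up on a DC of that domain.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    ($DistinguishedName -split ',' |
        Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }) -join '.'
}

function Get-ManagerWriteMembersRule {
    # Explicit (non-inherited) allow ACEs on the DACL that grant the manager
    # WriteProperty on "member". No output means the check box is effectively clear.
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$ManagerSid
    )
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -eq $ManagerSid -and
            $_.ObjectType -eq $script:MemberAttributeGuid -and
            $_.ActiveDirectoryRights.HasFlag($writeProp)
        }
}

function Get-ManagedGroupReport {
    # Audit view: every managed group directly under the OU, its manager, and
    # whether the manager currently holds the write-members right.
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADGroup -SearchBase $SearchBase -SearchScope OneLevel -Filter * `
                -Properties managedBy, nTSecurityDescriptor |
        Where-Object { $_.managedBy } |
        ForEach-Object {
            $manager = Get-ADObject -Identity $_.managedBy `
                -Server (Get-DomainFromDN $_.managedBy) -Properties objectSid
            $rules = @(Get-ManagerWriteMembersRule -Acl $_.nTSecurityDescriptor -ManagerSid $manager.objectSid)
            [pscustomobject]@{
                Group            = $_.DistinguishedName
                Manager          = $manager.DistinguishedName
                CanUpdateMembers = ($rules.Count -gt 0)
            }
        }
}

function Set-ManagerCanUpdateMembers {
    # Sets ($Enabled) or clears the right for every managed group under the OU.
    # -WhatIf lists the groups that would change without writing anything.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $groups = Get-ADGroup -SearchBase $SearchBase -SearchScope OneLevel -Filter * `
                          -Properties managedBy, nTSecurityDescriptor
    foreach ($group in $groups) {
        if (-not $group.managedBy) { continue }   # unmanaged group: nothing to delegate
        $manager = Get-ADObject -Identity $group.managedBy `
            -Server (Get-DomainFromDN $group.managedBy) -Properties objectSid
        $acl = $group.nTSecurityDescriptor
        $existing = @(Get-ManagerWriteMembersRule -Acl $acl -ManagerSid $manager.objectSid)
        if ($Enabled) {
            if ($existing.Count -gt 0) { continue }   # already set, nothing to write
            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $manager.objectSid,
                [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $script:MemberAttributeGuid,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
            $acl.AddAccessRule($rule)
            $action = "grant $($manager.Name) write access to member"
        } else {
            if ($existing.Count -eq 0) { continue }   # already clear
            foreach ($rule in $existing) { $acl.RemoveAccessRuleSpecific($rule) }
            $action = "remove $($manager.Name) write access to member"
        }
        if ($PSCmdlet.ShouldProcess($group.DistinguishedName, $action)) {
            Set-Acl -Path "AD:\$($group.DistinguishedName)" -AclObject $acl
        }
    }
}

# Usage; the OU and domain below are placeholders:
# Get-ManagedGroupReport -SearchBase 'OU=Distribution Groups,OU=Users & Groups,OU=Sales,DC=example,DC=com'
# Set-ManagerCanUpdateMembers -SearchBase 'OU=Distribution Groups,OU=Users & Groups,OU=Sales,DC=example,DC=com' -Enabled $true -WhatIf
```

Run Get-ManagedGroupReport first: a manager with this right can add any account to the group, so for distribution groups that gate mail flow, or security groups that grant access, the report is the list of people who effectively control that access. Matching on the manager's SID and on the member attribute GUID, rather than on a substring of the trustee name, means the clear operation removes exactly the ACE the check box created and nothing else on the group.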
