I've written a script that we use instead of disabling accounts when
people leave. It prevents the account from being used, but also
eliminates some errors we had with Exchange when we had a bunch of
mailboxes tied to disabled accounts. Here it is, if anyone's
interested.
Thoughts?
'*****************************************************************
'Written by Scott Crawford
'Date 2005-08-10
'
'Effectively disables accounts by:
' Setting account to expired
' Setting a random password
' Removing the user from all groups
'
'This will apply to all users in OU and Domain specified in
'strPathToContainer and strDomain.
'*****************************************************************
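Option Explicit

Dim oUser
Dim strPathToContainer, strDomain
Dim oUserContainer

' Target container. Every user object enumerated from this OU is locked
' down, so confirm both values before running the script.
strDomain = "DC=evangel, DC=edu"
strPathToContainer = "OU=Disabled, OU=Staff"

' The bind statement must stay on one line (or use a trailing " _").
' The posted copy was wrapped after the final "&", which VBScript
' rejects as a syntax error.
Set oUserContainer = GetObject("LDAP://" & strPathToContainer & ", " & strDomain)

' Restrict the enumeration to user objects.
oUserContainer.Filter = Array("User")

For Each oUser In oUserContainer
    ' Load the object's attributes before the helpers read them.
    oUser.GetInfo
    SetExpired oUser
    RandomPassword oUser
    CleanGroups oUser
Next

' An unhandled error in any helper aborts the run before this point, so
' "Done" means every enumerated user was processed.
MsgBox "Done"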
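'*****************************************************************
'SetExpired
'
'Makes sure the supplied user object is expired as of today.
'
'The expiration date is left alone only when the account already
'has one that is not in the future. It is set to today when:
' - reading the date raises an error (no date stored),
' - the date reads back as 1/1/1970, the value ADSI commonly
'   reports for "never expires", or
' - the date lies in the future, which would otherwise leave the
'   account usable until then.
'*****************************************************************
Sub SetExpired(oUser)
    Dim dtExisting, blnHasDate

    ' Reading AccountExpirationDate can raise an error when no date is
    ' stored, so trap the error instead of letting it stop the script.
    On Error Resume Next
    dtExisting = oUser.AccountExpirationDate
    blnHasDate = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0

    If blnHasDate Then
        ' Keep a genuine expiration date that has already been reached.
        If dtExisting <> #1/1/1970# And dtExisting <= Now() Then
            Exit Sub
        End If
    End If

    ' Date() is today at midnight, so the account is expired from now on.
    oUser.AccountExpirationDate = Date()
    oUser.SetInfo
End Sub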
'*****************************************************************
'RandomPassword
'
'Sets a user object to a random 100 character password.
'*****************************************************************
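Sub RandomPassword(oUser)
    ' Replaces the user's password with 100 random characters that nobody
    ' records, so the old password stops working and the new one is unknown.
    '
    ' NOTE(review): Rnd is a general-purpose generator seeded from the
    ' system timer, not a cryptographic one. The password is only as
    ' unpredictable as that seed. Use a cryptographic random source if the
    ' password must resist a determined guesser.
    Const PASSWORD_LENGTH = 100
    Dim intLow, intHigh, i, intNumber
    Dim strPassword

    ' Character codes 32..255: space through the top of the ANSI range.
    intLow = 32
    intHigh = 255
    strPassword = ""

    ' Seed once. Reseeding for every character (as the original loop did)
    ' adds no randomness and ties each character to the same timer reading.
    Randomize
    For i = 1 To PASSWORD_LENGTH
        intNumber = Int((intHigh - intLow + 1) * Rnd + intLow)
        ' "&" always concatenates; "+" only does so when both sides are strings.
        strPassword = strPassword & Chr(intNumber)
    Next

    oUser.SetPassword strPassword

    ' Deliberate: the account stays enabled (the post explains that disabled
    ' accounts caused Exchange errors). Access is blocked by the expiration
    ' date and the unknown password instead.
    oUser.AccountDisabled = False

    ' pwdLastSet = 0 marks the password as needing a change at next logon.
    oUser.Put "pwdLastSet", 0
    oUser.SetInfo
End Sub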
'*****************************************************************
'CleanGroups
'
'Removes all groups from a user object.
'*****************************************************************
Sub CleanGroups(oUser)
    ' Removes the user from every group listed in its memberOf attribute.
    '
    ' NOTE(review): memberOf does not list the user's primary group
    ' (normally Domain Users), so that membership is left in place.
    ' Confirm this is acceptable for departed users.
    Dim varGroupDNs, strGroupDN
    Dim oMemberGroup

    ' GetEx raises an error when memberOf holds no values. In that case
    ' there is nothing to remove and the sub simply ends.
    On Error Resume Next
    varGroupDNs = oUser.GetEx("memberOf")
    If Err.Number = 0 Then
        ' Restore normal error handling: a failed bind or removal below
        ' stops the script rather than being skipped silently.
        On Error GoTo 0
        For Each strGroupDN In varGroupDNs
            Set oMemberGroup = GetObject("LDAP://" & strGroupDN)
            oMemberGroup.Remove(oUser.ADsPath)
        Next
    End If
End Sub