使用 VBScript 设置或清除“经理可以更新成员列表”复选框





提供 OU,并设置或清除其中所有已管理组的复选框
引言
此程序会为指定 OU 中的每个组选中或取消选中“经理可以更新成员列表”复选框(前提是该组已分配经理)。
背景
我最近使用 Active Directory 迁移工具将一批分发组从子域迁移到其父域。在此过程中,允许经理修改组成员的复选框被取消选中。手动逐个打开每个组,检查它是否受管理,然后选中复选框是不现实的,所以我开始研究用脚本完成这项工作的方法。借助 Arnout van der Vorst 博客中的代码(见此处),我编写了这个程序。
Using the Code
此程序为指定的 OU 中的每个组设置或清除“经理可以更新成员”复选框。其实现方式是在组的 DACL 中添加或删除一条允许经理写入 member 属性的 ACE。
Usage: cscript MngChkBox.vbs <Distinguished Name of OU> <1 or 0>
示例 1
cscript MngChkBox.vbs ou=Distribution Groups,ou=Users & Groups,ou=Sales 1
这将设置复选框。注意:示例中的 OU 可分辨名称包含空格和 & 字符,在命令提示符中需要将其整体放入双引号内,否则会被拆分成多个参数。
示例 2
cscript MngChkBox.vbs ou=Distribution Groups,ou=Users & Groups,ou=Sales 0
这将清除它。
代码
'MngChkBox.vbs
'Version 1.2
'By Robert Kirchhof
'Usage: cscript MngChkBox.vbs <Distinguished Name of OU> <1 or 0>
'Sets or Clears the "Manager can update members" check box for every group in
'the OU specified.
'cscript MngChkBox.vbs ou=Distribution Groups,ou=Users & Groups,ou=Sales 1 will set
'the checkbox
'cscript MngChkBox.vbs ou=Distribution Groups,ou=Users & Groups,ou=Sales 0 will clear it.
'strCompair = "DC=campus" 'Used to determine if the manager object is in a child domain;
'see the commented-out InStr check inside the group-processing loop.
'The line above is only needed when the management object (Group or User) might be in
'another domain.
'For single-domain use, the strDomainNT4 = WshNetwork.UserDomain assignment below
'automatically sets the correct NetBIOS name.
'Print two near-empty lines so the script output is visually separated.
WScript.Echo " "
WScript.Echo " "

'--- Shape of the ACE behind the "Manager can update members" check box ---
'Object-specific "allow" ACE type.
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
'The ACE carries an ObjectType GUID (it is scoped to one attribute).
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H01
'Right to write a directory property.
Const ADS_RIGHT_DS_WRITE_PROP = &H20
'GUID placed in ObjectType; the script uses it to limit the write right to
'the group's membership attribute.
Const ADS_OBJECT_WRITE_MEMBERS = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}"

'--- Inheritance flags ---
'The ACE applies to the group object only and is not inherited.
Const ADS_ACEFLAG_DONT_INHERIT_ACE = &H0
'Declared for completeness; not referenced in the visible part of the script.
Const ADS_ACEFLAG_INHERIT_ACE = &H00002
'===========================================================================
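'==========================================================
' Validate the command line BEFORE reading any argument.
'
' Arguments:
'   0 - DN of the OU relative to the domain, e.g.
'       "ou=Distribution Groups,ou=Users & Groups,ou=Sales".
'       The domain part (dc=...) is appended later from rootDSE, so it
'       must not be supplied here. Quote the value: it contains spaces
'       and '&', which the command prompt would otherwise split on.
'   1 - "1" to set the check box, "0" to clear it.
'
' Exits with code 1 on any usage error so that a calling batch job does
' not mistake "nothing was done" for success.
'==========================================================
strExample = "cscript MngChkBox.vbs ""ou=Distribution Groups,ou=Users & Groups,ou=Sales"" "

If WScript.Arguments.Count < 1 Then
    WScript.Echo "Program Name: MngChkBox.vbs"
    WScript.Echo "Version: 1.2"
    WScript.Echo "Purpose: Set or Clear the 'Manager can update members' " & _
                 "check box for every group in the OU specified."
    WScript.Echo "By Robert Kirchhof"
    WScript.Echo " "
    WScript.Echo "Usage: cscript MngChkBox.vbs ""<DN of OU, without the domain part>"" <1 or 0>"
    WScript.Echo
    WScript.Echo strExample & "1 will set the checkbox"
    WScript.Echo strExample & "0 will clear it."
    WScript.Echo
    WScript.Echo "Required argument is missing. " _
        & "For example:" & vbCrLf _
        & strExample & "1"
    WScript.Quit(1)
End If

If WScript.Arguments.Count < 2 Then
    WScript.Echo "Required argument <set> is missing. " _
        & "For example:" & vbCrLf _
        & strExample & "0"
    WScript.Quit(1)
End If

DN = WScript.Arguments(0)
intEnabled = Trim(WScript.Arguments(1))

'Accept exactly "0" or "1". Any other value used to reach the numeric
'comparison later in the script, where a type-mismatch error under
'On Error Resume Next falls through into the ACE-removal branch.
If intEnabled <> "0" And intEnabled <> "1" Then
    WScript.Echo "Argument <set> must be 1 (set) or 0 (clear), got: " & intEnabled
    WScript.Quit(1)
End If
intEnabled = CInt(intEnabled)

'Kept for the remainder of the script, which was written to run with
'error suppression enabled. It is switched on only after the arguments
'have been validated so that bad input is reported instead of ignored.
On Error Resume Next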
'==========================================================
' Collect domain information
'==========================================================
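'Resolve the domain controller, the domain DN and the NetBIOS domain name,
'then bind to the target OU. Every bind is checked: with error suppression
'active, a failed bind would otherwise go unnoticed and the script would
'carry on with an unusable OU object.
On Error Resume Next
Err.Clear

Dim objRootDSE
Set objRootDSE = GetObject("LDAP://rootDSE")
strDomainController = objRootDSE.Get("dnsHostName") 'DNS host name of the DC. Used to bind to each group.
strDomain = objRootDSE.Get("defaultNamingContext")  'Distinguished Name of the domain.
If Err.Number <> 0 Then
    WScript.Echo "Could not read rootDSE (0x" & Hex(Err.Number) & "): " & Err.Description
    WScript.Quit(1)
End If

'Full DN of the OU = user-supplied relative DN + domain DN.
strQuery = DN & "," & strDomain

Set WshNetwork = WScript.CreateObject("WScript.Network")
strDomainNT4 = WshNetwork.UserDomain 'NetBIOS name of the logged-on user's domain.

Set objOU = Nothing
Err.Clear
Set objOU = GetObject("LDAP://" & strQuery)
If Err.Number <> 0 Or (objOU Is Nothing) Then
    WScript.Echo "Could not bind to OU " & strQuery & " (0x" & Hex(Err.Number) & "): " & Err.Description
    WScript.Quit(1)
End If

'Enumerate group objects only.
objOU.Filter = Array("group")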
'==========================================================
'Load Groups into an array.
'==========================================================
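'Collect the relative name (objChild.Name) of every group in the OU.
'The array is created empty up front so that an OU without groups leaves a
'valid zero-length array; previously the variable stayed uninitialised in
'that case and the processing loop that iterates it raised an error.
Dim arrFileLines
arrFileLines = Array()
i = 0
For Each objChild In objOU
    ReDim Preserve arrFileLines(i)
    arrFileLines(i) = objChild.Name
    i = i + 1
Next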
'==========================================================
'Process each element
'==========================================================
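'Walk every collected group and set or clear the write-members ACE of its
'manager. The mode is normalised once; only "0" (clear) and "1" (set) are
'accepted so that a malformed value can never select the removal branch.
strMode = Trim(CStr(intEnabled))
If strMode <> "0" And strMode <> "1" Then
    WScript.Echo "Second argument must be 1 (set) or 0 (clear); got: " & strMode
    WScript.Quit(1)
End If

If IsArray(arrFileLines) Then
    For Each strLine In arrFileLines
        UpdateManagerAce strLine, (strMode = "0")
        WScript.Echo " " 'Blank line feed
    Next
End If

'Sets or clears the "Manager can update members" ACE on one group.
'  strCN    - relative name of the group (e.g. "CN=Sales Team"); the group DN
'             is built from it and the global strQuery.
'  blnClear - True removes the ACE, False adds it.
'Uses the globals strQuery, strDomainController and strDomainNT4.
'Every directory call is checked; on failure the group is skipped and the
'failure is reported, instead of printing a success line for a change that
'was never written.
Sub UpdateManagerAce(strCN, blnClear)
    Dim objGroup, objManager, objSD, objDACL, objACE, objNewAce
    Dim strGroupDN, strManagedBy, strSam, strTrustee, strReport
    Dim blnChanged, blnMatch, blnPresent

    On Error Resume Next
    Err.Clear

    strGroupDN = strCN & "," & strQuery 'builds DN of the group
    Set objGroup = Nothing
    Set objGroup = GetObject("LDAP://" & strDomainController & "/" & strGroupDN)
    If Err.Number <> 0 Or (objGroup Is Nothing) Then
        WScript.Echo "Could not bind to " & strGroupDN & " (0x" & Hex(Err.Number) & "); skipped."
        Err.Clear
        Exit Sub
    End If

    strManagedBy = objGroup.managedBy
    If Err.Number <> 0 Then Err.Clear
    If IsEmpty(strManagedBy) Or IsNull(strManagedBy) Then
        WScript.Echo strCN & " has no manager."
        Exit Sub
    End If
    WScript.Echo strCN & " is managed by " & strManagedBy

    'Multi-domain variant (disabled): choose the NetBIOS domain from the
    'manager's DN instead of using the logged-on user's domain.
    'If InStr(strManagedBy, strCompair) > 0 Then
    '    strDomainNT4 = "campus"
    'Else
    '    strDomainNT4 = "net"
    'End If

    'Bind to the manager afresh for every group. If this bind fails the group
    'is skipped, so an object left over from an earlier iteration can never
    'be used as the trustee.
    Set objManager = Nothing
    Set objManager = GetObject("LDAP://" & strManagedBy)
    strSam = objManager.Get("sAMAccountName")
    If Err.Number <> 0 Or Len(strSam) = 0 Then
        WScript.Echo "Could not resolve the manager of " & strCN & " to an account name; skipped."
        Err.Clear
        Exit Sub
    End If

    Set objSD = objGroup.Get("ntSecurityDescriptor")
    Set objDACL = objSD.DiscretionaryACL
    If Err.Number <> 0 Then
        WScript.Echo "Could not read the security descriptor of " & strCN & " (0x" & Hex(Err.Number) & "); skipped."
        Err.Clear
        Exit Sub
    End If

    blnChanged = False
    strReport = ""

    If blnClear Then
        'Remove only the ACE that the check box stands for. The earlier
        'substring match on the trustee also removed unrelated ACEs of the
        'manager and ACEs of any account whose name merely contained the
        'manager's account name.
        For Each objACE In objDACL
            blnMatch = False
            blnMatch = IsWriteMembersAceFor(objACE, strSam)
            If blnMatch Then
                strTrustee = objACE.Trustee
                objDACL.RemoveAce objACE
                blnChanged = True
                strReport = strReport & strTrustee & " Can NOT manage users in " & strCN & vbCrLf
            End If
        Next
    Else
        'Add the ACE only when it is not there yet, so repeated runs do not
        'pile up duplicate entries.
        blnPresent = False
        For Each objACE In objDACL
            blnMatch = False
            blnMatch = IsWriteMembersAceFor(objACE, strSam)
            If blnMatch Then blnPresent = True
        Next

        If blnPresent Then
            WScript.Echo strCN & ": manager already has the write-members ACE; nothing to add."
        Else
            'NOTE(review): the trustee is built from the logged-on user's
            'NetBIOS domain. If the manager lives in a different domain this
            'names a different principal - confirm before running across domains.
            strTrustee = strDomainNT4 & "\" & strSam
            Set objNewAce = CreateObject("AccessControlEntry")
            objNewAce.Trustee = strTrustee
            objNewAce.AccessMask = ADS_RIGHT_DS_WRITE_PROP
            objNewAce.AceFlags = ADS_ACEFLAG_DONT_INHERIT_ACE
            objNewAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
            objNewAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
            objNewAce.objectType = ADS_OBJECT_WRITE_MEMBERS
            objDACL.AddAce objNewAce
            blnChanged = True
            strReport = strTrustee & " Can now manage users in " & strCN
        End If
    End If

    'Nothing to write back when the DACL was not modified.
    If Not blnChanged Then Exit Sub

    Err.Clear
    objSD.DiscretionaryACL = objDACL
    objGroup.Put "ntSecurityDescriptor", Array(objSD)
    objGroup.SetInfo
    If Err.Number <> 0 Then
        WScript.Echo "FAILED to update the ACL on " & strCN & " (0x" & Hex(Err.Number) & "): " & Err.Description
        Err.Clear
    Else
        'Report the change only after the directory accepted it.
        WScript.Echo strReport
    End If
End Sub

'Returns True when objACE is an object-specific allow ACE that grants
'write-property on the ADS_OBJECT_WRITE_MEMBERS object type to an account
'whose name (the part after the last backslash of the trustee) equals strSam.
'The domain part of the trustee is not compared.
'All ACE properties are read into locals first and any read error yields
'False, so an error can never be mistaken for a match.
Function IsWriteMembersAceFor(objACE, strSam)
    Dim lngType, lngMask, strObjType, strTrustee, intSlash

    IsWriteMembersAceFor = False
    On Error Resume Next
    Err.Clear

    lngType = objACE.AceType
    lngMask = objACE.AccessMask
    strObjType = "" & objACE.ObjectType
    strTrustee = "" & objACE.Trustee
    If Err.Number <> 0 Then
        Err.Clear
        Exit Function
    End If

    If lngType <> ADS_ACETYPE_ACCESS_ALLOWED_OBJECT Then Exit Function
    If (lngMask And ADS_RIGHT_DS_WRITE_PROP) = 0 Then Exit Function
    If StrComp(strObjType, ADS_OBJECT_WRITE_MEMBERS, vbTextCompare) <> 0 Then Exit Function

    intSlash = InStrRev(strTrustee, "\")
    If intSlash > 0 Then strTrustee = Mid(strTrustee, intSlash + 1)

    IsWriteMembersAceFor = (StrComp(strTrustee, strSam, vbTextCompare) = 0)
End Function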
历史
- 2008年8月28日:初始发布