Quick and dirty script to copy DLs from one user to another

Posted on February 4, 2007 by Scott — No Comments ↓

Edit: The inline code in this post is not the latest version of the script. Get the latest version from the downloads page.

It is not uncommon at my company to have to move a user from one domain to another for technical, logistical, or political reasons. For another set of reasons, moving the user account to the other domain is not done, instead manually creating a new one and associating the mailbox with the new account.

DL membership does not automatically get updated when this is done, so I have been doing it manually. It has been on my to-do list for awhile to write a script to copy the DL membership from the old account to the new one. So I threw this together this morning. It lacks some of the nice extras my other scripts have (finding the user by logon name, email results, true logging) but it does work.

You have to edit the script to give it the variables for the old and new users’ dn. It will skip security groups (any group without an alias) and also groups whose Notes (info) attribute contains the word SmartDL. We use Imanami’s SmartDL for automated DL membership when applicable. Those will be automatically updated the next time each of their jobs run.

Download it here, or copy/paste below.

Option Explicit
Dim strOldUser, strNewUser, objOldUser, objNewUser, strGroup, objGroup
strOldUser = &quot;&quot; 'dn of user to copy from'
strNewUser = &quot;&quot; 'dn of user to copy to'
Set objOldUser = GetObject(&quot;LDAP://&quot; &amp; strOldUser)
Set objNewUser = GetObject(&quot;LDAP://&quot; &amp; strNewUser)
wscript.echo &quot;Source user: &quot; &amp; objOldUser.DisplayName
wscript.echo &quot;Target user: &quot; &amp; objNewUser.DisplayName
For Each strGroup in objOldUser.MemberOf
	On Error Resume Next
	Set objGroup = GetObject(&quot;LDAP://&quot; &amp; strGroup)
    If Not Trim(objGroup.mailNickname) = &quot;&quot; Then
        If Not Instr(objGroup.info, &quot;SmartDL&quot;) &gt; 0 Then
			objGroup.Add(objNewUser.ADsPath)
			If Err.Num = 0 Then
				wscript.echo objGroup.DisplayName &amp; &quot;: Update successful.&quot;
			Else
				wscript.echo objGroup.DisplayName &amp; &quot;: Update UNSUCCESSFUL.&quot;
			End If
        Else
			wscript.echo objGroup.DisplayName &amp; &quot;: Skipped (SmartDL).&quot;
        End If
	End If
	On Error Goto 0
Next
Set objOldUser = Nothing
Set objNewUser = Nothing

Option Explicit

Dim strOldUser, strNewUser, objOldUser, objNewUser, strGroup, objGroup

strOldUser = "" 'dn of user to copy from'

strNewUser = "" 'dn of user to copy to'

Set objOldUser = GetObject("LDAP://" & strOldUser)

Set objNewUser = GetObject("LDAP://" & strNewUser)

wscript.echo "Source user: " & objOldUser.DisplayName

wscript.echo "Target user: " & objNewUser.DisplayName

For Each strGroup in objOldUser.MemberOf

On Error Resume Next

Set objGroup = GetObject("LDAP://" & strGroup)

If Not Trim(objGroup.mailNickname) = "" Then

If Not Instr(objGroup.info, "SmartDL") > 0 Then

objGroup.Add(objNewUser.ADsPath)

If Err.Num = 0 Then

wscript.echo objGroup.DisplayName & ": Update successful."

Else

wscript.echo objGroup.DisplayName & ": Update UNSUCCESSFUL."

End If

Else

wscript.echo objGroup.DisplayName & ": Skipped (SmartDL)."

End If

On Error Goto 0

Set objOldUser = Nothing

Set objNewUser = Nothing

Updated Exchange ActiveSync disable script

Posted on December 3, 2006 by Scott — No Comments ↓

I previously posted (here) a script to disable Exchange ActiveSync for unauthorized users. The script is based on using the dn of one or more groups to determine authorized users (i.e., if you are in the group, you are allowed). This method recently failed me (twice) because some of the groups were renamed by another admin to make them more readable. Not only were the display names changed, but the objects were renamed as well, so the cn and dn were changed. This means my script couldn’t find the groups I had hard-coded, which isn’t good scripting practice anyway.

I have updated the script, which can be downloaded here, to search for the groups based on their objectGUID, which never changes no matter what you do to the object (rename, move, etc.). Instead of hard-coding the dn of the object, I hard-code the objectGUID. Then I bind directly to the object based on the GUID to retrieve its dn, which is used in the search filter to find the users I want to modify.

Note that ADO allows you to bind to an object given just its GUID, without having to specify other connection parameters. You can also use the hexadecimal or binary format of the GUID in the connection string; AD will figure out which format you are using. I used the binary format in my script so that I could just copy and paste the value from Hyena into my script without having to convert to a hex value.

Change users’ default calendar permission (and email the users and admin)

Posted on June 21, 2006 by Scott — 2 Comments ↓

Our IT Leadership team decided that it will promote more effective collaboration if the Default calendar permission for all IT employees is set to Reviewer (instead of the Default of None). As with many of my scripts, I started with the work Glen Scales has already done. Go there for information on the prerequisite for using this script to make the change (the need for ACL.dll).

Glen’s script uses an input argument of a server name. My distributed environment doesn’t allow for such a broad application, so I use the membership of a DL that contains the IT personnel. This DL actually contains other DLs, so I separately use another script by Richard Mueller that enumerates nested groups and puts the results into a domain local group that is used for other purposes.

After getting the group members, I loop through each member for only those with a mailbox that isn’t hidden. For those who haven’t been touched by the script before, a function is called that uses CDO to log into the mailbox, enumerate the calendar permissions looking for the Default entry, and change it to Reviewer. The user’s local FreeBusy Data folder is also updated to set the Default to Editor since that permission goes hand in hand when setting permissions on the calendar.

To keep tabs on who the script has touched, a notation is added to extensionAttribute4 (customizable). Those with that notation are skipped in the future. Then an email is sent to the user informing them of the change. I chose to do this because Exchange users may be used to the fact the the Default permission is None; this way they are aware that their calendar is open for viewing. It also helps with new employees who are not aware of this "policy" and can mark items as Private as necessary.

Finally, an email is sent to the admin with the results of the job run. It includes the display name, mailbox server, and whether the permission was set or the object skipped (to catch entries that slip through my filter). I have scheduled this to run weekly, and I will get an email each time so I know that the script is successfully running and which users are being modified.

All of the variables that require customization are near the top. These are for mail configuration, search filter, and the notation parameters for touched mailboxes.

Download it here or copy below.

Option Explicit

Public Const CdoDefaultFolderCalendar = 0
Dim strSMTPServer, strMailFrom, strUserMailSubject, strUserMailBody
Dim strAdminMailRecip, strAdminMailSubject, strAdminMailBody
Dim strDefaultNamingContext, strQueryFilter, strAttName, strAttNote
Dim conn, com, iAdRootDSE, strNamingContext
Dim Rs, objGroup, strMember, objUser, strMsExchHomeServerName
Dim objSession, CdoInfoStore, CdoFolderRoot, ACLObj, CdoCalendar, FolderACEs, fldACE
Dim objRoot, objFreeBusyFolder

'Configuration parameters:
''''''''''''''''''''''''''''''''''''''''''''''
'Email notification configuration
strSMTPServer = &quot;server.company.com&quot; 'FQDN of SMTP server
strMailFrom = &quot;&quot;&quot;Display Name&quot;&quot; &lt;a href="mailto:SMTPAddress@company.com"&gt;SMTPAddress@company.com&lt;/a&gt;&quot; ' Display name and address of sender
strUserMailSubject = &quot;The default permission on your calendar has been updated&quot; 'Subject of message sent to users
strUserMailBody = &quot;In order to promote effective collaboration among the Company &quot; &amp; _
    &quot;employees, the Default permission on your calendar has been updated to Reviewer.  This allows anyone within the organization &quot; &amp; _
    &quot;to see the details of items within your calendar.  For items that are of a sensitive, confidential, or personal nature, &quot; &amp; _
    &quot;you can mark them as Private.  This will restrict the details of the item so that others cannot see the subject or body.  &quot; &amp; _
    &quot;If you have any questions about this change, please reply to this message or contact the Help Desk at XXXX.&lt;br&gt;&lt;br&gt;&quot; &amp; _
    &quot;Company Messaging and Collaboration Team (GAL Display Name)&lt;br&gt;Department&lt;br&gt;Company&quot; 'Body of message sent to users
strAdminMailRecip = &quot;&lt;a href="mailto:SMTPAddress@company.com"&gt;SMTPAddress@company.com&lt;/a&gt;&quot; 'Address of admin to receive status report
strAdminMailSubject = &quot;Default calendar permission change report&quot; 'Subject of message sent to admin
'Domain to search for object
strDefaultNamingContext = &quot;dc=company,dc=com&quot; 'AD FQDN of base scope to search
'Search filter for group with users
strQueryFilter = &quot;(&amp;(objectcategory=group)(displayName=something))&quot; 'LDAP filter to locate group with members to modify</p><p>'Attribute and notation for updated objects
strAttName = &quot;extensionAttribute4&quot; 'defined for a single-valued string attribute
strAttNote = &quot;DefaultCalSet&quot; 'Notation used to skip processed users on future script runs
''''''''''''''''''''''''''''''''''''''''''''''
strAdminMailBody = &quot;&quot;
Set conn = createobject(&quot;ADODB.Connection&quot;)
Set com = createobject(&quot;ADODB.Command&quot;)
Set iAdRootDSE = GetObject(&quot;&lt;a href="ldap://RootDSE"&gt;LDAP://RootDSE&lt;/a&gt;&quot;)
strNamingContext = iAdRootDSE.Get(&quot;configurationNamingContext&quot;)
Conn.Provider = &quot;ADsDSOObject&quot;
Conn.Open &quot;ADs Provider&quot;
Com.ActiveConnection = Conn
com.Properties(&quot;Page Size&quot;) = 1000
Com.CommandText = &quot;&lt;GC://&quot; &amp; strDefaultNamingContext &amp; &quot;&gt;;&quot; &amp; StrQueryFilter &amp; &quot;;distinguishedname;subtree&quot;
Set Rs = Com.Execute
While Not Rs.EOF
	Set objGroup = GetObject(&quot;LDAP://&quot; &amp; Rs.fields(&quot;distinguishedname&quot;))
	For each strMember in objGroup.Member
		Set objUser = GetObject(&quot;LDAP://&quot; &amp; strMember)
		If InStr(objUser.Get(strAttName), strAttNote) &lt; 1 Then
			strAdminMailBody = strAdminMailBody &amp; objUser.displayName &amp; &quot;&lt;br&gt;&quot;
			If objUser.Class = &quot;user&quot; And Not IsNull(objUser.msExchHomeServerName) And Not UCase(objUser.msExchHidefromAddressLists) = &quot;TRUE&quot; Then
				strMsExchHomeServerName = objUser.msExchHomeServerName
				strMsExchHomeServerName = right(strMsExchHomeServerName,len(strMsExchHomeServerName)-instrrev(strMsExchHomeServerName,&quot;/cn=&quot;)-3)
				strAdminMailBody = strAdminMailBody &amp; &quot;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&quot; &amp; strMsExchHomeServerName &amp; &quot;&lt;br&gt;&quot;
				Call dofreebusy(strMsExchHomeServerName, objUser.mailNickname)
				strAdminMailbody = strAdminMailBody &amp; &quot;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;Permission set on: &quot; &amp; objUser.mailNickname &amp; &quot;&lt;br&gt;&quot;
				WriteTag
				SendEmail objUser.mail, strUserMailSubject, strUserMailBody
			Else
				strAdminMailBody = strAdminMailBody &amp; &quot;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;Skipping object&lt;br&gt;&quot;
			End If
		End If
	Next
	Rs.MoveNext
Wend
Rs.Close

'Send admin email report
If Not strAdminMailBody = &quot;&quot; Then
	strAdminMailBody = strAdminMailBody &amp; &quot;&lt;br&gt;Done.&lt;br&gt;&quot;
Else
	strAdminMailBody = &quot;No mailboxes needed updating.&quot;
End If
SendEmail strAdminMailRecip, strAdminMailSubject, strAdminMailBody

Set conn = Nothing
Set com = Nothing

Function dofreebusy(serverName, mailboxName)
	'Set Default permission to Reviewer
	Set objSession = CreateObject(&quot;MAPI.Session&quot;)
	objSession.Logon &quot;&quot;,&quot;&quot;,false,true,0,true,servername &amp; vbLF &amp; mailboxname
	Set CdoInfoStore = objSession.GetInfoStore
	Set CdoFolderRoot = CdoInfoStore.RootFolder
	Set ACLObj = CreateObject(&quot;MSExchange.aclobject&quot;)
	Set CdoCalendar = objSession.GetDefaultFolder(CdoDefaultFolderCalendar)
	ACLObj.CdoItem = CdoCalendar
	Set FolderACEs = ACLObj.ACEs
	For each fldACE in FolderACEs
		If fldACE.ID = &quot;ID_ACL_DEFAULT&quot; Then
			fldACE.Rights = 1025
			ACLObj.Update
		End If
	Next
 
	'Set local FreeBusy folder permission to Editor
	Set objRoot = objSession.GetFolder(&quot;&quot;)
	Set objFreeBusyFolder = objRoot.Folders.Item(&quot;FreeBusy Data&quot;)
	ACLObj.CdoItem = objFreeBusyFolder
	Set FolderACEs = ACLObj.ACEs
	For each fldACE in FolderACEs
		If fldACE.ID = &quot;ID_ACL_DEFAULT&quot; Then
		fldACE.Rights = 1123
		ACLObj.Update
		End If
	Next
End function

'Write notation tag into attribute
Sub WriteTag()
	If IsNull(objUser.Get(strAttName)) or IsEmpty(objUser.Get(strAttName)) Then
		objUser.Put strAttName, strAttNote &amp; &quot;;&quot;
	Else
		Dim strExistAttName
		strExistAttName = objUser.Get(strAttName)
		objUser.Put strAttName, strExistAttName &amp; strAttNote &amp; &quot;;&quot;
	End If
	objUser.SetInfo
End Sub

'Send change notification and report
Sub SendEmail (strRecipAddress, strMailSubject, strMailBody)
	Dim objMail
	Set objMail = CreateObject(&quot;CDO.Message&quot;)
	objMail.Configuration.Fields.Item (&quot;<a href="http://schemas.microsoft.com/cdo/configuration/sendusing">http://schemas.microsoft.com/cdo/configuration/sendusing</a>&quot;) = 2
	objMail.Configuration.Fields.Item (&quot;<a href="http://schemas.microsoft.com/cdo/configuration/smtpserver">http://schemas.microsoft.com/cdo/configuration/smtpserver</a>&quot;) = strSMTPServer
	objMail.Configuration.Fields.Item (&quot;<span class="removed_link" title="http://schemas.microsoft.com/cdo/configuration/smtpserverport"></span>&quot;) = 25
	objMail.Configuration.Fields.Update</p><p> objMail.From = strMailFrom
	objMail.To = strRecipAddress
	objMail.Subject = strMailSubject
	objMail.HTMLBody = strMailBody
	objMail.Send
	Set objMail = Nothing
End Sub

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

Option Explicit

Public Const CdoDefaultFolderCalendar = 0

Dim strSMTPServer, strMailFrom, strUserMailSubject, strUserMailBody

Dim strAdminMailRecip, strAdminMailSubject, strAdminMailBody

Dim strDefaultNamingContext, strQueryFilter, strAttName, strAttNote

Dim conn, com, iAdRootDSE, strNamingContext

Dim Rs, objGroup, strMember, objUser, strMsExchHomeServerName

Dim objSession, CdoInfoStore, CdoFolderRoot, ACLObj, CdoCalendar, FolderACEs, fldACE

Dim objRoot, objFreeBusyFolder

'Configuration parameters:

''''''''''''''''''''''''''''''''''''''''''''''

'Email notification configuration

strSMTPServer = "server.company.com" 'FQDN of SMTP server

strMailFrom = """Display Name"" <a href="mailto:SMTPAddress@company.com">SMTPAddress@company.com</a>" ' Display name and address of sender

strUserMailSubject = "The default permission on your calendar has been updated" 'Subject of message sent to users

strUserMailBody = "In order to promote effective collaboration among the Company " & _

"employees, the Default permission on your calendar has been updated to Reviewer. This allows anyone within the organization " & _

"to see the details of items within your calendar. For items that are of a sensitive, confidential, or personal nature, " & _

"you can mark them as Private. This will restrict the details of the item so that others cannot see the subject or body. " & _

"If you have any questions about this change, please reply to this message or contact the Help Desk at XXXX. " & _

"Company Messaging and Collaboration Team (GAL Display Name) Department Company" 'Body of message sent to users

strAdminMailRecip = "<a href="mailto:SMTPAddress@company.com">SMTPAddress@company.com</a>" 'Address of admin to receive status report

strAdminMailSubject = "Default calendar permission change report" 'Subject of message sent to admin

'Domain to search for object

strDefaultNamingContext = "dc=company,dc=com" 'AD FQDN of base scope to search

'Search filter for group with users

strQueryFilter = "(&(objectcategory=group)(displayName=something))" 'LDAP filter to locate group with members to modify'Attribute and notation for updated objects

strAttName = "extensionAttribute4" 'defined for a single-valued string attribute

strAttNote = "DefaultCalSet" 'Notation used to skip processed users on future script runs

''''''''''''''''''''''''''''''''''''''''''''''

strAdminMailBody = ""

Set conn = createobject("ADODB.Connection")

Set com = createobject("ADODB.Command")

Set iAdRootDSE = GetObject("<a href="ldap://RootDSE">LDAP://RootDSE</a>")

strNamingContext = iAdRootDSE.Get("configurationNamingContext")

Conn.Provider = "ADsDSOObject"

Conn.Open "ADs Provider"

Com.ActiveConnection = Conn

com.Properties("Page Size") = 1000

Com.CommandText = "<GC://" & strDefaultNamingContext & ">;" & StrQueryFilter & ";distinguishedname;subtree"

Set Rs = Com.Execute

While Not Rs.EOF

Set objGroup = GetObject("LDAP://" & Rs.fields("distinguishedname"))

For each strMember in objGroup.Member

Set objUser = GetObject("LDAP://" & strMember)

If InStr(objUser.Get(strAttName), strAttNote) < 1 Then

strAdminMailBody = strAdminMailBody & objUser.displayName & " "

If objUser.Class = "user" And Not IsNull(objUser.msExchHomeServerName) And Not UCase(objUser.msExchHidefromAddressLists) = "TRUE" Then

strMsExchHomeServerName = objUser.msExchHomeServerName

strMsExchHomeServerName = right(strMsExchHomeServerName,len(strMsExchHomeServerName)-instrrev(strMsExchHomeServerName,"/cn=")-3)

strAdminMailBody = strAdminMailBody & "&nbsp;&nbsp;&nbsp;&nbsp;" & strMsExchHomeServerName & " "

Call dofreebusy(strMsExchHomeServerName, objUser.mailNickname)

strAdminMailbody = strAdminMailBody & "&nbsp;&nbsp;&nbsp;&nbsp;Permission set on: " & objUser.mailNickname & " "

WriteTag

SendEmail objUser.mail, strUserMailSubject, strUserMailBody

Else

strAdminMailBody = strAdminMailBody & "&nbsp;&nbsp;&nbsp;&nbsp;Skipping object "

End If

Rs.MoveNext

Wend

Rs.Close

'Send admin email report

If Not strAdminMailBody = "" Then

strAdminMailBody = strAdminMailBody & " Done. "

Else

strAdminMailBody = "No mailboxes needed updating."

End If

SendEmail strAdminMailRecip, strAdminMailSubject, strAdminMailBody

Set conn = Nothing

Set com = Nothing

Function dofreebusy(serverName, mailboxName)

'Set Default permission to Reviewer

Set objSession = CreateObject("MAPI.Session")

objSession.Logon "","",false,true,0,true,servername & vbLF & mailboxname

Set CdoInfoStore = objSession.GetInfoStore

Set CdoFolderRoot = CdoInfoStore.RootFolder

Set ACLObj = CreateObject("MSExchange.aclobject")

Set CdoCalendar = objSession.GetDefaultFolder(CdoDefaultFolderCalendar)

ACLObj.CdoItem = CdoCalendar

Set FolderACEs = ACLObj.ACEs

For each fldACE in FolderACEs

If fldACE.ID = "ID_ACL_DEFAULT" Then

fldACE.Rights = 1025

ACLObj.Update

End If

'Set local FreeBusy folder permission to Editor

Set objRoot = objSession.GetFolder("")

Set objFreeBusyFolder = objRoot.Folders.Item("FreeBusy Data")

ACLObj.CdoItem = objFreeBusyFolder

Set FolderACEs = ACLObj.ACEs

For each fldACE in FolderACEs

If fldACE.ID = "ID_ACL_DEFAULT" Then

fldACE.Rights = 1123

ACLObj.Update

End If

End function

'Write notation tag into attribute

Sub WriteTag()

If IsNull(objUser.Get(strAttName)) or IsEmpty(objUser.Get(strAttName)) Then

objUser.Put strAttName, strAttNote & ";"

Else

Dim strExistAttName

strExistAttName = objUser.Get(strAttName)

objUser.Put strAttName, strExistAttName & strAttNote & ";"

End If

objUser.SetInfo

End Sub

'Send change notification and report

Sub SendEmail (strRecipAddress, strMailSubject, strMailBody)

Dim objMail

Set objMail = CreateObject("CDO.Message")

objMail.Configuration.Fields.Item ("<a href="http://schemas.microsoft.com/cdo/configuration/sendusing">http://schemas.microsoft.com/cdo/configuration/sendusing</a>") = 2

objMail.Configuration.Fields.Item ("<a href="http://schemas.microsoft.com/cdo/configuration/smtpserver">http://schemas.microsoft.com/cdo/configuration/smtpserver</a>") = strSMTPServer

objMail.Configuration.Fields.Item ("") = 25

objMail.Configuration.Fields.Update objMail.From = strMailFrom

objMail.To = strRecipAddress

objMail.Subject = strMailSubject

objMail.HTMLBody = strMailBody

objMail.Send

Set objMail = Nothing

End Sub

Script to disable Exchange ActiveSync for unauthorized users

Posted on June 1, 2006 by Scott — 1 Comment ↓

By default, users have all mobile services enabled (OMA, EAS including AUTD/DP). This is a pain in my environment because only authorized users are allowed to use EAS (to ensure only approved devices procured through proper channels are used). OMA, being similar to OWA, is allowed for everyone.

I had written a batch file long ago to change the bitmask attribute for users whose mobile services are enabled for everything (0) and are not in the appropriate DL of authorized users to disable only EAS (5). It was an inefficient script that required explicit permissions for each domain, called a command-line regex tool to format the ldifde export, and was prone to errors.

This updated script accomplishes the same thing, but more efficiently. It processes all users at one time (inside a for loop) and uses implicit permissions. It even emails the results of the number of users modified. The script is customized for my environment, but you can tweak it as necessary.

I have five user domains, but the DLs for authorization are in one domain. I wanted it to be as dynamic as possible, but balancing that with all the extra code necessary to make every piece not rely on hard-coded information. So you need to provide mail config information, the NetBIOS domain names you want to loop through, and the dn of the groups for each user domain. The GC to search and the DC to make the change to will be determined automatically.

Download it here or copy below.

Option Explicit

Dim mailFrom, mailTo, mailSubject, mailBody, mailServer
Dim objConnection, objCommand, objRecordSet, objUser, objGC, objDomain
Dim strGCPath, strNBDomain, strdomain, arrDomains, strCount
dim strSearchFilter, strEASDL, strDomainPath
strCount = ""

'Mail config
mailFrom = Wscript.ScriptName & "@company.com"
mailTo = "user@company.com"
mailSubject = "EAS Disable Results"
mailBody = ""
mailServer = "server.company.com"

'AD connection parameters
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

'Get FQDN of a GC
Set objGC = GetObject("GC://RootDSE")
strGCPath = objGC.Get("dnsHostName")

'Query each domain and call disable subroutine
arrDomains = array("domainA", "domainB", "domainC", "domainD", "domainE")
For each strDomain in arrDomains
	subOMADisable strdomain
Next

'Email results
Call subSendMail(mailFrom, mailTo, mailSubject, strCount, mailServer)

'Sub to change attribute value
Sub subOMADisable(strNBDomain)
	'Get base DN of domain
	Set objDomain = GetObject("LDAP://" & strNBDomain & "/RootDSE")
	strDomainPath = objDomain.Get("DefaultNamingContext")
	Set objDomain = Nothing

	Select Case strNBDomain
		Case "domainA"
			strEASDL = "dn of groupA"
		Case "domainB"
			strEASDL = "dn of groupB"
		Case "domainC"
			strEASDL = "dn of groupC"
		Case "domainD"
			strEASDL = "dn of groupD"
		Case "domainE"
			strEASDL = "dn of groupE"
	End Select
	strSearchFilter="(&(objectcategory=user)(mailnickname=*)(homeMDB=*)(!memberof=" & strEASDL & ")(!msExchOMAAdminWirelessEnable=5))"
	objCommand.CommandText = "&lt;GC://" & strGCPath & "/" & strDomainPath & "&gt;;" & strSearchFilter & ";distinguishedname;subtree"
	Set objRecordSet = objCommand.Execute
	If objRecordSet.RecordCount &gt; 0 Then
		While Not objRecordSet.EOF
			Set objUser = GetObject("LDAP://" & objRecordSet.Fields("distinguishedname"))
			'wscript.echo objUser.DisplayName
			objUser.Put "msExchOMAAdminWirelessEnable", "5"
			objUser.SetInfo
			objRecordSet.MoveNext
		Wend
	End If
	strCount = strCount & vbTAB & strNBDomain & ": " & objRecordSet.RecordCount & vbCRLF
End Sub

'Sub to send email with results
Sub subSendMail (mFrom, mTo, mSubject, mBody, mServer)
	Dim objEmail
	Set objEmail = CreateObject("CDO.Message")
	objEmail.From = mFrom
	objEmail.To = mTo
	objEmail.Subject = mSubject
	objEmail.Textbody = "Objects modified in each domain:" & vbCRLF &vbCRLF & mBody
	objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
	objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = mServer 
	objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
	objEmail.Configuration.Fields.Update
	objEmail.Send
End Sub

'Cleanup
Set objUser = Nothing
Set objCommand = Nothing
Set objGC = Nothing
Set objConnection = Nothing

Option Explicit

Dim mailFrom, mailTo, mailSubject, mailBody, mailServer

Dim objConnection, objCommand, objRecordSet, objUser, objGC, objDomain

Dim strGCPath, strNBDomain, strdomain, arrDomains, strCount

dim strSearchFilter, strEASDL, strDomainPath

strCount = ""

'Mail config

mailFrom = Wscript.ScriptName & "@company.com"

mailTo = "user@company.com"

mailSubject = "EAS Disable Results"

mailBody = ""

mailServer = "server.company.com"

'AD connection parameters

Set objConnection = CreateObject("ADODB.Connection")

objConnection.Open "Provider=ADsDSOObject;"

Set objCommand = CreateObject("ADODB.Command")

objCommand.ActiveConnection = objConnection

'Get FQDN of a GC

Set objGC = GetObject("GC://RootDSE")

strGCPath = objGC.Get("dnsHostName")

'Query each domain and call disable subroutine

arrDomains = array("domainA", "domainB", "domainC", "domainD", "domainE")

For each strDomain in arrDomains

subOMADisable strdomain

'Email results

Call subSendMail(mailFrom, mailTo, mailSubject, strCount, mailServer)

'Sub to change attribute value

Sub subOMADisable(strNBDomain)

'Get base DN of domain

Set objDomain = GetObject("LDAP://" & strNBDomain & "/RootDSE")

strDomainPath = objDomain.Get("DefaultNamingContext")

Set objDomain = Nothing

Select Case strNBDomain

Case "domainA"

strEASDL = "dn of groupA"

Case "domainB"

strEASDL = "dn of groupB"

Case "domainC"

strEASDL = "dn of groupC"

Case "domainD"

strEASDL = "dn of groupD"

Case "domainE"

strEASDL = "dn of groupE"

End Select

strSearchFilter="(&(objectcategory=user)(mailnickname=*)(homeMDB=*)(!memberof=" & strEASDL & ")(!msExchOMAAdminWirelessEnable=5))"

objCommand.CommandText = "<GC://" & strGCPath & "/" & strDomainPath & ">;" & strSearchFilter & ";distinguishedname;subtree"

Set objRecordSet = objCommand.Execute

If objRecordSet.RecordCount > 0 Then

While Not objRecordSet.EOF

Set objUser = GetObject("LDAP://" & objRecordSet.Fields("distinguishedname"))

'wscript.echo objUser.DisplayName

objUser.Put "msExchOMAAdminWirelessEnable", "5"

objUser.SetInfo

objRecordSet.MoveNext

Wend

End If

strCount = strCount & vbTAB & strNBDomain & ": " & objRecordSet.RecordCount & vbCRLF

End Sub

'Sub to send email with results

Sub subSendMail (mFrom, mTo, mSubject, mBody, mServer)

Dim objEmail

Set objEmail = CreateObject("CDO.Message")

objEmail.From = mFrom

objEmail.To = mTo

objEmail.Subject = mSubject

objEmail.Textbody = "Objects modified in each domain:" & vbCRLF &vbCRLF & mBody

objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2

objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = mServer

objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25

objEmail.Configuration.Fields.Update

objEmail.Send

End Sub

'Cleanup

Set objUser = Nothing

Set objCommand = Nothing

Set objGC = Nothing

Set objConnection = Nothing

Use Outlook rules to delete public folder conflict messages

Posted on February 27, 2006 by Scott — No Comments ↓

I am in a DL that has explicit ownership permissions on all public folders in my org (all 22,881 of them). And since Exchange sends public folder conflict messages to the owner(s) of a folder, I get quite a few of them. At one time I thought I had a rule to move or delete them, but I couldn’t get it to work when I tried to set it up again. Because the message class is different (IPM.Conflict.Folder) you don’t get to see the same fields as a regular message. Rules to delete them based on words in the sender’s address, etc., had no effect, partly because the sender is the name of the folder that has the conflict, so it is a dynamic value.

Using MFCMapi to look at the properties of a conflict message, there are several properties that you’d think you could use, but when setting up a rule to use properties of the conflict message form, none of he properties are available. And if you manually type in property name it gives you an error.

In the end, I tried setting the rule again to fire on subject contains "Conflict Message:" and it worked. Huh. So who knows what I was doing wrong before? You can also have the rule fire if the message form is "Conflict Message."

Send email notification for password expiration to “remote” users

Posted on September 19, 2005 by Scott — 10 Comments ↓

Over on Michael Smith’s blog, he has a script to notify users when their password is about to expire. This is handy for Exchange users who never log in to the network because they are offsite or on an extranet (i.e., POP3/IMAP4/RPC-HTTP users). It will crawl an OU and check the days until expiration and, if less than a variable you set, send an email via CDO.

However, at my office we don’t have these kinds of users in one OU. They are spread across multiple domains, but are all in a local group that has permission to a web page that allows them to change their password. So I updated the script to enumerate the members of this group. To accommodate different password aging settings in each domain I moved the domain query for this setting into the For loop. I also added logging so you will have a record of what was sent, not sent, and why. This way you can schedule it or run it interactively without having to adjust the code. Download it here, or copy below.

Option Explicit

' Per environment constants - you should change these
Const SMTP_SERVER  = "ServerName"
Const STRFROM   = "From SMTP Address"
Const DAYS_FOR_EMAIL  = 14 'Send notification when pwd will expire in this number of days
Const GROUPDN = "DN of group to enumerate"
Const LOGFILE = "Patch and filename of log file"

' System Constants - do not change
Const ONE_HUNDRED_NANOSECOND    = .000000100   ' .000000100 is equal to 10^-7
Const SECONDS_IN_DAY            = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &amp;h10000
Const E_ADS_PROPERTY_NOT_FOUND  = &amp;h8000500D

' Change to "True" for extensive debugging output
Const bDebug   = False

Dim numDays, iResult
Dim strDomain
Dim objGroup, objMember, member
Dim objFSO, objFile, strOutput

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(LOGFILE, 8, True)

Set objGroup = GetObject("LDAP://" &amp; GROUPDN)
objFile.WriteLine "Executed at " &amp; Now() &amp; vbCRLF
objFile.WriteLine "Enumerating members of " &amp; objGroup.distinguishedName &amp; ":" &amp; vbCRLF
For each member in objGroup.member
	Set objMember = GetObject("LDAP://" &amp; member)
	objFile.WriteLine objMember.distinguishedname
	strDomain = Mid(objMember.distinguishedname, InStr(objMember.distinguishedname, "DC="))
	numdays = GetMaximumPasswordAge (strDomain)
	Call ProcessUser (numDays)
Next

objFile.WriteLine "Done. Finished at " &amp; Now() &amp; "."
objFile.Close

Function GetMaximumPasswordAge (ByVal strDomainDN)
	Dim objDomain, objMaxPwdAge
	Dim dblMaxPwdNano, dblMaxPwdSecs, dblMaxPwdDays

	Set objDomain = GetObject("LDAP://" &amp; strDomainDN)
	Set objMaxPWdAge = objDomain.maxPwdAge

	If objMaxPwdAge.LowPart = 0 And objMaxPwdAge.Highpart = 0 Then
		' Maximum password age is set to 0 in the domain
		' Therefore, passwords do not expire
		GetMaximumPasswordAge = 0
	Else
		dblMaxPwdNano = Abs (objMaxPwdAge.HighPart * 2^32 + objMaxPwdAge.LowPart)
		dblMaxPwdSecs = dblMaxPwdNano * ONE_HUNDRED_NANOSECOND
		dblMaxPwdDays = Int (dblMaxPwdSecs / SECONDS_IN_DAY)
		GetMaximumPasswordAge = dblMaxPwdDays
	End If
End Function

Function UserIsExpired (objMember, iMaxAge, iDaysForEmail, iRes)
	Dim intUserAccountControl, dtmValue, intTimeInterval
	Dim strName
	On Error Resume Next
	Err.Clear
	strName = Mid (objMember.Name, 4)
	intUserAccountControl = objMember.Get ("userAccountControl")

	If intUserAccountControl And ADS_UF_DONT_EXPIRE_PASSWD Then
		dp "The password for " &amp; strName &amp; " does not expire."
		UserIsExpired = False
	Else
		iRes = 0
		dtmValue = objMember.PasswordLastChanged
		If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
			UserIsExpired = True
			dp "The password for " &amp; strName &amp; " has never been set."
		Else
			intTimeInterval = Int (Now - dtmValue)
			dp "The password for " &amp; strName &amp; " was last set on " &amp; _
			DateValue(dtmValue) &amp; " at " &amp; TimeValue(dtmValue) &amp; _
			" (" &amp; intTimeInterval &amp; " days ago)"
			If intTimeInterval &gt;= iMaxAge Then
				dp "The password for " &amp; strName &amp; " has expired."
				UserIsExpired = True
			Else
				iRes = Int ((dtmValue + iMaxAge) - Now)
				dp "The password for " &amp; strName &amp; " will expire on " &amp; _
				DateValue(dtmValue + iMaxAge) &amp; " (" &amp; _
				iRes &amp; " days from today)."
				If iRes &lt;= iDaysForEmail Then
					dp strName &amp; " needs an email for password change"
					UserIsExpired = True
				Else
					dp strName &amp; " does not need an email for password change"
					'Swap commented variable below to force email to be sent (for testing).
					UserIsExpired = False
					'UserIsExpired = True
				End If
			End If
		End If
	End If
End Function

Sub ProcessUser (iMaxPwdAge)
	Dim iResult, strExpire
	If Right (objMember.Name, 1) &lt;&gt; "$" Then
		If IsEmpty (objMember.Mail) or IsNull  (objMember.Mail) Then
			dp Mid (objMember.Name, 4) &amp; " has no mailbox"
		Else
			If UserIsExpired (objMember, iMaxPwdAge, DAYS_FOR_EMAIL, iResult) Then
				objFile.WriteLine "Sending an email to " &amp; objMember.givenName &amp; " " &amp; objMember.sn &amp; _
				" (" &amp; objMember.Mail &amp; ").  Password expires in " &amp; iResult &amp; " days." &amp; vbCRLF
				Call SendEmail (iResult)
			Else
				If iResult = "" Then
					strExpire = "."
				Else
					strExpire = " for " &amp; iResult &amp; " days."
				End If
				objFile.WriteLine "Skipping " &amp; objMember.givenName &amp; " " &amp; objMember.sn &amp; _
				". Password does not expire" &amp; strExpire &amp; vbCRLF
			End If
		End If
	End If
End Sub

Sub SendEmail (iResult)
	Dim objMail
	Set objMail = CreateObject ("CDO.Message")
	objMail.Configuration.Fields.Item ("<a href="http://schemas.microsoft.com/cdo/configuration/sendusing">http://schemas.microsoft.com/cdo/configuration/sendusing</a>")      = 2
	objMail.Configuration.Fields.Item ("<a href="http://schemas.microsoft.com/cdo/configuration/smtpserver">http://schemas.microsoft.com/cdo/configuration/smtpserver</a>")     = SMTP_SERVER
	objMail.Configuration.Fields.Item ("<a href="http://schemas.microsoft.com/cdo/configuration/smtpserverport">http://schemas.microsoft.com/cdo/configuration/smtpserverport</a>") = 25
	objMail.Configuration.Fields.Update

	objMail.From = STRFROM
	objMail.To = objMember.Mail

	objMail.Subject = "The Windows password is going to expire for " &amp; Mid (objMember.Name, 4)
	objMail.Textbody = "The Windows Active Directory password for user " &amp; objMember.givenName &amp; " " &amp; objMember.sn &amp; _
	" (" &amp; objMember.sAMAccountName &amp; ")" &amp; " will expire in " &amp; iResult &amp; " days. " &amp; vbCRLF &amp; vbCRLF &amp; _
	"Please use Outlook Web Access (<a href="https://www.company.com">https://www.company.com</a>) to change it before it expires." &amp; vbCRLF &amp; vbCRLF &amp; _
	"Thank you," &amp; vbCRLF &amp; _
	"Company Exchange Team" &amp; vbCRLF &amp; vbCRLF &amp; _
	"Note: You have received this email because you are a member of a group that is authorized to change your " &amp; _
	"password via Outlook Web Access since you do not log in to the corporate network.  If this no longer applies to you, " &amp; _
	"please notify the Company Email Team (SMTPAddress) so you can be removed from the group."

	objMail.Send
	Set objMail = Nothing
End Sub

Sub dp (str)
	If bDebug Then
		objFile.WriteLine str
	End If
End Sub

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

Option Explicit

' Per environment constants - you should change these

Const SMTP_SERVER = "ServerName"

Const STRFROM = "From SMTP Address"

Const DAYS_FOR_EMAIL = 14 'Send notification when pwd will expire in this number of days

Const GROUPDN = "DN of group to enumerate"

Const LOGFILE = "Patch and filename of log file"

' System Constants - do not change

Const ONE_HUNDRED_NANOSECOND = .000000100 ' .000000100 is equal to 10^-7

Const SECONDS_IN_DAY = 86400

Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

' Change to "True" for extensive debugging output

Const bDebug = False

Dim numDays, iResult

Dim strDomain

Dim objGroup, objMember, member

Dim objFSO, objFile, strOutput

Set objFSO = CreateObject("Scripting.FileSystemObject")

Set objFile = objFSO.OpenTextFile(LOGFILE, 8, True)

Set objGroup = GetObject("LDAP://" & GROUPDN)

objFile.WriteLine "Executed at " & Now() & vbCRLF

objFile.WriteLine "Enumerating members of " & objGroup.distinguishedName & ":" & vbCRLF

For each member in objGroup.member

Set objMember = GetObject("LDAP://" & member)

objFile.WriteLine objMember.distinguishedname

strDomain = Mid(objMember.distinguishedname, InStr(objMember.distinguishedname, "DC="))

numdays = GetMaximumPasswordAge (strDomain)

Call ProcessUser (numDays)

objFile.WriteLine "Done. Finished at " & Now() & "."

objFile.Close

Function GetMaximumPasswordAge (ByVal strDomainDN)

Dim objDomain, objMaxPwdAge

Dim dblMaxPwdNano, dblMaxPwdSecs, dblMaxPwdDays

Set objDomain = GetObject("LDAP://" & strDomainDN)

Set objMaxPWdAge = objDomain.maxPwdAge

If objMaxPwdAge.LowPart = 0 And objMaxPwdAge.Highpart = 0 Then

' Maximum password age is set to 0 in the domain

' Therefore, passwords do not expire

GetMaximumPasswordAge = 0

Else

dblMaxPwdNano = Abs (objMaxPwdAge.HighPart * 2^32 + objMaxPwdAge.LowPart)

dblMaxPwdSecs = dblMaxPwdNano * ONE_HUNDRED_NANOSECOND

dblMaxPwdDays = Int (dblMaxPwdSecs / SECONDS_IN_DAY)

GetMaximumPasswordAge = dblMaxPwdDays

End If

End Function

Function UserIsExpired (objMember, iMaxAge, iDaysForEmail, iRes)

Dim intUserAccountControl, dtmValue, intTimeInterval

Dim strName

On Error Resume Next

Err.Clear

strName = Mid (objMember.Name, 4)

intUserAccountControl = objMember.Get ("userAccountControl")

If intUserAccountControl And ADS_UF_DONT_EXPIRE_PASSWD Then

dp "The password for " & strName & " does not expire."

UserIsExpired = False

Else

iRes = 0

dtmValue = objMember.PasswordLastChanged

If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then

UserIsExpired = True

dp "The password for " & strName & " has never been set."

Else

intTimeInterval = Int (Now - dtmValue)

dp "The password for " & strName & " was last set on " & _

DateValue(dtmValue) & " at " & TimeValue(dtmValue) & _

" (" & intTimeInterval & " days ago)"

If intTimeInterval >= iMaxAge Then

dp "The password for " & strName & " has expired."

UserIsExpired = True

Else

iRes = Int ((dtmValue + iMaxAge) - Now)

dp "The password for " & strName & " will expire on " & _

DateValue(dtmValue + iMaxAge) & " (" & _

iRes & " days from today)."

If iRes <= iDaysForEmail Then

dp strName & " needs an email for password change"

UserIsExpired = True

Else

dp strName & " does not need an email for password change"

'Swap commented variable below to force email to be sent (for testing).

UserIsExpired = False

'UserIsExpired = True

End If

End Function

Sub ProcessUser (iMaxPwdAge)

Dim iResult, strExpire

If Right (objMember.Name, 1) <> "$" Then

If IsEmpty (objMember.Mail) or IsNull (objMember.Mail) Then

dp Mid (objMember.Name, 4) & " has no mailbox"

Else

If UserIsExpired (objMember, iMaxPwdAge, DAYS_FOR_EMAIL, iResult) Then

objFile.WriteLine "Sending an email to " & objMember.givenName & " " & objMember.sn & _

" (" & objMember.Mail & "). Password expires in " & iResult & " days." & vbCRLF

Call SendEmail (iResult)

Else

If iResult = "" Then

strExpire = "."

Else

strExpire = " for " & iResult & " days."

End If

objFile.WriteLine "Skipping " & objMember.givenName & " " & objMember.sn & _

". Password does not expire" & strExpire & vbCRLF

End If

End Sub

Sub SendEmail (iResult)

Dim objMail

Set objMail = CreateObject ("CDO.Message")

objMail.Configuration.Fields.Item ("<a href="http://schemas.microsoft.com/cdo/configuration/sendusing">http://schemas.microsoft.com/cdo/configuration/sendusing</a>") = 2

objMail.Configuration.Fields.Item ("<a href="http://schemas.microsoft.com/cdo/configuration/smtpserver">http://schemas.microsoft.com/cdo/configuration/smtpserver</a>") = SMTP_SERVER

objMail.Configuration.Fields.Item ("<a href="http://schemas.microsoft.com/cdo/configuration/smtpserverport">http://schemas.microsoft.com/cdo/configuration/smtpserverport</a>") = 25

objMail.Configuration.Fields.Update

objMail.From = STRFROM

objMail.To = objMember.Mail

objMail.Subject = "The Windows password is going to expire for " & Mid (objMember.Name, 4)

objMail.Textbody = "The Windows Active Directory password for user " & objMember.givenName & " " & objMember.sn & _

" (" & objMember.sAMAccountName & ")" & " will expire in " & iResult & " days. " & vbCRLF & vbCRLF & _

"Please use Outlook Web Access (<a href="https://www.company.com">https://www.company.com</a>) to change it before it expires." & vbCRLF & vbCRLF & _

"Thank you," & vbCRLF & _

"Company Exchange Team" & vbCRLF & vbCRLF & _

"Note: You have received this email because you are a member of a group that is authorized to change your " & _

"password via Outlook Web Access since you do not log in to the corporate network. If this no longer applies to you, " & _

"please notify the Company Email Team (SMTPAddress) so you can be removed from the group."

objMail.Send

Set objMail = Nothing

End Sub

Sub dp (str)

If bDebug Then

objFile.WriteLine str

End If

End Sub

sidefumbling

The consequence of not having six hydrocoptic marzelvanes fitted to the ambifacient lunar waneshaft.

Category Archives: Exchange 2007

Quick and dirty script to copy DLs from one user to another

Updated Exchange ActiveSync disable script

Change users’ default calendar permission (and email the users and admin)

Script to disable Exchange ActiveSync for unauthorized users

Use Outlook rules to delete public folder conflict messages

Send email notification for password expiration to “remote” users