Josh's IT-Blog

Information Technology, and other interesting things …

Remove all disabled users from distribution lists

Posted on 23. June 2011 / 14. July 2011 by Burkard Josh
Active Directory, Windows 2008 R2

Because of company policy, we don't delete the accounts of users who are leaving; we disable them instead. The Exchange mailbox is removed after some months. For this, incoming mail has to be forwarded to an Exchange contact with an unresolvable address, so that the sender receives an error message.

Because of this, we need to remove the disabled users from all distribution lists. Otherwise, senders receive an error message each time a message is sent to a distribution list that contains disabled users.

To automate this, I wrote a script. You can filter it by OU and run it in a display-only mode first, before you actually remove the disabled users from all distribution lists.

You can download the script RemoveDisabledUsers.vbs or copy/paste it from here:

' ===========================================================================================
'
'   Script Information
'
'   Title:              RemoveDisabledUsers.vbs
'   Author:             Josh Burkard
'   Date:               23.06.2011
'   Description:        - displays or removes disabled users from all distribution lists
'                       - you can filter the output / removal by User-OU
'                       - to remove users from AD, you need to start the script with an
'                         administrator account
'
'   Startup:            only display disabled users in distribution lists:
'                       --------------------------------------------------
'                            cscript RemoveDisabledUsers.vbs
'
'                       remove disabled users from distribution lists:
'                       ----------------------------------------------
'                            cscript RemoveDisabledUsers.vbs remove
'
' ===========================================================================================

' If true, only users located in one of the OUs listed below are processed:
booFilterOUs = true
' User OUs (this array is ignored if booFilterOUs is false):
strOUs = Array (	"OU=OU1,DC=domain,DC=local", _
					"OU=OU2,DC=domain,DC=local", _
					"OU=OU3,DC=domain,DC=local")

if wscript.arguments.length = 0 then
	wscript.echo "Display Mode"
	wscript.echo "To remove these users from distribution lists, start the script with parameter 'remove'."
else
	if lcase(wscript.arguments(0)) = "remove" then
		mode = "remove"
		wscript.echo "Remove Mode"
	else
		wscript.echo "Display Mode"
		wscript.echo "To remove these users from distribution lists, start the script with parameter 'remove'."
	end if
end if
wscript.echo
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
set conn1 = createobject("ADODB.Connection")
strConnString = "Data Provider=NONE; Provider=MSDataShape"
conn1.Open strConnString
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
strDefaultNamingContext = iAdRootDSE.Get("defaultNamingContext")
set objParentRS = createobject("adodb.recordset")
set objChildRS = createobject("adodb.recordset")
strSQL = "SHAPE APPEND" & _
			"  NEW adVarChar(255) AS GRPDisplayName, " & _
			"  NEW adVarChar(255) AS GRPDN, " & _
			" ((SHAPE APPEND  " & _
			"      NEW adVarChar(255) AS USDisplayName, " & _
			"      NEW adVarChar(255) AS USDN, " & _
			"      NEW adVarChar(255) AS USGRPDisplayName, " & _
			"      NEW adVarChar(255) AS USGRPDN " & _
			")" & _
			"      RELATE GRPDN TO USGRPDN) AS rsGRPUS "
objParentRS.LockType = 3
objParentRS.Open strSQL, conn1
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"

' Read distribution lists from AD
GALQueryFilter =  "(&(mailnickname=*)(|(objectCategory=group)))"
strQuery = "<LDAP://"  & strDefaultNamingContext & ">;" & GALQueryFilter & ";distinguishedName,displayname,legacyExchangeDN,homemdb;subtree"
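Com.ActiveConnection = Conn
' Request paged results so the search is not cut off at the server's result size limit
Com.Properties("Page Size") = 1000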
Com.CommandText = strQuery
Set Rs = Com.Execute
while not rs.eof
	objParentRS.addnew
	objParentRS("GRPDisplayName") = rs.fields("displayname")
	objParentRS("GRPDN") = rs.fields("distinguishedName")
	objParentRS.update
	rs.movenext
wend

' Read users from AD
GALQueryFilter = "(&(&(mailnickname=*)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2)))"
strQuery = "<LDAP://"  & strDefaultNamingContext & ">;" & GALQueryFilter & ";distinguishedName,displayname,legacyExchangeDN,homemdb;subtree"
Com.ActiveConnection = Conn
Com.CommandText = strQuery
Set Rs1 = Com.Execute
Set objChildRS = objParentRS("rsGRPUS").Value
while not rs1.eof
	if instr(rs1.fields("displayname"),"SystemMailbox{") = 0 then
		set objuser = getobject("LDAP://" & replace(rs1.fields("distinguishedName"),"/","\/"))

		' Check if user is in one of the defined OU's
		If booFilterOUs = true then
			booOU = false
			For Each strOU In strOUs
				If instr(lcase(objuser.distinguishedName), lcase(strOU)) Then
					booOU = true
				End If
			Next
		end if

		If (booOU = true) or (booFilterOUs = false) then
			For each objgroup in objuser.groups
				objChildRS.addnew
				objChildRS("USDisplayName") = rs1.fields("displayname")
				objChildRS("USDN") = rs1.fields("distinguishedName")
				objChildRS("USGRPDisplayName") = objgroup.name
				objChildRS("USGRPDN") = objgroup.distinguishedName
				objChildRS.update
			Next
		End If
	end if
	rs1.movenext
wend

' Output of Groups and Users
objParentRS.MoveFirst
wscript.echo "GroupName,Disabled User's Name"
wscript.echo
Do While Not objParentRS.EOF
	Set objChildRS = objParentRS("rsGRPUS").Value
    if objChildRS.recordCount <> 0 then
		Do While Not objChildRS.EOF
			Wscript.echo objParentRS.fields("GRPDisplayName") & ", " & objChildRS.fields("USDisplayName")

			if mode = "remove" then
				' Removing users from groups
				set objgroup = getobject("LDAP://" & replace(objChildRS.fields("USGRPDN"),"/","\/"))
				Set objUser = getobject("LDAP://" & replace(objChildRS.fields("USDN"),"/","\/"))
				objGroup.Remove(objUser.AdsPath)
				objgroup.setinfo
				wscript.echo "User-Removed"
			end if
			objChildRS.MoveNext
		loop
	end if
	objParentRS.MoveNext
Loop
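
The same display/remove procedure as a PowerShell sketch, added here as an example and not part of the original script. It assumes the ActiveDirectory module (RSAT) is installed and uses placeholder OU DNs; it also lists distribution lists whose managedBy still points at a disabled account, which the VBScript does not touch.

```powershell
# Added example (not the original script). Requires the ActiveDirectory module (RSAT).
# Run with -WhatIf for display-only mode; the OU DNs below are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$SearchBase = @('OU=OU1,DC=domain,DC=local', 'OU=OU2,DC=domain,DC=local')
)
Import-Module ActiveDirectory

# Same LDAP filters as the VBScript: mail-enabled groups, and mail-enabled
# person objects with the ACCOUNTDISABLE bit (0x2) set in userAccountControl.
$groupFilter = '(&(mailNickname=*)(objectCategory=group))'
$userFilter  = '(&(mailNickname=*)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))'

# Index the mail-enabled groups by DN (hashtable keys compare case-insensitively).
$groups = @{}
Get-ADGroup -LDAPFilter $groupFilter -Properties displayName, managedBy |
    ForEach-Object { $groups[$_.DistinguishedName] = $_ }

$disabledUsers = @{}
foreach ($ou in $SearchBase) {
    $users = Get-ADUser -LDAPFilter $userFilter -SearchBase $ou -SearchScope Subtree -Properties displayName, memberOf
    foreach ($user in $users) {
        if ($user.displayName -like '*SystemMailbox{*') { continue }   # skipped by the VBScript as well
        $disabledUsers[$user.DistinguishedName] = $user
        # memberOf holds the direct memberships, which are the ones to remove.
        foreach ($groupDn in $user.memberOf) {
            if (-not $groups.ContainsKey($groupDn)) { continue }       # not a mail-enabled group
            $target = '{0}, {1}' -f $groups[$groupDn].displayName, $user.displayName
            if ($PSCmdlet.ShouldProcess($target, 'Remove disabled user from distribution list')) {
                Remove-ADGroupMember -Identity $groupDn -Members $user.DistinguishedName -Confirm:$false
            }
        }
    }
}

# Report only: distribution lists still owned (managedBy) by a disabled user.
foreach ($group in $groups.Values) {
    if ($group.managedBy -and $disabledUsers.ContainsKey($group.managedBy)) {
        [pscustomobject]@{
            Group         = $group.Name
            DisabledOwner = $disabledUsers[$group.managedBy].Name
        }
    }
}
```

Without -WhatIf the memberships are removed; ownership is only reported, so reassigning managedBy stays a manual decision.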

Tags: Active Directory VBScript

9 thoughts on “Remove all disabled users from distribution lists”

  1. Jose says:
    14. July 2011 at 08:06

    Hi,
    I’m looking for something similar. In my case I want to search for disabled users who are owners of distribution list so we can change ownership.

    Any help is appreciated.

    1. Josh Burkard says:
      14. July 2011 at 10:38

      Hello Jose

      You can run the script like this:
      cscript RemoveDisabledUsers.vbs > list.txt
      Then you will get a text file with all disabled users that are in distribution lists.

  2. Jose says:
    14. July 2011 at 22:04

    After running I got an error: “The size limit for this request has exceeded”.
    Will the script actually remove the owner of the DL? Because even after we remove disabled accounts from DL’s a Disabled user can still be the owner of it.

    1. Josh Burkard says:
      26. July 2011 at 07:47

      Hello Jose
      By default there is a limit in Active Directory for 10000 objects per search. You can split your search to different OUs or increase the limit, see http://www.petri.co.il/active_directory_search_limit.htm (sorry, but I didn’t test it)

  3. Chris says:
    26. July 2011 at 04:27

    Josh.

    Great script.

    I’d like to use this script while my help desk staff are disabling user accounts via Active Directory Users and Computers. So, rather than searching for all users, I’d like to have this as part of the process for the currently selected user.

    Similar to this; http://deenaik.blogspot.com/2009/11/add-custom-field-to-aduc-employee-id.html

    I’ve tried to manipulate the script, but it seems to error out.

    Any ideas/suggestions?

    1. Josh Burkard says:
      26. July 2011 at 07:48

      What kind of error do you get?

      1. Chris says:
        26. July 2011 at 18:21

        Actually no more error.

        Rather than doing a full AD query for all users, I changed it to look for the currently selected user.

        Set wshArguments = WScript.Arguments
        Set objCurrentUser = GetObject(wshArguments(0))
        strCurrentUser = objCurrentUser.distinguishedName
        
        ' Original AD User query (comment it out)
        'GALQueryFilter = "(&(&(!mailnickname=*)(objectCategory=person)(physicalDeliveryOfficeName=Disabled)(userAccountControl:1.2.840.113556.1.4.803:=2)))"
        
        ' New query, no longer using "GALQueryFilter"
        strQuery = "<LDAP://" & strCurrentUser & ">;" & ";distinguishedName,displayname,legacyExchangeDN,homemdb;subtree"
        

        I’m sure it can be a lot cleaner, and/or even simpler to just search the groups the user is currently a member of, but that’s out of my depth of knowledge.

        Again, great script. Will continue to check back and see what other kind of cool tricks you come up with.

  4. Péo says:
    7. November 2011 at 12:21

    Thanks a lot for this great script.

  5. Peter@windows user account password remover says:
    18. April 2012 at 22:53

    This information is very helpful. Thanks


About

My name is Josh Burkard.
I'm a DevOps Engineer working with one of Switzerland's largest telecom and full-service hosting providers. In my work I have a lot to do with Microsoft server operating systems, System Center, VMware, Microsoft Azure Cloud and other software.
On this site I will write some posts about different technology problems and their solutions.
Please also note my tweets and retweets from this area.

Copyright © 2023 Josh's IT-Blog.