Josh's IT-Blog

Information Technology, and other interesting things …

Remove all disabled users from distribution lists

23. June 2011 | 14. July 2011 | Burkard Josh | Active Directory, Windows 2008 R2 | Tagged Active Directory, VBScript

Because of company policy, we don't delete the accounts of users who are leaving; we disable them instead. The Exchange mailbox is removed after some months. Because of this, incoming mail has to be forwarded to an Exchange contact with an unresolvable address, so that the sender receives an error message.

As a result, we need to remove the disabled users from all distribution lists. Otherwise, senders receive an error message every time a message is sent to a distribution list that contains disabled users.

To automate this, I wrote a script. You can filter it by OU and run it in a display-only mode first, before you actually remove the disabled users from all distribution lists.

You can download the script RemoveDisabledUsers.vbs or copy/paste it from here:

' ===========================================================================================
'
'   Script Information
'
'   Title:              RemoveDisabledUsers.vbs
'   Author:             Josh Burkard
'   Date:               23.06.2011
'   Description:        - displays or removes disabled users from all distribution lists
'                       - you can filter the output / removal by User-OU
'                       - to remove users from AD, you need to start the script with an
'                         administrator account
'
'   Startup:            only display disabled users in distribution lists:
'                       --------------------------------------------------
'                            cscript RemoveDisabledUsers.vbs
'
'                       remove disabled users from distribution lists:
'                       ----------------------------------------------
'                            cscript RemoveDisabledUsers.vbs remove
'
' ===========================================================================================

' Set to true to restrict the script to users in the OUs listed below:
booFilterOUs = true
' User OUs (this array is ignored if booFilterOUs is false):
strOUs = Array (	"OU=OU1,DC=domain,DC=local", _
					"OU=OU2,DC=domain,DC=local", _
					"OU=OU3,DC=domain,DC=local")

if wscript.arguments.length = 0 then
	wscript.echo "Display Mode"
	wscript.echo "To remove these users from distribution lists, start the script with parameter 'remove'."
else
	if lcase(wscript.arguments(0)) = "remove" then
		mode = "remove"
		wscript.echo "Remove Mode"
	else
		wscript.echo "Display Mode"
		wscript.echo "To remove these users from distribution lists, start the script with parameter 'remove'."
	end if
end if
wscript.echo
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
set conn1 = createobject("ADODB.Connection")
strConnString = "Data Provider=NONE; Provider=MSDataShape"
conn1.Open strConnString
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
strDefaultNamingContext = iAdRootDSE.Get("defaultNamingContext")
set objParentRS = createobject("adodb.recordset")
set objChildRS = createobject("adodb.recordset")
strSQL = "SHAPE APPEND" & _
			"  NEW adVarChar(255) AS GRPDisplayName, " & _
			"  NEW adVarChar(255) AS GRPDN, " & _
			" ((SHAPE APPEND  " & _
			"      NEW adVarChar(255) AS USDisplayName, " & _
			"      NEW adVarChar(255) AS USDN, " & _
			"      NEW adVarChar(255) AS USGRPDisplayName, " & _
			"      NEW adVarChar(255) AS USGRPDN " & _
			")" & _
			"      RELATE GRPDN TO USGRPDN) AS rsGRPUS "
objParentRS.LockType = 3
objParentRS.Open strSQL, conn1
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"

' Read distribution lists from AD
GALQueryFilter =  "(&(mailnickname=*)(|(objectCategory=group)))"
strQuery = "<LDAP://"  & strDefaultNamingContext & ">;" & GALQueryFilter & ";distinguishedName,displayname,legacyExchangeDN,homemdb;subtree"
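Com.ActiveConnection = Conn
' Enable paged results; a non-paged query is cut off at the server's limit (1000 objects by default)
Com.Properties("Page Size") = 1000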
Com.CommandText = strQuery
Set Rs = Com.Execute
while not rs.eof
	objParentRS.addnew
	objParentRS("GRPDisplayName") = rs.fields("displayname")
	objParentRS("GRPDN") = rs.fields("distinguishedName")
	objParentRS.update
	rs.movenext
wend

' Read users from AD
GALQueryFilter = "(&(&(mailnickname=*)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2)))"
strQuery = "<LDAP://"  & strDefaultNamingContext & ">;" & GALQueryFilter & ";distinguishedName,displayname,legacyExchangeDN,homemdb;subtree"
Com.ActiveConnection = Conn
Com.CommandText = strQuery
Set Rs1 = Com.Execute
Set objChildRS = objParentRS("rsGRPUS").Value
while not rs1.eof
	if instr(rs1.fields("displayname"),"SystemMailbox{") = 0 then
		set objuser = getobject("LDAP://" & replace(rs1.fields("distinguishedName"),"/","\/"))

		' Check if user is in one of the defined OU's
		If booFilterOUs = true then
			booOU = false
			For Each strOU In strOUs
				If instr(lcase(objuser.distinguishedName), lcase(strOU)) Then
					booOU = true
				End If
			Next
		end if

		If (booOU = true) or (booFilterOUs = false) then
			For each objgroup in objuser.groups
				objChildRS.addnew
				objChildRS("USDisplayName") = rs1.fields("displayname")
				objChildRS("USDN") = rs1.fields("distinguishedName")
				objChildRS("USGRPDisplayName") = objgroup.name
				objChildRS("USGRPDN") = objgroup.distinguishedName
				objChildRS.update
			Next
		End If
	end if
	rs1.movenext
wend

' Output of Groups and Users
objParentRS.MoveFirst
wscript.echo "GroupName,Disabled User's Name"
wscript.echo
Do While Not objParentRS.EOF
	Set objChildRS = objParentRS("rsGRPUS").Value
    if objChildRS.recordCount <> 0 then
		Do While Not objChildRS.EOF
			Wscript.echo objParentRS.fields("GRPDisplayName") & ", " & objChildRS.fields("USDisplayName")

			if mode = "remove" then
				' Removing users from groups
				set objgroup = getobject("LDAP://" & replace(objChildRS.fields("USGRPDN"),"/","\/"))
				Set objUser = getobject("LDAP://" & replace(objChildRS.fields("USDN"),"/","\/"))
				objGroup.Remove(objUser.AdsPath)
				objgroup.setinfo
				wscript.echo "User-Removed"
			end if
			objChildRS.MoveNext
		loop
	end if
	objParentRS.MoveNext
Loop
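
The same procedure with the ActiveDirectory PowerShell module, as an added example that is not the author's script. It assumes the RSAT ActiveDirectory module and PowerShell 3.0 or later; the OU names are the placeholders from the script above, and the `-Remove` switch and `$LogPath` parameter are hypothetical names chosen here. It also writes a CSV record of every membership it reports or removes.

```powershell
#Requires -Modules ActiveDirectory
param(
    # Placeholder OUs as in the script above; pass @() to search the whole domain
    [string[]]$SearchBase = @('OU=OU1,DC=domain,DC=local', 'OU=OU2,DC=domain,DC=local'),
    # Without -Remove the script only reports, like the display mode above
    [switch]$Remove,
    # Hypothetical path for the audit log of reported/removed memberships
    [string]$LogPath = '.\DisabledUserMemberships.csv'
)

# Mail-enabled groups (same LDAP filter as the VBScript), keyed by DN
$lists = @{}
Get-ADGroup -LDAPFilter '(&(mailNickname=*)(objectCategory=group))' |
    ForEach-Object { $lists[$_.DistinguishedName] = $_.Name }

# Disabled mail-enabled accounts: the bitwise-AND matching rule tests the
# ACCOUNTDISABLE flag (value 2) of userAccountControl
$filter = '(&(mailNickname=*)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))'
$users = if ($SearchBase) {
    foreach ($ou in $SearchBase) {
        Get-ADUser -LDAPFilter $filter -SearchBase $ou -Properties memberOf, displayName
    }
} else {
    Get-ADUser -LDAPFilter $filter -Properties memberOf, displayName
}

$report = foreach ($user in $users) {
    if ($user.displayName -like '*SystemMailbox{*') { continue }
    foreach ($groupDn in $user.memberOf) {
        if (-not $lists.ContainsKey($groupDn)) { continue }   # not a distribution list
        if ($Remove) {
            # Stop on the first failure so the report never claims a removal that did not happen
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false -ErrorAction Stop
        }
        [pscustomobject]@{
            Group   = $lists[$groupDn]
            GroupDN = $groupDn
            User    = $user.displayName
            UserDN  = $user.DistinguishedName
            Removed = [bool]$Remove
        }
    }
}

# Keep a record so memberships can be restored if an account is re-enabled
if ($report) { $report | Export-Csv -Path $LogPath -NoTypeInformation }
$report
```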
