I have created a script that will disable a user's account, move it into a
specified ou and then add the associated external account permission to the
SELF account.
My problem is that the Associated External Account permission only gets
assigned to the SELF account on a newly created user account. If the user
account has already been used (i.e. the user has logged into OWA or a PC) or is
pre-existing, then nothing happens.
The script is displayed below.
Any ideas?
************************************************************
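'On Error Resume Next
'Defines from which container search will start
Const ADS_SCOPE_SUBTREE = 2
Const ADS_USERDISABLED = &H00002
'Exchange mailbox rights bits (only FULL_MB_ACCESS, EXTERNAL_ACCOUNT and
'READ_PERMISSIONS are used below; the others are kept for reference)
const E2K_MB_FULL_MB_ACCESS = &H00001
const E2K_MB_SEND_AS = &H00002
const E2K_MB_EXTERNAL_ACCOUNT = &H00004
const E2K_MB_READ_PERMISSIONS = &H20000
const E2K_MB_TAKE_OWNERSHIP = &H80000
const ADS_ACE_REVISION_DS = &H00004
const ADS_ACETYPE_ACCESS_ALLOWED = &H00000
const ADS_ACEFLAG_INHERIT_ACE = &H00002
'Sets User Flag Parameter
Const ADS_UF_ACCOUNTDISABLE = &H2
Dim strUserName
Dim intProcessed
'Creates an input box to type in user's name
strUserName = InputBox("Enter the username:")
'Abort on empty input (Cancel) or on characters that have LDAP filter meaning:
'the name is pasted into cn='...' below unescaped, so a value such as * would
'otherwise match, disable and move every user in the domain.
If Not IsSafeSearchValue(strUserName) Then
    msgbox "No valid username entered; nothing has been changed"
    WScript.Quit
End If
'connect to AD
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
'Note the trailing spaces inside the quotes: the fragments are concatenated
'and would otherwise run together (...'User'AND cn=...)
objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://DC=london,DC=glenrand' " & _
    "WHERE objectCategory='User' " & _
    "AND cn='" & strUserName & "'"
Set objRecordSet = objCommand.Execute
'The cursor is already on the first record after Execute; an explicit
'MoveFirst raises an error when nothing matched, so it is not used.
intProcessed = 0
'Every record matching the cn is disabled and moved
Do Until objRecordSet.EOF
    strPath = objRecordSet.Fields("ADsPath").Value
    Set objUser = GetObject(strPath)
    'Disable the account by setting the ACCOUNTDISABLE bit
    intUAC = objUser.Get("userAccountControl")
    objUser.Put "userAccountControl", intUAC OR ADS_UF_ACCOUNTDISABLE
    objUser.SetInfo
    'Grant the Associated External Account right to SELF (uses global objUser)
    Call SetmsExchMasterAccountSid
    'Move user to Ex Employees OU. MoveHere returns the moved object, so
    'the result must be received with Set.
    Set objNewOU = GetObject("LDAP://OU=exemployees,DC=london,DC=glenrand")
    Set objMoved = objNewOU.MoveHere(strPath, vbNullString)
    intProcessed = intProcessed + 1
    objRecordSet.MoveNext
Loop
'Only report success when at least one account was actually changed
If intProcessed = 0 Then
    msgbox "No user account named " & strUserName & " was found"
Else
    msgbox strUserName & "'s user account has been disabled"
End If

'Returns True when s is non-empty and contains none of the characters that
'carry meaning in an LDAP filter (* ( ) \ ' and NUL). The value is not escaped
'before being placed in the query, so such names are rejected rather than
'passed through.
Function IsSafeSearchValue(s)
    Dim i
    IsSafeSearchValue = False
    If Len(Trim(s)) = 0 Then Exit Function
    For i = 1 To Len(s)
        If InStr("*()\'" & Chr(0), Mid(s, i, 1)) > 0 Then Exit Function
    Next
    IsSafeSearchValue = True
End Function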
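'This function sets the msExchMasterAccountSid value in ADSI to SELF.
'ie Adds Associated External Account permission to the SELF account.
'It operates on the global objUser bound by the caller and has no return value.
'NOTE(review): this edits the AD attribute msExchMailboxSecurityDescriptor.
'Once a mailbox has actually been created in the Exchange store (the user has
'logged on to it), the store's own copy of the mailbox security descriptor is
'what is enforced, and edits to the AD attribute may not be picked up - which
'would match the reported symptom of only never-used accounts working. Confirm
'against the Exchange documentation; for existing mailboxes the CDOEXM
'MailboxRights interface is the documented route.
Function SetmsExchMasterAccountSid
    Dim objSD
    Dim objACL
    Dim objACE
    Dim found
    'Set the primary Account to SELF
    objUser.Put "msExchMasterAccountSid", objUser.Get("objectSID")
    'Get the mailbox security descriptor
    Set objSD = objUser.Get("msExchMailboxSecurityDescriptor")
    Set objACL = objSD.DiscretionaryAcl
    found = False
    'Iterate through the ACL to find an ALLOW entry for the SELF account.
    'The AceType check matters: a DENY entry for SELF must not have rights
    'OR'd into it.
    For Each objACE In objACL
        If objACE.Trustee = "NT AUTHORITY\SELF" And _
           objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED Then
            found = True
            wscript.echo "exists"
            Exit For
        End If
    Next
    If Not found Then
        'If no SELF-Account is present, create it
        Set objACE = CreateObject("AccessControlEntry")
        objACE.Trustee = "NT AUTHORITY\SELF"
        wscript.echo "created"
        objACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
        objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
        objACL.AddAce objACE
    End If
    'Give the SELF-Account the External-Account right. The expression is
    'continued with "_": a bare line break after Or is a syntax error.
    objACE.AccessMask = objACE.AccessMask Or E2K_MB_READ_PERMISSIONS Or _
        E2K_MB_FULL_MB_ACCESS Or E2K_MB_EXTERNAL_ACCOUNT
    'Save the changes
    objUser.Put "msExchMailboxSecurityDescriptor", objSD
    objUser.SetInfo
    Set objSD = Nothing
    Set objACL = Nothing
    Set objACE = Nothing
End Function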