通过 php 来批量禁用 active directory 用户
我们可以通过 php 的 ldap 来对 windows server 的 active directory 上的用户进行操作,比如建立、禁用、启用、重置密码等。这里说一下它的禁用操作。
实现的前提条件是:
1、有自己的 hr 系统,系统中记录每个人的工号和在职状态;
2、在 active directory 中用工号作为每个人的用户名(即 userPrincipalName 的 @ 前缀就是工号)。
另外还有一个安全前提:脚本用来绑定 AD 的账号应当是一个专用服务账号,只在需要管理的 OU 上被委派 userAccountControl 的写权限,而不是直接用域管理员;并且应通过 LDAPS(636 端口)连接,否则简单绑定(simple bind)会把密码以明文发送到网络上。
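// ---------------------------------------------------------------------------
// Batch-disable Active Directory accounts that the HR database marks as
// departed. Flow: (1) page through every enabled person account in AD,
// (2) strip the UPN suffix to get the employee code, (3) ask HR which of those
// codes must be disabled, (4) set the ACCOUNTDISABLE bit on each of them.
// ---------------------------------------------------------------------------

// NOTE(review): the original bound as the built-in domain Administrator with
// the password hard-coded in the script. Use a dedicated service account that
// is only delegated "Write userAccountControl" on the OUs it must manage, and
// load the secret from outside the script (environment, vault, protected file).
$stringLDAPConnectUserName = 'administrator@mydomain.com';
$stringLDAPConnectPassword = 'adminpassword';

// A simple bind sends the password in clear text unless the transport is
// encrypted; connect over LDAPS (tcp/636) rather than a bare host name or IP.
$stringLDAPServer = 'ldaps://activedirectoryserver-ip';

$stringLDAPServerDC1 = 'mydomain';
$stringLDAPServerDC2 = 'com';
$stringLDAPBaseDN    = 'DC=' . $stringLDAPServerDC1 . ',DC=' . $stringLDAPServerDC2;
// UPN suffix, used both to strip the employee code out of a UPN and to rebuild it.
$stringUPNSuffix     = '@' . $stringLDAPServerDC1 . '.' . $stringLDAPServerDC2;

// Accounts this job must never touch. sAMAccountName is case-insensitive in AD,
// so the comparison below is case-insensitive as well.
$arrayProtectedAccounts = array('Administrator');

// Set to true to print what would be disabled without calling ldap_modify().
$boolDryRun = false;

// userAccountControl is a bit mask (see the value table after this listing).
define('UAC_ACCOUNTDISABLE', 2);     // ADS_UF_ACCOUNTDISABLE
define('UAC_NORMAL_ACCOUNT', 512);   // ADS_UF_NORMAL_ACCOUNT
// AD's bitwise-AND extensible matching rule for use inside LDAP filters.
define('LDAP_MATCHING_RULE_BIT_AND', '1.2.840.113556.1.4.803');

/**
 * Connect to the directory, force LDAPv3 and disable referral chasing, then
 * perform a simple bind. Prints the LDAP error and exits on any failure.
 *
 * @param string $stringServer   LDAP URI or host accepted by ldap_connect()
 * @param string $stringUserName bind identity (UPN form)
 * @param string $stringPassword bind password
 * @return resource bound LDAP link
 */
function connectAndBindLDAP($stringServer, $stringUserName, $stringPassword)
{
    $connection = ldap_connect($stringServer);
    if (false === $connection) {
        echo 'LDAP 服务器连接失败!';
        exit();
    }
    ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3)
        or die('Unable to set LDAP protocol version');
    ldap_set_option($connection, LDAP_OPT_REFERRALS, 0);
    if (false === ldap_bind($connection, $stringUserName, $stringPassword)) {
        echo 'LDAP 服务器绑定失败。' . ldap_error($connection);
        exit();
    }
    return $connection;
}

/**
 * True when $stringSamAccountName is in the protected list (case-insensitive).
 *
 * @param string $stringSamAccountName sAMAccountName read from the directory
 * @param array  $arrayProtected       names that must never be disabled
 * @return bool
 */
function isProtectedAccount($stringSamAccountName, array $arrayProtected)
{
    foreach ($arrayProtected as $stringProtected) {
        if (0 === strcasecmp($stringSamAccountName, $stringProtected)) {
            return true;
        }
    }
    return false;
}

$arrayLDAPUserAttributes = array(
    'givenname',
    'displayName',
    'mail',
    'samaccountname',
    'userprincipalname',
    'userAccountControl',
    'sn',
);

// --- (1) collect every enabled person account --------------------------------
// The original enumerated eight "enabled" userAccountControl values, so an
// account carrying any other flag (e.g. LOCKOUT) was silently missed. Ask the
// directory directly: NORMAL_ACCOUNT set and ACCOUNTDISABLE clear. The bits
// are re-checked in PHP below in case a server ignores the matching rule.
$stringSearchFilter = '(&(objectClass=user)(objectCategory=person)(samaccountname=*)'
    . '(userAccountControl:' . LDAP_MATCHING_RULE_BIT_AND . ':=' . UAC_NORMAL_ACCOUNT . ')'
    . '(!(userAccountControl:' . LDAP_MATCHING_RULE_BIT_AND . ':=' . UAC_ACCOUNTDISABLE . ')))';

$connectionLDAP = connectAndBindLDAP($stringLDAPServer, $stringLDAPConnectUserName, $stringLDAPConnectPassword);

$arrayData    = array();   // initialised: an empty result must not warn on the foreach below
$intPageSize  = 100;       // paged-results page size
$stringCookie = '';
do {
    // ldap_control_paged_result() was removed in PHP 8; use the LDAP_CONTROL_PAGEDRESULTS control there.
    ldap_control_paged_result($connectionLDAP, $intPageSize, true, $stringCookie);
    $resultLDAPSearch = ldap_search($connectionLDAP, $stringLDAPBaseDN, $stringSearchFilter, $arrayLDAPUserAttributes);
    if (false === $resultLDAPSearch) {
        echo 'LDAP 搜索失败:' . ldap_error($connectionLDAP);
        exit();
    }
    $arraySearchResult = ldap_get_entries($connectionLDAP, $resultLDAPSearch);
    $intEntryCount     = empty($arraySearchResult) ? 0 : (int) $arraySearchResult['count'];

    for ($i = 0; $i < $intEntryCount; $i++) {
        $arrayEntry = $arraySearchResult[$i];
        if (!isset($arrayEntry['useraccountcontrol'][0], $arrayEntry['samaccountname'][0])) {
            continue;
        }
        $intUAC               = (int) $arrayEntry['useraccountcontrol'][0];
        $stringSamAccountName = $arrayEntry['samaccountname'][0];

        if (($intUAC & UAC_NORMAL_ACCOUNT) === 0 || ($intUAC & UAC_ACCOUNTDISABLE) !== 0) {
            continue;   // not a normal user account, or already disabled
        }
        if (isProtectedAccount($stringSamAccountName, $arrayProtectedAccounts)) {
            continue;
        }
        $arrayData[] = array(
            'samaccountname'    => $stringSamAccountName,
            'userprincipalname' => isset($arrayEntry['userprincipalname'][0]) ? $arrayEntry['userprincipalname'][0] : '',
            'status'            => 0,
        );
    }
    ldap_control_paged_result_response($connectionLDAP, $resultLDAPSearch, $stringCookie);
} while ($stringCookie !== null && $stringCookie != '');
ldap_unbind($connectionLDAP);

// --- (2) employee code = UPN prefix -------------------------------------------
$arrayEmployeeList = array();
$regexUPNSuffix    = '/' . preg_quote($stringUPNSuffix, '/') . '$/i';   // UPN suffix is case-insensitive
foreach ($arrayData as $arrayValue) {
    if ($arrayValue['status'] != 0 || $arrayValue['userprincipalname'] === '') {
        continue;
    }
    $stringEmployeeCode = preg_replace($regexUPNSuffix, '', $arrayValue['userprincipalname']);
    // These values come from the directory and are interpolated into the SQL
    // string below (mySQLExec() takes raw SQL, so they cannot be bound as
    // parameters here). Accept only a conservative employee-code alphabet so a
    // crafted UPN cannot alter the query.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $stringEmployeeCode)) {
        echo '跳过格式不合法的工号:' . $stringEmployeeCode . PHP_EOL;
        continue;
    }
    $arrayEmployeeList[] = $stringEmployeeCode;
}
if (empty($arrayEmployeeList)) {
    echo '没有可检查的启用账户。';
    exit();
}
$stringEmployeeList = "'" . implode("','", $arrayEmployeeList) . "'";

// --- (3) ask HR which of them must be disabled --------------------------------
// Taken from the original: employee_status = 1 is the HR state that leads to
// an AD disable — confirm this against the HR schema before running the job.
// The column is aliased to "Code" because the loop below reads that key.
$stringSQL_202005091756   = "select employee_code as Code from hr_user_db where employee_code in ($stringEmployeeList) and employee_status = 1";
$arrayResult_202005091756 = mySQLExec('eHR-DB', $stringSQL_202005091756);
if (!is_array($arrayResult_202005091756)) {
    echo 'HR 数据库查询失败,未做任何修改。';
    exit();
}

// --- (4) disable, preserving every other userAccountControl flag ---------------
$connectionLDAP = connectAndBindLDAP($stringLDAPServer, $stringLDAPConnectUserName, $stringLDAPConnectPassword);
foreach ($arrayResult_202005091756 as $arrayValue) {
    $stringEmployeeCode = isset($arrayValue['Code']) ? (string) $arrayValue['Code'] : '';
    echo $stringEmployeeCode . ' - ';
    if ('' === $stringEmployeeCode) {
        echo '工号为空,跳过。' . PHP_EOL;
        continue;
    }
    $stringCurrentEmployeeFullName = $stringEmployeeCode . $stringUPNSuffix;
    // ldap_escape() (PHP >= 5.6) stops a code containing ( ) * or \ from
    // rewriting the filter and matching a different account.
    $stringSearchFilter = '(&(objectClass=user)(objectCategory=person)(userprincipalname='
        . ldap_escape($stringCurrentEmployeeFullName, '', LDAP_ESCAPE_FILTER) . '))';

    $resultLDAPSearch  = ldap_search($connectionLDAP, $stringLDAPBaseDN, $stringSearchFilter, $arrayLDAPUserAttributes);
    $arraySearchResult = (false === $resultLDAPSearch) ? array() : ldap_get_entries($connectionLDAP, $resultLDAPSearch);
    // Exactly one hit, or do nothing: the original indexed [0]['dn'] unchecked
    // and would have called ldap_modify() with an empty DN on a miss.
    if (empty($arraySearchResult) || (int) $arraySearchResult['count'] !== 1) {
        echo '未找到唯一匹配的账户,跳过。' . PHP_EOL;
        continue;
    }
    $arrayEntry              = $arraySearchResult[0];
    $stringCurrentEmployeeDN = $arrayEntry['dn'];
    $stringSamAccountName    = isset($arrayEntry['samaccountname'][0]) ? $arrayEntry['samaccountname'][0] : '';
    $intUAC                  = isset($arrayEntry['useraccountcontrol'][0]) ? (int) $arrayEntry['useraccountcontrol'][0] : 0;

    if (isProtectedAccount($stringSamAccountName, $arrayProtectedAccounts)) {
        echo '受保护账户,跳过。' . PHP_EOL;
        continue;
    }
    if (($intUAC & UAC_ACCOUNTDISABLE) !== 0) {
        echo '已是禁用状态。' . PHP_EOL;
        continue;
    }
    // The original wrote the constant 66050 and so silently cleared flags such
    // as SMARTCARD_REQUIRED or PASSWD_NOTREQD. Set only the disable bit.
    $intNewUAC = $intUAC | UAC_ACCOUNTDISABLE;
    if ($boolDryRun) {
        echo '[dry-run] 将禁用 ' . $stringCurrentEmployeeDN
            . ' (userAccountControl ' . $intUAC . ' -> ' . $intNewUAC . ')' . PHP_EOL;
        continue;
    }
    $arrayCurrentEmployeeStatusData = array('useraccountcontrol' => array((string) $intNewUAC));
    if (ldap_modify($connectionLDAP, $stringCurrentEmployeeDN, $arrayCurrentEmployeeStatusData)) {
        echo '禁用成功。' . PHP_EOL;
    } else {
        echo '禁用失败。' . ldap_error($connectionLDAP) . PHP_EOL;
    }
}
ldap_unbind($connectionLDAP);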
顺便列一下整理的 Active Directory 中的用户状态值的对应关系:
这些值是 userAccountControl 位掩码的组合(512 = NORMAL_ACCOUNT,2 = ACCOUNTDISABLE,32 = PASSWD_NOTREQD,65536 = DONT_EXPIRE_PASSWORD,262144 = SMARTCARD_REQUIRED)。判断账户是否被禁用时应按位检查 0x2(ACCOUNTDISABLE),禁用时应在原值上按位或上 0x2,而不是枚举或直接写入下面这些组合值,否则会覆盖掉账户上的其他标志:
512: Enabled Account
514: Disabled Account
544: Enabled, Password Not Required
546: Disabled, Password Not Required
66048: Enabled, Password Doesn't Expire
66050: Disabled, Password Doesn't Expire
66080: Enabled, Password Doesn't Expire & Not Required
66082: Disabled, Password Doesn't Expire & Not Required
262656: Enabled, Smartcard Required
262658: Disabled, Smartcard Required
262688: Enabled, Smartcard Required, Password Not Required
262690: Disabled, Smartcard Required, Password Not Required
328192: Enabled, Smartcard Required, Password Doesn't Expire
328194: Disabled, Smartcard Required, Password Doesn't Expire
328224: Enabled, Smartcard Required, Password Doesn't Expire & Not Required
328226: Disabled, Smartcard Required, Password Doesn't Expire & Not Required