How to scan network for shares with permissions granted to users which have been deleted (and then delete them)
I'm looking to clean up permissions for u开发者_如何学Goser accounts which have been deleted.
I would like to be able to scan all top-level shares in the domain and remove those permissions. I've taken a look at Share Enum but it doesn't really seem to be set up for this type of activity.
The non-existance of an user can only be determined by a successful failed lookup. This means you need to be able to query AD successfully, and AD needs to respond that the user doesn't exist. You need to be sure you were able to query the whole distribution of your AD-structure. I'm not sure this is the way to go.
You can use the command cacls
or icacls
to list permissions and take action. But I would consider this a highly dangerous route to go. Any network error which causes failure in lookup will result in loss of unwanted files.
Instead you should consider moving users to a quarantine OU and disabling them. Then you could get a list of OU members and process that with cacls
output.
Set objGroup = GetObject ("LDAP://cn=DeletedUsers, dc=your,dc=domain")
For each objMember in objGroup.Members
Wscript.Echo objMember.Name
Next
精彩评论