通过 php 来批量禁用 active directory 用户
我们可以通过 php 的 ldap 来对 windows server 的 active directory 上的用户进行操作,比如建立、禁用、启用、重置密码等。这里说一下它的禁用操作。
实现的前提条件是:
1、有自己的 hr 系统,系统中记录每个人的工号和在职状态;
2、在 active directory 中用工号做为每个人的用户名。
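// Bulk-disable Active Directory accounts for employees the HR database flags.
// Flow: bind to AD -> page through every enabled, non-Administrator user ->
// ask the HR database which of those employee codes are flagged -> set the
// ACCOUNTDISABLE bit on each matching account.
//
// NOTE(review): the bind credentials below belong to a domain administrator.
// Keep them in a config file outside the web root (or in the environment)
// rather than in source, and bind over LDAPS ('ldaps://host') or call
// ldap_start_tls() before ldap_bind(): a simple bind otherwise sends the
// password in clear text.
$stringLDAPConnectUserName = 'administrator@mydomain.com';
$stringLDAPConnectPassword = 'adminpassword';
$stringLDAPServer = 'activedirectoryserver-ip';
$stringLDAPServerDC1 = 'mydomain';
$stringLDAPServerDC2 = 'com';
$stringLDAPBaseDN = 'DC=' . $stringLDAPServerDC1 . ',DC=' . $stringLDAPServerDC2;
// UPN suffix built from the same DC components as the base DN, so the two
// cannot drift apart (the original hard-coded '@mydomain.com' separately).
$stringUPNSuffix = '@' . $stringLDAPServerDC1 . '.' . $stringLDAPServerDC2;

// userAccountControl bit 2 (ACCOUNTDISABLE) is the only difference between
// each enabled/disabled pair in the table at the end of the article
// (512 vs 514, 66048 vs 66050, 328192 vs 328194 ...).
define('UAC_ACCOUNTDISABLE', 2);

// Attributes fetched for every user. 'userAccountControl' is needed by the
// enabled-check and by the disable step; 'userPrincipalName' is the key we
// match against the HR database; the rest are informational.
$arrayLDAPUserAttributes = array(
    'givenname',
    'displayName',
    'mail',
    'samaccountname',
    'userPrincipalName',
    'userAccountControl',
    'sn',
);

/**
 * Connect to the LDAP server and bind with the given credentials.
 *
 * Prints a message and terminates the script on connect or bind failure,
 * exactly as the original inline code did.
 *
 * @param string $stringServer   host/IP or LDAP URI
 * @param string $stringUser     bind DN or UPN
 * @param string $stringPassword bind password
 * @return resource|object bound LDAP connection
 */
function connectAndBindLDAP($stringServer, $stringUser, $stringPassword)
{
    $connection = ldap_connect($stringServer);
    if (false === $connection) {
        echo 'LDAP 服务器连接失败!';
        exit();
    }
    // AD needs protocol v3. Referrals are switched off because a search
    // against the domain root otherwise chases referrals (e.g. to the DNS
    // partitions) that the client cannot follow with this bind.
    ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
    ldap_set_option($connection, LDAP_OPT_REFERRALS, 0);
    if (false === ldap_bind($connection, $stringUser, $stringPassword)) {
        echo 'LDAP 服务器绑定失败。';
        exit();
    }
    return $connection;
}

/**
 * Page through AD and return the userPrincipalName of every enabled user,
 * except Administrator.
 *
 * Paging is required because AD caps a single search at MaxPageSize
 * (1000 entries by default). "Enabled" is decided by testing the
 * ACCOUNTDISABLE bit rather than comparing against a fixed list of values,
 * so accounts carrying additional flags (e.g. PASSWORD_EXPIRED) are no
 * longer silently skipped.
 *
 * ldap_control_paged_result()/ldap_control_paged_result_response() are
 * deprecated in PHP 7.4 and removed in 8.0; on 8.x pass
 * LDAP_CONTROL_PAGEDRESULTS in the $controls argument of ldap_search() instead.
 *
 * @param resource|object $connection     bound LDAP connection
 * @param string          $stringBaseDN   search base
 * @param string[]        $arrayAttributes attributes to request
 * @param int             $intPageSize    entries per page
 * @return string[] list of UPNs
 */
function fetchEnabledUserPrincipalNames($connection, $stringBaseDN, array $arrayAttributes, $intPageSize = 100)
{
    $stringSearchFilter = '(&(objectClass=user)(objectCategory=person)(samaccountname=*))';
    $arrayUPNs = array();
    $stringCookie = '';
    do {
        ldap_control_paged_result($connection, $intPageSize, true, $stringCookie);
        $resultSearch = ldap_search($connection, $stringBaseDN, $stringSearchFilter, $arrayAttributes);
        if (false === $resultSearch) {
            // ldap_get_entries() on a false result is a warning/TypeError;
            // stop with what we have rather than crash.
            echo 'LDAP 搜索失败。';
            break;
        }
        $arrayEntries = ldap_get_entries($connection, $resultSearch);
        if (!empty($arrayEntries)) {
            for ($i = 0; $i < $arrayEntries['count']; $i++) {
                $arrayEntry = $arrayEntries[$i];
                // Entries without these attributes cannot be classified or matched.
                if (!isset($arrayEntry['useraccountcontrol'][0], $arrayEntry['samaccountname'][0], $arrayEntry['userprincipalname'][0])) {
                    continue;
                }
                $intUAC = (int) $arrayEntry['useraccountcontrol'][0];
                $boolEnabled = (($intUAC & UAC_ACCOUNTDISABLE) === 0);
                // sAMAccountName is case-insensitive in AD, so compare accordingly.
                $boolIsAdministrator = (strcasecmp($arrayEntry['samaccountname'][0], 'Administrator') === 0);
                if ($boolEnabled && !$boolIsAdministrator && $arrayEntry['userprincipalname'][0] !== '') {
                    $arrayUPNs[] = $arrayEntry['userprincipalname'][0];
                }
            }
        }
        ldap_control_paged_result_response($connection, $resultSearch, $stringCookie);
    } while ($stringCookie !== null && $stringCookie != '');
    return $arrayUPNs;
}

/**
 * Strip the domain suffix from a UPN to obtain the employee code
 * (the article's premise: the AD user name is the HR 工号).
 *
 * Only a trailing, case-insensitive match of the suffix is removed; a UPN
 * with some other suffix is returned unchanged, as before.
 *
 * @param string $stringUPN    e.g. 'A1234@mydomain.com'
 * @param string $stringSuffix e.g. '@mydomain.com'
 * @return string
 */
function upnToEmployeeCode($stringUPN, $stringSuffix)
{
    $intSuffixLen = strlen($stringSuffix);
    if ($intSuffixLen > 0 && strlen($stringUPN) > $intSuffixLen
        && strcasecmp(substr($stringUPN, -$intSuffixLen), $stringSuffix) === 0) {
        return substr($stringUPN, 0, -$intSuffixLen);
    }
    return $stringUPN;
}

/**
 * Find the account with the given UPN and set its ACCOUNTDISABLE bit.
 *
 * The current userAccountControl is read and the bit OR-ed in, instead of
 * writing 66050 wholesale, so that the account's other flags (password never
 * expires, smartcard required ...) survive the change:
 * 512 -> 514, 66048 -> 66050, 328192 -> 328194.
 *
 * @param resource|object $connection      bound LDAP connection
 * @param string          $stringBaseDN    search base
 * @param string          $stringUPN       userPrincipalName to disable
 * @param string[]        $arrayAttributes attributes to request
 * @return bool true on success; false if not found, ambiguous, or the modify failed
 */
function disableADAccount($connection, $stringBaseDN, $stringUPN, array $arrayAttributes)
{
    // The UPN comes from the HR database; ldap_escape() keeps characters such
    // as '(', ')', '*' and '\' from changing the meaning of the filter.
    $stringSearchFilter = '(&(objectClass=user)(objectCategory=person)(userprincipalname='
        . ldap_escape($stringUPN, '', LDAP_ESCAPE_FILTER) . '))';
    $resultSearch = ldap_search($connection, $stringBaseDN, $stringSearchFilter, $arrayAttributes);
    if (false === $resultSearch) {
        return false;
    }
    $arrayEntries = ldap_get_entries($connection, $resultSearch);
    // Originally $arrayEntries[0]['dn'] was read blindly; an unknown UPN then
    // produced an ldap_modify() on a null DN.
    if (empty($arrayEntries) || $arrayEntries['count'] < 1
        || empty($arrayEntries[0]['dn']) || !isset($arrayEntries[0]['useraccountcontrol'][0])) {
        return false;
    }
    $intCurrentUAC = (int) $arrayEntries[0]['useraccountcontrol'][0];
    $arrayModify = array(
        'useraccountcontrol' => array($intCurrentUAC | UAC_ACCOUNTDISABLE),
    );
    return (bool) ldap_modify($connection, $arrayEntries[0]['dn'], $arrayModify);
}

// ---- Step 1: collect every enabled account's employee code from AD ----
$connectionLDAP = connectAndBindLDAP($stringLDAPServer, $stringLDAPConnectUserName, $stringLDAPConnectPassword);
$intPageSize = 100;
$arrayUPNs = fetchEnabledUserPrincipalNames($connectionLDAP, $stringLDAPBaseDN, $arrayLDAPUserAttributes, $intPageSize);

$arrayEmployeeList = array();
foreach ($arrayUPNs as $stringUPN) {
    $stringCode = upnToEmployeeCode($stringUPN, $stringUPNSuffix);
    // The codes are interpolated into SQL below and mySQLExec() exposes no
    // placeholder binding here, so only values matching a conservative
    // allow-list are accepted. Widen the character class if your employee
    // codes use other characters; anything rejected is reported, not dropped silently.
    if (!preg_match('/\A[A-Za-z0-9_.-]+\z/', $stringCode)) {
        echo '跳过格式异常的工号: ' . $stringUPN . "\n";
        continue;
    }
    $arrayEmployeeList[] = $stringCode;
}

// ---- Step 2: ask the HR database which of them are flagged ----
// An empty IN () list is a SQL syntax error, so stop early with nothing to do.
if (empty($arrayEmployeeList)) {
    exit();
}
$stringEmployeeList = "'" . implode("','", $arrayEmployeeList) . "'";
// 假如我们有一个 hr 系统数据库,可以在里面通过 employee code 来获取员工状态
// NOTE(review): prefer bound parameters if mySQLExec() (a project helper not
// shown here) supports them; the allow-list above is what keeps LDAP-sourced
// strings out of SQL syntax otherwise. employee_status = 1 is presumably the
// "departed" state — confirm against the HR schema.
$stringSQL_202005091756 = "select employee_code from hr_user_db where employee_code in ($stringEmployeeList) and employee_status = 1";
$arrayResult_202005091756 = mySQLExec('eHR-DB', $stringSQL_202005091756);
if (!is_array($arrayResult_202005091756)) {
    // Return value on failure is defined by mySQLExec(); treat anything
    // non-array as "no rows" rather than iterating over it.
    $arrayResult_202005091756 = array();
}

// ---- Step 3: disable each flagged account ----
// A fresh connection is used for the per-user searches, as in the original;
// presumably because the paged-results control set in step 1 stays attached
// to the first connection — confirm before collapsing the two connections.
$connectionLDAP = connectAndBindLDAP($stringLDAPServer, $stringLDAPConnectUserName, $stringLDAPConnectPassword);
foreach ($arrayResult_202005091756 as $arrayValue) {
    // NOTE(review): the query selects employee_code but the row is read as
    // 'Code'; this relies on mySQLExec() or the table aliasing the column — confirm.
    $stringCode = $arrayValue['Code'];
    echo $stringCode;
    echo ' - ';
    $stringCurrentEmployeeFullName = $stringCode . $stringUPNSuffix;
    if (disableADAccount($connectionLDAP, $stringLDAPBaseDN, $stringCurrentEmployeeFullName, $arrayLDAPUserAttributes)) {
        echo '禁用成功。';
    } else {
        echo '禁用失败。';
    }
}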
顺便列一下整理好的 Active Directory 用户状态值(userAccountControl 属性)的对应关系。可以看到每一对"启用/禁用"的值只相差 2,也就是 ACCOUNTDISABLE 这一位:
512: Enabled Account
514: Disabled Account
544: Enabled, Password Not Required
546: Disabled, Password Not Required
66048: Enabled, Password Doesn't Expire
66050: Disabled, Password Doesn't Expire
66080: Enabled, Password Doesn't Expire & Not Required
66082: Disabled, Password Doesn't Expire & Not Required
262656: Enabled, Smartcard Required
262658: Disabled, Smartcard Required
262688: Enabled, Smartcard Required, Password Not Required
262690: Disabled, Smartcard Required, Password Not Required
328192: Enabled, Smartcard Required, Password Doesn't Expire
328194: Disabled, Smartcard Required, Password Doesn't Expire
328224: Enabled, Smartcard Required, Password Doesn't Expire & Not Required
328226: Disabled, Smartcard Required, Password Doesn't Expire & Not Required