Pre-Server 2016 Group Membership Expiration Tool

Introduction

Group membership expiration gives the ability to add a user to a group with the notion of a membership expiration.

This means you can add a user to a group and the user will automatically be removed from the group when the configured timespan has passed.

Unfortunately, some environments do not yet run at an Active Directory 2016 functional level.

For those, I developed the GroupMembershipExpiration tool.

Setup

1) Download the GroupMembershipExpiration tool and extract its contents to a folder on the computer you are planning to install this tool on.

(I recommend extracting to C:\Program Files\GroupMembershipExpiration)

2) Run Configurator.exe (Configurator Editor).

a) On the Encrypt tab, enter the password for the account that will be performing the cleanup task. Encrypt it with the key aubXjiUZhyl6XnfBVQ920Y9rOWaEWSre and record the encrypted password.

b) On the Settings tab, enter the distinguished name, fully qualified domain name, NetBIOS name, username, and the encrypted password recorded in step 2a.

Specify a location where the tool can save its history file, the interval in seconds at which the task should run, and the allowed number of minutes a member may remain part of a group.

c) On the Groups tab, specify the names of the groups the tool should manage members for (+ or INS to add, - or DEL to delete, Enter or double-click to edit).

d) Although you can run the tool directly by executing GroupMembershipExpiration.WindowsService.exe, I recommend you install it as a service by running GroupMembershipExpiration.WindowsService.exe INSTALL from an elevated command prompt. You may need to start the service manually the first time.

The Code

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Called once per managed group each time the service timer fires.
// _historyFile, _domainInfo and _allowedNumberOfMinutes come from the Settings tab.
private void ProcessGroup(string groupName)
{
    List<Models.GroupMember> historicalyGroupMembers = new List<Models.GroupMember>();

    // Read previous history file if it exists
    if (File.Exists(_historyFile))
    {
        historicalyGroupMembers = Newtonsoft.Json.JsonConvert.DeserializeObject<List<Models.GroupMember>>(File.ReadAllText(_historyFile));
    }

    // Get current members of group from Active Directory
    var genericGroupMembers = ActiveDirectory.GenericGetGroupMembers(_domainInfo, groupName);

    // The members that will be written back as the new history
    List<Models.GroupMember> groupMembers = new List<Models.GroupMember>();

    // Compare history file with current members
    foreach (var genericGroupMember in genericGroupMembers)
    {
        Models.GroupMember historicalyGroupMember = historicalyGroupMembers.Where(g => g.DistinguishedName == genericGroupMember.DistinguishedName).FirstOrDefault();

        // If group member not in history, add it with current date and time as FirstDateObserved
        if (historicalyGroupMember == null)
        {
            // Add to history (DateTime.Now is local time; it is serialized as-is into the history file)
            groupMembers.Add(new Models.GroupMember() { GroupName = genericGroupMember.GroupName, DistinguishedName = genericGroupMember.DistinguishedName, sAMAccountName = genericGroupMember.sAMAccountName, FirstDateObserved = DateTime.Now });
        }
        else
        {
            // If group member is in history and it is past the maximum allowed timespan, remove it
            if ((DateTime.Now - historicalyGroupMember.FirstDateObserved).TotalMinutes > _allowedNumberOfMinutes)
            {
                // Remove member from the AD group; it is simply not carried over into the new history
                ActiveDirectory.GenericRemoveGroupMember(_domainInfo, groupName, genericGroupMember.DistinguishedName);
            }
            // If group member is in history and has not passed the maximum allowed timespan, keep it
            else
            {
                // Keep the original FirstDateObserved so the clock is not reset
                groupMembers.Add(historicalyGroupMember);
            }
        }
    }

    // Save current members to new history file. Members that left the group between two
    // timer ticks are absent here and therefore drop out of the history automatically.
    File.WriteAllText(_historyFile, Newtonsoft.Json.JsonConvert.SerializeObject(groupMembers));
}
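
The following is an added example, not part of the tool or the original article: the same history-file expiry algorithm that ProcessGroup implements, rewritten in Python so it can be run offline. Active Directory is replaced by an in-memory dictionary and the tick timestamp is passed in explicitly (the C# uses DateTime.Now); the group name, distinguished names and timestamps are constructed for the demonstration. It walks through several timer ticks to show the edge cases the code handles implicitly: a member who leaves between ticks drops out of the history, a member who is re-added gets a fresh FirstDateObserved, and the history file is the only state, so deleting it restarts every member's clock.

```python
"""Added example (not the tool's own code): ProcessGroup's expiry logic in Python."""
import json
from datetime import datetime, timedelta


def process_group(group_name, current_members, history_json, allowed_minutes, now, remove_member):
    """One timer tick for one group. Mirrors the C# ProcessGroup method.

    current_members : list of (distinguished_name, sam_account_name) as AD reports them now
    history_json    : previous history file contents ("" or None if the file does not exist yet)
    allowed_minutes : maximum membership age in minutes before removal
    now             : the tick's timestamp (explicit instead of DateTime.Now to keep this testable)
    remove_member   : callback(group_name, distinguished_name) performing the actual removal
    Returns (new_history_json, list_of_removed_dns).
    """
    history = {}
    if history_json:
        history = {m["DistinguishedName"]: m for m in json.loads(history_json)}

    kept, removed = [], []
    for dn, sam in current_members:
        prior = history.get(dn)
        if prior is None:
            # First sighting: start the clock for this member
            kept.append({"GroupName": group_name, "DistinguishedName": dn,
                         "sAMAccountName": sam, "FirstDateObserved": now.isoformat()})
            continue
        age = now - datetime.fromisoformat(prior["FirstDateObserved"])
        if age > timedelta(minutes=allowed_minutes):          # same strict '>' as the C# TotalMinutes check
            remove_member(group_name, dn)                      # expired: remove from AD, drop from history
            removed.append(dn)
        else:
            kept.append(prior)                                 # keep the original FirstDateObserved
    # Members no longer in current_members are absent from `kept`, so they leave the history.
    return json.dumps(kept), removed


def simulate():
    """Four constructed ticks against a fake group 'Temp-Admins' with a 60-minute limit."""
    alice = "CN=alice,OU=Users,DC=example,DC=test"   # constructed DN
    bob = "CN=bob,OU=Users,DC=example,DC=test"       # constructed DN
    group = {alice: "alice", bob: "bob"}             # stands in for the AD group
    group_name, limit = "Temp-Admins", 60

    def remove_member(_group_name, dn):
        group.pop(dn)                                # the "AD" removal

    t0 = datetime(2024, 1, 1, 9, 0, 0)               # constructed timestamp
    history = ""                                     # no history file yet

    # Tick 1: fresh history, both members get FirstDateObserved = t0
    history, r1 = process_group(group_name, list(group.items()), history, limit, t0, remove_member)
    # Tick 2 (+30 min): both under the limit, nothing happens
    history, r2 = process_group(group_name, list(group.items()), history, limit,
                                t0 + timedelta(minutes=30), remove_member)
    # An administrator removes bob by hand between ticks
    group.pop(bob)
    # Tick 3 (+90 min): alice has been a member for 90 > 60 minutes and is removed;
    # bob is no longer present, so he silently leaves the history
    history, r3 = process_group(group_name, list(group.items()), history, limit,
                                t0 + timedelta(minutes=90), remove_member)
    # bob is re-added; Tick 4 (+100 min): he is treated as new and his clock restarts at +100
    group[bob] = "bob"
    history, r4 = process_group(group_name, list(group.items()), history, limit,
                                t0 + timedelta(minutes=100), remove_member)

    return {
        "removed_per_tick": [r1, r2, r3, r4],
        "final_members": sorted(group),
        "final_history": json.loads(history),
    }


if __name__ == "__main__":
    print(json.dumps(simulate(), indent=2))
```

Because `FirstDateObserved` is the only thing the tool remembers, a history file that is deleted, or a service that is reinstalled on a different machine with a different history path, silently grants every current member a fresh full timespan; keeping that file on protected storage is worth considering when the managed groups are privileged.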

Conclusion

There you have it. Essentially, every time the timer triggers in the Windows Service, the process will reference the history file and use it to determine whether a member's membership has expired.

I hope you found this tutorial useful. You are encouraged to ask questions, report any bugs or make any other comments about it below.

Note: If you need further "Support" about this topic, please consider using the Ask a Question feature of Experts Exchange. I monitor questions asked and would be pleased to provide any additional support required in questions asked in this manner, along with other EE experts...

Please do not forget to press the "Thumb's Up" button if you think this article was helpful and valuable for EE members.

It also provides me with positive feedback. Thank you!

Translated from: https://www.experts-exchange.com/articles/33315/Pre-Server-2016-Group-Membership-Expiration-Tool.html
