After SAP went live it exposes a personnel-change master file (HR master records with an action code per change). A local database was built next to it; every day it consolidates the change master file and derives that day's new hires, leavers and transfers. These three sets are written out as CSV and published over FTP for the AD server to fetch.
Once the AD server has fetched the day's files, a PowerShell script per file performs the account work automatically: create the new hires, disable the leavers, and move the transfers and re-assign their groups.
Environment:
AD: Windows Server 2003
SAP change-master database: SQL Server 2012
Local database: SQL Server 2012
AD scripting host: ActiveRolesManagementShellforActiveDirectoryx86_130.msi (the Quest ActiveRoles Management Shell for Active Directory, x86 build)
VIEW_SAP: in the local database, create a linked server (HCMPRD) to the personnel-change database that SAP provides, and select, for each employee (PERNR), only the latest change record written today. The inner query finds the latest BUILD_TIME per PERNR for today's BUILD_DATE (yyyymmdd, CONVERT style 112) and the outer query joins back to it; if two records for one PERNR share the same BUILD_TIME both come through, so the export stage should expect that.

SELECT a.MANDT, a.PERNR, a.BUILD_DATE, a.BUILD_TIME, a.LAST_CHG, a.ENAME, a.BUKRS,
       a.FIRST_HDATE, a.LAST_WDATE, a.HIRE_DATE, a.LEAVE_DATE, a.TRFGR, a.TRFST,
       a.TRFGR_DATE, a.PRE_ORGEH, a.ORGEH, a.OSHORT, a.OSTEXT, a.ZORGLONG, a.STELL,
       a.STELL_BEGDA, a.PLANS, a.KOSTL, a.ZLOCALID, a.SCHKZ, a.MASSN, a.ACTION_CODE,
       a.ZZAUSW, a.WERKS, a.ZORGJGID, a.ZOPADMINID
FROM HCMPRD.hcmprd.dbo.HRPA02_WJ AS a
INNER JOIN (
    -- latest change record per employee for today
    SELECT PERNR, BUILD_DATE, MAX(BUILD_TIME) AS time
    FROM HCMPRD.hcmprd.dbo.HRPA02_WJ AS HRPA02_WJ_1
    WHERE BUILD_DATE = CONVERT(varchar(100), GETDATE(), 112)
    GROUP BY BUILD_DATE, PERNR
) AS b ON a.BUILD_DATE = b.BUILD_DATE AND a.BUILD_TIME = b.time AND a.PERNR = b.PERNR
WHERE a.BUILD_DATE = CONVERT(varchar(100), GETDATE(), 112)
Columns of the local infra table (department to AD mapping):
PDPT: code of the department the employee belongs to (joined to ORGEH from SAP)
INFM: the AD group that carries that department's account entitlements (becomes the CN in the GONGGONGCAO column)
PART: department name
PDPTUP: the department's parent department (becomes the OU name in the PATH column)
VIEW_ADdisableuser: this view is the local mapping from an employee record to the AD attributes the scripts need. It joins VIEW_SAP with infra on the department code and keeps only rows whose ACTION_CODE is 'D', the code that marks leavers. Two details worth knowing: bcp does not quote fields, so the view wraps the two DN-valued columns in double quotes itself, otherwise the commas inside the DN would split the CSV field; and the password column is the same literal for every row. Every account therefore starts with one shared password that leaves the database in clear text inside the CSV. The add-user script does set UserMustChangePassword, but anyone who reads the export share or the FTP traffic can log on before the employee does, so a per-account random value handed over out of band is the safer choice.

SELECT RIGHT(a.PERNR, 7) AS name,
       a.ENAME AS givenname,
       RIGHT(a.PERNR, 7) + '@test.com.cn' AS UserPrincipalName,
       RIGHT(a.PERNR, 7) AS SAMACCOUNTNAME,
       RIGHT(a.PERNR, 7) + ' ' + a.ENAME AS displayname,
       a.ORGEH + '/' + a.ENAME AS description,
       'test' AS company,
       a.STELL AS title,
       b.PART AS department,
       -- entitlement group DN, quoted because it contains commas and bcp does not quote fields
       '"CN=' + b.INFM + ',OU=GlobalGroups,OU=CustomGroups,DC=test,DC=COM,DC=CN"' AS gonggongcao,
       'lcmuser.bat' AS dengrujiaoben,                                   -- logon script
       'K:' AS lianjiedao,                                               -- home drive letter
       '\\wufile1.test.com.cn\personal\' + RIGHT(a.PERNR, 7) AS kdizhi,   -- home directory
       '"OU=' + b.PDPTUP + ',OU=MASTER GROUP,DC=test,DC=COM,DC=CN"' AS path, -- target OU
       'test' AS password,                                               -- shared initial password (see note above)
       'test\' + RIGHT(a.PERNR, 7) AS [IDENTITY],
       a.PERNR AS employeeID,
       'W' + RIGHT(a.PERNR, 7) + '@test.com.cn' AS mail
FROM dbo.View_sap AS a
INNER JOIN dbo.infra AS b ON a.ORGEH = b.PDPT
WHERE a.ACTION_CODE = 'D'   -- 'D' is the action code for leavers
bcp script: every day, on a schedule, the SQL Server bcp utility writes the view out as CSV. bcp has no header option, so the first SELECT supplies the header row and is UNION ALLed onto the view:

bcp "select col1 = 'NAME', col2 = 'GIVENNAME', col3 = 'USERPRINCIPALNAME', col4 = 'SAMACCOUNTNAME', col5 = 'DISPLAYNAME', col6 = 'DESCRIPTION', col7 = 'COMPANY', col8 = 'TITLE', col9 = 'DEPARTMENT', col10 = 'GONGGONGCAO', col11 = 'DENGRUJIAOBEN', col12 = 'LIANJIEDAO', col13 = 'KDIZHI', col14 = 'PATH', col15 = 'PASSWORD', col16 = 'IDENTITY', col17 = 'EMPLOYEEID', col18 = 'MAIL' union all select * from wuhcmint.dbo.view_ADdisableuser" queryout D:\data\disableuser\addisableuser.csv -t "," -w -Usa -P***** -S"wumssql\wuhcmint"

-t "," sets the field terminator and -w writes the file as Unicode (UTF-16), which matters for the transfer step later. Two caveats: UNION ALL does not guarantee that the header row comes out first, so add a sort column and an ORDER BY if the order ever matters; and the command runs as sa with the password on the command line (masked here), where it is visible in the scheduled task definition and in process listings. A SQL login with nothing but SELECT on the view, or -T (Windows authentication) under the task's own service account, is the least-privilege form.
CSV output (the header row followed by one data row):

NAME,GIVENNAME,USERPRINCIPALNAME,SAMACCOUNTNAME,DISPLAYNAME,DESCRIPTION,COMPANY,TITLE,DEPARTMENT,GONGGONGCAO,DENGRUJIAOBEN,LIANJIEDAO,KDIZHI,PATH,PASSWORD,IDENTITY,EMPLOYEEID,MAIL
1150027,掃地僧,1150027@test.com.cn,1150027,1150027 掃地僧,00001409/掃地僧,TEST,28000200,少林寺,"CN=GO_EN,OU=GlobalGroups,OU=CustomGroups,DC=TEST,DC=COM,DC=CN",user.bat,K:,\\file.test.com.cn\personal\1150027,"OU=00001400,OU=MASTER GROUP,DC=TEST,DC=COM,DC=CN",password,test\1150027,31150027,1150027@test.com.cn
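The scripts further down apply whatever the CSV says: the OU in PATH, the group in GONGGONGCAO and the password are used as-is. Because the file arrives over FTP, a row that an attacker, or a bug in the view, has altered turns into an account in a container and a group of their choosing. An added example, not code from the original post, of a pre-flight check the AD side can run before any cmdlet touches the directory. The column names are the ones the bcp header above produces; the two rows in the here-string are constructed for this example (the second one is deliberately bad: Domain Admins as the entitlement group, the Domain Controllers OU as the target, and the shared placeholder password), and the domain name, UPN suffix, user OU, group OU and placeholder list are assumptions that mirror the post's layout.

```powershell
# Added example, not from the original post. Validates rows of the bcp export before any
# AD cmdlet runs. The two rows below are constructed for this example; the domain, OU, group
# base, UPN suffix and placeholder list are assumptions that mirror the post's layout.
$Csv = @'
NAME,GIVENNAME,USERPRINCIPALNAME,SAMACCOUNTNAME,DISPLAYNAME,DESCRIPTION,COMPANY,TITLE,DEPARTMENT,GONGGONGCAO,DENGRUJIAOBEN,LIANJIEDAO,KDIZHI,PATH,PASSWORD,IDENTITY,EMPLOYEEID,MAIL
1150027,Sweeper,1150027@test.com.cn,1150027,1150027 Sweeper,00001409/Sweeper,TEST,28000200,Shaolin,"CN=GO_EN,OU=GlobalGroups,OU=CustomGroups,DC=TEST,DC=COM,DC=CN",user.bat,K:,\\file.test.com.cn\personal\1150027,"OU=00001400,OU=MASTER GROUP,DC=TEST,DC=COM,DC=CN",Vq7#zL2m!p9R,test\1150027,31150027,1150027@test.com.cn
1150028,Intruder,1150028@test.com.cn,1150028,1150028 Intruder,00001409/Intruder,TEST,28000200,Shaolin,"CN=Domain Admins,CN=Users,DC=TEST,DC=COM,DC=CN",user.bat,K:,\\file.test.com.cn\personal\1150028,"OU=Domain Controllers,DC=TEST,DC=COM,DC=CN",test,test\1150028,31150028,1150028@test.com.cn
'@

function Test-ProvisioningRow {
    # Returns the list of problems found in one row; an empty list means the row may be applied.
    param(
        [Parameter(Mandatory=$true)] $Row,
        [string]   $Domain       = 'test',
        [string]   $UpnSuffix    = '@test.com.cn',
        [string]   $UserBase     = 'OU=MASTER GROUP,DC=TEST,DC=COM,DC=CN',
        [string]   $GroupBase    = 'OU=GlobalGroups,OU=CustomGroups,DC=TEST,DC=COM,DC=CN',
        [string[]] $Placeholders = @('test', 'password')
    )
    $problems = @()
    # every identity column must be derived from the same 7-digit PERNR
    if ($Row.SAMACCOUNTNAME -notmatch '^\d{7}$')             { $problems += 'SAMACCOUNTNAME is not a 7-digit PERNR' }
    if ($Row.NAME -ne $Row.SAMACCOUNTNAME)                    { $problems += 'NAME differs from SAMACCOUNTNAME' }
    if (-not $Row.EMPLOYEEID.EndsWith($Row.NAME))             { $problems += 'EMPLOYEEID does not end with NAME' }
    if ($Row.USERPRINCIPALNAME -ne ($Row.NAME + $UpnSuffix))  { $problems += 'USERPRINCIPALNAME does not match NAME plus suffix' }
    if ($Row.IDENTITY -ne ($Domain + '\' + $Row.NAME))        { $problems += 'IDENTITY does not match domain\NAME' }
    # the scripts trust PATH and GONGGONGCAO blindly: keep them inside the containers provisioning owns
    # (-match and -ne are case-insensitive, so DC=test and DC=TEST compare equal)
    if ($Row.PATH -notmatch ('^OU=[^,]+,' + [regex]::Escape($UserBase) + '$'))         { $problems += "PATH is not a child OU of $UserBase" }
    if ($Row.GONGGONGCAO -notmatch ('^CN=[^,]+,' + [regex]::Escape($GroupBase) + '$'))  { $problems += "GONGGONGCAO is not a group under $GroupBase" }
    # a shared initial password is usable by anyone who read the CSV before the employee did
    if ($Placeholders -contains $Row.PASSWORD)                { $problems += 'PASSWORD is a shared placeholder' }
    if ($Row.PASSWORD.Length -lt 12)                          { $problems += 'PASSWORD is shorter than 12 characters' }
    return ,$problems
}

function Get-ValidRows {
    # Splits the export into rows that may be applied and rows that must be reported, never applied.
    param([string] $CsvText)
    $ok = @(); $bad = @()
    foreach ($r in (ConvertFrom-Csv $CsvText)) {
        $p = Test-ProvisioningRow -Row $r
        if ($p.Count -eq 0) { $ok += $r } else { $bad += ("{0}: {1}" -f $r.NAME, ($p -join '; ')) }
    }
    New-Object PSObject -Property @{ Apply = $ok; Reject = $bad }
}

$result = Get-ValidRows -CsvText $Csv
"apply:  " + (($result.Apply | ForEach-Object { $_.NAME }) -join ', ')
$result.Reject | ForEach-Object { "reject: " + $_ }
```

Run it with the constructed rows and the first account is cleared while the second is rejected on four counts (group, OU and both password checks). In the real pipeline Get-ValidRows would be called on the fetched file and only the Apply set passed to Import-Csv's consumers; the Reject lines belong in Error.txt, which the original scripts declare but never write to.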
AD side:
FTP script on the AD server, run daily to fetch the two files. The batch file starts ftp with the command file SCRIPT2.DAT and then appends a dated line to ftplog2.txt; note that the "up ok" line is written unconditionally, ftp.exe does not report a failed get through its exit code.

Batch file:
FTP -n -s:SCRIPT2.DAT
@echo %date:~0,4%%date:~5,2%%date:~8,2% up ok >>ftplog2.txt

SCRIPT2.DAT:
open ******
USER administrator ******
lcd D:\AD\ADadduser
ASCII
quote type c 1208
get adduser/adadduser.csv
lcd D:\AD\ADdisableuser
ASCII
quote type c 1208
get disableuser/addisableuser.csv
quit

Watch the character-set conversion here: the transfer runs in ASCII mode with the code page switched by "quote type c 1208", while bcp wrote the file with -w (UTF-16). If the two do not line up, Import-Csv reads garbage for every non-ASCII name. Also, SCRIPT2.DAT holds the FTP host and the administrator password in clear text (masked with ****** in the post) and FTP sends them in clear on the wire; restrict the file's ACL to the scheduled task's account and use a read-only FTP account scoped to the two export directories rather than administrator.
PowerShell script (disable leavers):

#Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue;
$SourceFile = "D:\AD\ADdisableuser\addisableuser.csv";
$LogFile    = "D:\AD\ADdisableuser\LOG.txt";
$ErrorFile  = "D:\AD\ADdisableuser\Error.txt";

Import-Csv $SourceFile | Foreach {
    # look the account up by name under the Master Group OU
    $user2 = Get-QADUser -Name $_.NAME -SearchRoot "OU=Master Group,DC=test,DC=com,DC=cn" -SizeLimit 0 | Select-Object name
    if ($user2.Name -ne $null) {
        # disable and park the account in the DeniedUser OU
        Disable-QADUser -Identity $_.IDENTITY;
        Move-QADObject -Identity $_.IDENTITY -NewParentContainer 'test.com.cn/Master Group/DeniedUser';
        $Date = Get-Date
        $ExportContent = $_.NAME + " account disabled " + $Date + "`r`n";
        Out-File -InputObject $ExportContent -FilePath $LogFile -Append
    } else {
        # no matching account: record it in Error.txt (the original appended to LOG.txt and never reset $E,
        # so every earlier message was repeated with each new one)
        $Date = Get-Date
        $E = $_.NAME + " no such account " + $Date + "`r`n";
        Out-File -InputObject $E -FilePath $ErrorFile -Append
    }
}
Batch file run on a schedule to execute the PowerShell script. It starts PowerShell (8.3 short path) with the ActiveRoles Management Shell console file, which is what loads the Quest cmdlets; that is why the Add-PSSnapin line in the scripts is commented out:

C:\WINDOWS\system32\WINDOW~2\v1.0\POWERS~1.EXE -psconsolefile "%ProgramFiles%\Quest Software\Management Shell for AD\ConsoleSettings.psc1" -command ". 'D:\AD\ADdisableuser\disableuser1.ps1'"
The SQL for the add-user view is not covered in detail here.
PowerShell script (create new hires):

#Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue;
$SourceFile = "D:\AD\ADadduser\adduser.csv";
$LogFile    = "D:\AD\ADadduser\LOG.txt";
$ErrorFile  = "D:\AD\ADadduser\Error.txt";

Import-Csv $SourceFile | Foreach {
    $user2 = Get-QADUser -Name $_.NAME -SearchRoot "OU=Master Group,DC=test,DC=com,DC=cn" -SizeLimit 0 | Select-Object name
    if ($user2.Name -eq $null) {
        # create the account in the department OU (PATH) with the initial password from the CSV
        New-QADUser -Name $_.NAME -LastName $_.NAME -GivenName $_.GIVENNAME -UserPrincipalName $_.USERPRINCIPALNAME `
            -SamAccountName $_.SAMACCOUNTNAME -DisplayName $_.DISPLAYNAME -Description $_.DESCRIPTION `
            -Company $_.COMPANY -Title $_.TITLE -Department $_.DEPARTMENT -ParentContainer $_.PATH -UserPassword $_.PASSWORD;
        # force a password change at first logon; set logon script, home directory and home drive
        Set-QADUser -Identity $_.IDENTITY -UserMustChangePassword $True -LogonScript $_.DENGRUJIAOBEN -HomeDirectory $_.KDIZHI -HomeDrive $_.LIANJIEDAO;
        # department entitlement group
        Add-QADGroupMember -Identity $_.GONGGONGCAO -Member $_.NAME;
        $Date = Get-Date
        $ExportContent = $_.NAME + " account created " + $Date + "`r`n";
        Out-File -InputObject $ExportContent -FilePath $LogFile -Append
    } else {
        # account already exists: record it in Error.txt instead of accumulating messages in $E
        $Date = Get-Date
        $E = $_.NAME + " account already exists " + $Date + "`r`n";
        Out-File -InputObject $E -FilePath $ErrorFile -Append
    }
}
The SQL for the move-user view is not covered in detail here.
PowerShell script (move transfers, re-assign groups). The move file carries one extra column, MANAGER, where the codes 0, H20 and H30 mean non-manager:

#Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue;
$SourceFile = "D:\AD\ADmoveuser\admoveuser.csv";
$LogFile    = "D:\AD\ADmoveuser\LOG.txt";
$ErrorFile  = "D:\AD\ADmoveuser\Error.txt";

Import-Csv $SourceFile | Foreach {
    # the original had "OU=Master Group,test,DC=com,DC=cn" here, which is not a valid DN
    $user2 = Get-QADUser -Name $_.NAME -SearchRoot "OU=Master Group,DC=test,DC=com,DC=cn" -SizeLimit 0 | Select-Object name
    $testMANAGER = $_.MANAGER
    if ($user2.Name -ne $null) {
        # move the account to the new department OU
        Move-QADObject -Identity $_.IDENTITY -NewParentContainer $_.PATH
        # dump MemberOf to a temp file and grep the group DNs out of the formatted output;
        # lines 0-2 of tmpa.txt are the blank line, the "Line" header and the "----" separator that
        # Select-Object prints, and the last line may be blank, hence the guard in the loop.
        # This depends on Format-Custom's layout and console width, which is fragile.
        Get-QADUser -Identity $_.NAME -SearchRoot "OU=Master Group,DC=test,DC=com,DC=cn" -SizeLimit 0 | Select-Object MemberOf | Format-Custom -Property * > "D:\AD\ADmoveuser\tmp.txt"
        Select-String D:\AD\ADmoveuser\tmp.txt -Pattern "CN" | Select-Object Line > "D:\AD\ADmoveuser\tmpa.txt"
        $member  = Get-Content D:\AD\ADmoveuser\tmpa.txt
        $linenum = (Get-Content D:\AD\ADmoveuser\tmpa.txt).Count - 1
        # remove the account from every group it is in, then add the new department group
        for ($i = 3; $i -le $linenum; $i++) {
            if ($member[$i].Trim()) { Remove-QADGroupMember -Identity $member[$i].Trim() -Member $_.IDENTITY }
        }
        Add-QADGroupMember -Identity $_.GONGGONGCAO -Member $_.IDENTITY;
        # MANAGER codes 0, H20 and H30 are non-managers; everyone else joins the manager group
        if (($testMANAGER -ne "0") -and ($testMANAGER -ne "H20") -and ($testMANAGER -ne "H30")) {
            Add-QADGroupMember -Identity "CN=test_Manager,OU=GlobalGroups,OU=CustomGroups,DC=test,DC=COM,DC=CN" -Member $_.IDENTITY;
        } else {
            $Date = Get-Date
            $D = $_.NAME + " not a manager " + $Date + "`r`n";
            Out-File -InputObject $D -FilePath $LogFile -Append
        }
        # refresh the attributes that change with a transfer
        Set-QADUser -Identity $_.IDENTITY -Description $_.DESCRIPTION -Title $_.TITLE -Department $_.DEPARTMENT;
        $Date = Get-Date
        $ExportContent = $_.NAME + " account moved " + $Date + "`r`n";
        Out-File -InputObject $ExportContent -FilePath $LogFile -Append
    } else {
        $Date = Get-Date
        $E = $_.NAME + " no such account " + $Date + "`r`n";
        Out-File -InputObject $E -FilePath $ErrorFile -Append
    }
}