VB Script returns all group memberships for a user EXCEPT Exchange Dist groups

I have a VB script which queries AD and returns all the groups a user is a member of. This works great, except as it turns out, it is only returning the groups which are "security" groups, and not "distribution" groups. Not sure what the difference here would be from the investigations I've done using LDIFDE.

Any help would be appreciated

Thanks

--
SecurityGuy
------------------------------------------------------------------------
SecurityGuy's Profile: http://forums.techarena.in/members/85156.htm
View this thread: http://forums.techarena.in/active-directory/1147902.htm
http://forums.techarena.in


Can you post the script??

--
James Yeomans, BSc, MCSE, MCITP

"SecurityGuy" wrote:
> I have a VB script which queries AD and returns all the groups a user is a member of. [...]


"SecurityGuy" <SecurityGuy.3pmc3b@DoNotSpam.com> wrote in message news:SecurityGuy.3pmc3b@DoNotSpam.com...
> I have a VB script which queries AD and returns all the groups a user is a member of. [...]

If you are using the tokenGroups attribute, this never includes any distribution groups. It includes all nested group memberships, and the "primary" group, but only security groups. Every other method I can think of would include distribution groups.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net


Here is the script in question

Option Explicit
On Error Resume Next
Const FileRead = 1
Const FileWrite = 2
Const OverwriteExisting = True

Dim ObjUser, objFso, WriteToFile, strDomain, member, strUsrName, objWshShell, strCurrenttime, strFileName

strUsrName = inputbox ("User Name", "Display User Group Membership")

strCurrenttime = Now()
strDomain = "MyDomain"
' Bind to the user with the WinNT provider.
Set ObjUser = Getobject("WinNT://" & strDomain & "/" & strUsrName & ",user")
set objFso = CreateObject("Scripting.FileSystemObject")
objFso.CreateTextFile(strUsrName & ".txt")
set WriteToFile = objFso.OpenTextFile(strUsrName & ".txt", FileWrite, True)

writetofile.write "These are the group memberships for " & strUsrName & vbcrlf
writetofile.write "Memberships as of " & strCurrenttime & vbcrlf & vbcrlf
writetofile.write "Groupname" & vbcrlf & vbcrlf

' Enumerate the groups the WinNT provider reports for the user.
For Each Member in ObjUser.Groups
    WriteToFile.write member.name & vbcrlf
next

WriteToFile.close

'objFSO.CopyFile strUsrName & ".txt" , "\\MyDomain\files\public\temp", OverwriteExisting
objFSO.deleteFile "\\MyDomain\files\IT\Support\Staff Change Requests\GroupMembershipQueries\" & strUsrName & ".txt"
objFSO.MoveFile strUsrName & ".txt" , "\\MyDomain\files\IT\Support\Staff Change Requests\GroupMembershipQueries\"

Set objWshShell = Wscript.CreateObject("WScript.Shell")

'objWshShell.Run "%comspec% /c notepad.exe " & "\\MyDomain\files\public\temp" & strUsrName & ".txt",0,True
objWshShell.Run "%comspec% /c notepad.exe " & "\\MyDomain\files\IT\Support\Staff Change Requests\GroupMembershipQueries\" & strUsrName & ".txt",0,True

set objFso = Nothing
set WriteToFile = Nothing
set ObjUser = Nothing
set objWshShell = Nothing

--
SecurityGuy
"SecurityGuy" <SecurityGuy.3pmkfc@DoNotSpam.com> wrote in message news:SecurityGuy.3pmkfc@DoNotSpam.com...
> Here is the script in question
> [...]

Ah, the WinNT provider. It only supports features that were available in Windows NT, and this does not include distribution groups (or nested global groups). You will need to use the LDAP provider, as my previous linked example does. If you need to query for the "pre-Windows 2000 logon name", rather than the Distinguished Name, you can use the NameTranslate object to convert the former into the latter. See this link for details:

http://www.rlmueller.net/NameTranslateFAQ.htm

For example:
===========
Dim strDomain, strUsrName, strNTName, objTrans, strUserDN
Dim objUser, objGroup

' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

' Specify the NetBIOS name of the domain.
strDomain = "MyDomain"
strUsrName = inputbox ("User Name", "Display User Group Membership")
strNTName = strDomain & "\" & strUsrName

' Use the NameTranslate object to convert the NT user name to the
' Distinguished Name required for the LDAP provider.
Set objTrans = CreateObject("NameTranslate")

' Initialize NameTranslate by locating the Global Catalog.
objTrans.Init ADS_NAME_INITTYPE_GC, ""

' Use the Set method to specify the NT format of the object name.
' Trap the error if the user does not exist.
On Error Resume Next
objTrans.Set ADS_NAME_TYPE_NT4, strNTName
If (Err.Number <> 0) Then
    Wscript.Echo "User " & strUsrName & " not found."
    Wscript.Quit
End If
On Error GoTo 0

' Use the Get method to retrieve the RPC 1779 Distinguished Name.
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)

' Bind to the user object in Active Directory with the LDAP provider.
Set objUser = GetObject("LDAP://" & strUserDN)

Wscript.Echo "Group memberships for user " & strUsrName

' Enumerate direct group memberships.
' This will not reveal membership in the "primary" group
' or memberships due to group nesting.
For Each objGroup In objUser.Groups
    Wscript.Echo objGroup.Name
Next
========

You can run this script at a command prompt using the cscript host and redirect the output to a text file. You can also add the code that uses NameTranslate to the previous example I linked.

--
Richard Mueller
"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in message news:ur9tV7YrJHA.1748@TK2MSFTNGP05.phx.gbl...
> If you are using the tokenGroups attribute, this never includes any distribution groups. [...]

I have an example VBScript program to document all groups a specified user is a member of linked here:

http://www.rlmueller.net/List%20User%20Groups.htm

The program uses a recursive subroutine and the memberOf attribute. It documents all group memberships, security and distribution, including membership due to group nesting. However, it does not document membership in the "primary" group of the user (usually "Domain Users").

--
Richard Mueller


In addition to the info provided by Richard, you also can find a sample script at http://technet.microsoft.com/en-us/magazine/2006.03.scriptingguy.aspx

Note, however, that this one does not take into account the primary group membership...

hth
Marcin

"SecurityGuy" <SecurityGuy.3pmc3b@DoNotSpam.com> wrote in message news:SecurityGuy.3pmc3b@DoNotSpam.com...
> I have a VB script which queries AD and returns all the groups a user is a member of. [...]


Thank you Richard, you've been most helpful. I am posting below the finished product which works fine with the exception of, as we've discussed, not including the user's "primary group".

How would I add this to the final output? I need to include the "Primary Group membership" as well in the final output, so let me know how I would go about that if you can

Script thus far:

Option Explicit
On Error Resume Next
Dim ObjUser, objFso, WriteToFile, strDomain, member, strUsrName, objWshShell, strTime
Dim strCurrenttime, strDateStart, strDateMid, strDateEnd, strSecond, strFileName
Dim strNTName, objTrans, strUserDN, objGroup
Const FileRead = 1
Const FileWrite = 2
Const OverwriteExisting = True
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

strDomain = "MyDomain"
strUsrName = inputbox ("User Name", "Display User Group Membership")
strNTName = strDomain & "\" & strUsrName

' Use the NameTranslate object to convert the NT user name to the
' Distinguished Name required for the LDAP provider.
Set objTrans = CreateObject("NameTranslate")

' Initialize NameTranslate by locating the Global Catalog.
objTrans.Init ADS_NAME_INITTYPE_GC, ""

' Use the Set method to specify the NT format of the object name.
' Trap the error if the user does not exist.
On Error Resume Next
objTrans.Set ADS_NAME_TYPE_NT4, strNTName
If (Err.Number <> 0) Then
    Wscript.Echo "User " & strUsrName & " not found."
    Wscript.Quit
End If
On Error GoTo 0

strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)

' Bind to the user object in Active Directory with the LDAP provider.
Set objUser = GetObject("LDAP://" & strUserDN)

' Setting relatively random file name so we don't overwrite due to multiple queries on same user
strCurrenttime = Now()
strDateStart = Left(DATE,1)
strDateEnd = Right(DATE,4)
' strSecond was never assigned in the posted version, so strTime was always empty
' and the file name was not unique; take the seconds from the timestamp instead.
strSecond = Second(strCurrenttime)
strTime = Trim(strSecond)

set objFso = CreateObject("Scripting.FileSystemObject")
objFso.CreateTextFile(strUsrName & strDateStart & strDateEnd & strTime & ".txt")
set WriteToFile = objFso.OpenTextFile(strUsrName & strDateStart & strDateEnd & strTime & ".txt", FileWrite, True)

writetofile.write "These are the group memberships for " & strUsrName & vbcrlf
writetofile.write "Memberships as of " & strCurrenttime & vbcrlf & vbcrlf
writetofile.write "Groupname" & vbcrlf & vbcrlf

' Direct memberships via the LDAP provider; Mid(...,4) strips the leading "CN=".
For Each objGroup In objUser.Groups
    WriteToFile.write (Mid(objGroup.Name,4)) & vbcrlf
next

WriteToFile.close
objFSO.MoveFile strUsrName & strDateStart & strDateEnd & strTime & ".txt" , "\\MyDomain\files\IT\Support\Staff Change Requests\GroupMembershipQueries\"

Set objWshShell = Wscript.CreateObject("WScript.Shell")
objWshShell.Run "%comspec% /c notepad.exe " & "\\MyDomain\files\IT\Support\Staff Change Requests\GroupMembershipQueries\" & strUsrName & strDateStart & strDateEnd & strTime & ".txt",0,True

set objFso = Nothing
set WriteToFile = Nothing
set ObjUser = Nothing
set objWshShell = Nothing

--
SecurityGuy


"SecurityGuy" <SecurityGuy.3po3zb@DoNotSpam.com> wrote in message news:SecurityGuy.3po3zb@DoNotSpam.com...
> Thank you Richard, you've been most helpful. I am posting below the finished product which works fine with the exception of, as we've discussed, not including the user's "primary group". [...]

Remember that all users have the "Domain Users" group assigned as their "primary" group when the object is created. This happens automatically when the object is created. If you are creating users, there is no need to worry about this. The only reason I have ever heard of for assigning any other group as "primary" is if you support Macintosh clients or POSIX-compliant applications. If you are enumerating group memberships, in most cases it is best to just assume that everyone is a member of "Domain Admins". However, to display the "primary" group membership for any user, use code similar to this example:

http://www.rlmueller.net/Get%20Primary%20Group.htm

--
Richard Mueller
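The thread describes three enumeration methods that each miss something: the WinNT provider and tokenGroups report only security groups (tokenGroups with nesting and the primary group, WinNT without nesting), a recursive memberOf walk reports security and distribution groups with nesting but never the primary group, and the primary group has to be derived separately from primaryGroupID. The following is an added example, not code from the thread or from Richard's linked scripts, written in Python rather than VBScript so it runs offline against a constructed in-memory directory instead of a live AD query. Everything in the directory (the domain SID, DNs, RIDs and which group is nested in which) is made up for the example; the groupType flag values (ADS_GROUP_TYPE_SECURITY_ENABLED, global, universal) and the rule that the primary group's SID is the user's domain SID plus primaryGroupID are real. The tokenGroups and WinNT behaviours are modelled from the thread's description, not read from a token.

```python
"""Offline model of the group-enumeration methods discussed in the thread.
Constructed sample directory, not a live Active Directory query."""

# groupType flags: the security bit separates security from distribution groups.
SECURITY_ENABLED = 0x80000000   # ADS_GROUP_TYPE_SECURITY_ENABLED
GLOBAL_GROUP = 0x2
UNIVERSAL_GROUP = 0x8

DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed domain SID
BASE = "DC=MyDomain,DC=local"            # constructed domain DN


def dn(cn_value, container="OU=Groups"):
    """Build a DN for the constructed directory."""
    return f"CN={cn_value},{container},{BASE}"


# Constructed directory: DN -> the attributes the thread relies on.
DIRECTORY = {
    dn("Domain Users", "CN=Users"): {"objectSid": f"{DOMAIN_SID}-513",  # well-known RID 513
                                     "groupType": SECURITY_ENABLED | GLOBAL_GROUP, "memberOf": []},
    dn("Helpdesk"):   {"objectSid": f"{DOMAIN_SID}-1101", "groupType": SECURITY_ENABLED | GLOBAL_GROUP,
                       "memberOf": [dn("IT Staff")]},          # nested in a security group
    dn("IT Staff"):   {"objectSid": f"{DOMAIN_SID}-1102", "groupType": SECURITY_ENABLED | GLOBAL_GROUP,
                       "memberOf": [dn("All Staff")]},         # nested in a distribution group
    dn("All Staff"):  {"objectSid": f"{DOMAIN_SID}-1103", "groupType": UNIVERSAL_GROUP,  # distribution
                       "memberOf": []},
    dn("Newsletter"): {"objectSid": f"{DOMAIN_SID}-1104", "groupType": UNIVERSAL_GROUP,  # distribution
                       "memberOf": []},
    dn("jdoe", "OU=Users"): {"objectSid": f"{DOMAIN_SID}-1105", "primaryGroupID": 513,
                             "memberOf": [dn("Helpdesk"), dn("Newsletter")]},
}


def cn(dn_value):
    """Return the CN, like the Mid(objGroup.Name, 4) in the thread's script."""
    return dn_value.split(",", 1)[0][3:]


def is_security_group(group_dn):
    return bool(DIRECTORY[group_dn]["groupType"] & SECURITY_ENABLED)


def primary_group_dn(user_dn):
    """Primary group SID = user's domain SID + '-' + primaryGroupID.
    memberOf never lists it, which is why the thread's scripts miss it."""
    user = DIRECTORY[user_dn]
    domain_sid = user["objectSid"].rsplit("-", 1)[0]
    wanted = f"{domain_sid}-{user['primaryGroupID']}"
    for group_dn, attrs in DIRECTORY.items():
        if "groupType" in attrs and attrs["objectSid"] == wanted:
            return group_dn
    raise LookupError(f"no group with SID {wanted}")


def member_of_recursive(user_dn):
    """Recursive memberOf walk: security and distribution groups, with nesting,
    but not the primary group."""
    seen = set()

    def walk(obj_dn):
        for group_dn in DIRECTORY[obj_dn]["memberOf"]:
            if group_dn not in seen:          # guard against circular nesting
                seen.add(group_dn)
                walk(group_dn)

    walk(user_dn)
    return seen


def token_groups(user_dn):
    """Modelled tokenGroups: security groups only, primary group included,
    nesting followed only through other security groups."""
    seen = {primary_group_dn(user_dn)}

    def walk(obj_dn):
        for group_dn in DIRECTORY[obj_dn]["memberOf"]:
            if is_security_group(group_dn) and group_dn not in seen:
                seen.add(group_dn)
                walk(group_dn)

    walk(user_dn)
    return seen


def winnt_groups(user_dn):
    """Modelled WinNT provider Groups collection: direct security-group
    memberships plus the primary group, no nesting, no distribution groups."""
    direct = {g for g in DIRECTORY[user_dn]["memberOf"] if is_security_group(g)}
    return direct | {primary_group_dn(user_dn)}


def full_membership(user_dn):
    """Complete answer: recursive memberOf plus the primary group, each
    labelled security/distribution so the two kinds can be told apart."""
    primary = primary_group_dn(user_dn)
    report = {}
    for group_dn in sorted(member_of_recursive(user_dn) | {primary}, key=cn):
        kind = "security" if is_security_group(group_dn) else "distribution"
        report[cn(group_dn)] = kind + (" (primary)" if group_dn == primary else "")
    return report


if __name__ == "__main__":
    for name, kind in full_membership(dn("jdoe", "OU=Users")).items():
        print(f"{name:15} {kind}")
```

For the constructed user, `winnt_groups` returns only Domain Users and Helpdesk, `token_groups` adds the nested IT Staff, `member_of_recursive` finds both distribution groups but drops Domain Users, and only `full_membership` lists all five. Against a real directory the same functions would read memberOf, groupType, objectSid and primaryGroupID through ADSI or LDAP instead of the dictionary.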