
Guy's Scripting Ezine 38 - Groups part 2


This week’s secret

This week's scripting secret is - keep it short and simple.  However, I do like to add extras for those who wish to dissect the scripts rather than merely copy and paste.

In this ezine I have two scripts for you.  The first script will create the actual global group.  The second will display the groups, or MemberOf, to which the Administrator belongs.


Scripting MemberOf

MemberOf (not MemberSof) is one of the key LDAP attributes for controlling groups via VBScript.  Here is a script that will check to which groups your administrator belongs.

Instructions

  1. Pre-requisites.  You need either a Windows 2000 or Server 2003 domain controller for this script to work.
  2. Optional : Edit the CN=Administrator.  Remember that in this scenario, you want the script to enumerate the groups to which the administrator is a 'member of'.
  3. Copy and paste the script below into notepad.  For once, the script should run without alterations; that is because I chose the administrator's account, and unless you have renamed that account, it should work.  If you have altered the Administrator's account then do edit the script.
  4. Save the file with a .vbs extension, e.g. AdminMember.vbs
  5. Double click and observe the message box

 

 

' AdminMember.vbs
' Version 1.3
' Guy Thomas 25th July 2004

Option Explicit

Dim objGroup, objUser, objRootDSE
Dim objDomain, objOU, objMemberOf ' Objects
Dim strGroup, strPath, strUser, strOU, strDNSDomain

' Commands to bind to AD and extract domain name
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

WScript.Echo "Active Directory Path: " & strDNSDomain
' Edit the next line to reflect your OU
' N.B. OU=Managers is correct not CN=Managers
strOU ="CN=Users,"

' I choose CN=Users and strUser = Administrator
' Because they will exist. Feel free to amend
strUser ="cn=Administrator,"

' Building the LDAP path
strPath ="LDAP://" & strUser & strOU & strDNSDomain

Set objUser = GetObject(strPath)
Wscript.Echo "DN "& objUser.get("distinguishedName")

objMemberOf = objUser.GetEx("MemberOf")

' Here is the heart of the script, extract MemberOf
For Each objGroup in objMemberOf
   WScript.Echo strUser & " is a member of: " & objGroup
   ' Wscript.echo Group
Next
WSCript.Quit

' End of example VBScript
 

Learning Points

Note 1:  The script enumerates all groups that the CN=Administrator is a member of, even if these groups are in different containers.  For example, the Local Group Administrators is in the Builtin container, whereas the Administrator account is in the Users container.

Note 2:  Feel free to remove, or adjust the WScript.Echo lines

Note 3:  Spot the:  For Each... Next.  This is your loop which cycles through all the groups that the cn=administrator is a memberOf.

Note 4: See more on MemberOf here
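
Note 1 covers groups held in other containers, but the memberOf attribute itself lists only the groups an account is placed in directly: it leaves out the primary group (normally Domain Users) and any group reached through nesting.  The script below is an added example, not one of Guy's scripts; it follows nested groups recursively, copes with an empty memberOf, and reports primaryGroupID separately.  The names WalkMemberOf and dicSeen belong to this example only, and it assumes you run it with cscript on a domain member.

```vbscript
' EffectiveGroups.vbs - added example, not one of Guy's scripts
' Lists direct AND nested groups for one account
Option Explicit

Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

Dim objRootDSE, strDNSDomain, strUserDN, dicSeen

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Same account as AdminMember.vbs; edit to audit another user
strUserDN = "CN=Administrator,CN=Users," & strDNSDomain

' Group DNs already visited; this stops circular nesting looping
Set dicSeen = CreateObject("Scripting.Dictionary")
dicSeen.CompareMode = vbTextCompare   ' DNs are not case sensitive

WalkMemberOf strUserDN, 0

WScript.Echo dicSeen.Count & " group(s) found via memberOf"
WScript.Echo "primaryGroupID (never listed in memberOf): " & _
    GetObject("LDAP://" & strUserDN).Get("primaryGroupID")

Sub WalkMemberOf(strDN, intDepth)
    Dim objItem, arrGroups, strGroupDN
    Set objItem = GetObject("LDAP://" & strDN)

    ' GetEx raises an error when memberOf is empty, so trap it
    On Error Resume Next
    arrGroups = objItem.GetEx("memberOf")
    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        Err.Clear
        Exit Sub                      ' No memberships at this level
    ElseIf Err.Number <> 0 Then
        WScript.Echo "Cannot read " & strDN & ": 0x" & Hex(Err.Number)
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0

    For Each strGroupDN In arrGroups
        If Not dicSeen.Exists(strGroupDN) Then
            dicSeen.Add strGroupDN, intDepth
            WScript.Echo String(intDepth * 2, " ") & strGroupDN
            WalkMemberOf strGroupDN, intDepth + 1
        End If
    Next
End Sub
```

Indented lines in the output are groups the account holds only through nesting, which is where unexpected administrative rights usually hide.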


Guy's Challenges to you.

1) Adjust (or remove) the WScript.Echo lines.  I employ the message boxes for troubleshooting and for confirming that something has actually happened.

2) Choose a new user in a different OU.  For example, if you have an OU called MANAGERS and a user called boss, then alter these two lines.
strOU ="CN=Users,"  .................  strOU = "OU=MANAGERS,"  (n.b. OU not CN, and keep the trailing comma)
strUser ="cn=Administrator," ........  strUser = "CN=Boss,"

Script 2 Creating a Global Group

Scenario: You wish to create a global group in the default Users container.

Instructions

  1. Pre-requisites.  You need either a Windows 2000 or Server 2003 domain controller for this script to work.
  2. Optional : edit this strGroupShort ="Managers"  to reflect the name of a group you want to create.
  3. Copy and paste the script below into notepad.  For once, the script should run without alterations; that is because I chose CN=Users to hold the new group.
  4. Save the file with a .vbs extension, e.g. Managers.vbs.
  5. Double click and observe the group name in the message box.

 

 

' Managers.vbs
' Version 1.2
' Guy Thomas 25th July 2004

Option Explicit

Dim objGroup, objRootDSE, objDomain, objOU ' Objects
Dim strGroup, strGroupShort, strOU, strDNSDomain ' Strings

' Commands to bind to AD and extract domain name
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
WScript.Echo "Active Directory Path: " & strDNSDomain

' Edit the next line to reflect your OU for the group
strOU = "CN=Users,"

' N.B. here is the name of your Global Group
strGroupShort ="Managers"
strGroup ="CN="& strGroupShort

' This is the action part of the script
Set objOU = GetObject("LDAP://"& strOU & strDNSDomain)
Set objGroup = objOU.Create("Group", strGroup)
objGroup.Put "sAMAccountName", strGroupShort
objGroup.SetInfo

WScript.Echo strGroupShort &" added to " & strOU

WSCript.Quit

' End of example VBScript
 

Learning Points

Note 1:  Case sensitivity: VBScript is not case sensitive, so either cn or CN would be correct.  However, when you are referring to the USERS container, that object is CN=USERS; OU=Users would be wrong.  Check the little book symbol on OUs, and note that the symbol is absent from the Users and Built-in containers.

Note 2: A reminder how we get the domain name by using
GetObject("LDAP://RootDSE"), instead of GetObject("LDAP://dc=ab,dc=xy")

Note 3: The trickiest part of the script turned out to be
objOU.Create("Group", strGroup), specifically
objOU.Create("Group", "Managers") does not work, it would have to be:
objOU.Create("Group", "CN=Managers")

This is why I like to use string variables to control the names of OUs, Users and Groups.  The benefit is that you can then easily amend the scripts to suit your situation.
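
A variation on Managers.vbs for anyone who wants the script to be safe to run twice: it checks whether the DN is already taken, sets groupType explicitly rather than relying on the directory default, and reads the object back after SetInfo.  This is an added example, not one of Guy's scripts; the file name and the variables strGroupDN and objCheck are this example's own.

```vbscript
' ManagersChecked.vbs - added example, not one of Guy's scripts
' Creates the group only if absent, states its type explicitly,
' then reads the object back to confirm what was written
Option Explicit

Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000

Dim objRootDSE, objOU, objGroup, objCheck
Dim strDNSDomain, strOU, strGroupShort, strGroupDN

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

strOU = "CN=Users,"            ' Same container as Managers.vbs
strGroupShort = "Managers"     ' Same group name as Managers.vbs
strGroupDN = "CN=" & strGroupShort & "," & strOU & strDNSDomain

' A successful bind means the DN is already taken
On Error Resume Next
Set objCheck = GetObject("LDAP://" & strGroupDN)
If Err.Number = 0 Then
    WScript.Echo strGroupDN & " already exists - nothing created"
    WScript.Quit 1
End If
Err.Clear

Set objOU = GetObject("LDAP://" & strOU & strDNSDomain)
Set objGroup = objOU.Create("Group", "CN=" & strGroupShort)
objGroup.Put "sAMAccountName", strGroupShort
' Global security group, stated rather than left to the default
objGroup.Put "groupType", _
    ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo
' sAMAccountName must be unique in the domain, so SetInfo can
' fail even when the DN was free (same name in another OU)
If Err.Number <> 0 Then
    WScript.Echo "Create failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 2
End If
On Error GoTo 0

' Refresh from the directory rather than trusting the local cache
objGroup.GetInfo
WScript.Echo objGroup.Get("distinguishedName") & _
    " groupType=0x" & Hex(objGroup.Get("groupType"))
```

A groupType of 0x80000002 in the final line confirms a security-enabled global group.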

Guy's Challenges to you.

1) Change strOU = "CN=Users," to strOU = "OU=YourOU,"  (note the comma)

2) Change strGroupShort = "Managers" to strGroupShort = "something else" (note: no comma!)

Summary

With VBScript you can create new global groups.  Another handy scripting job is to use MemberOf to enumerate the groups an account belongs to, no matter which OU or container holds those groups.

See more on Scripting Groups - Whole Section here

Copyright © 1999-2008 Computer Performance LTD All rights reserved