Contents for Guy's Scripting Ezine 57 - More Groups 1
Groups have enough material to write an ebook of their own. Groups are also a classic illustration of my spiral method of learning.
In order to master a subject like groups, you have to go around again and again. Learning is like drawing a spiral, with each turn of the spiral the topic grows in breadth and rises in knowledge.
While I have been enjoying my winter break (last ezine 56 Dec 12), I have used the time to take stock. Here are my resolutions for 2005.
- Listen to my readers.
- Explain both the purpose of the script and the reason for each step.
- Include more Active Directory Scripts.
- Set you a series of challenges.
If there is one area that you and I should work on, then that area is error correcting code. Time is always short, but error correcting code pays back both in time saved in the long term, and true
understanding of the script in the short term.
I ask you to open your mind to the possibility that there may be aspects of groups and Active Directory that you did not know or have forgotten. When it comes to scripting groups, you either take a user perspective, in which case you want to add groups to your user, or you take the group's point of view and add users to that group. The two key properties are, firstly, 'Member': who is in my group? Secondly, 'MemberOf': to which groups do I belong?
Groups themselves have two properties you should know about. Firstly the property called Type, which could be Security or Distribution. Secondly, the property called Scope which could be Global, Domain Local or
Universal. Before you get down to scripting, I recommend a visit to Active Directory Users and Computers (ADUC), and I challenge you to create a new group just to check out all these properties. Do you see the Type and Scope properties? What would it
mean if the Universal scope was greyed out? Answer: your domain is in mixed mode.
While you are in the ADUC, take the time to examine the Member and MemberOf tabs. Another question, which object has both Member and MemberOf tabs? Answer: groups. Users have a
Member tab, but no MemberOf tab.
Minor Shocks with groups
Starting in Windows 2000, computers can be members of groups; this is useful for group policies.
When you create a new user they are automatically a member of the Domain Users global group. However, when you create a computer in ADUC, which default group is the computer a member of? Answer: Domain Computers.
Major Shock with groups.
If you create a script to display 'member' (as opposed to using the ADUC), the default or primary group does not appear in the list. Strangely, if you add a user to another group then both groups
appear when you run the script. Incidentally, this is why the second example script includes the 'Property not found' error correcting code.
Here is a straightforward script which will run unaltered on any domain controller. The idea is to display the members of the builtin Administrators group.
Instructions
- Copy and paste the script below into notepad.
- Save the file with .vbs extension e.g. Administrators.vbs.
- Double click and examine the message boxes.
' VBscript to enumerate Group members of Administrators
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.5 - January 2nd 2005
' ----------------------------------------------------------'
Option Explicit
Dim strUser, strMember, strDNSDomain, strContainer
Dim objGroup, objUser, objRootDSE
Dim arrMemberOf

' Bind to Active Directory
strContainer = "cn=Administrators,cn=Builtin,"
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Get the Builtin Administrators group
Set objGroup = GetObject("LDAP://" & strContainer & strDNSDomain)
objGroup.GetInfo

arrMemberOf = objGroup.GetEx("member")

' Loop = For Each .... Next
WScript.Echo "Members of Group " & strContainer
For Each strMember In arrMemberOf
   WScript.Echo strMember
Next

WScript.Quit

' End of Script
Learning Points
Note 1: The whole point of this script is to demonstrate 'member': who is in the group. I also want to make the point that there are two similar properties: 'member', used here, and 'memberOf', which we will use later.
Note 2: Observe how many 'Get' instructions the script uses: GetObject, .GetInfo and .GetEx. GetEx is used when an object such as a group has multiple values for a property; in this instance, multiple members.
Note 3: See more on Enumerating Groups here
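The 'Major Shock' above has an audit consequence: a listing built from 'member' alone misses every account that holds the group as its primary group. The script below is an added example, not one of Guy's scripts; it assumes the Domain Users group sits in the default cn=Users container, and it lists both kinds of member by matching the group's primaryGroupToken against each account's primaryGroupID.

```vbscript
' Added example: explicit members plus primary-group members of one group.
' Assumption: Domain Users is in the default cn=Users container.
Option Explicit
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Dim objRootDSE, objGroup, objConn, objCmd, objRS
Dim strDNSDomain, strGroupDN, strMember, arrMember, intToken

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strGroupDN = "cn=Domain Users,cn=Users," & strDNSDomain
Set objGroup = GetObject("LDAP://" & strGroupDN)

' Part 1 - explicit members held in the 'member' attribute
WScript.Echo "Listed in 'member' of " & strGroupDN
On Error Resume Next
arrMember = objGroup.GetEx("member")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
   WScript.Echo "  (the member attribute is not set)"
ElseIf Err.Number <> 0 Then
   WScript.Echo "  Error " & Hex(Err.Number) & " reading member"
Else
   For Each strMember In arrMember
      WScript.Echo "  " & strMember
   Next
End If
Err.Clear
On Error GoTo 0

' Part 2 - primaryGroupToken is constructed, so request it by name
objGroup.GetInfoEx Array("primaryGroupToken"), 0
intToken = objGroup.Get("primaryGroupToken")

' Search the domain for accounts whose primaryGroupID equals that token
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandText = "<LDAP://" & strDNSDomain & ">;(primaryGroupID=" & _
   intToken & ");distinguishedName;subtree"
objCmd.Properties("Page Size") = 500

Set objRS = objCmd.Execute
WScript.Echo "Primary group members (not in 'member')"
Do Until objRS.EOF
   WScript.Echo "  " & objRS.Fields("distinguishedName").Value
   objRS.MoveNext
Loop
objConn.Close
```

Run it with cscript rather than by double-clicking, otherwise every member appears in its own message box.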
Purpose of the script. What this script does is create a security group, then add the user defined in strJoinUser to that group.
My first challenge to you is to pay attention to detail. Investigate where you need to change the strOU and strJoinUser.
Instructions
- Important: Which OU will you use? My script uses strOU=cowbridge. Either create such an OU, or change the script to reflect YOUR ou=.
- Make sure the OU has 2 or 3 users. Check the value of strJoinUser; if necessary, launch ADSI Edit to double check cn=
- Copy and paste the script below into notepad.
- Save the file with .vbs extension e.g. GlobalGp.vbs.
- Double click and examine the message boxes.
- Finally, visit Active Directory Users and Computers.
' VBscript to create a Group, then add a user.
' Note two steps to set domain
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.4 - January 2nd 2005
' ----------------------------------------------------------'
Dim strOU, strGroup, strUser, strUserMid, strDNSDomain
Dim strJoinUser, strNewGp, strNewGpLong
Dim objOU, objGroup, objUser, objRootDSE
Dim arrMemberOf

Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Const ADS_PROPERTY_APPEND = 3

' Challenge - Make sure you have an OU called strOU
' Challenge - Make sure you have a user called strJoinUser
' Option change the strNewGp = "Giants"
strOU = "OU=Cowbridge,"
strJoinUser = "cn=Gary," & strOU
strNewGp = "Giants NYPD"
strNewGpLong = "CN=" & strNewGp

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

WScript.Echo "OU = " & strOU & vbCr & "User = " & strJoinUser
Set objUser = GetObject("LDAP://" & strJoinUser & strDNSDomain)

On Error Resume Next
' Create new Group
Set objOU = GetObject("LDAP://" & strOU & strDNSDomain)
Set objGroup = objOU.Create("Group", strNewGpLong)
objGroup.Put "sAMAccountName", strNewGp
objGroup.SetInfo

' Error correcting code if the group is already in AD
If Err.Number <> vbEmpty Then
   WScript.Echo Err.Number & " Group " & strNewGp & " exists"
   Err.Clear ' reset the error before carrying on
End If

' Add user to group - bind with the group's full DN (CN=...,OU=...,DC=...)
Set objGroup = GetObject("LDAP://" & strNewGpLong & "," & strOU & strDNSDomain)
objGroup.PutEx ADS_PROPERTY_APPEND, _
   "member", Array(strJoinUser & strDNSDomain)
objGroup.SetInfo

' GetEx gets multiple values
Err.Clear ' so the test below reflects GetEx only
arrMemberOf = objUser.GetEx("memberOf")

If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
   WScript.Echo "The memberOf attribute is not set."
Else
   ' Take the name between "cn=" and the first comma
   strUserMid = Mid(strJoinUser, 4, InStr(strJoinUser, ",") - 4)
   WScript.Echo strUserMid & " is Member of: "
   For Each strGroup In arrMemberOf
      WScript.Echo strGroup
   Next
End If

WScript.Quit
Learning Points
Note 1: When Active Directory creates objects, observe the role of .put and .setInfo.
Note 2: As with so many objects, sAMAccountName is a key property for your group.
Note 3: I added the WScript.echo strOU and strJoinUser to remind you to check these variables. My hidden agenda was to show you something was happening because there is rather a long delay while the group is created.
Note 4: If err.number <> vbEmpty Then... is my attempt to add error correcting code.
Note 5: Const ADS_PROPERTY_APPEND. This week I ask you just to accept that some scripts require Const ADS_xyz to work; next week all will be revealed about Const.
The situation with groups is that if you want to create a security group, there is no need to add the Const ADS statement; however, if you wish to create a Distribution group then you do need Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Scripting groups is complex. Firstly, check the two important properties of groups, Type and Scope. Secondly when it comes to enumerating groups be sure to understand the difference between
'Member' and 'MemberOf'. When you script groups, be aware of the CONST = statements.