Guy's Scripting Ezine 58 More Groups 2

This week’s secret

This week I feel like one of those swans who appear to be gliding serenely on the surface, while all the time they are frantically paddling like mad under the surface.

No worries - your example script WILL work.  However, its development was far from smooth.  Problems with scripts make me frustrated but never angry, and there is no feeling as great as when your code finally works.

This week's mission - to control the group Type and Scope

Firstly, a reminder that this is More Groups (2), so I recommend reviewing More Groups (1) - particularly if you need to add users to groups.

While I haven't forgotten my promise to deal with CONST, we will have to wait one more week for a dedicated ezine explaining Constants.  For this week's script, I suggest that you just accept that we have to use CONST declarations to control the Type and Scope of the group.

My project to script groups started well; here are the CONST values that my research uncovered:

  • ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002
  • ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
  • ADS_GROUP_TYPE_LOCAL_GROUP = 0x00000004
  • ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
  • ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000
  • (To create a distribution group, just omit the last item; there does not appear to be a = 0x8000000xx flag to reverse the security enabled flag.)

 

However when I entered these values exactly as above, the script failed.  So, back to the drawing board.  Next I found that VBScript wanted the CONST precisely in this format: &Hx.  Naturally H stands for Hex.

ADS_GROUP_TYPE_UNIVERSAL_GROUP  = &H8  (Not 0x00000008)

The CONST statement is really 'picky'; for example, a space between the ampersand and H results in another 0800 error.  = &H8 is correct, but = &  H8 fails because of the space between & and H8.

Hooray! I had mastered the Scope of the group, but what about the Type?  Once you add one of these ADS_Group constants, the default type of group changes from security to distribution.  Another problem to overcome.

So, how do you create a Security group?  Firstly, seek out the ADS_GROUP_TYPE_SECURITY_ENABLED Constant.

Then, what should you do?  Change the value of ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000 to: &H8?
Wrong, it should be: = &H80000000

To be crystal clear, here is the complete answer:
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000

Next, how could I persuade the script to add the two properties, Security_Enabled and Type_Universal?  Here was my suggestion:

objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP

objGroup.Put "groupType", ADS_GROUP_TYPE_SECURITY_ENABLED

If you think that would work, you must be joking - no chance.  Each Put replaces the whole groupType value, so the second line simply overwrites the first.  Undaunted, I researched the problem and found a suggestion to add the | (the pipe symbol, down near the Control key).  This was close - but no cigar.  What you really need is the Or operator.  Strange but true.  This was the final code:

objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP _
Or ADS_GROUP_TYPE_SECURITY_ENABLED

Incidentally, have you noticed with scripting that once one thing goes wrong you get more and more errors?  Well, you have probably guessed that this week I had a 'bad hair day'.  The good news is that the converse also applies: when you are on a run, with all scripts working perfectly, you believe that you can 'walk on water'.



Example - Creating a Security Universal Group

This script creates a new group.  It is designed to change the Scope from Global (default) to Universal.  With care, you could alter the CONST statement, for example, to create a Domain Local Group.

The trickiest part is controlling the Type.  If you remember, when you create a group by script with the default values, it turns out to be a Global Security group.  The minute you change the scope to Universal, the default Type changes to Distribution.  Wacky?  However, all is not lost: just add Or ADS_GROUP_TYPE_SECURITY_ENABLED to force the group Type to be Security.

Instructions

  1. Copy and paste the script below into notepad.
  2. Save the file with .vbs extension e.g. UniSecureGroup1.vbs
  3. Double click and then open Active Directory Users and Computers and search the OU specified in strOU.  Did you see a new group?  Was it Universal or Global?

 

 

' UniSecureGroup1.vbs
' VBscript to create a Universal Security Group
' Author Guy Thomas http://computerperformance.co.uk/
' Version 4.9 - January 9th 2005
' ----------------------------------------------------------'
Option Explicit
Dim strOU, strNewGroup, strNewGroupLong, strDNSDomain
Dim objOU, objGroup, objRootDSE
Dim strGuyGp, strGPType

Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000
' If you want a global group, here is the CONST
' Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2

' Challenge - Make sure you have an OU called strOU
' Optionally change the strNewGroup = "UniSec"
strOU = "OU=Cowbridge,"
strNewGroup = "GuyUniSec"
strNewGroupLong = "CN=" & strNewGroup

' Bind to Active Directory
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Create new Group
Set objOU = GetObject("LDAP://" & strOU & strDNSDomain )
Set objGroup = objOU.Create("Group",strNewGroupLong)
objGroup.Put "sAMAccountName", strNewGroup

' Here is where you set the group Type and Scope
objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP _
or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.setInfo

Wscript.Echo "Created " &strNewGroup
Wscript.Quit

' End of example VBScript

Learning Points

Note 1:  Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8 is responsible for creating the Universal Group.  Consult the notes to change the scope to Global or Domain Local.

Note 2:  Pay close attention to the two lines under:  ' Here is where you set the group Type and Scope.  In this script the group Type is Security; should you want a distribution group, just remove the _ and the line:
or ADS_GROUP_TYPE_SECURITY_ENABLED

Note 3:  To add users to your group, see last week's Ezine online

Note 4:  See more Creating Groups here

Challenges - Add error correcting code

  1. Add: On Error Resume Next before (repeat, before) the ' Create new Group section.
  2. Insert the error correcting code itself.
  3. Optionally, add a snippet to extract the Universal Group value and echo the result in a message box.

 

' Challenge 1 - Add before Create new Groups
On Error Resume Next
' Create new Group

 

 

 

'  Challenge 2 - Add after objGroup.SetInfo
' Err.Number is 0 when SetInfo succeeded
If Err.Number = 0 Then
Wscript.Echo "Created " & strNewGroup & " type " & strGPType
' -2147019886 is the error raised when the group is already there
ElseIf Err.Number = -2147019886 Then
Wscript.Echo Err.Number & " Group Already Exists"
Else
Wscript.Echo Err.Number & " Must Research"
End If

 

 

 

' Challenge 3 - add near top
strGuyGp = ADS_GROUP_TYPE_UNIVERSAL_GROUP
If strGuyGp = 8 Then
strGPType = "Universal"
End if
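
Challenge 3 compares the scope constant with 8, which stops matching once the security bit has been Or'd in.  As an added example (not part of Guy's original script), the sketch below decodes a complete groupType value by testing each flag with And; the function name DecodeGroupType and the sample values are constructed for illustration.

```vbscript
' DecodeGroupType.vbs - added example, not part of the original ezine script
' Decodes a groupType value into Scope and Type using the ezine's constants
Option Explicit

Const ADS_GROUP_TYPE_GLOBAL_GROUP       = &H2
Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = &H4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP    = &H8
Const ADS_GROUP_TYPE_SECURITY_ENABLED   = &H80000000

' DecodeGroupType is a hypothetical helper name chosen for this example
Function DecodeGroupType(lngType)
    Dim strScope, strType
    ' And isolates one bit at a time; comparing the whole value with 8
    ' fails as soon as the security bit is combined with the scope bit
    If (lngType And ADS_GROUP_TYPE_UNIVERSAL_GROUP) <> 0 Then
        strScope = "Universal"
    ElseIf (lngType And ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP) <> 0 Then
        strScope = "Domain Local"
    ElseIf (lngType And ADS_GROUP_TYPE_GLOBAL_GROUP) <> 0 Then
        strScope = "Global"
    Else
        strScope = "Unknown scope"
    End If

    ' &H80000000 is a negative Long in VBScript, so test the bit, not the sign
    If (lngType And ADS_GROUP_TYPE_SECURITY_ENABLED) <> 0 Then
        strType = "Security"
    Else
        strType = "Distribution"
    End If
    DecodeGroupType = strScope & " " & strType
End Function

' Constructed sample values built from the constants above
Dim arrSamples, lngSample
arrSamples = Array( _
    ADS_GROUP_TYPE_UNIVERSAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED, _
    ADS_GROUP_TYPE_UNIVERSAL_GROUP, _
    ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED, _
    ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP)

For Each lngSample In arrSamples
    WScript.Echo lngSample & " (&H" & Hex(lngSample) & ") = " & _
        DecodeGroupType(lngSample)
Next
```

The same function accepts the value returned by objGroup.Get("groupType"), which is a quick way to check whether a group is security-enabled, and so usable in permissions, or distribution only.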

 

Summary - Groups Type and Scope

It is fiendishly difficult for VBScript to manipulate the Type and the Scope of a new group.  Pay particular attention to the CONST = statements at the start of the script.
