
Guy's Scripting Ezine 73 primaryGroupID

Contents for Ezine 73 Get and primaryGroupID

This week’s secret

How often do you feel, 'If only I had known that 6 months ago, it would have saved me no end of work'?  Recently I have been looking back at old scripts and thinking, 'I could have done better than that'.  In particular, what stunned me was my cavalier treatment of the 'Get' verb.  What I am referring to is, 'get' as in 'GetObject', also as in 'GetEx' (get an extended list of properties). 

GetObject reminds me of whistling for my dog, 'here boy fetch this ball'.  However, in the Active Directory world, what I want to do is get a Group, get a User or get an OU object.  My intention was honourable, namely to minimise the changes that you had to make to get my code to work, but some of my methods left a lot to be desired. 

Here is where I took my eye off the ball.  I started getting too clever, and instead of saying GetObject("LDAP://CN=myuser,OU=Newport,DC=topDom"), I constructed the GetObject("LDAP://" & x & y & z), by joining x with y then with z.  Joining the elements in itself was not the mistake; my error was spreading the joins over 20 lines of code.

So, my new resolution is to divide such tasks as GetObject into two elements: firstly, to construct the LDAP path clearly and concisely.  Secondly, to say simply, GetObject(LDAP_path).  You will see what I mean by studying this week's examples.


This Week's Mission - To Script a User's Primary Group

I have divided this week's mission into two parts.  My first example is a basic model.  The scripting aspect emphasises the GetObject command, while the practical point is to retrieve the Administrator's Primary Group.   In the second example, the code checks a more extensive list of primary groups.  As a bonus, the second script also lists all the groups held by the memberOf attribute.  In both examples, the key attribute is primaryGroupID.

Values for primaryGroupID:
513 Domain Users
514 Domain Guests
515 Domain Computers
516 Domain Controllers

Example 1 - To Get a User's primaryGroupID

This simple example connects to Active Directory and Gets the distinguished name of the user as specified by strUser.  It then checks the primaryGroupID to see if it equals 513, the value for Domain Users.

Instructions for displaying a User's Primary Group.

  1. Copy and paste the script below into Notepad.
  2. Check strUser and strOU.  If necessary, change strUser and strOU to your name and OU.
  3. Save the file with a .vbs extension, e.g. PrimaryGroupID.vbs.
  4. Double click the script and read the message box.

 

 

' PrimaryGroupID.vbs
' VBScript to display a user's primary group.
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.1 - May 2005
' ---------------------------------------------------------------'
Option Explicit
Dim objRootLDAP, objGroup, objUser, objOU, objMemberOf
Dim strOU, strUser, strDNSDomain, strLDAP, strList
Dim intCounter, arrGroup

' Commands to bind to AD and extract domain name
Set objRootLDAP = GetObject("LDAP://RootDSE")
strDNSDomain = objRootLDAP.Get("DefaultNamingContext")

' Build the LDAP DN from strUser, strOU and strDNSDomain
strUser ="cn=Administrator,"
strOU ="CN=Users,"
strLDAP ="LDAP://" & strUser & strOU & strDNSDomain

Set objUser = GetObject(strLDAP)

' primaryGroupID is an LDAP property of a user, default is 513
If objUser.primaryGroupID = 513 Then
   WScript.Echo "Primary Group = Domain Users"
End If

WScript.Quit

' End of PrimaryGroupID VBScript

Learning Points for GetObject(strLDAP)

Note 1: The aim of the first half of the script is to construct the user object.  Introducing variables for strUser and strOU makes it easier to amend the script.  Observe how LDAP RootDSE cleverly extracts the strDNSDomain name from Active Directory.  My reasoning is to make the script work on any domain, without me having to know your domain name, and without you having to grapple with DC=Domainname.

Note 2: My goal is to get this command working: Set objUser = GetObject(strLDAP).

Note 3: Now that I have full control over objUser, I can perform useful tasks such as displaying the Primary Group.

Note 4:  Now that we have the basic script working, I want to make it more realistic by adding If ... Then ... Else to check other values for primaryGroupID.

Note 5: Reader's suggestion from A.H.

I ran into one small issue with this script: it did not take into consideration idiots like me that use commas in group names (why Microsoft allowed this is beyond me).

I got around the problem by using the replace function to replace each instance of "\," with "!", and then replaced the "!" with "," after the parsing was completed (hoping that nobody would use ! in a name).




Example 2 - To list all the Groups that a User is a MemberOf

The aim of this script is to extract all the groups held by the memberOf attribute.  As memberOf usually contains more than one group, we cannot employ the Get method; what we need is its sister command, GetEx.  To me, GetEx means get extras or get extended list.  The other feature of this script is a more sophisticated section to trap the user's primaryGroupID.  In truth, I should have used my old favourite Select Case, but I settled for If ... Then ... Else.

Values for primaryGroupID:
513 Domain Users
514 Domain Guests
515 Domain Computers
516 Domain Controllers

 

 

' UserMemberOfAdv.vbs
' To list the groups to which the administrator is a memberOf
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.3 - May 2005
' ---------------------------------------------------------------'
Option Explicit
Dim objRootLDAP, objGroup, objUser, objOU, objMemberOf
Dim strOU, strUser, strDNSDomain, strLDAP, strList
Dim arrGroup

' Commands to bind to AD and extract domain name
Set objRootLDAP = GetObject("LDAP://RootDSE")
strDNSDomain = objRootLDAP.Get("DefaultNamingContext")

' Build the LDAP DN from strUser, strOU and strDNSDomain
strList ="-------------------------------" & vbCr
strUser ="cn=Administrator,"
strOU ="CN=Users,"
strLDAP ="LDAP://" & strUser & strOU & strDNSDomain
Set objUser = GetObject(strLDAP)

' Heart of the script, extract a list of Groups from MemberOf
' GetEx returns an array; it raises an error if memberOf is empty
objMemberOf = objUser.GetEx("MemberOf")
For Each objGroup in objMemberOf
   ' Strip the leading "CN=" and keep the text before the first comma.
   ' A name containing an escaped comma (\,) is cut short here.
   objGroup = Mid(objGroup, 4, 330)
   arrGroup = Split(objGroup, "," )
   strList = strList & arrGroup(0) & vbCr
Next

' Additional section to find the primary group.
strList = strList & vbCr & "Primary Group: " & vbCr
If objUser.primaryGroupID = 513 Then
   strList = strList & "Domain Users" & vbCr
ElseIf objUser.primaryGroupID = 515 Then
   strList = strList & "Domain Computers" & vbCr
Else
   strList = strList & "Maybe a Domain Controller" & vbCr
End If
WScript.Echo "Groups for " & Mid(strUser, 4, 99) & vbCr & strList

WScript.Quit

' End of User MemberOf and primaryGroupID VBScript

Learning Points

Note 1: At the heart of the script is a For Each ... Next loop.  Not only does the loop extract the groups with GetEx("MemberOf"), but it also uses the Mid and Split functions to slice the distinguished name into a more readable format.

Challenge 1: Change the value of strUser and strOU.  With strOU, note that while CN=Users is correct, for your own OU it would be OU=MyOU and not CN=MyOU.

Challenge 2: Substitute Select Case for the If ... Then ... Else construction.
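The loop in Example 2 cuts each memberOf value at the first comma, so a group name containing an escaped comma (\,) is truncated, which is the case the reader's note under Example 1 describes. The script below is an added example, not part of the original ezine: it reads the first name component character by character so that escaped commas survive, and it also shows the Select Case form asked for in Challenge 2. The sample distinguished names and the function names FirstRdnValue and PrimaryGroupName are constructed for illustration.

```vbscript
' ParseMemberOf.vbs - added example, not part of the original ezine
Option Explicit
Dim arrMemberOf, strDN, strList

' Constructed sample values in the form memberOf returns them;
' a comma inside a group name arrives escaped as "\,".
arrMemberOf = Array( _
   "CN=Sales\, EMEA,OU=Groups,DC=example,DC=com", _
   "CN=Domain Guests,CN=Users,DC=example,DC=com")

' Show the escape-aware result beside the Mid/Split result from Example 2
For Each strDN In arrMemberOf
   strList = strList & FirstRdnValue(strDN) & "   (Mid/Split gives: " _
      & Split(Mid(strDN, 4), ",")(0) & ")" & vbCrLf
Next
strList = strList & "Primary Group: " & PrimaryGroupName(513)
WScript.Echo strList

' Return the value of the first name component, honouring backslash escapes.
' Hex-pair escapes (for example \2C) are not decoded here.
Function FirstRdnValue(strGroupDN)
   Dim i, strChar, strValue
   i = InStr(strGroupDN, "=") + 1         ' skip the "CN=" or "OU=" prefix
   Do While i <= Len(strGroupDN)
      strChar = Mid(strGroupDN, i, 1)
      If strChar = "," Then Exit Do       ' unescaped comma ends the component
      If strChar = "\" And i < Len(strGroupDN) Then
         i = i + 1                        ' keep the escaped character as-is
         strChar = Mid(strGroupDN, i, 1)
      End If
      strValue = strValue & strChar
      i = i + 1
   Loop
   FirstRdnValue = strValue
End Function

' Select Case over the four primaryGroupID values listed in this ezine
Function PrimaryGroupName(intID)
   Select Case intID
      Case 513 : PrimaryGroupName = "Domain Users"
      Case 514 : PrimaryGroupName = "Domain Guests"
      Case 515 : PrimaryGroupName = "Domain Computers"
      Case 516 : PrimaryGroupName = "Domain Controllers"
      Case Else : PrimaryGroupName = "Unlisted ID " & intID
   End Select
End Function
```

Run it with cscript ParseMemberOf.vbs; no domain connection is needed because the memberOf values are embedded in the script. The primary group is not returned in memberOf, which is why both the ezine scripts and this example handle primaryGroupID separately.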


Summary of Get and primaryGroupID

Get is a tiny but essential verb.  Almost all VBScripts employ Get or GetEx to fetch distinguished names from Active Directory.  Once you have that object, you can pursue other scripting goals, in this case to display group membership.  PrimaryGroupID can be an elusive attribute, but one that you need for tasks like mapping a network drive.

Copyright © 1999-2008 Computer Performance LTD All rights reserved