Guy's Scripting Ezine 37 - Groups Part 1
Firstly, many thanks to those of you who filled in my online survey. However, I groaned when I saw how many of you wanted more on Group Membership. I winced because scripting group membership is so complex. That said, I knuckled down to produce the longest ezine yet.
To begin with, here is my dilemma: whether to give you the entire script and then dissect it, or whether to build in stages to form the whole script. In the end I favoured the 'best practice' technique of breaking the task into bite-sized chunks, getting each section working, then bringing it all together to produce the finished script. This method reminded me of building a jigsaw from 100 pieces.
Scripting groups is a multi-faceted job. The tasks are:
a) Binding to Active Directory
b) Creating a group
c) Adding user accounts to a group.
The aim of this week's script is to add users to an existing Global Security group in a Windows 2003 domain. As a bonus, and just in case you do not have a suitable group, the script will also create a group for you. As ever, my goal is to get you started. Then I pass the task over to you to expand the scope to include creating different types of group, for example: security, distribution and also their various scopes, Global, Domain Local or Universal. Ultimately, you could have a series of .VBS files each to populate different groups in a variety of OUs.
Section 1 - Binding to Active Directory
Learning Points for Section 1
Note 1: Dim is where we prepare or 'Dimension' variables. This is essential if you use the 'Option Explicit' command.
Note 2: strOU =. Here on line 17 is where you set the name of your test OU (Organizational Unit). Check in Active Directory Users and Computers for the name of your new OU. (Press F5 to refresh if necessary)
Note 3: All you need is one name, that of the OU on line 17. Admire the way GetObject on line 13 and "DefaultNamingContext" on line 14, automatically bind to YOUR Active Directory domain.
Note 4: Observe on line 20 how strPath is built by concatenating 3 sub parts, LDAP, OU and Domain. Keep your eye on the speech marks and commas.
Remember that the objective here is just to create the Global group to house the users. My choice of Global group name is 'Doctors', but feel free to amend.
Learning Points for Section 2
Note 0: This section begins at line 20.
Note 1: strNewGroup on line 21 is the key variable. This is the name of the new group that we use later to hold the users. My choice for a new group is Doctor; what name will be your choice?
Note 2: On Error Resume Next. You may notice that I do not use this command very often. I regard 'On Error Resume Next' as a last-resort fix. In truth I should have used clever error-correcting code. I could say that error-catching code would clutter the code, but the truth is I did not have time to develop error traps!
Note 3: Those paying attention to detail will spot the "cn=" & prefixing the strNewGroup; this is to generate the correct LDAP path. See what happens if you omit "cn=" &. The answer is error 80072032. More seriously, without CN=, no group is created. If you want to generate this error message, rem out ' On Error Resume Next.
Here is the complete script to make all users in strOU members of strNewGroup.
Important: Check your OU. I have not created any users in the OU; this is deliberate (as opposed to my idleness!). The script is long and complex enough without extending it to create users. Moreover, creating users is easy. Either rustle up half a dozen user accounts manually, or else graft in another script which is purpose-built to add users.
Learning Points for Section 3
Note 1: The first job is to connect to the LDAP path GetObject(strPath)
Note 2: Spot how we filter out just "user" accounts. You do have some users in the OU?
Note 3: One of the key features is the For Each... Next loop, take the time to understand its structure.
Note 4: The script uses a three-stage process for building group membership: Set objGroup, Set objUser, and then add them together with objGroup.Add objUser.AdsPath
Note 5: The WScript.Echo "strUser" is optional. Many people would remove this line in a production script.
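The three sections described above, assembled as an added example (this is not Guy's original script, which is not reproduced on this page). It replaces the blanket On Error Resume Next with checks around each directory write, so a failed change to a security group is reported instead of being skipped silently; the OU name OU=YourTestOU and the counter intAdded are assumptions.

```vbscript
Option Explicit
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &H2
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000
Dim objRoot, objOU, objGroup, objUser
Dim strDNSDomain, strOU, strNewGroup, strPath, intAdded

strOU = "OU=YourTestOU,"    ' assumption: your test OU, note the trailing comma
strNewGroup = "Doctors"     ' group name used on this page

' Section 1: bind to the domain without hard-coding its name
Set objRoot = GetObject("LDAP://rootDSE")
strDNSDomain = objRoot.Get("DefaultNamingContext")
strPath = "LDAP://" & strOU & strDNSDomain
Set objOU = GetObject(strPath)

' Section 2: bind to the group; create it only if the bind fails
On Error Resume Next
Set objGroup = GetObject("LDAP://cn=" & strNewGroup & "," & strOU & strDNSDomain)
If Err.Number <> 0 Then
    Err.Clear
    Set objGroup = objOU.Create("group", "cn=" & strNewGroup)
    objGroup.Put "sAMAccountName", strNewGroup
    objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
    objGroup.SetInfo
    If Err.Number <> 0 Then
        WScript.Echo "Cannot create " & strNewGroup & ": 0x" & Hex(Err.Number)
        WScript.Quit 1
    End If
End If
On Error GoTo 0

' Section 3: add each user in the OU, skipping existing members
intAdded = 0
objOU.Filter = Array("user")
For Each objUser In objOU
    ' Guard: only objects whose class is exactly "user" are added
    If objUser.Class = "user" And Not objGroup.IsMember(objUser.AdsPath) Then
        On Error Resume Next
        objGroup.Add objUser.AdsPath
        If Err.Number = 0 Then
            intAdded = intAdded + 1
        Else
            WScript.Echo "FAILED " & objUser.AdsPath & ": 0x" & Hex(Err.Number)
            Err.Clear
        End If
        On Error GoTo 0
    End If
Next
WScript.Echo intAdded & " user(s) added to " & strNewGroup
```

Run it with cscript from an account that has rights to create groups in the test OU; any line beginning FAILED identifies a membership change that did not take effect.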
This week we are creating a beautiful script which will add users to a Global group in Active Directory. For clarity, the main script is broken down into 3 sections. Take the time to study each section and browse through its associated notes.