Guy’s Scripting Ezine 37 – Groups Part 1


This Week’s Secret

Firstly, many thanks to those of you who filled in my online survey.  However, I groaned when I saw how many of you wanted more on Group Membership.  I winced because scripting group membership is so complex. That said, I knuckled down to produce the longest ezine yet.

To begin with, here is my dilemma: whether to give you the entire script and then dissect it, or whether to build it in stages to form the whole script.  In the end I favoured the ‘best practice’ technique of breaking the task into bite-sized chunks, getting each section working, then bringing it all together to produce the finished script.  This method reminded me of building a jigsaw from 100 pieces.


Scripting for Groups

Scripting groups is a multi-faceted job.  The tasks are:

    a) Binding to Active Directory

    b) Creating a group

    c) Adding user accounts to a group.

The aim of this week’s script is to add users to an existing Global Security group in a Windows 2003 domain.  As a bonus, and just in case you do not have a suitable group, the script will also create a group for you.  As ever, my goal is to get you started.  Then I pass the task over to you to expand the scope to include creating different types of group, for example: security, distribution and also their various scopes, Global, Domain Local or Universal.  Ultimately, you could have a series of .VBS files each to populate different groups in a variety of OUs.

Three Sections

  1. Bind to Active Directory.
  2. Creating (or setting) the Global group
  3. The main event – adding users to the Global group

Section 1 – Binding to Active Directory

Instructions

  1. Pre-requisites.  You need either a Windows 2000 or Server 2003 domain controller for this script to work.
  2. Important: edit line 17: strOU ="OU=Droitwich,"  My point is, do you have an OU called Droitwich?  If not, then amend this line.  Note the comma at the end of the name.
  3. Copy and paste the script below into Notepad.
  4. Save the file with a .vbs extension, e.g. AddToGroup.vbs
  5. Double-click the file and observe the message box.  Is this what you expected? If so, carry on to Section 2.

' Bind.vbs
' Stage 1) Binds to Active Directory
' Version 1.2
' Guy Thomas 18th July 2004

Option Explicit
Dim objAD, objGroup, objNewGroup, objUser, objRootDSE
Dim objDomain, objOU ' Objects
Dim strGroup, strNewGroup, strPath, strUser
Dim strOU, strDNSDomain ' Strings

' Commands to bind to AD and extract domain name
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Edit the next line to reflect your OU
strOU = "OU=Droitwich,"

' Building the LDAP path
strPath = "LDAP://" & strOU & strDNSDomain
WScript.Echo "Active Directory Path: " & strPath
Set objOU = GetObject(strPath) ' Raises an error if the OU does not exist

WScript.Quit

' End of example VBScript
 

Learning Points for Section 1

Note 1:  Dim is where we declare or ‘Dimension’ variables.  Declaring every variable is essential if you use the ‘Option Explicit’ command.

Note 2:  strOU =.  Here on line 17 is where you set the name of your test OU (Organizational Unit).  Check in Active Directory Users and Computers for the name of your new OU.  (Press F5 to refresh if necessary)

Note 3:  All you need is one name, that of the OU on line 17.  Admire the way GetObject on line 13 and "DefaultNamingContext" on line 14, automatically bind to YOUR Active Directory domain.

Note 4:  Observe on line 20 how strPath is built by concatenating 3 sub parts, LDAP, OU and Domain.  Keep your eye on the speech marks and commas.


Section 2 – Create the Global group.

Remember that the objective here is just to create the Global group to house the users.  My choice of Global group name is ‘Doctor’, but feel free to amend.

 

' CreateGroup.vbs
' Creates Group to add members.
' Version 2.3
' Guy Thomas 18th July 2004

Option Explicit

Dim objAD, objGroup, objNewGroup, objUser, objRootDSE
Dim objDomain, objOU   ' Objects
Dim strGroup, strNewGroup, strPath, strUser
Dim strOU, strDNSDomain  ' Strings

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strOU = "OU=Droitwich,"

strPath = "LDAP://" & strOU & strDNSDomain
Set objOU = GetObject(strPath)

' 2) Create Global group. Edit the next line to your group name
strNewGroup = "Doctor"
WScript.Echo "Is this the group you intended? " & strNewGroup

' Remember to check strNewGroup
' We need On error… in case already exists
On Error Resume Next
Set objNewGroup = objOU.Create("Group", "cn=" & strNewGroup)
objNewGroup.Put "sAMAccountName", strNewGroup
objNewGroup.SetInfo
' This message appears whether or not SetInfo succeeded, so do check ADUC
WScript.Echo "Check ADUC " & strOU & " for " & strNewGroup

WScript.Quit

' End of example VBScript
 

Learning Points for Section 2

Note 0:  This section begins at line 20.

Note 1:  strNewGroup on line 21 is the key variable.  This is the name of the new group that we use later to hold the users.   My choice for a new group is Doctor, what name will be your choice?

Note 2:  On Error Resume Next.  You may notice that I do not use this command very often.  I regard ‘On Error Resume Next’ as a last-resort fix.  In truth I should have used clever error correcting code.  I could say that error catching code would clutter the script; the truth is I did not have time to develop error traps!

Note 3:  Those paying attention to detail will spot the "cn=" & prefixing the strNewGroup; this is to generate the correct LDAP path.  See what happens if you omit "cn=" &.  The answer is error 80072032.  More seriously, without CN=, no group is created.  If you want to see this error message, rem out the On Error Resume Next line.

Section 3 – Add users to Global group strNewGroup

Here is the complete script to make all users in strOU members of strNewGroup.

Important: Check your OU.  I have not created any users in the OU; this is deliberate (as opposed to my idleness!)   The script is long and complex enough without extending it to create users.  Moreover, creating users is easy.  Either just rustle up half a dozen user accounts manually, or else graft in another script which is purpose-built to add users.

 

' AddToGroup.vbs
' Adds all members of an OU to a group strNewGroup
' Assumes you have users in the OU = strOU
' Version 4.4
' Guy Thomas 18th July 2004

Option Explicit

Dim objAD, objGroup, objNewGroup, objUser, objRootDSE
Dim objDomain, objOU ' Objects
Dim strGroup, strNewGroup, strPath, strUser
Dim strOU, strDNSDomain ' Strings

' Commands to bind to AD and extract domain name
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Preamble – edit the next line to reflect your OU
strOU = "OU=Droitwich,"
' Edit this line to choose your group name
strNewGroup = "Doctor"
WScript.Echo "Is this the group you want? " & strNewGroup

' 1) Building the LDAP path
strPath = "LDAP://" & strOU & strDNSDomain
Set objOU = GetObject(strPath)
WScript.Echo "Active Directory Path " & strPath

' 2) Create a Global Group
' Remember to check strNewGroup
' We need On error… in case already exists
' Note: On Error Resume Next stays in force for the rest of the script,
' so a failed Add in section 3 is also passed over silently
On Error Resume Next
Set objNewGroup = objOU.Create("Group", "cn=" & strNewGroup)
objNewGroup.Put "sAMAccountName", strNewGroup
objNewGroup.SetInfo

' 3) Section which adds users to group (strNewGroup)
Set objAD = GetObject(strPath)
objAD.Filter = Array("user")

' Start For Each … Next Loop
' On each pass objGroup first holds the next user object found in the OU
For Each objGroup in objAD
     strUser = objGroup.Name

     ' Section which adds User to Group = strNewGroup.
     WScript.Echo "strUser " & strUser
     Set objGroup = objAD.GetObject("group", "cn=" & strNewGroup)
     Set objUser = objAD.GetObject("user", strUser)
     objGroup.Add  objUser.AdsPath
Next

WScript.Quit

' End of example VBScript
 

Learning Points for Section 3

Note 1:  The first job is to connect to the LDAP path GetObject(strPath)

Note 2:  Spot how we filter out just "user" accounts.  You do have some users in the OU?

Note 3:  One of the key features is the For Each… Next loop, take the time to understand its structure.

Note 4:  The script uses a three stage process for building group membership, Set objGroup, Set objUser and then add them together with: objGroup.Add  objUser.AdsPath

Note 5:  The WScript.Echo "strUser" is optional.  Many people would remove this line in a production script.
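Section 2's Note 2 concedes that On Error Resume Next stands in for proper error traps, and in AddToGroup.vbs it stays in force through the loop, so a failed objGroup.Add goes unreported. The script below is an added example, not one of the ezine's own: it sets groupType explicitly to Global Security, tolerates only the ADSI "object already exists" error (0x80071392), and reports every other failure. The OU and group names are those used above; the constant and counter names are illustrative.

```vbscript
' AddToGroupChecked.vbs - added example, not one of the ezine's scripts
' Assumed names: OU=Droitwich and group Doctor, as used in the scripts above
Option Explicit
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &H2
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000
Const E_ALREADY_EXISTS = &H80071392   ' ADSI "The object already exists"

Dim objRootDSE, objOU, objGroup, objUser
Dim strOU, strNewGroup, strPath, intAdded, intFailed
strOU = "OU=Droitwich,"
strNewGroup = "Doctor"
intAdded = 0 : intFailed = 0

' No error masking here: a wrong OU name stops the script with an error
Set objRootDSE = GetObject("LDAP://RootDSE")
strPath = "LDAP://" & strOU & objRootDSE.Get("DefaultNamingContext")
Set objOU = GetObject(strPath)

' Create a Global Security group; tolerate only "already exists"
Set objGroup = objOU.Create("Group", "cn=" & strNewGroup)
objGroup.Put "sAMAccountName", strNewGroup
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
On Error Resume Next
objGroup.SetInfo
If Err.Number = E_ALREADY_EXISTS Then
    Err.Clear
    Set objGroup = objOU.GetObject("group", "cn=" & strNewGroup)
End If
If Err.Number <> 0 Then
    WScript.Echo "Cannot create or open " & strNewGroup & ": 0x" & Hex(Err.Number)
    WScript.Quit 1
End If
On Error GoTo 0

' Add each user in the OU; existing members are skipped, other errors reported
objOU.Filter = Array("user")
For Each objUser In objOU
    On Error Resume Next
    objGroup.Add objUser.ADsPath
    If Err.Number = 0 Then
        intAdded = intAdded + 1
        WScript.Echo "Added " & objUser.Name
    ElseIf Err.Number <> E_ALREADY_EXISTS Then
        intFailed = intFailed + 1
        WScript.Echo "FAILED " & objUser.Name & ": 0x" & Hex(Err.Number)
    End If
    On Error GoTo 0
Next
WScript.Echo intAdded & " added, " & intFailed & " failed"
```

Run it with cscript so the per-user lines go to the console, where they can be redirected to a file as a record of the membership changes.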

Summary

This week we are creating a beautiful script which will add users to a Global group in Active Directory.  For clarity, the main script is broken down into 3 sections.  Take the time to study each section and browse through its associated notes.
