Contents for Guy’s Scripting Ezine 38 – Groups Part 2
This Week’s Secret
This week’s scripting secret is – keep it short and simple. However, I do like to add extras for those who wish to dissect the scripts rather than merely copy and paste.
In this ezine I have two scripts for you: one will create the actual global group; the other will display the groups, or MemberOf, to which the Administrator belongs.
Scripting MemberOf
MemberOf (not MemberSof) is one of the key LDAP attributes for controlling groups via VBScript. Here is a script that will check to which groups your administrator belongs.
Instructions
- Pre-requisites. You need either a Windows 2000 or Server 2003 domain controller for this script to work.
- Optional: Edit the CN=Administrator. Remember that in this scenario, you want the script to enumerate the groups to which the administrator is a ‘member of’.
- Copy and paste the script below into notepad. For once, the script should run without alterations; that is because I chose the administrator’s account, and unless you have renamed that account, it should work. If you have altered the Administrator’s account then do edit the script.
- Save the file with .vbs extension e.g. AdminMember.vbs
- Double click and observe the message box
' AdminMember.vbs
' Version 1.3
' Guy Thomas 25th July 2004
Option Explicit
Dim objGroup, objUser, objRootDSE
Dim objDomain, objOU, objMemberOf ' Objects
Dim strGroup, strPath, strUser, strOU, strDNSDomain
' Commands to bind to AD and extract domain name
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
WScript.Echo "Active Directory Path: " & strDNSDomain
' Edit the next line to reflect your OU
' N.B. OU=Managers is correct not CN=Managers
strOU = "CN=Users,"
' I choose CN=Users and strUser = Administrator
' Because they will exist. Feel free to amend
strUser = "cn=Administrator,"
' Building the LDAP path
strPath = "LDAP://" & strUser & strOU & strDNSDomain
Set objUser = GetObject(strPath)
WScript.Echo "DN " & objUser.Get("distinguishedName")
objMemberOf = objUser.GetEx("MemberOf")
' Here is the heart of the script, extract MemberOf
For Each objGroup In objMemberOf
    WScript.Echo strUser & " is a member of: " & objGroup
    ' WScript.Echo Group
Next
WScript.Quit
' End of example VBScript
Learning Points
Note 1: The script enumerates all groups that the CN=Administrator is a member of, even if these groups are in different containers; for example, the Local Group Administrators is in the Builtin container whereas the Administrator account is in the Users container.
Note 2: Feel free to remove, or adjust the WScript.Echo lines
Note 3: Spot the: For Each… Next. This is your loop which cycles through all the groups that the cn=administrator is a memberOf.
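MemberOf holds only an account's direct memberships and does not include its primary group, so the loop above can understate what an account belongs to once groups are nested inside other groups. The script below is an added example, not part of the original ezine: it follows each group's own MemberOf to list nested groups too, and copes with objects whose MemberOf is empty. It assumes the default Administrator account in CN=Users; the names WalkMemberOf and objSeen are hypothetical.

```vbscript
' NestedMemberOf.vbs - added example, not from the original ezine
Option Explicit
Dim objRootDSE, objSeen, strDNSDomain, strUserDN

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
' Assumption: the default Administrator account in CN=Users
strUserDN = "CN=Administrator,CN=Users," & strDNSDomain

' Group DNs already visited; this stops endless loops if groups
' have been nested in a circle (A in B, B in A)
Set objSeen = CreateObject("Scripting.Dictionary")
objSeen.CompareMode = vbTextCompare

WalkMemberOf strUserDN, 0
WScript.Echo objSeen.Count & " groups in total (direct and nested)"
WScript.Quit

Sub WalkMemberOf(strObjectDN, intDepth)
    Dim objADObject, arrGroups, strGroupDN
    ' A "/" inside a name must be escaped in an ADsPath
    Set objADObject = GetObject("LDAP://" & Replace(strObjectDN, "/", "\/"))
    ' GetEx raises an error when MemberOf is empty, so trap it
    On Error Resume Next
    arrGroups = objADObject.GetEx("memberOf")
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        Exit Sub
    End If
    On Error GoTo 0
    For Each strGroupDN In arrGroups
        If Not objSeen.Exists(strGroupDN) Then
            objSeen.Add strGroupDN, intDepth
            ' Indent by nesting depth: 0 = direct membership
            WScript.Echo String(intDepth * 2, " ") & strGroupDN
            WalkMemberOf strGroupDN, intDepth + 1
        End If
    Next
End Sub
```

Run it with cscript so that each group prints on its own console line rather than in a separate message box.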
Guy’s Challenges to you.
1) Adjust (or remove) the WScript.Echo lines. I employ the message boxes for troubleshooting and for confirming that something has actually happened.
2) Choose a new user in a different OU. For example, if you have an OU called MANAGERS and a user called boss, then alter these two lines (keep the trailing commas).
strOU = "CN=Users," becomes strOU = "OU=MANAGERS," (n.b. OU not CN)
strUser = "cn=Administrator," becomes strUser = "CN=Boss,"
Script 2 Creating a Global Group
Scenario: You wish to create a global group in the default Users container.
Instructions
- Pre-requisites. You need either a Windows 2000 or Server 2003 domain controller for this script to work.
- Optional: edit strGroupShort = "Managers" to reflect the name of a group you want to create.
- Copy and paste the script below into notepad. For once, the script should run without alterations; that is because I chose the CN=Users container to hold the new group.
- Save the file with .vbs extension e.g. Managers.vbs.
- Double click and observe the group name in the message box.
' Managers.vbs
' Version 1.2
' Guy Thomas 25th July 2004
Option Explicit
Dim objGroup, objRootDSE, objDomain, objOU ' Objects
Dim strGroup, strGroupShort, strOU, strDNSDomain ' Strings
' Commands to bind to AD and extract domain name
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
WScript.Echo "Active Directory Path: " & strDNSDomain
' Edit the next line to reflect your OU for the group
strOU = "CN=Users,"
' N.B. here is the name of your Global Group
strGroupShort = "Managers"
strGroup = "CN=" & strGroupShort
' This is the action part of the script
Set objOU = GetObject("LDAP://" & strOU & strDNSDomain)
Set objGroup = objOU.Create("Group", strGroup)
objGroup.Put "sAMAccountName", strGroupShort
objGroup.SetInfo
WScript.Echo strGroupShort & " added to " & strOU
WScript.Quit
' End of example VBScript
Learning Points
Note 1: Case sensitivity. VBScript is not case sensitive, so either cn or CN would be correct. However, when you are referring to the USERS container, that object is CN=USERS; OU=Users would be wrong. Check the little book symbol on OUs, and note that the symbol is absent from the Users and Built-in containers.
Note 2: A reminder how we get the domain name by using
GetObject("LDAP://RootDSE"), instead of GetObject("LDAP://dc=ab,dc=xy")
Note 3: The trickiest part of the script turned out to be
objOU.Create("Group", strGroup), specifically
objOU.Create("Group", "Managers") does not work, it would have to be:
objOU.Create("Group", "CN=Managers")
This is why I like to use string variables to control the names of OUs, Users and Groups. The benefit is that you can then easily amend the scripts to suit your situation.
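Running Managers.vbs a second time fails at SetInfo because the group already exists, and the script never states which kind of group it wants. The variant below is an added example, not part of the original ezine: it checks for the group first and sets groupType explicitly to a global security group. The constant values are the standard ADSI ADS_GROUP_TYPE_ENUM values; the file name and the strGroupDN variable are hypothetical.

```vbscript
' ManagersChecked.vbs - added example, not from the original ezine
Option Explicit
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &H2
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000
Dim objRootDSE, objOU, objGroup
Dim strDNSDomain, strOU, strGroupShort, strGroupDN

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strOU = "CN=Users,"
strGroupShort = "Managers"
strGroupDN = "CN=" & strGroupShort & "," & strOU & strDNSDomain

' Try to bind to the group first; success means it already exists.
' This checks the chosen container only, not the whole domain.
On Error Resume Next
Set objGroup = GetObject("LDAP://" & strGroupDN)
If Err.Number = 0 Then
    On Error GoTo 0
    WScript.Echo strGroupShort & " already exists, nothing changed"
    WScript.Quit
End If
Err.Clear
On Error GoTo 0

Set objOU = GetObject("LDAP://" & strOU & strDNSDomain)
' The name passed to Create needs its CN= prefix (see Note 3)
Set objGroup = objOU.Create("Group", "CN=" & strGroupShort)
objGroup.Put "sAMAccountName", strGroupShort
' State scope and type rather than leaving them to the default
objGroup.Put "groupType", _
    ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo
WScript.Echo strGroupShort & " created as a global security group in " & strOU
WScript.Quit
```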
Guy’s Challenges to you.
1) Change strOU = "CN=Users," to strOU = "OU=YourOU," (note the comma)
2) Change strGroupShort = "Managers" to strGroupShort = "something else" (note: no comma!)
Summary
With VBScript you can create new global groups. Another handy scripting job is to use MemberOf so that you can enumerate the membership of any group no matter which OU holds those groups.