Guy’s Scripting Ezine 57 – More Groups 1

Contents for Guy’s Scripting Ezine 57 – More Groups 1

This Week’s Secret

Groups have enough material to write an ebook of their own.  Groups are also a classic illustration of my spiral method of learning.  In order to master a subject like groups, you have to go around again and again.  Learning is like drawing a spiral, with each turn of the spiral the topic grows in breadth and rises in knowledge.

While I have been enjoying my winter break (last ezine 56 Dec 12), I have used the time to take stock.  Here are my resolutions for 2005.  Listen to my readers.  Explain both the purpose of the script and the reason for each step.  Include more Active Directory Scripts.  Set you a series of challenges.

If there is one area that you and I should work on, then that area is error correcting code.  Time is always short, but error correcting code pays back both in time saved in the long term, and true understanding of the script in the short term.

Guy Recommends:  SolarWinds’ Free Bulk Import ToolFree Download Solarwinds Bulk Import Tool

Import users from a spreadsheet.  Just provide a list of the users with their fields in the top row, and save as .csv file.  Then launch this FREE utility and match your fields with AD’s attributes, click and import the users.

Optionally, you can provide the name of the OU where the new accounts will be born. Download your FREE bulk import tool.

If you need more comprehensive software, download a free trial of SAM (Server & Application Monitor)

This Week’s Mission – Truly understanding groups

I ask you to open your mind to the possibility that there may be aspects of groups and Active Directory that you did not know or have forgotten.  When it comes to scripting groups, you either take a user perspective, in which case you want to add groups to your user.  Or you take the groups point of view and add users to that group.  The two key properties are firstly ‘ Member ‘: who is in my group?   Secondly ‘MemberOf’, to which groups do I belong?

Groups themselves have two properties you should know about.  Firstly the property called Type, which could be Security or Distribution.  Secondly, the property called Scope which could be Global, Domain Local or Universal.  Before you get down to scripting, I recommend a visit to Active Directory Users and Computers (ADUC), and I challenge you to create a new group just to check out all these properties.  Do you see the Type and Scope properties?  What would it mean if the Universal scope was greyed out?  Answer: your domain is in mixed mode. 

While you are in the ADUC, take the time to examine the Member and MemberOf tabs.  Another question, which object has both Member and MemberOf tabs?  Answer: groups.  Users have a Member tab, but no MemberOf tab.

Minor Shocks with groups

Starting in Windows 2000, computers can be members of groups, this useful for group policies.

When you create a new user they are automatically a member of the Domain Users global group.  However when you create a computer in ADUC which default group is the computer a member of?  Answer: Domain Computers

Major Shock with groups.

If you create a script to display ‘member’ (as apposed to using the ADUC), the default or primary group does not appear in the list.  Strangely, if you add a user to another group then both groups appear when you run the script.  Incidentally, this is why the second example script includes the ‘Property not found’ error correcting code.

Guy Recommends: Tools4ever’s UMRAUMRA The User Management Resource Administrator

Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.

It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information onUMRA.

Example 1 – To Enumerate Administrators membership.

Here is a straightforward script which will run unaltered on any domain controller.  The idea is to display who are members of the builtin administrators group.

Instructions

  1. Copy and paste the script below into notepad.
  2. Save the file with .vbs extension e.g. Administrators.vbs.
  3. Double click and examine the message boxes.
 

‘ VBscript to enumerate Group members of Administrators
‘ Author Guy Thomas https://computerperformance.co.uk/
‘ Version 1.5 – January 2nd 2005
‘ ———————————————————-‘
Option Explicit
Dim strUser, strMember, strDNSDomain, strContainer
Dim objGroup, objUser, objRootDSE
Dim arrMemberOf

‘ Bind to Active Directory’
strContainer = "cn=Administrators,cn=Builtin, "
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

‘  Get the Builtin Administrators group
Set objGroup = GetObject ("LDAP://"& strContainer & strDNSDomain)
objGroup.getInfo

arrMemberOf = objGroup.GetEx("member")

‘  Loop = For Each …. Next
WScript.Echo "Members of Group " & strContainer
   For Each strMember in arrMemberOf
      WScript.echo strMember
   Next

Wscript.Quit

‘ End of Script
 

Learning Points

Note 1: The whole point of this script is to demonstrate ‘member’, who is in the group.  I also want to make the point that there are two similar properties, members used here, and also a ‘memberOf’ which we will use later.

Note 2: Observe how many ‘Get’ instructions the script uses, GetObject, .getInfo and .GetEx.  GetEx is used when an object such as a group has multiple values for a property.  In this instance, multiple members.

Note 3: See more on Enumerating Groups here

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM)Review of Orion NPM v11.5 v11.5

SolarWinds’ Orion performance monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

What I like best is the way NPM suggests solutions to network problems.  Its also has the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.

Download a free trial of Solarwinds’ Network Performance Monitor

Example 2 – To create global groups and users.

Purpose of the script.  What this script does is create a security group, then add the user defined in strJoinUser to that group.

My first challenge to you is pay attention to detail.  Investigate where you need to change the strOU and strJoinUser.

Instructions

  1. Important: Which OU will use?  My script uses strOU=cowbridge.  Either create such an OU, or change the script to reflect YOUR ou=.
  2. Make sure the OU has 2 or 3 users.  Check the value of strJoinUser, if necessary, lauch ADSI edit to double check cn=
  3. Copy and paste the script below into notepad.
  4. Save the file with .vbs extension e.g. GlobalGp.vbs.
  5. Double click and examine the message boxes.
  6. Finally, visit Active Directory Users and Computers.
 

‘ VBscript to create a Group, then add a user.
‘ Note two steps to set domain
‘ Author Guy Thomas https://computerperformance.co.uk/
‘ Version 2.4 – January 2nd 2005
‘ ———————————————————-‘

Dim strOU, strGroup, strUser, strUserMid, strDNSDomain
Dim objOU, objGroup, objUser
Dim arrMemberOf

Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Const ADS_PROPERTY_APPEND = 3

‘ Challenge – Make sure you have an OU called strOU
‘ Challenge – Make sure you have a user called strJoinUser
‘ Option change the strNewGp = "Giants"
strOU = "OU=Cowbridge,"
strJoinUser = "cn=Gary," & strOU
strNewGp = "Giants NYPD"
strNewGpLong = "CN=" & strNewGp

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

Wscript.Echo "OU = " & strOU & vbCr & "User = " & strJoinUser
Set objUser = GetObject ("LDAP://"& strJoinUser & strDNSDomain)

On Error Resume Next
‘ Create new Group
Set objOU = GetObject("LDAP://" & strOU & strDNSDomain )
Set objGroup = objOU.Create("Group",strNewGpLong)
objGroup.Put "sAMAccountName", strNewGp
objGroup.setInfo

‘  Error correcting code if the group is already in AD
If err.number <> vbEmpty Then
Wscript.Echo err.number & " Group " & strNewGp & " exists"
End if

‘ Add user to group
Set objGroup = GetObject("LDAP://"& strNewGp & strDNSDomain)
objGroup.PutEx ADS_PROPERTY_APPEND, _
"member", Array(strJoinUser & strDNSDomain)
objGroup.SetInfo

‘ GetEx gets multiple values
arrMemberOf = objUser.GetEx("memberOf")

If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
WScript.Echo "The memberOf attribute is not set."
Else
strUserMid = Mid(strJoinUser,4,8)
WScript.Echo strUserMid & " is Member of: "
For each Group in arrMemberOf
WScript.Echo Group
Next
End If
Wscript.Quit
 

Learning Points

Note 1: When Active Directory creates objects, observe the role of .put and .setInfo.

Note 2: As with so many objects, sAMAccountName is a key property for your group.

Note 3: I added the WScript.echo strOU and strJoinUser to remind you check these variables.  My hidden agenda was to show you something was happening because there is rather a long delay while the group is created.

Note 4: If err.number <> vbEmpty Then…  Is my attempt to add error correcting code.

Note 5: Const = ADS_PROPERTY_APPEND.  This week I ask you just to accept that some scripts require Const = ADS_xyz to work, next week all will be revealed about Const. 

The situation with groups is that if you want to create a security group, there is no need to add the Const = ADS, however if you wish to create a Distribution group then you do need Const = ADS_GROUP_TYPE_GLOBAL_GROUP = &h2

Summary Groups

Scripting groups is complex.  Firstly, check the two important properties of groups, Type and Scope.  Secondly when it comes to enumerating groups be sure to understand the difference between ‘Member’  and  ‘MemberOf’.  When you script groups, be aware of the CONST = statements.

See More Active Directory Group VBScripts

• PowerShell Tasks  • Add Users to Groups  • Create Users  • Free CSV Importer

Ezine 24 Groups  • Ezine 37 Groups  • Ezine 38 Groups  • VM to Cloud  • Ezines

Ezine 57 Groups  •Ezine 58 Groups  • Ezine 73 primaryID  • Ezine 112 Local Groups