Guy’s Scripting Ezine 58 More Groups 2

Contents for Guy’s Scripting Ezine 58 More Groups 2

• This Week’s Secret
• This Week’s Mission – to control the group Type and Scope
• Example  – Creating a Security Universal Group
• Challenges
• Summary
• See more Creating Groups here

This Week’s Secret

This week I feel like one of those swans who appear to be gliding serenely on the surface, while all the time they are frantically paddling like mad under the surface.

No worries – your example script WILL work.  However, its development was far from smooth.  Problems with scripts make me frustrated but never angry, and there is no feeling as great as when your code finally works.

Guy Recommends: The Free IP Address Tracker (IPAT)

Calculating IP Address ranges is a black art, which many network managers solve by creating custom Excel spreadsheets.  IPAT cracks this problem of allocating IP addresses in networks in two ways:

For Mr Organized there is a nifty subnet calculator, you enter the network address and the subnet mask, then IPAT works out the usable addresses and their ranges. 

For Mr Lazy IPAT discovers and then displays the IP addresses of existing computers. Download the Free IP Address Tracker

This Week’s Mission – to control the group Type and Scope

Firstly, a reminder that this is More Groups (2), so I recommend reviewing More Groups (1) – particularly if you need to add users to groups.

While I haven’t forgotten my promise to deal with CONST, we will have to wait one more week for a dedicated ezine explaining Constants.  For this week’s script, I suggest that you just accept that we have to use CONST declarations to control the Type and Scope of the group.

My project to script groups started well, here are the CONST values that my research uncovered:

• ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002
• ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
• ADS_GROUP_TYPE_LOCAL_GROUP = 0x00000004
• ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
• ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
• ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000
• (To create a distribution group just omit the last item, there does not appear to be a = 0x8000000xx flag to reverse the security enabled flag.)

However when I entered these values exactly as above, the script failed.  So, back to the drawing board.  Next I found that VBScript wanted the CONST precisely in this format: &Hx.  Naturally H stands for Hex.

ADS_GROUP_TYPE_UNIVERSAL_GROUP  = &H8  (Not 0x00000008)

The CONST statement is really ‘picky’, for example, a space between ampersand and H results in another 0800 error.  = &H8 is correct but = &  H8 fails because of the space between & and H8.

Hooray! I had mastered the Scope of the group, but what about the Type?  Once you add one of these ADS_Group constants, the default type of group changes from security to distribution.  Another problem to overcome.

So, how do you create a Security group?  Firstly, seek out the ADS_GROUP_TYPE_SECURITY_ENABLED Constant.

Then, what should you do?  Change the value of ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000 to: &H8? 
Wrong it should be: = &H80000000

To be crystal clear, here is the complete answer:
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000

Next how could I persuade the script to add the two properties, Security_Enabled and Type_Universal?  Here was my suggestion:

objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP

objGroup.Put "groupType", ADS_GROUP_TYPE_SECURITY_ENABLED

If you think that would work, you must be joking – no chance.  Undaunted, I researched the problem and found a suggestion to add the | (pipe symbol down near the control).  This was close – but no cigar. What you really needed was an OR statement.  Strange but true.  This was the final code:

objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP _

Or ADS_GROUP_TYPE_SECURITY_ENABLED

Incidentally, have you noticed with scripting that once thing goes wrong you get more and more errors?   Well you have probably guessed that this week I had a ‘ bad hair day’.  The good news is that the converse also applies, when you are on a run, all scripts working perfectly, then you believe that you can ‘walk on water’.

Guy Recommends: Tools4ever’s UMRA

Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.

It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information onUMRA.

Example – Creating a Security Universal Group

This script creates a new group.  It is designed to change the Scope from Global (default) to Universal.  With care, you could alter the CONST statement, for example, to create a Domain Local Group.

The trickiest part is controlling the Type.  If you remember when you create a group using script with the default values it turns out to be a Global Security group.  The minute you change the scope to Universal the default Type changes to Distribution.  Wacky?  However, all is not lost, just add 
Or ADS_GROUP_TYPE_SECURITY_ENABLED and force the group Type to be security.

Instructions

1. Copy and paste the script below into notepad.
2. Save the file with .vbs extension e.g. UniSecureGroup1.vbs
3. Double click and then open Active Directory Users and Computers and search the OU specified in strOU.  Did you see a new group?  Was it Universal or Global?

Learning Points

Note 1:  Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8 is responsible for creating the Universal Group.  Consult the notes to change the scope to Global or Domain Local.

Note 2:  Pay close attention to these two lines, under:  ‘ Here is where you set group…  In this script the group Type is Security, should you want a distribution group, just remove the _ and the line:
or ADS_GROUP_TYPE_SECURITY_ENABLED

Note 3: To add users to your group See last week’s Ezine online

Note 4:  See more Creating Groups here

Challenges – Add error correcting code

1. Add: On Error Resume Next   before, repeat before, ‘ Create new Group section.
2. Insert the error correcting code itself.
3. Optionally, add a snippet to extract the Universal Group value and echo the result in a message box.

Summary – Groups Type and Scope

It is fiendishly difficult for VBScript to manipulate the Type and the Scope of a new group.  Pay particular attention to the CONST = statements at the start of the script.

See More Active Directory Group VBScripts

• User Spreadsheet  • Add User to Group  • Create User  • Free Solarwinds Permissions Monitor

• Ezine 57 Groups  •Ezine 58 Groups  • Ezine 73 primaryID  • Ezine 112 Local Groups

• Ezine 113 Multiple Groups  • Ezine 115 Map Groups  •Ezine 138 Groups Join  • Ezines