Contents for Ezine 70 – GetEx and Split

This Week’s Secret

As far as scripting is concerned, I am on the horns of a dilemma: do I give you the best script straight away, or do I build up in stages?  In the end I decided to concentrate on one method in the first example, then tidy up with the second method in example two.

Recently, three readers reported that their VBScript failed mysteriously with a ‘Join’ error, 800A00D.  The common factors were:

a) Binding to Active Directory

b) Attempting to manipulate an attribute with multiple values.

c) Dealing with groups.  The classic object properties that produce ‘Join’ errors are member or memberOf.

This week’s scripts not only show you how to overcome the ‘Join’ error, but also introduce a useful scripting method – split.  As the name suggests, split is handy for breaking a long string into sections.   When you output LDAP queries,  you often get a long string of cn=, when all you want is one element.  In this case, the comma would be the most suitable delimiter or splitter.

While mid, left and right are handy for truncating text strings, split allows you to chop up a string based on a delimiter such as a comma or space rather than on a fixed number of characters.

This Week’s Two Missions

1) To Enumerate Group Membership and 2) To Split LDAP Strings

Our first mission is to overcome a VBScript Join error 800A00D by employing the GetEx method, for example objUser.GetEx("memberOf").  As a by-product, the script also reviews how to display the groups a user is a member of.

Our second mission is fun but cosmetic, namely to improve the presentation of the script with Split, for example arrUser = Split(strUser, ",").  I am sure that you will find other opportunities to apply Split to LDAP strings.

Example 1 to Enumerate Group Membership with GetEx

Instructions

  1. Prerequisite: you need Active Directory.
  2. Edit circa Line 11 = strUser to reflect the name of your user.
  3. I assume that the account you test is in the Users container.  If your account is actually in an OU, then remember to use OU=myOrgUnit (not cn=myOrgUnit)
  4. Copy and paste the script below into notepad.
  5. Save the file with .vbs extension e.g. GetExGp.vbs
  6. Double click and then check the message box to see your group membership.
 

' GetExGp.vbs
' VBScript to enumerate the group membership of a user
' Author Guy Thomas https://computerperformance.co.uk/
' Version 2.5 - April 17th 2005
' ----------------------------------------------------------
Option Explicit
Dim strUser, strMember, strDNSDomain, strTotal
Dim objUser, objRootDSE
Dim arrMemberOf, intGroup

' N.B. Get cn of user, not sAMAccountName
' If your user account is in an OU then use OU= not cn=
strUser = "cn=Guy Thomas,cn=users, "
intGroup = 0

' Bind to Active Directory
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
Set objUser = GetObject("LDAP://" & strUser & strDNSDomain)
objUser.GetInfo

' Here is the heart of the mission, GetEx
' Note MemberOf not Member
arrMemberOf = objUser.GetEx("memberOf")

' Loop = For Each .... Next
' WScript.Echo "Groups " & strUser & " belongs to"
For Each strMember In arrMemberOf
    intGroup = intGroup + 1
    ' Build the list that the summary message displays
    strTotal = strTotal & strMember & vbCr
    WScript.Echo strUser & " belongs to " & strMember
Next
WScript.Echo strUser & " belongs to " & intGroup & " groups :" _
& vbCr & strTotal
Set strMember = Nothing

WScript.Quit
' End of Script

 

Learning Points

Note 1: The key feature of this script is the .GetEx method.  See how it employs memberOf rather than member.

Note 2: Observe the relative positions of the For Each loop and the WScript.echo.

Note 3: I particularly enjoyed adding the vbCr to display the groups in tabulated format.
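
GetEx itself raises an error when memberOf holds no values, which happens for an account that belongs only to its primary group. The following is an added example, not part of the original ezine: GetGroupDNs and FakeUser are hypothetical names, and FakeUser is a constructed stand-in for the ADSI user object so the check can be run without a domain.

```vbscript
' Added example: wrap GetEx so an unset memberOf yields an empty array
Option Explicit
Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D   ' ADSI "property not found in cache"

' Hypothetical helper: return memberOf as an array, empty when the attribute is unset
Function GetGroupDNs(objUser)
    Dim arrGroups, lngErr, strErr
    On Error Resume Next
    arrGroups = objUser.GetEx("memberOf")
    ' Save the error details before On Error GoTo 0 clears them
    lngErr = Err.Number
    strErr = Err.Description
    On Error GoTo 0
    If lngErr = E_ADS_PROPERTY_NOT_FOUND Then
        arrGroups = Array()
    ElseIf lngErr <> 0 Then
        ' Anything else (bad bind, access denied) is passed on, not hidden
        Err.Raise lngErr, "GetGroupDNs", strErr
    End If
    GetGroupDNs = arrGroups
End Function

' Constructed stand-in for an ADSI user object (assumption, for offline testing)
Class FakeUser
    Public Groups
    Public Function GetEx(strAttribute)
        If IsEmpty(Groups) Then
            Err.Raise E_ADS_PROPERTY_NOT_FOUND, "FakeUser", "Property not found in cache"
        End If
        GetEx = Groups
    End Function
End Class

Dim objTest
Set objTest = New FakeUser
WScript.Echo "No memberOf: " & (UBound(GetGroupDNs(objTest)) + 1) & " groups"
' Constructed sample group DNs
objTest.Groups = Array("CN=Sales,CN=Users,DC=cp,DC=com", "CN=Staff,CN=Users,DC=cp,DC=com")
WScript.Echo "Two values:  " & (UBound(GetGroupDNs(objTest)) + 1) & " groups"
```

Against a real directory, pass the objUser bound in the script above instead of FakeUser.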

Example 2 to Split an LDAP String

Without the Split function, the script will echo the full dn of the user.  With the Split command the output is reduced to the plain cn or common name.  For example, Split reduces cn=Guy Thomas, cn=users, dc=cp, dc=com to plain: cn=Guy Thomas.  To improve the script I use the Mid function to eliminate cn= and so leave just Guy Thomas.

Short syntax: Split(Expression, delimiter); in this case the splitter is a comma.

Full syntax: Split(Expression, delimiter, count, compare)

Count is how many substrings you want; -1 means all substrings.

Compare has two values: 0 (zero) means binary, whereas 1 means text.

Instructions

  1. Prerequisite: you need Active Directory.
  2. Edit circa Line 11 = strUser to reflect the name of your user.
  3. I assume that the account you test is in the Users container.  If your account is actually in an OU, then remember to use OU=myOrgUnit (not cn=myOrgUnit)
  4. Copy and paste the script below into notepad.
  5. Save the file with .vbs extension e.g. SplitGetEx.vbs
  6. Double click and then check the message box to see your group membership.
 

' SplitGetEx.vbs
' VBScript to Demonstrate Split (and GetEx)
' Author Guy Thomas https://computerperformance.co.uk/
' Version 3.2 - April 17th 2005
' ----------------------------------------------------------
Option Explicit
Dim strUser, strMember, strDNSDomain, strTotal
Dim objUser, objRootDSE
Dim arrMemberOf, arrUser, intGroup

' N.B. Get cn of user, not sAMAccountName
' If your user account is in an OU then use OU= not cn=
strUser = "cn=Guy Thomas,cn=users, "
intGroup = 0

On Error Resume Next
' Bind to Active Directory
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
Set objUser = GetObject("LDAP://" & strUser & strDNSDomain)
objUser.GetInfo

' MemberOf not Member
arrMemberOf = objUser.GetEx("memberOf")

' Loop through each group with For Each .... Next
For Each strMember In arrMemberOf
    strTotal = strTotal & strMember & vbCr
    intGroup = intGroup + 1
Next

' Here is the point of this script: Split(strUser, ",")
' Mid drops the leading cn= before the split
strUser = Mid(strUser, 4, 330)
arrUser = Split(strUser, ",")

WScript.Echo arrUser(0) & " belongs to " & intGroup & " groups :" _
& vbCr & strTotal

Set strMember = Nothing
WScript.Quit

' End of example VBScript

Learning Points

Note 1: I designed this script to illustrate the Split method.  In this instance the delimiter is a comma.

Note 2: The fuller syntax would be arrUser = Split(strUser, ",", -1, 1), where the extra -1 and 1 mean display all substrings and compare as text, not binary.

Note 3: See how objUser.getInfo extracts the attributes.

Note 4: As we want the first section in the string, it is arrUser(0).
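
A plain Split on the comma gives the wrong answer when a name itself contains a comma, which a distinguished name carries as \, (for example a cn stored as "Thomas, Guy"). The following is an added example, not part of the original ezine: SplitDN and RdnValue are hypothetical helpers, the sample DN is constructed, and only backslash escapes are handled (not quoted values or hex escapes).

```vbscript
' Added example: split a distinguished name on unescaped commas only
Option Explicit

' Hypothetical helper: return the parts of strDN as an array.
' A comma preceded by a backslash belongs to the value and is not a separator.
Function SplitDN(strDN)
    Dim arrParts(), intCount, intPos, strChar, strPart
    intCount = 0
    strPart = ""
    intPos = 1
    Do While intPos <= Len(strDN)
        strChar = Mid(strDN, intPos, 1)
        If strChar = "\" And intPos < Len(strDN) Then
            ' Keep the escape pair together and step over the escaped character
            strPart = strPart & Mid(strDN, intPos, 2)
            intPos = intPos + 1
        ElseIf strChar = "," Then
            ReDim Preserve arrParts(intCount)
            arrParts(intCount) = Trim(strPart)
            intCount = intCount + 1
            strPart = ""
        Else
            strPart = strPart & strChar
        End If
        intPos = intPos + 1
    Loop
    ReDim Preserve arrParts(intCount)
    arrParts(intCount) = Trim(strPart)
    SplitDN = arrParts
End Function

' Hypothetical helper: drop the "cn=" or "ou=" prefix and undo the \, escape
Function RdnValue(strRDN)
    RdnValue = Replace(Mid(strRDN, InStr(strRDN, "=") + 1), "\,", ",")
End Function

Dim strSample, arrNaive, arrSafe
' Constructed sample DN: the cn contains an escaped comma
strSample = "CN=Thomas\, Guy,OU=Staff,DC=cp,DC=com"
arrNaive = Split(strSample, ",")
arrSafe = SplitDN(strSample)
WScript.Echo "Split:   " & arrNaive(0) & "  (" & UBound(arrNaive) + 1 & " parts)"
WScript.Echo "SplitDN: " & RdnValue(arrSafe(0)) & "  (" & UBound(arrSafe) + 1 & " parts)"
```

Using InStr to find the "=" also removes the need for the fixed Mid(strUser, 4, 330) offset, so the same helper works for ou= and dc= parts.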

Challenges

Add a message box function to ask the user for a cn= name. See Msgbox() in Ezine 46.

Include extra error correcting code. For example, If (Err.Number <> 0) Then

Summary – GetEx and Split

This week we have two separate VBScript commands: GetEx to enumerate group membership, and Split to separate LDAP fields into single elements.
