Guy’s Scripting Ezine 73 primaryGroupID


This Week’s Secret

How often do you feel, ‘If only I had known that 6 months ago, it would have saved me no end of work’?  Recently I have been looking back at old scripts and thinking, ‘I could have done better than that’.  In particular, what stunned me was my cavalier treatment of the ‘Get’ verb.  What I am referring to is, ‘get’ as in ‘GetObject’, also as in ‘GetEx’ (get an extended list of properties). 

GetObject reminds me of whistling for my dog, ‘here boy fetch this ball’.  However, in the Active Directory world, what I want to do is get a Group, get a User or get an OU object.  My intention was honourable, namely to minimise the changes that you had to make to get my code to work, but some of my methods left a lot to be desired. 

Here is where I took my eye off the ball.  I started getting too clever, and instead of saying GetObject("LDAP://CN=myuser,OU=Newport,DC=topDom"), I constructed GetObject("LDAP://" & x & y & z) by joining x with y and then with z.  Joining the elements was not in itself the mistake; my error was spreading the joins over 20 lines of code.

So, my new resolution is to divide such tasks as GetObject into two elements: firstly, to construct the LDAP path clearly and concisely.  Secondly, to say simply, GetObject(LDAP_path).  You will see what I mean by studying this week’s examples.


This Week’s Mission – To Script a User’s Primary Group

I have divided This Week’s Mission into two parts.  My first example is a basic model.  The scripting aspect emphasises the GetObject command, while the practical point is to retrieve the Administrator’s Primary Group.  In the second example, the code checks a more extensive list of Primary Groups.  As a bonus, the second script also lists all the groups held by the memberOf attribute.  In both examples, the key attribute is primaryGroupID.

Values for primaryGroupID:
513 Domain Users
514 Domain Guests
515 Domain Computers
516 Domain Controllers

Example 1 – To Get a User’s primaryGroupID

This simple example connects to Active Directory and Gets the distinguished name of the user as specified by strUser.  It then checks the primaryGroupID to see if it equals 513, the value for Domain Users.

Instructions for displaying a User’s Primary Group.

  1. Copy and paste the script below into notepad.
  2. Check strUser and strOU.  If necessary, change strUser and strOU to your name and OU.
  3. Save the file with a .vbs extension, e.g. PrimaryGroupID.vbs.
  4. Double click the script and read the message box.
 

' PrimaryGroupID.vbs
' VBScript to display a user's primary group.
' Author Guy Thomas https://computerperformance.co.uk/
' Version 2.1 – May 2005
' ---------------------------------------------------------------
Option Explicit
Dim objRootLDAP, objGroup, objUser, objOU, objMemberOf
Dim strOU, strUser, strDNSDomain, strLDAP, strList
Dim intCounter, arrGroup

' Commands to bind to AD and extract domain name
Set objRootLDAP = GetObject("LDAP://RootDSE")
strDNSDomain = objRootLDAP.Get("DefaultNamingContext")

' Build the LDAP DN from strUser, strOU and strDNSDomain
strUser = "cn=Administrator,"
strOU = "CN=Users,"
strLDAP = "LDAP://" & strUser & strOU & strDNSDomain

' Bind to the user object in one clear step
Set objUser = GetObject(strLDAP)

' primaryGroupID is an LDAP property of a user, default is 513
If objUser.primaryGroupID = 513 Then
   WScript.Echo "Primary Group = Domain Users"
End If

WScript.Quit

' End of PrimaryGroupID VBScript

Learning Points for GetObject(strLDAP)

Note 1: The aim of the first half of the script is to construct the user object.  Introducing variables for strUser and strOU makes it easier to amend the script.  Observe how LDAP RootDSE cleverly extracts the strDNSDomain name from Active Directory.  My reasoning is to make the script work on any domain, without me having to know your domain name, and without you having to grapple with DC=Domainname.

Note 2: My goal is to get this command working: Set objUser = GetObject(strLDAP).

Note 3: Now that I have full control over objUser, I can perform useful tasks such as displaying the Primary Group.

Note 4:  Now that we have the basic script working, I want to make it more realistic by adding If … Then … Else to check other values for primaryGroupID.

Note 5: Reader’s suggestion from A.H.

I ran into one small issue with this script: it did not take into consideration idiots like me that use commas in group names (why Microsoft allowed this is beyond me).

I got around the problem by using the replace function to replace each instance of "\," with "!", and then replaced the "!" with "," after the parsing was completed (hoping that nobody would use ! in a name).


Example 2 – To list all the Groups that a User is a MemberOf

The aim of this script is to extract all the Groups held by the attribute memberOf.  As memberOf usually contains more than one group, we cannot employ the Get method; what we need is its sister command, GetEx.  To me, GetEx means get extras or get extended list.  The other feature of this script is a more sophisticated section to trap the user’s primaryGroupID.  In truth, I should have used my old favourite Select Case, but I settled for If … Then … Else.

Values for primaryGroupID:
513 Domain Users
514 Domain Guests
515 Domain Computers
516 Domain Controllers

' UserMemberOfAdv.vbs
' To list the groups to which the administrator is a memberOf
' Author Guy Thomas https://computerperformance.co.uk/
' Version 2.3 – May 2005
' ---------------------------------------------------------------
Option Explicit
Dim objRootLDAP, objGroup, objUser, objOU, objMemberOf
Dim strOU, strUser, strDNSDomain, strLDAP, strList
Dim arrGroup

' Commands to bind to AD and extract domain name
Set objRootLDAP = GetObject("LDAP://RootDSE")
strDNSDomain = objRootLDAP.Get("DefaultNamingContext")

' Build the LDAP DN from strUser, strOU and strDNSDomain
strList = "-------------------------------" & vbCr
strUser = "cn=Administrator,"
strOU = "CN=Users,"
strLDAP = "LDAP://" & strUser & strOU & strDNSDomain
Set objUser = GetObject(strLDAP)

' Heart of the script, extract a list of Groups from MemberOf
' (GetEx raises an error if memberOf is empty for this user)
objMemberOf = objUser.GetEx("MemberOf")
For Each objGroup in objMemberOf
   ' Strip the leading "CN=" and keep the text before the first comma
   objGroup = Mid(objGroup, 4, 330)
   arrGroup = Split(objGroup, ",")
   strList = strList & arrGroup(0) & vbCr
Next

' Additional section to find the primary group.
' The label is added once so that every branch is reported the same way.
strList = strList & vbCr & "Primary Group: " & vbCr
If objUser.primaryGroupID = 513 Then
   strList = strList & "Domain Users" & vbCr
ElseIf objUser.primaryGroupID = 515 Then
   strList = strList & "Domain Computers" & vbCr
Else
   strList = strList & "Maybe a Domain Controller" & vbCr
End If
WScript.Echo "Groups for " & Mid(strUser, 4, 99) & vbCr & strList

WScript.Quit

' End of User MemberOf and primaryGroupID VBScript

Learning Points

Note 1: At the heart of the script is a For Each … Next loop.  Not only does the loop extract the groups with GetEx("MemberOf"), but it also uses the Mid and Split functions to slice the distinguished name into a more readable format.
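
The Mid and Split step in Note 1, and the comma problem raised in the reader's Note 5 under Example 1, both come down to cutting the first name out of a distinguished name.  The following is an added example, not part of the original ezine: a hypothetical helper, FirstRdnValue, walks the DN and treats a backslash as an escape, so a group called "Sales, EMEA" is reported whole instead of being cut at the comma.  The sample DNs are constructed, and hex escapes such as \0A are not decoded.

```vbscript
' Added example, not from the original ezine.
' FirstRdnValue is a hypothetical helper name; the DNs below are constructed.
Option Explicit
Dim arrSample, strDN

' Return the value of the first RDN in a distinguished name.
' A backslash escapes the next character, so "\," is data, not a separator.
Function FirstRdnValue(strDN)
    Dim i, ch, strRdn
    strRdn = ""
    i = 1
    Do While i <= Len(strDN)
        ch = Mid(strDN, i, 1)
        If ch = "\" And i < Len(strDN) Then
            ' Escaped character: copy the following character literally
            strRdn = strRdn & Mid(strDN, i + 1, 1)
            i = i + 2
        ElseIf ch = "," Then
            ' First unescaped comma marks the end of the first RDN
            Exit Do
        Else
            strRdn = strRdn & ch
            i = i + 1
        End If
    Loop
    ' Drop the attribute type ("CN=", "OU=") in front of the value
    FirstRdnValue = Mid(strRdn, InStr(strRdn, "=") + 1)
End Function

' Constructed sample input: one plain group DN, one with an escaped comma
arrSample = Array( _
    "CN=Domain Admins,CN=Users,DC=example,DC=com", _
    "CN=Sales\, EMEA,OU=Groups,DC=example,DC=com")

For Each strDN In arrSample
    ' Show the Mid/Split result from Example 2 beside the escape-aware result
    WScript.Echo "Mid/Split: " & Split(Mid(strDN, 4), ",")(0) & vbCr & _
                 "Escape-aware: " & FirstRdnValue(strDN)
Next
```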

Challenge 1: Change the value of strUser and strOU.  With strOU, note that while CN=Users is correct, an OU of your own would be OU=MyOU and not CN=MyOU.

Challenge 2: Substitute Select Case for the If … Then … Else construction.

Summary of Get and primaryGroupID

Get is a tiny but essential verb.  Almost all VBScripts employ Get or GetEx to fetch distinguished names from Active Directory.  Once you have that object, you can pursue other scripting goals, in this case to display group membership.  PrimaryGroupID can be an elusive attribute, but one that you need for tasks like mapping a network drive.
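
The scripts above compare primaryGroupID against a short table of known values.  Because the primary group does not appear in memberOf, a membership review is only complete if that ID is resolved to the real group, so this added example (not part of the original ezine) goes one step further and looks up whichever group the ID refers to.  It assumes the same Administrator account in CN=Users as the scripts above and uses the ADSI LDAP provider's <SID=...> binding with a hex SID; the function names are hypothetical.

```vbscript
' Added example, not from the original ezine.
' OctetToHex and PrimaryGroupSidHex are hypothetical helper names.
Option Explicit
Dim objRootLDAP, objUser, objGroup
Dim strDNSDomain, strLDAP, strGroupSid

' Convert an octet-string attribute such as objectSid to a hex string
Function OctetToHex(arrOctet)
    Dim k
    OctetToHex = ""
    For k = 1 To LenB(arrOctet)
        OctetToHex = OctetToHex & _
            Right("0" & Hex(AscB(MidB(arrOctet, k, 1))), 2)
    Next
End Function

' A group in the user's domain has the same SID as the user except for the
' last 4 bytes, which hold the RID in little-endian order.  Swap the user's
' RID for primaryGroupID to obtain the SID of the primary group.
Function PrimaryGroupSidHex(strUserSidHex, lngRid)
    Dim strRid
    strRid = Right("00000000" & Hex(lngRid), 8)
    PrimaryGroupSidHex = Left(strUserSidHex, Len(strUserSidHex) - 8) _
        & Mid(strRid, 7, 2) & Mid(strRid, 5, 2) _
        & Mid(strRid, 3, 2) & Mid(strRid, 1, 2)
End Function

' Bind to the user exactly as in the scripts above
Set objRootLDAP = GetObject("LDAP://RootDSE")
strDNSDomain = objRootLDAP.Get("DefaultNamingContext")
strLDAP = "LDAP://cn=Administrator,CN=Users," & strDNSDomain
Set objUser = GetObject(strLDAP)

' Build the primary group's SID and bind to the group by that SID
strGroupSid = PrimaryGroupSidHex(OctetToHex(objUser.Get("objectSid")), _
                                 objUser.primaryGroupID)
Set objGroup = GetObject("LDAP://<SID=" & strGroupSid & ">")

WScript.Echo "primaryGroupID " & objUser.primaryGroupID & _
             " = " & objGroup.Get("cn")
```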
