Checking if User is member of group including nested/sub groups!
Download: InsertComputerDescriptionIfInGroup1-2.zip (1.23 kB)
I had a challenge today.
Problem:
My customer needs to insert a specific text in the computer description field on the local PC if the user is a member of a specific group.
Challenges:
The problem is that most of the users are not direct members of the group.
Instead, they are members of a nested group that is a member of the group, or of a nested group that is a member of a nested group that is a member of the group, and so on.
This gave me a problem, since the usual way of checking a user's membership is the "memberOf" property via ADSI.
That property only shows the groups the user is a direct member of, not the nested groups.
Ideas:
I found an example on Microsoft Scripting Guys:
http://technet.microsoft.com/en-us/magazine/cc161018.aspx
This example gives you a complete list of the groups the user is a member of.
This could be used for the checking, but the problem is that it is really slow! On our small AD it was 4-5 seconds before it was finished!
And I can only imagine how long it would take in a much larger forest!
Solution:
So I had to think it over, and I decided to go the other way around:
check the group and list its nested users.
I came up with this solution:
' //***************************************************************************
' // ***** Script Header *****
' //
' // File: InsertComptuerDescriptionIfInGroup.vbs
' // Author: Jakob Gottlieb Svendsen, Coretech A/S. http://blog.coretech.dk
' // Purpose: Checks if current user is member of specific group,
' // or any nested groups.
' // If user is found, a computerdescription strDescription is
' // added to the local computer.
' //
' // Usage: .vbs
' //
' //
' // CORETECH A/S History:
' // 0.0.1 JGS 01/12/2008 Created initial version.
' // 0.0.2 JGS 02/12/2008 Fixed bug, when same user appears in more than one group
' //
' // Customer History:
' //
' // ***** End Header *****
' //***************************************************************************
'//----------------------------------------------------------------------------
'//
'// Global constant and variable declarations
'//
'//----------------------------------------------------------------------------
On Error Resume Next
strGroupDN = "CN=CT Konsulenter,OU=Security,OU=Groups,OU=Coretech,DC=coretech,DC=intra" ' e.g. cn=SalesGroup,ou=Grps,dc=rallencorp,dc=com
strDescription = "IT Department"
Set oADSystemInfo = CreateObject("ADSystemInfo")
Set dicSeenGroupMember = CreateObject("Scripting.Dictionary")
Set UserList = CreateObject("Scripting.Dictionary")
'//----------------------------------------------------------------------------
'// Main routines
'//----------------------------------------------------------------------------
'Build list of users
GetMembers "LDAP://" & strGroupDN, strSpaces, dicSeenGroupMember
If (UserList.Exists("LDAP://" & oADSystemInfo.UserName)) Then
    'Run function. Change this to your own code, for other tasks.
    InsertComputerDescription strDescription
End If
'//----------------------------------------------------------------------------
'// Procedures
'//----------------------------------------------------------------------------
Function GetMembers(strGroupADsPath, strSpaces, dicSeenGroupMember)
    Set objGroup = GetObject(strGroupADsPath)
    For Each objMember In objGroup.Members
        If objMember.Class = "group" Then
            If dicSeenGroupMember.Exists(objMember.ADsPath) Then
                'Wscript.Echo strSpaces & " ^ already seen group member " & _
                '"(stopping to avoid loop)"
            Else
                dicSeenGroupMember.Add objMember.ADsPath, 1
                GetMembers objMember.ADsPath, strSpaces & " ", dicSeenGroupMember
            End If
        Else
            If Not UserList.Exists(objMember.ADsPath) Then
                UserList.Add objMember.ADsPath, 1
            End If
        End If
    Next
End Function
Function InsertComputerDescription(strDescription)
    strComputer = "."
    Set Obj = GetObject("winmgmts:\\" & strComputer).InstancesOf("Win32_OperatingSystem")
    For Each x In Obj
        x.Description = strDescription
        x.Put_
    Next
End Function
'//----------------------------------------------------------------------------
'// End Script
'//----------------------------------------------------------------------------
You can use the example for all kinds of jobs, but in this case it runs the "InsertComputerDescription" function to insert the computer description.
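The same nested-membership question can be answered by the domain controller in a single query, using Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) on the user's memberOf attribute. This is an added example, not part of the original script or the download; the function names IsNestedMember and EscapeFilterValue are hypothetical, and it assumes domain controllers that support the rule. Unlike the script above, it reports errors instead of suppressing them, so a wrong group DN is not mistaken for "not a member".

```vbscript
Option Explicit
' Added example, not part of the original script.
Const IN_CHAIN = "1.2.840.113556.1.4.1941"   ' LDAP_MATCHING_RULE_IN_CHAIN

' Escape a value for use inside an LDAP search filter (RFC 4515).
' The backslash must be replaced first, or later escapes get re-escaped.
Function EscapeFilterValue(strValue)
    Dim s
    s = Replace(strValue, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    EscapeFilterValue = Replace(s, Chr(0), "\00")
End Function

' True if strUserDN is a direct or nested member of strGroupDN.
Function IsNestedMember(strUserDN, strGroupDN)
    Dim oConn, oCmd, oRS
    IsNestedMember = False                    ' fail closed
    Set oConn = CreateObject("ADODB.Connection")
    oConn.Provider = "ADsDSOObject"
    oConn.Open "Active Directory Provider"
    Set oCmd = CreateObject("ADODB.Command")
    Set oCmd.ActiveConnection = oConn
    ' Base-scope search on the user object itself: one row means a match.
    oCmd.CommandText = "<LDAP://" & strUserDN & ">;" & _
        "(memberOf:" & IN_CHAIN & ":=" & EscapeFilterValue(strGroupDN) & ");" & _
        "distinguishedName;base"
    Set oRS = oCmd.Execute
    IsNestedMember = Not oRS.EOF
    oRS.Close
    oConn.Close
End Function

Dim oInfo, strGroupDN, bMember
' Group DN taken from the script above; replace with your own.
strGroupDN = "CN=CT Konsulenter,OU=Security,OU=Groups,OU=Coretech,DC=coretech,DC=intra"
Set oInfo = CreateObject("ADSystemInfo")

On Error Resume Next
bMember = IsNestedMember(oInfo.UserName, strGroupDN)
If Err.Number <> 0 Then
    ' A bad DN or unreachable DC ends up here instead of looking like "no".
    WScript.Echo "Membership check failed: " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0
If bMember Then WScript.Echo "User is a (nested) member of the group"
```

Like the Members walk in the script above, this does not see membership that exists only through a user's primary group.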

Hi, I'm trying to use your script to add printers determined by groups areas, a similar problem with the subgroups. I'm having trouble with this part in specific: If (UserList.Exists("LDAP://" & oADSystemInfo.UserName)) Then
The problem is that it always thinks that the user doesn't exist. I checked the UserList collection, and when I use UserList.Count it says that it is zero. I don't know why this var is getting erased or something like that. Any idea? Thanks in advance.
Hello Jorge
It sounds like your
GetMembers "LDAP://" & strGroupDN, strSpaces, dicSeenGroupMember
is failing. This usually happens when the LDAP:// & strGroupDN is not correct.
Please check that the
strGroupDN = "CN=CT Konsulenter,OU=Security,OU=Groups,OU=Coretech,DC=coretech,DC=intra"
is correct for your system. Otherwise the list will be empty.
But there could be other reasons too.
- Jakob
The script doesn't work because the array is always empty.
Line 67 should be :
If NOT UserList.Exists(objMember.ADsPath) Then
Wity:
You are absolutely correct!
I do not know how this error has appeared; if you look in the downloadable file, it is correct.
Thank you for the notice.
- Jakob
Hi,
I have created a script to enumerate the members of a nested group.
It can be found here:
http://deludi.nl/blog/vbscript/active-directory/groups/active-directory-vbscript-to-enumerate-the-members-of-nested-groups-v2/
best regards,
dirk adamsky