Tuesday, September 29, 2009

Active Directory Scripting

I was looking for a script the other day and found this post very helpful

http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/groups/


Adding 1,000 Users to a Security Group


Demonstration script that creates a security group named Group1 and adds one thousand users (UserNo1 through UserNo1000) to that group. The user accounts are assumed to exist already in the Users container. This script is not intended for use in a production environment.
Const ADS_PROPERTY_APPEND = 3
Set objRootDSE = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://cn=Users," & _
objRootDSE.Get("defaultNamingContext"))
Set objGroup = objContainer.Create("Group", "cn=Group1")
objGroup.Put "sAMAccountName","Group1"
objGroup.SetInfo
' Build the list of member DNs first, then commit them in one write
' instead of calling SetInfo once per user.
ReDim arrMembers(999)
strDN = ",cn=Users," & objRootDSE.Get("defaultNamingContext")
For i = 1 To 1000
arrMembers(i - 1) = "cn=UserNo" & i & strDN
Next
objGroup.PutEx ADS_PROPERTY_APPEND, "member", arrMembers
objGroup.SetInfo
WScript.Echo "Group1 created and 1000 Users added to the group."

Adding New Members to a Group


Adds two groups (Executives and Scientists) and one user account (MyerKen) to the Sea-Users group in Active Directory.
Const ADS_PROPERTY_APPEND = 3

Set objGroup = GetObject _
("LDAP://cn=Sea-Users,cn=Users,dc=NA,dc=fabrikam,dc=com")

objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
Array("cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com", _
"cn=Executives,ou=Management,dc=NA,dc=fabrikam,dc=com", _
"cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")

objGroup.SetInfo

Assigning a Group Manager


Assigns user MyerKen as the manager of the Active Directory security group named Scientists.
Set objGroup = GetObject _
("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")

objGroup.Put "managedBy", "cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com"
objGroup.SetInfo

Changing the Scope of a Group


Changes a global distribution group named Scientists to a universal security group. Active Directory only allows a scope to be changed directly to or from universal: global to universal is refused while the group is a member of another global group, and a global to domain local change (or the reverse) has to be done in two steps through universal.
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000

Set objGroup = GetObject _
("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")

' The scope bit and the security-enabled bit are written together.
objGroup.Put "groupType", _
ADS_GROUP_TYPE_UNIVERSAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED

objGroup.SetInfo

Creating a Domain Local Distribution Group


Creates a domain local Active Directory distribution group named Vendors.
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Set objOU = GetObject("LDAP://ou=HR,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=Vendors")
objGroup.Put "sAMAccountName", "vendors"
objGroup.Put "groupType", ADS_GROUP_TYPE_LOCAL_GROUP
objGroup.SetInfo

Creating a Global Security Group


Creates a global Active Directory security group named HR-Employees.
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000
Set objOU = GetObject("LDAP://ou=HR,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=HR-Employees")
objGroup.Put "sAMAccountName", "HRStaff"
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP Or _
ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo

Creating a Universal Distribution Group


Creates a universal Active Directory distribution group named Customers.
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Set objOU = GetObject("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=Customers")
objGroup.Put "sAMAccountName", "customers"
objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP
objGroup.SetInfo

Creating a Universal Security Group


Creates a universal Active Directory security group named All-Employees.
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000
Set objOU = GetObject("LDAP://cn=Users,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=All-Employees")
objGroup.Put "sAMAccountName", "AllEmployees"
objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP Or _
ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo

Deleting a Group from Active Directory


Deletes a group named atl-users from the HR organizational unit in the hypothetical domain fabrikam.com.
Set objOU = GetObject("LDAP://ou=hr, dc=fabrikam,dc=com")
objOU.Delete "group", "cn=atl-users"

Determining Other Groups a Group Belongs To


Returns a list of all the groups that the Active Directory security group Scientists is a member of.
On Error Resume Next

Set objGroup = GetObject _
("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.GetInfo

arrMembersOf = objGroup.GetEx("memberOf")

WScript.Echo "MembersOf:"
For Each strMemberOf in arrMembersOf
WScript.Echo strMemberOf
Next

Determining the Primary Group for a User Account


Reports the primary group for the MyerKen Active Directory user account.
On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

Set objUser = GetObject _
("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
intPrimaryGroupID = objUser.Get("primaryGroupID")

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
";(objectCategory=Group);" & _
"distinguishedName,primaryGroupToken;subtree"
Set objRecordSet = objCommand.Execute

While Not objRecordset.EOF
If objRecordset.Fields("primaryGroupToken") = intPrimaryGroupID Then
WScript.Echo "Primary group:"
WScript.Echo objRecordset.Fields("distinguishedName") & _
" (primaryGroupID: " & intPrimaryGroupID & ")"
End If
objRecordset.MoveNext
Wend

objConnection.Close

Enumerating Group Membership for User Accounts


Retrieves the memberOf and primaryGroupID attributes of a user account to display group membership. Note that the primaryGroupID attribute contains an integer that maps to the name of the primary group. The memberOf attribute does not contain the name of the primary group of which the user is a member.
On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Set objOU = GetObject _
("LDAP://cn=Users,dc=NA,dc=fabrikam,dc=com")

ObjOU.Filter= Array("user")

For Each objUser in objOU
WScript.Echo objUser.cn & " is a member of: "
WScript.Echo vbTab & "Primary Group ID: " & _
objUser.Get("primaryGroupID")

arrMemberOf = objUser.GetEx("memberOf")

If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
For Each Group in arrMemberOf
WScript.Echo vbTab & Group
Next
Else
WScript.Echo vbTab & "memberOf attribute is not set"
Err.Clear
End If
Wscript.Echo VbCrLf
Next

Identifying the Owner of a Group


Returns the owner of an Active Directory security group named Scientists.
Set objGroup = GetObject _
("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")

Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")

WScript.Echo "Owner Tab"
WScript.Echo "Current owner of this item: " & objNtSecurityDescriptor.Owner

Modifying Group Properties


Modifies both single-value (samAccountName, mail, info) and multi-value (description) attributes for a group named Scientists.
Const ADS_PROPERTY_UPDATE = 2
Set objGroup = GetObject _
("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")

objGroup.Put "sAMAccountName", "Scientist01"
objGroup.Put "mail", "YoungRob@fabrikam.com"
objGroup.Put "info", "Use this group for official communications " & _
"with scientists who are contracted to work with Contoso.com."

objGroup.PutEx ADS_PROPERTY_UPDATE, _
"description", Array("Scientist Mailing List")

objGroup.SetInfo

Modifying Group Type


Changes a domain local group named Scientists to a global security group. Active Directory will not convert a domain local group straight to global, so the script converts it to universal first and then to global. The first step is refused while the group contains a domain local group, the second while it contains a universal group.
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000

Set objGroup = GetObject _
("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")

' Step 1: domain local -> universal
objGroup.Put "groupType", _
ADS_GROUP_TYPE_UNIVERSAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo

' Step 2: universal -> global
objGroup.Put "groupType", _
ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo
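The two scope-change scripts above each write a new groupType value. As an added example that is not part of the original page or of the script samples it reproduces, the following Python decodes the groupType bit field those scripts write and plans the write (or two writes) a scope change needs, applying the Active Directory rule that only conversions to or from the universal scope are accepted directly. It works on integers only, so it runs offline; the negative values are what LDAP returns for the attribute, since groupType is a signed 32-bit field and the security-enabled bit is the sign bit.

```python
# Added example: decode the groupType bit field used by the VBScript samples above
# and plan a scope change under Active Directory's conversion rules. Offline: works
# on integers only. Constants are the ADS_GROUP_TYPE_* values from the scripts.

ADS_GROUP_TYPE_GLOBAL_GROUP = 0x2
ADS_GROUP_TYPE_LOCAL_GROUP = 0x4
ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x8
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000

SCOPE_NAMES = {
    ADS_GROUP_TYPE_LOCAL_GROUP: "Domain local",
    ADS_GROUP_TYPE_GLOBAL_GROUP: "Global",
    ADS_GROUP_TYPE_UNIVERSAL_GROUP: "Universal",
}

# Direct scope conversions AD accepts; every other pair needs two writes via Universal.
DIRECT_CONVERSIONS = {
    ("Global", "Universal"),        # refused while the group is a member of another global group
    ("Domain local", "Universal"),  # refused while the group contains a domain local group
    ("Universal", "Global"),        # refused while the group contains a universal group
    ("Universal", "Domain local"),
}


def to_ldap_int(mask):
    """groupType is a signed 32-bit integer on the wire, so a security group reads back
    negative (e.g. -2147483640 for universal security). Convert a bit mask to that form."""
    return mask - (1 << 32) if mask & 0x80000000 else mask


def decode_group_type(value):
    """Return (scope, kind) for a groupType value as read from LDAP (signed) or as a mask."""
    mask = value & 0xFFFFFFFF
    scopes = [bit for bit in SCOPE_NAMES if mask & bit]
    if len(scopes) != 1:
        raise ValueError("groupType %#x does not have exactly one scope bit" % mask)
    kind = "Security" if mask & ADS_GROUP_TYPE_SECURITY_ENABLED else "Distribution"
    return SCOPE_NAMES[scopes[0]], kind


def plan_group_type_change(current_value, new_scope_bit, security_enabled):
    """List the groupType values to Put, in order, to reach the requested scope and kind:
    one value when AD allows the change directly, two (via Universal) otherwise."""
    current_scope, _ = decode_group_type(current_value)
    new_scope = SCOPE_NAMES[new_scope_bit]
    kind_bit = ADS_GROUP_TYPE_SECURITY_ENABLED if security_enabled else 0
    if current_scope == new_scope or (current_scope, new_scope) in DIRECT_CONVERSIONS:
        return [to_ldap_int(new_scope_bit | kind_bit)]
    return [to_ldap_int(ADS_GROUP_TYPE_UNIVERSAL_GROUP | kind_bit),
            to_ldap_int(new_scope_bit | kind_bit)]


if __name__ == "__main__":
    # Scientists as a global distribution group (groupType 2) -> universal security group
    print(decode_group_type(2), plan_group_type_change(2, ADS_GROUP_TYPE_UNIVERSAL_GROUP, True))
    # A domain local security group -> global security group needs two writes
    print(plan_group_type_change(-2147483644, ADS_GROUP_TYPE_GLOBAL_GROUP, True))
```

The membership conditions in the comments cannot be checked offline; a write that violates one fails at SetInfo, so a real script should test the result of each step before issuing the next.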

Moving a Group Within a Domain


Moves a group account from the HR OU to the Users container.
Set objOU = GetObject("LDAP://cn=Users,dc=NA,dc=fabrikam,dc=com")
objOU.MoveHere "LDAP://cn=atl-users,ou=HR,dc=NA,dc=fabrikam,dc=com", _
vbNullString

Reading the General Properties for a Group


Reads the values found on the General Properties page in Active Directory Users and Computers for a group named Scientists. Run it under CScript, since it writes with WScript.StdOut.
On Error Resume Next
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000

Set objGroup = GetObject _
("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.GetInfo

strName = objGroup.Get("name")
strSAMAccountName = objGroup.Get("sAMAccountName")
strMail = objGroup.Get("mail")
intgroupType = objGroup.Get("groupType")
strInfo = objGroup.Get("info")

strDescription = objGroup.GetEx("description")

WScript.Echo "name: " & strName
WScript.Echo "sAMAccountName: " & strSAMAccountName
WScript.Echo "mail: " & strMail
WScript.Echo "info: " & strInfo

WScript.StdOut.Write "Group scope: "
If intGroupType AND ADS_GROUP_TYPE_LOCAL_GROUP Then
WScript.Echo "Domain local"
ElseIf intGroupType AND ADS_GROUP_TYPE_GLOBAL_GROUP Then
WScript.Echo "Global"
ElseIf intGroupType AND ADS_GROUP_TYPE_UNIVERSAL_GROUP Then
WScript.Echo "Universal"
Else
WScript.Echo "Unknown"
End If

WScript.StdOut.Write "Group type: "
If intGroupType AND ADS_GROUP_TYPE_SECURITY_ENABLED Then
WScript.Echo "Security group"
Else
WScript.Echo "Distribution group"
End If

For Each strValue in strDescription
WScript.Echo "description: " & strValue
Next

Reading the Security Descriptor for a Group


Returns information found on the security descriptor (the DACL inheritance flag and each DACL entry) for the Active Directory group named Scientists. Entries whose trustee is an NT AUTHORITY principal, such as SYSTEM or SELF, are skipped. This script must be run under CScript because it writes with WScript.StdOut.
Const SE_DACL_PROTECTED = &H1000

Set objGroup = GetObject _
("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")

Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")

intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

WScript.Echo "Permissions Tab"
WScript.StdOut.WriteLine "Allow inheritable permissions from the parent to"
WScript.StdOut.Write "propagate to this object and all child objects "
If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
Wscript.Echo "is disabled."
Else
WScript.Echo "is enabled."
End If
WScript.Echo VbCr

Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl
DisplayAceInformation objDiscretionaryAcl, "DACL"

Sub DisplayAceInformation(SecurityStructure, strType)
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
intAceCount = 0
For Each objAce In SecurityStructure
strTrustee = Mid(objAce.Trustee,1,12)
If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
intAceCount = intAceCount + 1
WScript.Echo strType & " permission entry: " & intAceCount
WScript.Echo "Name: " & objAce.Trustee

intAceType = objAce.AceType
If (intAceType = ADS_ACETYPE_ACCESS_ALLOWED Or _
intAceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
WScript.Echo "Type: Allow Access"
ElseIf (intAceType = ADS_ACETYPE_ACCESS_DENIED Or _
intAceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then
WScript.Echo "Type: Deny Access"
Else
WScript.Echo "Access Type Unknown."
End If
ReadBitsInAccessMask(objAce.AccessMask)
WScript.Echo VbCr
End If
Next
End Sub

Sub ReadBitsInAccessMask(AccessMask)
Const ADS_RIGHT_DELETE = &H10000
Const ADS_RIGHT_READ_CONTROL = &H20000
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_WRITE_OWNER = &H80000
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_RIGHT_ACTRL_DS_LIST = &H4
Const ADS_RIGHT_DS_SELF = &H8
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_RIGHT_DS_DELETE_TREE = &H40
Const ADS_RIGHT_DS_LIST_OBJECT = &H80
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

WScript.Echo VbCrLf & "Standard Access Rights"
If (AccessMask And ADS_RIGHT_DELETE) Then _
WScript.Echo vbTab & "-Delete an object."
If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
WScript.Echo vbTab & "-Read permissions."
If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
WScript.Echo vbTab & "-Write permissions."
If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
WScript.Echo vbTab & "-Modify owner."

WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
WScript.Echo vbTab & "-Create child objects."
If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
WScript.Echo vbTab & "-Delete child objects."
If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
WScript.Echo vbTab & "-Enumerate an object."
If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
WScript.Echo vbTab & "-Read the properties of an object."
If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
WScript.Echo vbTab & "-Write the properties of an object."
If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
WScript.Echo vbTab & "-Delete a tree of objects"
If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
WScript.Echo vbTab & "-List a tree of objects."

WScript.Echo VbCrLf & "Control Access Rights"
If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _
(AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
WScript.Echo "-None"
Else
If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
WScript.Echo vbTab & "-Extended access rights."
If (AccessMask And ADS_RIGHT_DS_SELF) Then
WScript.Echo vbTab & "-Active Directory must validate a property "
WScript.Echo vbTab & " write operation beyond the schema definition "
WScript.Echo vbTab & " for the attribute."
End If
End If
End Sub

Reading the System Access Control List for a Group


Returns information found on the System Access Control List (SACL) for an Active Directory security group named Scientists. ADSI reads only the owner, group and DACL by default, so the SACL has to be requested through ADS_OPTION_SECURITY_MASK as the script does, and reading it requires the SeSecurityPrivilege ("Manage auditing and security log") user right; without that right the Get call fails. Run it under CScript because of the StdOut writes.
Const SE_SACL_PROTECTED = &H2000
Const ADS_SECURITY_INFO_OWNER = &H1
Const ADS_SECURITY_INFO_GROUP = &H2
Const ADS_OPTION_SECURITY_MASK =&H3
Const ADS_SECURITY_INFO_DACL = &H4
Const ADS_SECURITY_INFO_SACL = &H8

Set objGroup = GetObject _
("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")

objGroup.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER _
Or ADS_SECURITY_INFO_GROUP Or ADS_SECURITY_INFO_DACL _
Or ADS_SECURITY_INFO_SACL

Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")

intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

WScript.Echo "Auditing Tab"
WScript.StdOut.WriteLine "Allow inheritable auditing entries from " & _
"the parent to "
WScript.StdOut.Write "propagate to this object and all child objects "
If (intNtSecurityDescriptorControl And SE_SACL_PROTECTED) Then
Wscript.Echo "is disabled."
Else
WScript.Echo "is enabled."
End If
WScript.Echo VbCr

Set objSacl = objNtSecurityDescriptor.SystemAcl
DisplayAceInformation objSacl, "SACL"

Sub DisplayAceInformation(SecurityStructure, strType)
Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7

intAceCount = 0
For Each objAce In SecurityStructure
strTrustee = Mid(objAce.Trustee,1,12)
If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
intAceCount = intAceCount + 1
WScript.Echo strType & " permission entry: " & intAceCount
WScript.Echo "Name: " & objAce.Trustee

intAceType = objAce.AceType
If (intAceType = ADS_ACETYPE_SYSTEM_AUDIT or _
intAceType = ADS_ACETYPE_SYSTEM_AUDIT_OBJECT) Then
WScript.Echo "Type: Success or Failure Audit"
Else
WScript.Echo "Audit Type Unknown (AceType " & intAceType & ")."
End If
ReadBitsInAccessMask(objAce.AccessMask)
WScript.Echo VbCr
End If
Next
End Sub

Sub ReadBitsInAccessMask(AccessMask)
Const ADS_RIGHT_DELETE = &H10000
Const ADS_RIGHT_READ_CONTROL = &H20000
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_WRITE_OWNER = &H80000
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_RIGHT_ACTRL_DS_LIST = &H4
Const ADS_RIGHT_DS_SELF = &H8
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_RIGHT_DS_DELETE_TREE = &H40
Const ADS_RIGHT_DS_LIST_OBJECT = &H80
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

WScript.Echo VbCrLf & "Standard Access Rights"
If (AccessMask And ADS_RIGHT_DELETE) Then _
WScript.Echo vbTab & "-Delete an object."
If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
WScript.Echo vbTab & "-Read permissions."
If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
WScript.Echo vbTab & "-Write permissions."
If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
WScript.Echo vbTab & "-Modify owner."

WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
WScript.Echo vbTab & "-Create child objects."
If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
WScript.Echo vbTab & "-Delete child objects."
If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
WScript.Echo vbTab & "-Enumerate an object."
If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
WScript.Echo vbTab & "-Read the properties of an object."
If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
WScript.Echo vbTab & "-Write the properties of an object."
If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
WScript.Echo vbTab & "-Delete a tree of objects"
If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
WScript.Echo vbTab & "-List a tree of objects."

WScript.Echo VbCrLf & "Control Access Rights"
If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _
(AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
WScript.Echo "-None"
Else
If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
WScript.Echo vbTab & "-Extended access rights."
If (AccessMask And ADS_RIGHT_DS_SELF) Then
WScript.Echo vbTab & "-Active Directory must validate a property "
WScript.Echo vbTab & " write operation beyond the schema definition "
WScript.Echo vbTab & " for the attribute."
End If
End If
End Sub

Removing All the Members of a Group


Removes all the members of an Active Directory group named Sea-Users.
Const ADS_PROPERTY_CLEAR = 1

Set objGroup = GetObject _
("LDAP://cn=Sea-Users,cn=Users,dc=NA,dc=fabrikam,dc=com")

objGroup.PutEx ADS_PROPERTY_CLEAR, "member", 0

objGroup.SetInfo

Removing a Group Manager


Removes the manager entry for the Active Directory security group named Scientists. When this script is run, the group will no longer have an assigned manager.
Const ADS_PROPERTY_CLEAR = 1

Set objGroup = GetObject _
("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.PutEx ADS_PROPERTY_CLEAR, "managedBy", 0
objGroup.SetInfo

Removing a User from All Active Directory Security Groups


Removes the MyerKen user account from every group listed in its memberOf attribute (security and distribution groups alike). The primary group is not listed in memberOf and is left untouched.
On Error Resume Next
Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

Set objUser = GetObject _
("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
arrMemberOf = objUser.GetEx("memberOf")

If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
WScript.Echo "This account is not a member of any groups (other than its primary group)."
WScript.Quit
End If

For Each Group in arrMemberOf
Set objGroup = GetObject("LDAP://" & Group)
objGroup.PutEx ADS_PROPERTY_DELETE, _
"member", Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
objGroup.SetInfo
Next

Removing a User from a Group


Removes user MyerKen from the group Sea-Users.
Const ADS_PROPERTY_DELETE = 4

Set objGroup = GetObject _
("LDAP://cn=Sea-Users,cn=Users,dc=NA,dc=fabrikam,dc=com")

objGroup.PutEx ADS_PROPERTY_DELETE, _
"member", _
Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")

objGroup.SetInfo

Replacing Group Membership


Replaces the existing membership of a group named Scientists with two new group members: YoungRob and ShenAlan.
Const ADS_PROPERTY_UPDATE = 2

Set objGroup = GetObject _
("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")

objGroup.PutEx ADS_PROPERTY_UPDATE, "member", _
Array("cn=YoungRob,ou=R&D,dc=NA,dc=fabrikam,dc=com", _
"cn=ShenAlan,ou=R&D,dc=NA,dc=fabrikam,dc=com")

objGroup.SetInfo

Retrieving the Active Directory Groups a User Belongs To


Returns a list of all the Active Directory security groups (including the primary group) that include the MyerKen user account as a member.
On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

Set objUser = GetObject _
("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")

intPrimaryGroupID = objUser.Get("primaryGroupID")
arrMemberOf = objUser.GetEx("memberOf")

If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
WScript.Echo "The memberOf attribute is not set."
Else
WScript.Echo "Member of: "
For each Group in arrMemberOf
WScript.Echo Group
Next
End If

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
";(objectCategory=Group);" & _
"distinguishedName,primaryGroupToken;subtree"
Set objRecordSet = objCommand.Execute

While Not objRecordset.EOF
If objRecordset.Fields("primaryGroupToken") = intPrimaryGroupID Then
WScript.Echo "Primary group:"
WScript.Echo objRecordset.Fields("distinguishedName") & _
" (primaryGroupID: " & intPrimaryGroupID & ")"
End If
objRecordset.MoveNext
Wend

objConnection.Close
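The two primary-group scripts above find the primary group by scanning every group for a primaryGroupToken equal to the user's primaryGroupID. That constructed attribute is simply the group's RID, the last sub-authority of its objectSid, and that is what the following added Python example (not part of the original page or of the script samples) matches on. The user and group records are constructed for the demonstration, so it runs offline. It also merges the result with memberOf and flags a primary group other than Domain Users (RID 513), because membership granted through primaryGroupID appears neither in the user's memberOf nor in the group's member attribute, which makes it easy to overlook when reviewing who is in a privileged group.

```python
# Added example: resolve a user's primary group from primaryGroupID by RID matching
# and merge it with memberOf. All records below are constructed sample data; nothing
# here talks to a directory.

DOMAIN_USERS_RID = 513  # default primaryGroupID for user accounts


def sid_rid(sid):
    """Relative identifier: the last sub-authority of a textual SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    return int(parts[-1])


def sid_domain(sid):
    """Everything but the RID, i.e. the SID of the domain the account lives in."""
    sid_rid(sid)  # validates the format
    return sid.rsplit("-", 1)[0]


def resolve_primary_group(user, groups):
    """groups: iterable of (distinguishedName, objectSid). primaryGroupToken is the group's
    RID, so the primary group is the group in the user's own domain with that RID."""
    domain = sid_domain(user["objectSid"])
    for dn, sid in groups:
        if sid_domain(sid) == domain and sid_rid(sid) == user["primaryGroupID"]:
            return dn
    return None


def direct_groups(user, groups):
    """memberOf never lists the primary group; return the complete direct membership."""
    result = list(user.get("memberOf", []))
    primary = resolve_primary_group(user, groups)
    if primary is not None and primary not in result:
        result.append(primary)
    return result


def nondefault_primary_group(user):
    """True when the account's primary group is not Domain Users. Such membership is
    invisible to memberOf and to the group's member attribute, so it deserves review."""
    return user["primaryGroupID"] != DOMAIN_USERS_RID


# Constructed sample data using the fabrikam.com names from this page
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_GROUPS = [
    ("cn=Domain Users,cn=Users,dc=NA,dc=fabrikam,dc=com", DOMAIN_SID + "-513"),
    ("cn=Domain Admins,cn=Users,dc=NA,dc=fabrikam,dc=com", DOMAIN_SID + "-512"),
    ("cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com", DOMAIN_SID + "-1105"),
]
MYERKEN = {
    "distinguishedName": "cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com",
    "objectSid": DOMAIN_SID + "-1104",
    "primaryGroupID": 513,
    "memberOf": ["cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com"],
}
YOUNGROB = {
    "distinguishedName": "cn=YoungRob,ou=R&D,dc=NA,dc=fabrikam,dc=com",
    "objectSid": DOMAIN_SID + "-1106",
    "primaryGroupID": 512,  # Domain Admins, without appearing in its member list
    "memberOf": [],
}

if __name__ == "__main__":
    for user in (MYERKEN, YOUNGROB):
        print(user["distinguishedName"])
        print("  primary group:", resolve_primary_group(user, SAMPLE_GROUPS))
        print("  all direct groups:", direct_groups(user, SAMPLE_GROUPS))
        print("  non-default primary group:", nondefault_primary_group(user))
```

Against a live directory the groups list would come from the same ADO query the scripts use, with objectSid requested instead of primaryGroupToken; both attributes give the same RID.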

Returning the Attributes of the Group Class


Returns a list of mandatory and optional attributes of the group class (as stored in the Active Directory schema).
Set objGroupClass = GetObject("LDAP://schema/group")
Set objSchemaClass = GetObject(objGroupClass.Parent)

i = 0
WScript.Echo "Mandatory attributes:"
For Each strAttribute in objGroupClass.MandatoryProperties
i= i + 1
WScript.StdOut.Write i & vbTab & strAttribute
Set objAttribute = objSchemaClass.GetObject("Property", strAttribute)
WScript.StdOut.Write " (Syntax: " & objAttribute.Syntax & ")"
If objAttribute.MultiValued Then
WScript.Echo " Multivalued"
Else
WScript.Echo " Single-valued"
End If
Next

WScript.Echo VbCrLf & "Optional attributes:"
For Each strAttribute in objGroupClass.OptionalProperties
i= i + 1
WScript.StdOut.Write i & vbTab & strAttribute
Set objAttribute = objSchemaClass.GetObject("Property", strAttribute)
WScript.StdOut.Write " [Syntax: " & objAttribute.Syntax & "]"
If objAttribute.MultiValued Then
WScript.Echo " Multivalued"
Else
WScript.Echo " Single-valued"
End If
Next

Returning Group Object Information


Retrieves the information found on the Object page in Active Directory Users and Computers for a security group named Scientists.
Set objGroup = GetObject _
("GC://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")

strWhenCreated = objGroup.Get("whenCreated")
strWhenChanged = objGroup.Get("whenChanged")

Set objUSNChanged = objGroup.Get("uSNChanged")
dblUSNChanged = _
Abs(objUSNChanged.HighPart * 2^32 + objUSNChanged.LowPart)

Set objUSNCreated = objGroup.Get("uSNCreated")
dblUSNCreated = _
Abs(objUSNCreated.HighPart * 2^32 + objUSNCreated.LowPart)

objGroup.GetInfoEx Array("canonicalName"), 0
arrCanonicalName = objGroup.GetEx("canonicalName")

WScript.echo "CanonicalName of object:"
For Each strValue in arrCanonicalName
WScript.echo vbTab & strValue
Next
WScript.Echo vbCr

WScript.Echo "Object class: " & objGroup.Class & vbCrLf
WScript.echo "whenCreated: " & strWhenCreated & " (Created - GMT)"
WScript.echo "whenChanged: " & strWhenChanged & " (Modified - GMT)"
WScript.Echo VbCrLf
WScript.Echo "uSNChanged: " & dblUSNChanged & " (USN Current)"
WScript.Echo "uSNCreated: " & dblUSNCreated & " (USN Original)"

Returning a List of Group Members


Returns the direct members of an Active Directory group named Scientists. Get and GetEx return at most the first 1500 values of a multi-valued attribute (the domain controller's MaxValRange limit), so for larger groups use range retrieval (member;range=0-1499, then member;range=1500-*, and so on) to get the full list.
On Error Resume Next

Set objGroup = GetObject _
("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.GetInfo

arrMembers = objGroup.GetEx("member")

WScript.Echo "Members:"
For Each strMember in arrMembers
WScript.echo strMember
Next

Returning Managed By Information for a Group


Returns information about the manager assigned to an Active Directory security group named Scientists, and reports whether that manager can update the member list. The check looks only for what the "Manager can update membership list" option in Active Directory Users and Computers writes: an object-specific allow entry for the manager's own account granting write access to the member attribute. Rights the manager holds through group membership, a full-control or write-all-properties entry, or a deny entry are not considered, so "cannot update" from this script is not proof that the manager lacks the right.
On Error Resume Next

Set objGroup = GetObject _
("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")

strManagedBy = objGroup.Get("managedBy")

If IsEmpty(strManagedBy) = TRUE Then
WScript.Echo "No user account is assigned to manage " & _
"this group."
Else
Set objUser = GetObject("LDAP://" & strManagedBy)
strPhysicalDeliveryOfficeName = _
objUser.Get("physicalDeliveryOfficeName")
strStreetAddress = objUser.Get("streetAddress")
strLocalityName = objUser.Get("l")
strStateProvince = objUser.Get("st")
strCountryName = objUser.Get("c")
strTelephoneNumber = objUser.Get("telephoneNumber")
strFacsimileTelephoneNumber = _
objUser.Get("facsimileTelephoneNumber")

Call GetUpdateMemberList

WScript.echo "physicalDeliveryOfficeName: " & _
strPhysicalDeliveryOfficeName
WScript.echo "streetAddress: " & strStreetAddress
WScript.echo "l: " & strLocalityName
WScript.echo "state/province: " & strStateProvince
WScript.echo "c: " & strCountryName
WScript.echo "telephoneNumber: " & strTelephoneNumber
WScript.echo "facsimileTelephoneNumber: " & _
strFacsimileTelephoneNumber
End If

Sub GetUpdateMemberList
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const Member_SchemaIDGuid = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}"
Const ADS_RIGHT_DS_WRITE_PROP = &H20
objUser.GetInfoEx Array("canonicalName"),0
strCanonicalName = objUser.Get("canonicalName")
strDomain = Mid(strCanonicalName,1,InStr(1,strCanonicalName,".")-1)
strSAMAccountName = objUser.Get("sAMAccountName")

Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl

blnMatch = False
For Each objAce In objDiscretionaryAcl
If LCase(objAce.Trustee) = _
LCase(strDomain & "\" & strSAMAccountName) AND _
objAce.ObjectType = Member_SchemaIDGuid AND _
objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT AND _
objAce.AccessMask And ADS_RIGHT_DS_WRITE_PROP Then
blnMatch = True
End If
Next
If blnMatch Then
WScript.Echo "Manager can update the member list"
Else
WScript.Echo "Manager cannot update the member list."
End If
End Sub
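The GetUpdateMemberList routine above recognises only one shape of entry: an object-specific allow ACE for the manager's own account with Write Property on the member attribute. The same write is also permitted by a non-object ACE carrying Write Property (which covers all properties), by Generic Write or Generic All, and by any of those granted to a group the manager belongs to, while a matching deny entry wins over all of them. As an added example that is not part of the original page or of the script samples, the following Python evaluates a DACL for the member write with those cases covered. The ACEs are constructed dictionaries carrying the fields the VBScript reads (Trustee, AceType, AccessMask, ObjectType); group membership of the trustee is passed in as a list of names, since resolving it needs a directory. The rights constants are the ADS_* values from the scripts above plus the generic rights and the Write DAC and Write Owner bits, which do not grant the write by themselves but let the holder grant it to themselves.

```python
# Added example: decide whether a trustee may write the member attribute of a group,
# given its DACL. ACEs are constructed dictionaries with the fields the VBScript
# samples read (Trustee, AceType, AccessMask, ObjectType). Offline; no directory access.

ADS_ACETYPE_ACCESS_ALLOWED = 0x0
ADS_ACETYPE_ACCESS_DENIED = 0x1
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5
ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6

ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_WRITE_DAC = 0x40000
ADS_RIGHT_WRITE_OWNER = 0x80000
ADS_RIGHT_GENERIC_ALL = 0x10000000
ADS_RIGHT_GENERIC_WRITE = 0x40000000

MEMBER_SCHEMA_GUID = "{bf9679c0-0de6-11d0-a285-00aa003049e2}"  # schemaIDGUID of 'member'

ALLOW_TYPES = (ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT)
DENY_TYPES = (ADS_ACETYPE_ACCESS_DENIED, ADS_ACETYPE_ACCESS_DENIED_OBJECT)


def ace_reaches_member(ace):
    """Does this ACE's right set cover a write to 'member'? Generic Write/All do; Write
    Property does when the ACE is not object-specific (all properties) or names member.
    Property-set GUIDs are not expanded here."""
    mask = ace["AccessMask"]
    if mask & (ADS_RIGHT_GENERIC_ALL | ADS_RIGHT_GENERIC_WRITE):
        return True
    if not mask & ADS_RIGHT_DS_WRITE_PROP:
        return False
    object_type = (ace.get("ObjectType") or "").lower()
    return object_type in ("", MEMBER_SCHEMA_GUID)


def can_update_members(dacl, trustees):
    """First-match evaluation over a canonically ordered DACL for the member write.
    trustees: the caller's account plus every group it belongs to. Returns
    (allowed, trustee of the deciding ACE), with None for the implicit deny."""
    names = {t.lower() for t in trustees}
    for entry in dacl:
        if entry["Trustee"].lower() not in names or not ace_reaches_member(entry):
            continue
        if entry["AceType"] in DENY_TYPES:
            return False, entry["Trustee"]
        if entry["AceType"] in ALLOW_TYPES:
            return True, entry["Trustee"]
    return False, None


def can_take_control(dacl, trustees):
    """Trustees whose allow ACEs carry Write DAC or Write Owner: they cannot write member
    today but can rewrite the DACL (or take ownership, then the DACL) to get it."""
    names = {t.lower() for t in trustees}
    return sorted({entry["Trustee"] for entry in dacl
                   if entry["Trustee"].lower() in names
                   and entry["AceType"] in ALLOW_TYPES
                   and entry["AccessMask"] & (ADS_RIGHT_WRITE_DAC | ADS_RIGHT_WRITE_OWNER)})


def manager_checkbox_set(dacl, trustee):
    """The narrower test the VBScript above performs: an object ACE for exactly this
    trustee allowing Write Property on the member attribute."""
    return any(entry["Trustee"].lower() == trustee.lower()
               and entry["AceType"] == ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
               and (entry.get("ObjectType") or "").lower() == MEMBER_SCHEMA_GUID
               and entry["AccessMask"] & ADS_RIGHT_DS_WRITE_PROP
               for entry in dacl)


def make_ace(trustee, ace_type, mask, object_type=None):
    return {"Trustee": trustee, "AceType": ace_type, "AccessMask": mask, "ObjectType": object_type}


# Constructed DACL for the Scientists group (explicit denies first, as Windows orders them)
SAMPLE_DACL = [
    make_ace("NA\\Contractors", ADS_ACETYPE_ACCESS_DENIED_OBJECT, ADS_RIGHT_DS_WRITE_PROP, MEMBER_SCHEMA_GUID),
    make_ace("NA\\MyerKen", ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, ADS_RIGHT_DS_WRITE_PROP, MEMBER_SCHEMA_GUID),
    make_ace("NA\\HelpDesk", ADS_ACETYPE_ACCESS_ALLOWED, ADS_RIGHT_GENERIC_WRITE),
    make_ace("NA\\Contractors", ADS_ACETYPE_ACCESS_ALLOWED, ADS_RIGHT_DS_WRITE_PROP),
    make_ace("NA\\Auditors", ADS_ACETYPE_ACCESS_ALLOWED, ADS_RIGHT_WRITE_DAC),
]

if __name__ == "__main__":
    for who in (["NA\\MyerKen"], ["NA\\YoungRob", "NA\\HelpDesk"],
                ["NA\\ShenAlan", "NA\\Contractors"], ["NA\\Auditors"]):
        print(who, can_update_members(SAMPLE_DACL, who), can_take_control(SAMPLE_DACL, who))
```

In the sample DACL the VBScript's test and this one agree for MyerKen, but only this one sees that HelpDesk members can edit the group through Generic Write, that Contractors are blocked by the deny entry even though an allow follows it, and that Auditors could give themselves the right through Write DAC. Inherited ACEs should be included in the list exactly as the DACL returns them; the order in which the scripts enumerate DiscretionaryAcl is the order Windows evaluates.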

Monday, September 21, 2009

Thanks to Aaron Parker for his writeup on the changes

Profile Changes in Windows Vista/Longhorn Server

by Aaron Parker on Friday, August 25, 2006

in Windows

Windows Vista and Longhorn Server introduce a number of new user profile paths and environment variables that differ from earlier versions of Windows, and these changes may have an impact on scripts such as logon scripts and application install scripts. Most scripts should work correctly: VBScript scripts that use system functions to find folder paths should work as expected; however, batch scripts that use environment variables or hard-coded paths will require modifications. Here's a short rundown of the changes.

The following table lists the old profile path and the corresponding new path under Windows Vista/Longhorn Server (<username> stands for the profile folder name):

Old Path -> New Path
\Documents and Settings -> \Users
\Documents and Settings\Default User (or %LOGONSERVER%\NETLOGON\Default User) -> \Users\Default (or %LOGONSERVER%\NETLOGON\Default User.v2)
\Documents and Settings\<username>\My Documents -> \Users\<username>\Documents
\Documents and Settings\<username>\My Documents\My Pictures -> \Users\<username>\Pictures
\Documents and Settings\<username>\My Documents\My Music -> \Users\<username>\Music
\Documents and Settings\<username>\Favorites -> \Users\<username>\Favorites
N/A -> \Users\<username>\Contacts
N/A -> \Users\<username>\Downloads
N/A -> \Users\<username>\SavedGames
\Documents and Settings\<username>\Application Data -> \Users\<username>\AppData\Roaming
\Documents and Settings\<username>\Local Settings\Application Data -> \Users\<username>\AppData\Local
\Documents and Settings\<username>\Start Menu -> \Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu
\Documents and Settings\All Users -> \Users\Public
\Documents and Settings\All Users\Start Menu -> \ProgramData\Microsoft\Windows\Start Menu
\Documents and Settings\All Users\Desktop -> \Users\Public\Desktop

Folders to take note of here are the folders in the All Users path. Many older applications that use out-of-date methods to resolve system folders will resolve paths under \ProgramData when looking for common locations. For example, the common desktop may be resolved as \ProgramData\Desktop; however, this is actually a junction point for \Users\Public\Desktop. A DIR /A:H listing in the \ProgramData folder reveals the following junction points:

Path -> Points To
\ProgramData\Application Data -> \ProgramData
\ProgramData\Desktop -> \Users\Public\Desktop
\ProgramData\Documents -> \Users\Public\Documents
\ProgramData\Favorites -> \Users\Public\Favorites
\ProgramData\Start Menu -> \ProgramData\Microsoft\Windows\Start Menu
\ProgramData\Templates -> \ProgramData\Microsoft\Windows\Templates

These junction points should offer backward compatibility for older applications, however I have found that some of my installation scripts are not cleaning up shortcuts from the public desktop as expected.

There are also differences in environment variables between the new version of Windows and the older versions. Windows Server 2003 and below define the following variables relating to profiles:

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\aaron\Application Data
HOMEPATH=\Documents and Settings\aaron
TEMP=C:\DOCUME~1\aaron\LOCALS~1\Temp
TMP=C:\DOCUME~1\aaron\LOCALS~1\Temp
USERPROFILE=C:\Documents and Settings\aaron

Windows Vista and Longhorn Server define the same variables while adding a couple more.

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\aaronp\AppData\Roaming
HOMEPATH=\Users\aaronp
LOCALAPPDATA=C:\Users\aaronp\AppData\Local
ProgramData=C:\ProgramData
PUBLIC=C:\Users\Public
TEMP=C:\Users\aaronp\AppData\Local\Temp
TMP=C:\Users\aaronp\AppData\Local\Temp
USERPROFILE=C:\Users\aaronp

In practice, I’ve found that scripts that reference locations such as %ALLUSERSPROFILE%\Desktop, are not performing actions as intended and will have to be updated to use %PUBLIC% instead. Certainly something that requires more investigation.
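As an added example that is not part of Aaron Parker's article, the following Python applies the path table above to the two cases the article calls out: choosing the right public desktop from the environment block a script actually runs with, and rewriting a hard-coded pre-Vista path into its Vista equivalent. The two environment dictionaries are built from the variable listings in the article; the mapping table is the article's, with <username> as a placeholder, and the All Users folder follows the table row (\Users\Public) rather than the ALLUSERSPROFILE variable.

```python
# Added example: resolve profile locations from an environment block and translate
# hard-coded pre-Vista paths with the table from the article. The environment
# dictionaries below are constructed from the article's listings; nothing is read
# from the running OS.

# (old prefix, new prefix); {u} is the profile folder name. Longer prefixes come
# before the shorter ones they extend so the most specific row wins.
PROFILE_PATH_MAP = [
    (r"\Documents and Settings\All Users\Start Menu", r"\ProgramData\Microsoft\Windows\Start Menu"),
    (r"\Documents and Settings\All Users\Desktop", r"\Users\Public\Desktop"),
    (r"\Documents and Settings\All Users", r"\Users\Public"),
    (r"\Documents and Settings\Default User", r"\Users\Default"),
    (r"\Documents and Settings\{u}\Local Settings\Application Data", r"\Users\{u}\AppData\Local"),
    (r"\Documents and Settings\{u}\Application Data", r"\Users\{u}\AppData\Roaming"),
    (r"\Documents and Settings\{u}\Start Menu", r"\Users\{u}\AppData\Roaming\Microsoft\Windows\Start Menu"),
    (r"\Documents and Settings\{u}\My Documents\My Pictures", r"\Users\{u}\Pictures"),
    (r"\Documents and Settings\{u}\My Documents\My Music", r"\Users\{u}\Music"),
    (r"\Documents and Settings\{u}\My Documents", r"\Users\{u}\Documents"),
    (r"\Documents and Settings\{u}", r"\Users\{u}"),
]


def translate_legacy_path(path, username):
    """Rewrite a hard-coded 'Documents and Settings' path to the Vista layout.
    Paths that match no row (already new-style, or elsewhere) come back unchanged."""
    drive, rest = (path[:2], path[2:]) if len(path) > 1 and path[1] == ":" else ("", path)
    for old, new in PROFILE_PATH_MAP:
        old_prefix = old.replace("{u}", username)
        if rest.lower().startswith(old_prefix.lower()):
            return drive + new.replace("{u}", username) + rest[len(old_prefix):]
    return path


def is_vista_layout(env):
    """Vista/Longhorn define PUBLIC and LOCALAPPDATA; 2003 and earlier do not."""
    return "PUBLIC" in env and "LOCALAPPDATA" in env


def common_desktop(env):
    """Where shortcuts for all users go. On Vista ALLUSERSPROFILE is C:\\ProgramData and
    the article reports scripts built on %ALLUSERSPROFILE%\\Desktop misbehaving there,
    so prefer %PUBLIC% and fall back to the All Users profile on older releases."""
    base = env["PUBLIC"] if is_vista_layout(env) else env["ALLUSERSPROFILE"]
    return base + r"\Desktop"


def local_appdata(env):
    """LOCALAPPDATA is new in Vista; before that the folder sits under the profile."""
    if is_vista_layout(env):
        return env["LOCALAPPDATA"]
    return env["USERPROFILE"] + r"\Local Settings\Application Data"


# Constructed from the two variable listings in the article
ENV_2003 = {
    "ALLUSERSPROFILE": r"C:\Documents and Settings\All Users",
    "APPDATA": r"C:\Documents and Settings\aaron\Application Data",
    "USERPROFILE": r"C:\Documents and Settings\aaron",
}
ENV_VISTA = {
    "ALLUSERSPROFILE": r"C:\ProgramData",
    "APPDATA": r"C:\Users\aaronp\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\aaronp\AppData\Local",
    "ProgramData": r"C:\ProgramData",
    "PUBLIC": r"C:\Users\Public",
    "USERPROFILE": r"C:\Users\aaronp",
}

if __name__ == "__main__":
    print(common_desktop(ENV_2003), "->", common_desktop(ENV_VISTA))
    print(translate_legacy_path(r"C:\Documents and Settings\All Users\Desktop\App.lnk", "aaron"))
```

The version test keys on the variables rather than on an OS version string, which is what the article recommends in spirit: ask the environment the script is running in instead of assuming a layout.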

Thursday, September 10, 2009

2008 R2 Remote Desktop Services, Web Access, Connection Broker, and Gateway Service.

So when I was tasked with allowing our top-level execs to access specific resources in the event of an H1N1 outbreak, I figured it would be a big pain in the A**. However, with the release of R2, the process was so simple I was confused as to how easy it was (easy is something I'm not used to).
I will post the setup process soon.

Monday, June 22, 2009

Datatel UI 2.3 Install Script

Yes, this turd-tastic software is back with a new version, 2.3! Same old poorly designed Datatel client that leaves a bad taste in your mouth. Well, if you're looking for help getting this installed, look no further, as I have taken some of my previous scripts and fixed them for the new client. Enjoy!

On Error Resume Next
' First uninstall Datatel UI 2.2 (product code of the 2.2 MSI) and wait for msiexec to exit
Dim WshShell, oExec, objFSO
Set WshShell = CreateObject("WScript.Shell")
Set oExec = WshShell.Exec("MsiExec.exe /uninstall {726A85FE-D304-4C4A-8167-D8A24A7C86F9} /quiet")
Do While oExec.Status = 0
WScript.Sleep 100
Loop

' Next, clean up the leftover per-machine data under the All Users profile.
' One FileSystemObject is enough for both folders; under On Error Resume Next a
' missing folder is skipped silently. The second argument forces read-only files out too.
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.DeleteFolder "C:\Documents and Settings\All Users\Application Data\Datatel", True
objFSO.DeleteFolder "C:\Documents and Settings\All Users\Application Data\IBM", True

' Give the deletion a moment to finish before the install starts
WScript.Sleep 100

' Public properties passed to the Datatel 2.3 installer
varDTSetuptype = " SETUPTYPE=""Standard"""
varDTDatabasDIR = " DATABASEDIR=""\\server\datatel23\"""
varDTHostname = " HOSTNAME=""host.name.int"""
varDTPlatformgroup = " PlatformGroup=""1"""
varDTDbname = " DBNAME=""Live18"""
varDTDbpath = " DBPATH=""/dbpath/apphome"""
varDTLogOpt = " /lv C:\datatel2.3.log"

' Run the installer silently. Window style 0 hides the console and the final True
' makes Run wait for msiexec to return, so the script only exits once the install is done.
WshShell.Run "msiexec /i ""\\server\UIDesktop230msi.msi"" /qn " _
& varDTSetuptype _
& varDTDatabasDIR _
& varDTHostname _
& varDTPlatformgroup _
& varDTDbname _
& varDTDbpath _
& varDTLogOpt, 0, True

' Finish script
WScript.Quit

' End of Script

Friday, June 12, 2009

WDS converting legacy images to WIM

Here is what I had to do when moving from a 2003 WDS server running in legacy mode to a 2008 WDS server running in native mode (native is the only option) with a bunch of XP images.

First set up your 2008 WDS server; for the most part the wizard is self-explanatory: install, point images to a different drive than the %system% drive and begin. However, some issues I had to overcome were multiprocessor and single-processor HALs for XP (Vista/7 does not care about HALs).

For the base install of an XP image I took the parts that pertained to me from Lucius Craig's guide,
mainly

Step 6 and Step 7 (uploading the image to WDS worked just fine for me).

I left the PE image on there for troubleshooting later on down the line; however, I have not had to use it yet.

For XP I had to create 2 XP SP3 captures because some PCs have dual core and some single core, and the HAL for XP will not let you use a DC image on an SC machine.


This guide from Windows-Noob.com helped me set up the capture portion (works great).

Now the issues I had:
an issue I ran into on several images was the 0x80360051 error;
this guide fixed the problem.

My next problem took a couple of days to figure out.
Our server was designed with a 10GB C: drive and a D: drive for images. While the D: drive had plenty of space on it for the images and the final WIM images, the C: drive would run out of space when creating a WIM even if you specified the D: drive. This is because WDS creates a local copy of the image (from wherever it is stored) on the C: drive and then converts it on the fly to the specified drive.
The solution was found using FileMon and noticing that the temporary image was being copied to the %TEMP% directory. After figuring this out, to fix the problem, simply change the environment settings for the user doing the conversion, and change %TEMP% to D:\somefoldername. Now the copy of the image will be copied somewhere other than the local C: drive. Happy converting.

Tuesday, April 7, 2009

Vista Activation issue after adding SATA card

So here is something new: I just added a VIA SATA card, rebooted, and then I get a message saying that due to a hardware change Vista needs to be activated. Seems like a minor inconvenience; however, when I try to activate, I get a message saying my serial is in use. Yeah it is, by me. So WTF, now I have to call MS and re-activate it? What a crock.

Friday, March 6, 2009

Changing the local admin password

'Name: pass.vbs
'Author: Jeramy Thompson
'Date Created 03/05/2009
'Description : Three step process: first gets the local computer's name, then changes
'the local Administrator's password, then writes a completion file
'Other Notes: I like beer, I get bored with standard variables so I set some wacky
'ones in this script
'''''''''''''''''''''''''''''''
' Step 1: the local computer name
Set sasquatch = CreateObject("Wscript.Network")
Yeti = sasquatch.ComputerName
' Step 2: bind to the local Administrator account through the WinNT provider and set the password
Set BigFoot = GetObject("WinNT://" & Yeti & "/Administrator")
BigFoot.SetPassword "SecretPassword"
' Step 3: write a completion marker (timestamp only; the password is not written out)
Dim objFileSystem, objOutputFile
Dim strOutputFile
strOutputFile = "C:\result.txt"
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objOutputFile = objFileSystem.CreateTextFile(strOutputFile, TRUE)
objOutputFile.WriteLine("Password Changed (" & Now & ")")
objOutputFile.Close
Change "SecretPassword" to the password you want. If you are deploying through an SMS-type system you can use VBStoEXE to convert the script to an executable, but treat that as obfuscation only: the script is still carried inside the executable, and in practice anyone who can read the file can recover the password from it, so keep the file out of reach of users rather than relying on the wrapper. The script has to be run as someone with admin rights. If your users have administrative rights you could put it in your logon script; however, it really doesn't matter then, since they can change the password on their own and you probably don't care about the admin password, so this would be completely useless to you. Enjoy.
*Word wrapping does not seem to work well with this site, so if you copy and paste, make sure to adjust the script.
