#204229 - 2012-02-07 08:29 PM
GetADGroups UDF doesn't list the primary group?
jadewith
Fresh Scripter
Registered: 2003-06-13
Posts: 45
Loc: Good ole U S of A
Hi all,
I was wondering if anyone has ever seen something like this. I am using the script below to get a visual on which users are in incorrect groups. While I was looking for a way to denote the primary group, I noticed that the user's primary group is not in the list of groups generated.
Any ideas? I am running this against a Windows 2003 AD from one of the DCs of the domain in question.
Break On
$rc=SetOption('wrapateol','on')
; Enumerate every user object in the domain through the WinNT provider
$oDomain = GetObject("WinNT://" + 'MyDomain')
$oDomain.filter = "User", ""
$iniPath='c:\logon\groupslist.ini'
For Each $user In $oDomain
    $name='MyDomain\'+$user.name
    ; NT4-style name (lookup type 3) to distinguishedName (return type 1);
    ; element 0 of the returned array is the DN, used as this user's INI section
    $userhome = TranslateName(3, "", 3, $name, 1)
    $c=1
    ; One "Group #n" key per group returned by the UDF
    For Each $group In GetADUserGroups($name)
        $rc=WriteProfileString($iniPath,$userhome[0],'Group #'+$c,$group)
        $c=$c+1
    Next
Next

; Wraps the NameTranslate object; returns an array of (name, @ERROR, @SERROR)
Function TranslateName($InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType)
    Dim $InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType
    Dim $NameTranslate, $ReturnName, $Error, $ErrorText
    $Error = 0
    $ErrorText = ""
    $ReturnName = ""
    $NameTranslate = CreateObject("NameTranslate")
    $Error = @ERROR
    $ErrorText = @SERROR
    If $Error = 0
        $NameTranslate.Init($InitType, $BindName)
        $Error = @ERROR
        $ErrorText = @SERROR
        If $Error = 0
            $NameTranslate.Set($LookupNameType, $LookupName)
            $Error = @ERROR
            $ErrorText = @SERROR
            If $Error = 0
                $ReturnName = $NameTranslate.Get($ReturnNameType)
                $Error = @ERROR
                $ErrorText = @SERROR
            EndIf
        EndIf
    EndIf
    $TranslateName = $ReturnName, $Error, $ErrorText
EndFunction

; Returns the groups listed in the user's memberOf attribute;
; $mode 0 returns group CNs, any other value returns distinguishedNames
Function getADUserGroups(optional $username, optional $mode)
    Dim $objTrans, $objUser, $group, $array[0], $i
    ; Default to the current user and qualify a bare name with the logon domain
    If $username=""
        $username=@LDOMAIN + "\"+ @USERID
    EndIf
    If Not InStr($username,"\")
        $username=@LDOMAIN + "\" + $username
    EndIf
    $objTrans = CreateObject("NameTranslate")
    If @ERROR
        Exit @ERROR
    Else
        ; Translate DOMAIN\user (type 3) to a DN (type 1) so it can be bound via LDAP
        $objTrans.Init(3, "")
        $objTrans.Set(3,$username)
        $username = $objTrans.Get(1)
        If @ERROR
            Exit @ERROR
        Else
            ; memberOf holds only the groups the user was explicitly added to
            For Each $group In GetObject("LDAP://" + $username).GetEx("memberof")
                ReDim Preserve $array[$i]
                If $mode=0
                    $array[$i]=GetObject("LDAP://" + $group).cn
                Else
                    $array[$i]=$group
                EndIf
                $i=$i+1
            Next
            $getADUserGroups=$array
        EndIf
    EndIf
EndFunction
#204230 - 2012-02-07 09:19 PM
Re: GetADGroups UDF doesn't list the primary group?
[Re: jadewith]
Allen
KiX Supporter
Registered: 2003-04-19
Posts: 4557
Loc: USA
It appears that this is by MS design. See some of these articles... http://www.google.com/search?hl=&q=ldap+..._US434&ie=UTF-8 I think I read one article that says MS does not recommend changing the default primary group.
I have seen a script to get the primary group, but so far I could not get it to work. I'll try again and let you know.
#204231 - 2012-02-07 10:25 PM
Re: GetADGroups UDF doesn't list the primary group?
[Re: Allen]
Allen
KiX Supporter
Registered: 2003-04-19
Posts: 4557
Loc: USA
Okay, try this modified version... It will always return the primary group as the first member of the array. This still needs some work and there may be a better way to do this, but I think it is a start.
For Each $group In GetADUserGroups(,1)
    ? $group
Next

Function getADUserGroups(optional $username, optional $mode)
    Dim $objTrans, $objUser, $group, $array[0], $i, $found
    ; Default to the current user and qualify a bare name with the logon domain
    If $username=""
        $username=@ldomain + "\"+ @userid
    EndIf
    If Not InStr($username,"\")
        $username=@ldomain + "\" + $username
    EndIf
    ; WinNT paths use DOMAIN/user rather than DOMAIN\user
    $user=Join(Split($username,"\"),"/")
    $objUserWinNT = GetObject("WinNT://" + $user + ",user")
    If @error=0
        ; primaryGroupID holds the RID of the primary group, which memberOf never lists
        $intGroupID = $objUserWinNT.primaryGroupID
        ; The WinNT provider's Groups collection does include the primary group, so build
        ; an OR filter over those names and read each candidate's primaryGroupToken
        $strFilter = "(|"
        For Each $objGroup In $objUserWinNT.Groups
            $strFilter = $strFilter + "(sAMAccountName=" + $objGroup.name + ")"
        Next
        $strFilter = $strFilter + ")"
        $strAttributes = "sAMAccountName,primaryGroupToken,distinguishedName"
        $objRootDSE = GetObject("LDAP://RootDSE")
        $strDNSDomain = $objRootDSE.Get("defaultNamingContext")
        $adoConnection = CreateObject("ADODB.Connection")
        $adoCommand = CreateObject("ADODB.Command")
        $adoConnection.Provider = "ADsDSOObject"
        $adoConnection.Open("Active Directory Provider")
        $adoCommand.ActiveConnection = $adoConnection
        $strQuery = "<LDAP://" + $strDNSDomain + ">;" + $strFilter + ";" + $strAttributes + ";subtree"
        $adoCommand.CommandText = $strQuery
        $adoCommand.Properties("Page Size").value=100
        $adoCommand.Properties("Timeout").value=30
        $adoCommand.Properties("Cache Results").value= Not 1
        $adoRecordset = $adoCommand.Execute
        ; The group whose primaryGroupToken equals the user's primaryGroupID is the
        ; primary group; it becomes element 0 of the result array
        If $adoRecordset.EOF = 0
            Do
                $intGroupToken = $adoRecordset.Fields("primaryGroupToken").Value
                If $intGroupToken = $intGroupID
                    If $mode=0
                        $array[$i] = $adoRecordset.Fields("sAMAccountName").Value
                    Else
                        $array[$i] = $adoRecordset.Fields("distinguishedName").Value
                    EndIf
                    $i=$i+1
                    $found=1
                EndIf
                $adoRecordset.MoveNext
            Until $adoRecordset.EOF Or $found=1
        EndIf
        $adoRecordset.Close
        $adoConnection.Close
    EndIf
    ; Append the memberOf groups after the primary group, as in the original UDF
    $objTrans = CreateObject("NameTranslate")
    If @error
        Exit @error
    Else
        $objTrans.Init(3, "")
        $objTrans.Set(3,$username)
        $username = $objTrans.Get(1)
        If @error
            Exit @error
        Else
            For Each $group In GetObject("LDAP://" + $username).GetEx("memberof")
                ReDim Preserve $array[$i]
                If $mode=0
                    $array[$i]=GetObject("LDAP://" + $group).cn
                Else
                    $array[$i]=$group
                EndIf
                $i=$i+1
            Next
            $getADUserGroups=$array
        EndIf
    EndIf
EndFunction
Props to Richard Mueller for the basis of this modification... http://www.rlmueller.net/Programs/GetPrimaryGroup.txt
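As an added example, not code from the thread, from the KiXtart UDFs above or from Richard Mueller's script: an offline model of the two points the posts make, i.e. that a memberOf-based listing omits the primary group, and that the primary group is found by matching the user's primaryGroupID (a RID) against each group's RID, which AD exposes as the constructed attribute primaryGroupToken. It also shows the check Allen's remark about MS advice suggests, flagging users whose primary group is no longer the default Domain Users (well-known RID 513). The domain SID, group and user records are constructed sample data; the function names are mine.

```python
# Added example (not from the thread or KiXtart): resolve a user's primary group
# from primaryGroupID the way Allen's modified UDF does, and show what a
# memberOf-only listing misses. All directory records here are constructed.
import struct

DOMAIN_USERS_RID = 513  # well-known RID of the default primary group "Domain Users"

def sid_string_to_bytes(sid: str) -> bytes:
    """Encode an S-1-5-21-... string into the binary objectSid layout AD stores."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def sid_bytes_to_string(sid: bytes) -> str:
    """Decode binary objectSid: revision byte, sub-authority count byte,
    48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def rid_of(sid: bytes) -> int:
    """The RID is the last sub-authority; for a group it equals primaryGroupToken."""
    return int(sid_bytes_to_string(sid).rsplit("-", 1)[1])

# Constructed domain SID and group records keyed by distinguishedName
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GROUPS = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "sAMAccountName": "Domain Users",
        "objectSid": sid_string_to_bytes(DOMAIN_SID + "-513")},
    "CN=Domain Admins,CN=Users,DC=example,DC=com": {
        "sAMAccountName": "Domain Admins",
        "objectSid": sid_string_to_bytes(DOMAIN_SID + "-512")},
    "CN=Finance,OU=Groups,DC=example,DC=com": {
        "sAMAccountName": "Finance",
        "objectSid": sid_string_to_bytes(DOMAIN_SID + "-1105")},
}

# Constructed user records: primaryGroupID is an integer RID, memberOf a list of DNs.
USERS = {
    "alice": {"primaryGroupID": 513,
              "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]},
    # bob's primary group was changed away from Domain Users; only the
    # primaryGroupID attribute records that membership, memberOf does not
    "bob": {"primaryGroupID": 512,
            "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]},
}

def member_of_only(user, groups):
    """What the original UDF reports: memberOf entries resolved to names."""
    return [groups[dn]["sAMAccountName"] for dn in user["memberOf"]]

def primary_group(user, groups):
    """Allen's resolution: the group whose RID equals the user's primaryGroupID."""
    for g in groups.values():
        if rid_of(g["objectSid"]) == user["primaryGroupID"]:
            return g["sAMAccountName"]
    return None

def effective_groups(user, groups):
    """Primary group first, then memberOf, mirroring the modified UDF's array order."""
    primary = primary_group(user, groups)
    return ([primary] if primary is not None else []) + member_of_only(user, groups)

def nondefault_primary_group(users):
    """Users whose primary group is not Domain Users; a memberOf-only audit
    would not see the group these users actually belong to via primaryGroupID."""
    return sorted(name for name, u in users.items()
                  if u["primaryGroupID"] != DOMAIN_USERS_RID)

if __name__ == "__main__":
    for name, u in USERS.items():
        print(name, "memberOf only:", member_of_only(u, GROUPS),
              "| with primary group:", effective_groups(u, GROUPS))
    print("non-default primary group:", nondefault_primary_group(USERS))
```

In a real directory the objectSid comes back from LDAP as exactly the byte layout sid_bytes_to_string decodes, so the same RID comparison works whether you read primaryGroupToken as the UDF does or derive the RID from objectSid yourself.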
#204245 - 2012-02-08 04:17 PM
Re: GetADGroups UDF doesn't list the primary group?
[Re: Allen]
jadewith
Fresh Scripter
Registered: 2003-06-13
Posts: 45
Loc: Good ole U S of A
That works perfectly Allen. Thanks for the help!