| Witto |
| (MM club member) |
| 2009-08-31 03:13 PM |
|
Can InGroup() check whether a Computer Account is member of a group
|
Originally Posted By: KiXtart Manual
INGROUP
Action
Checks whether the current user is a member of one or more groups.
Can InGroup() be changed so that it checks whether the current account is member of one or more groups?
Account can be "User Account" or "Computer Account".
If a KiXtart script is run by a "User Account", membership is checked for this "user Account".
If a KiXtart script is run by the "System Account" on a computer, it would be nice to know whether the computer is member of a (Global Security) group.
| Mart |
| (KiX Supporter) |
| 2009-08-31 03:52 PM |
|
|
Re: Can InGroup() check whether a Computer Account is member of a group
|
Maybe a second optional parameter to specify a user or computer account would be an option. If not specified check the user account.
Code:
;Second parameter not given so use default and check the user account.
If InGroup("SomeUserGroup")
?"User is a member."
EndIf
;Second parameter is given so check the computer account.
If InGroup("SomeComputerGroup", 1)
?"Computer is a member."
EndIf
| Witto |
| (MM club member) |
| 2009-08-31 05:56 PM |
|
|
|
Re: Can InGroup() check whether a Computer Account is member of a group
|
Than you can use ComputerInGroup()
That is what I will try to use now. But it should not matter whether the account is a user or a computer. What matters is the account that runs the script.
| Witto |
| (MM club member) |
| 2009-09-10 04:48 PM |
|
|
|
Re: Can InGroup() check whether a Computer Account is member of a group
|
In Thread 84541 there is a quote from Ruud
Originally Posted By: Ruud
Regarding the AD Compuer Groups part:
Well, this is on the todo-list, but it's not as easy as you might think: KIX32 runs in the security context of the user, so it can't just use the computer token to retrieve group information. The only way to get at any information on the computer account is to query Active Directory, and this can become really expensive, considering the Universal and nested Global groups. I'm looking into the options, but I can't promise anything yet.
--Ruud
When kix32.exe or wkix32.exe is used in startup or shutdown scripts, it runs in the security context of the system account (the computer). So I would think the computer token can be used to retrieve group information.
| Luub |
| (Just in Town) |
| 2012-03-16 03:19 PM |
|
Re: Can InGroup() check whether a Computer Account is member of a group
|
I copied dsquery.exe and dsget.exe to our NETLOGON-share and use the following UDF:
Code:
function ComputerInGroup ($group) dim $false, $true $false = 0 $true = not $false shell '%comspec% /c %logonserver%\netlogon\dsquery /? >nul 2>nul' if @error $computeringroup = $false exit $true endif shell '%comspec% /c %logonserver%\netlogon\dsget /? >nul 2>nul' if @error $computeringroup = $false exit $true endif shell '%comspec% /c %logonserver\netlogon\squery computer -name @wksta |%logonserver%\netlogon\dsget computer -memberof -expand |find /i "$group" >nul 2>nul' if @error $computeringroup = $false else $computeringroup = $true endif return endfunction
Allen
|
| (KiX Supporter) |
| 2012-03-16 03:35 PM |
|
Re: Can InGroup() check whether a Computer Account is member of a group
|
In addition to Luub's UDF, there are three others that get the same info:
ComputerInGroup() - WinNT Provider
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=84539
ComputerInGroup() - LDAP Provider
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=195717
fnInGroupAD - Works with Users or Computers
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=144167
| srm11671 |
| (Fresh Scripter) |
| 2020-02-26 07:13 PM |
|
Re: Can InGroup() check whether a Computer Account is member of a group
|
how would the syntax look if trying to CALL something based on if the PC is a member of a group, as there is sometimes some nesting that doesn't show the PC object directly, if that make sense
thanks