Creating a Local Group: To create a local group, we are going to use two IADs methods: "Create" and "SetInfo." When we call the Create method, it is actually the method of the group parent object-in this case, the object representing the computer. The syntax is shown in the following example: Set objGroup = objComputer.Create("group", "GroupName")
The Create GroupName script :As you can see, the Create method takes two arguments: the type of object to create ("group"), and the name for the new object ("GroupName").
The SetInfo method, on the other hand, is the method of the newly created group. It must be called to commit the change.
objGroup.SetInfo The script used to SetInfo.
We are going to take a working piece of code-a Windows Script command line utility-to illustrate how a local group can be created on a machine named "TRPublicComputer". This code requires two arguments at runtime: the name of the group to create, and the new group description.
The presumption is made in this sample that TRPublicComputer is the only computer on which local groups are being created. With a little modification, a third argument could be passed using the declared variable strADspath, a binding string (such as WinNT://computername) of the object to which you want to add the group.
We will call the script "CreateLocalGroup.vbs". In this case, we are going to create a group called "Visitors" with a description of "Area 51." To call the script, at the command line, the following syntax would be used: wscript CreateLocalGroup.vbs "Visitors" "Area 51"
Script : Creating a local group called Visitors with a description of Area 51.
Note that while quotes are not necessary for the first parameter, Visitors, they are for the second parameter, Area 51, because of the space. It is always good practice to use quotation marks, even when not necessary.
Prior to running the script, the Groups on the machine appeared as in the following illustration:
Pre-existing local groups on TRPublicComputer.
To start declare the variables that will be needed in the script. The first three variables are string variables.
a. strADsPath" is a set variable pointing to the computer "TRPublicComputer".
b. The other two string variables "strGroupName" and "strDescription" are set to the arguments stated at runtime.
c. The second set of variables are object variables. The first "objTarget" will contain the object to which you wish to add the group (TRPublicComputer) and the second "objNewGroup" will contain the new group with the description property set.
The script will look as the one does in Script
Dim strADsPath
Dim strGroupName
Dim strDescription Dim objTarget
Dim objNewGroup
Script : The script used to declare string variables.
On Error Resume Next has been used to trap expected errors in the input arguments. As we will be passing two arguments, the group name and group description, error trapping has been coded to ensure that both arguments, and no more, have been passed. If the correct information has not been passed at runtime, messages will be passed to the administrator.
The error resume script is shown in Script:
On Error Resume Next
If WScript.Arguments.Count <> 2 Then
WScript.Echo "Wrong number of arguments."
WScript.Echo "Syntax: CreateLocalGroup.vbs "
WScript.Echo "name Name for the new group."
WScript.Echo "description Description of the new Group."
WScript.Quit(1)
End If
Script The script to resume to the next script On Error.
Values are then assigned to the string variables previously declared as shown in Script
strADsPath = "WinNT://TRPublicComputer"
strGroupName = WScript.Arguments(0)
strDescription = WScript.Arguments(1)
Script : Assigned Values to the string values previously declared.
We then bind to the computer object. The error subroutine "AdsiErr()" is outlined later in the code Script 2.8 shows this.
Set objTarget = GetObject(strADsPath)
If Err Then AdsiErr()
Script : The error subroutine "AdsiErr".
The user object is now created and SetInfo is used to commit the change, the new group, to the directory shown in Script .
Set objNewGroup = objTarget.Create("group", strGroupName)
objNewGroup.SetInfo
If Err Then AdsiErr()
The SetInfo command commits the change for the user object.
The description property is set for the new group, and once again SetInfo is called to commit the description to the directory shown below in Script.
objNewGroup.Description = strDescription
objNewGroup.SetInfo
If Err Then AdsiErr()
Setting the Description Property for the new group:
This code will notify the user that the group has been successfully created, and display the name and description of the new group.
Script shows the GetInfo command that is called to ensure that the actual values of Name and Description exist.
objNewGroup.GetInfo
strGroupName = objNewGroup.Name
strDescription = objNewGroup.Description
WScript.Echo "New group " & strGroupName & " created."
WScript.Echo "Description: " & strDescription
Script : The GetInfo command.
The administrator would then be displayed the following message boxes. and Dialog boxes displayed for administrators.
The last part of the script is the AdsiErr() subroutine. It handles two errors that might occur while creating the new group-if a group of the specified name already exists or if the specified group name is invalid.
Any other error is reported as an unexpected error then exits the AdsiErr() subroutine is shown in Script .
Sub AdsiErr()
Dim scriptoutput
Dim errornumber
‘if the group name exists
If Err.Number = &H80070563 Then
scriptoutput = "The group " & strGroupName & " already exists."
‘if the group name is invalid
ElseIf Err.Number = &H800A0408 Then
scriptoutput = "The name '" & strGroupName & "' is invalid as a group Name."‘other error
Else
errornumber = Hex(Err.Number)
scriptoutput = "Unexpected Error " & errornumber & "(" & Err.Number & ")"
End If
WScript.Echo scriptoutput
WScript.Quit(1)
End Sub
The Subroutine AdsiErr.
shows what appears after running this script-the Groups on the computer TRPublicComputer:
The output in the console after running the script:
Most of the samples below are specific to the task at hand; however, each could be modified to hold arguments that are passed at runtime, rather than the identified group or ADsPath.
Creating a Global Group
The following simple script segment demonstrates how you could modify the script previously described to create a global, rather than a local, groups.
We are working with two variables:
? objOU, which is the OU in which the group will be contained; and
? objGroup, which is the new group.
We are also using Name Properties to specify the path in the binding string for Active Directory. A few of the name properties with which you should be familiar are:
? CN - common name
? DC - domain component
? OU - organizational unit.
For example, in the ADsPath in the script sample below, we are using OU to specify that the organizational unit is named "management", and that the domain components are "TotalRecallPress" and "com". The common name for the group is "visitors".
Script shows the Set objOU script.
Set objOU = _
GetObject("LDAP://OU=management,dc=totalrecallpublications,dc=com")
Set objGroup = objOU.Create("Group", "cn=visitors")
objGroup.Put "sAMAccountName", "visitors"
objGroup.SetInfo
Script The Set objOU script.
Listing Group Members
Let's say that you need to modify the access permissions of a particular group. One of the things that must be considered is the effect this will have on each of the members, based on membership in other groups in the domain.
Listing the members of a particular group can be easily automated, using the ADsPath and a simple "for" loop as shown in Script .
Set objGroup = GetObject _
("LDAP://cn=visitors,ou=public,dc=totalrecallpublications,dc=com")
For each objMember in objGroup.Members
Wscript.Echo objMember.Name
Next
Script to list Group Members.
Enumerating Groups and their Membership
It is almost as simple to enumerate all the groups on a specific computer as well as their membership. The script below demonstrates the way to enumerate the local groups and their membership on a specific computer, TRPublicComputer. The filter property of the IADsContainer interface was used to specify the Class of group shown in Script .
strComputer = "TRPublicComputer"
Set colGroups = GetObject("WinNT://" & strComputer & "")
colGroups.Filter = Array("group")
For Each objGroup In colGroups
Wscript.Echo objGroup.Name
For Each objUser in objGroup.Members
Wscript.Echo vbTab & objUser.Name
Next
NextScript : Enumerating Groups and their Memberships.
Jada Brock-Soldavini is author of book InsideScoop to Windows Server 2003 Certification Examination 70-290 Managing and Maintaining a Microsoft Windows ServerTM 2003 Environment. Jada works for the State of Georgia as a Network Services Administrator. She has co-authored or contributed to other numerous works pertaining to Microsoft Windows technologies. In her spare time she enjoys cooking, writing and reading anything that pertains to Network and Security technology. To buy my book, please visit www.totalrecallpress.com.
- Article Word Count: 1363
- |
- Total Views: 83
- |
- permalink