Creating a Local Group: To create a local group we use two ADSI methods, Create and SetInfo. Create belongs to the IADsContainer interface, so it is called on the parent of the new group, which for a local group is the object representing the computer. The syntax is shown in the following example:
Set objGroup = objComputer.Create("group", "GroupName")
As you can see, the Create method takes two arguments: the class of object to create ("group") and the name for the new object ("GroupName").
SetInfo, on the other hand, is an IADs method of the newly created group object. Create only builds the object in the local property cache; nothing exists on the computer until SetInfo is called to commit it:
objGroup.SetInfo
We are going to take a working piece of code, a Windows Script Host command-line script, to illustrate how a local group can be created on a machine named "TRPublicComputer". The script requires two arguments at runtime: the name of the group to create and the description of the new group. The sample presumes that TRPublicComputer is the only computer on which local groups are being created. With a little modification a third argument could supply the value of the declared variable strADsPath, the binding string (such as WinNT://computername) of the object to which you want to add the group.
We will call the script "CreateLocalGroup.vbs". In this case we are going to create a group called "Visitors" with a description of "Area 51".
To call the script, at the command line, the following syntax would be used:
wscript CreateLocalGroup.vbs "Visitors" "Area 51"
Creating a local group called Visitors with a description of Area 51.
Note that while quotes are not necessary for the first parameter, Visitors, they are for the second, Area 51, because of the space; it is good practice to quote every argument. Under wscript.exe each WScript.Echo appears as a message box; run the script with cscript.exe instead if you want the output written to the console.
Prior to running the script, the Groups on the machine appeared as in the following illustration:
Pre-existing local groups on TRPublicComputer.
To start, declare the variables the script needs. The first three are string variables:
a. strADsPath holds the binding string for the computer "TRPublicComputer".
b. strGroupName and strDescription receive the two arguments supplied at runtime.
c. The remaining two are object variables: objTarget holds the object to which the group is added (the computer TRPublicComputer) and objNewGroup holds the new group, on which the Description property is set.
The declarations look like this:
Dim strADsPath
Dim strGroupName
Dim strDescription
Dim objTarget
Dim objNewGroup
Script: Declaring the variables.
On Error Resume Next disables the default error handling so that errors raised by ADSI can be examined through the Err object (see the AdsiErr subroutine below). The script then checks that exactly two arguments, the group name and the group description, were passed; if not, a usage message is displayed to the administrator and the script exits with a non-zero exit code.
The argument check is shown in the following script:
On Error Resume Next
If WScript.Arguments.Count <> 2 Then
WScript.Echo "Wrong number of arguments."
WScript.Echo "Syntax: CreateLocalGroup.vbs name description"
WScript.Echo "  name         Name for the new group."
WScript.Echo "  description  Description of the new group."
WScript.Quit(1)
End If
Script: Checking the arguments.
Values are then assigned to the string variables previously declared:
strADsPath = "WinNT://TRPublicComputer"
strGroupName = WScript.Arguments(0)
strDescription = WScript.Arguments(1)
Script: Assigning values to the string variables.
We then bind to the computer object. If the bind fails (for example because the computer name is wrong or the machine is unreachable), the error subroutine AdsiErr(), shown later, reports it:
Set objTarget = GetObject(strADsPath)
If Err Then AdsiErr()
Script: Binding to the computer object.
The group object is now created and SetInfo commits the new group to the computer's account database:
Set objNewGroup = objTarget.Create("group", strGroupName)
objNewGroup.SetInfo
If Err Then AdsiErr()
Script: Creating the group and committing it with SetInfo.
The Description property is then set on the new group and SetInfo is called again to commit the description:
objNewGroup.Description = strDescription
objNewGroup.SetInfo
If Err Then AdsiErr()
Script: Setting the Description property of the new group.
Finally the script confirms the result to the user, displaying the name and description of the new group. GetInfo reloads the property cache from the computer, so the values shown are the ones actually stored rather than the ones the script assigned:
objNewGroup.GetInfo
strGroupName = objNewGroup.Name
strDescription = objNewGroup.Description
WScript.Echo "New group " & strGroupName & " created."
WScript.Echo "Description: " & strDescription
Script: Reading back the committed values with GetInfo.
Run under wscript.exe, the administrator sees these as message boxes.
The last part of the script is the AdsiErr() subroutine. It recognises two errors that can occur while creating the group: a group with the specified name already exists (0x80070563, ERROR_GROUP_EXISTS), or the specified group name is invalid (0x800A0408). Any other error is reported as unexpected, with its code in hexadecimal and decimal. In every case the script then exits with exit code 1:
Sub AdsiErr()
Dim scriptoutput
Dim errornumber
' the group name already exists
If Err.Number = &H80070563 Then
scriptoutput = "The group " & strGroupName & " already exists."
' the group name is invalid
ElseIf Err.Number = &H800A0408 Then
scriptoutput = "The name '" & strGroupName & "' is invalid as a group name."
' any other error
Else
errornumber = Hex(Err.Number)
scriptoutput = "Unexpected Error " & errornumber & " (" & Err.Number & ")"
End If
WScript.Echo scriptoutput
WScript.Quit(1)
End Sub
Script: The AdsiErr subroutine.
After the script has run, the Groups list on TRPublicComputer includes the new group:
The groups on TRPublicComputer after running the script.
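The same procedure as an added example in PowerShell (this is not code from the article): it drives the same ADSI WinNT provider through the [ADSI] type accelerator, so Create, SetInfo and the property cache behave exactly as described above. Unlike the VBScript, the computer name is a parameter, and the two error cases that AdsiErr() maps are checked before the group is created rather than after the failure. The function and parameter names are this example's own choices.

```powershell
# Added example, not code from the article: a PowerShell port of
# CreateLocalGroup.vbs that drives the ADSI WinNT provider through the
# [ADSI] type accelerator. Function and parameter names are this example's own.
function New-AdsiLocalGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Description,
        [string] $ComputerName = $env:COMPUTERNAME   # e.g. 'TRPublicComputer'
    )

    # Windows account-name rules: at most 256 characters, not made up only of
    # periods and spaces, and none of the characters  " / \ [ ] : ; | = , + * ? < >
    if ($Name.Length -eq 0 -or $Name.Length -gt 256 -or
        $Name -match '^[ .]+$' -or $Name -match '["/\\\[\]:;|=,+*?<>]') {
        throw "The name '$Name' is invalid as a group name."
    }

    # Check first rather than waiting for SetInfo to fail with 0x80070563
    # (ERROR_GROUP_EXISTS), the error the VBScript's AdsiErr() subroutine maps.
    if ([ADSI]::Exists("WinNT://$ComputerName/$Name,group")) {
        throw "The group $Name already exists on $ComputerName."
    }

    $computer = [ADSI]"WinNT://$ComputerName,computer"
    try {
        $group = $computer.Create('group', $Name)   # IADsContainer::Create on the parent
        $group.SetInfo()                            # IADs::SetInfo commits the new object
        $group.Put('Description', $Description)     # still only in the property cache ...
        $group.SetInfo()                            # ... until this second commit
    }
    catch [System.Runtime.InteropServices.COMException] {
        $hr = '{0:X8}' -f $_.Exception.ErrorCode
        throw "ADSI error 0x$hr while creating group '$Name' on ${ComputerName}: $($_.Exception.Message)"
    }

    # Equivalent of IADs::GetInfo: re-read the cache from the computer so the
    # values reported are the ones actually stored.
    $group.psbase.RefreshCache()
    [pscustomobject]@{
        Computer    = $ComputerName
        Name        = $group.Name.Value
        Description = $group.Description.Value
    }
}

# Usage, equivalent to:  wscript CreateLocalGroup.vbs "Visitors" "Area 51"
# New-AdsiLocalGroup -Name 'Visitors' -Description 'Area 51' -ComputerName 'TRPublicComputer'
```

The name check implements the documented Windows rules for account names rather than waiting for the provider to reject the name, and the existence check uses the static DirectoryEntry.Exists method on the group's own ADsPath ("WinNT://computer/name,group"). Any other COM error is surfaced with its HRESULT in hexadecimal, which is the form the ADSI documentation and the VBScript's AdsiErr() use.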
Most of the samples below are specific to the task at hand; however, each could be modified to take the group name or the ADsPath as runtime arguments rather than hard-coding them.
Creating a Global Group: The following simple script segment demonstrates how you could modify the script previously described to create a global, rather than a local, group. When no groupType is specified, the LDAP provider creates a global security group, which is what this sample relies on.
We are working with two variables:
• objOU, which is the OU in which the group will be contained; and
• objGroup, which is the new group.
We are also using naming attributes to specify the path in the binding string for Active Directory. A few of the naming attributes with which you should be familiar are:
• CN - common name
• DC - domain component
• OU - organizational unit.
For example, in the ADsPath in the script sample below, OU specifies that the organizational unit is named "management", the domain components are "totalrecallpublications" and "com", and the common name of the group is "visitors".
The script:
Set objOU = _
GetObject("LDAP://OU=management,dc=totalrecallpublications,dc=com")
Set objGroup = objOU.Create("Group", "cn=visitors")
' sAMAccountName is mandatory for a group; Create only sets the RDN
objGroup.Put "sAMAccountName", "visitors"
objGroup.SetInfo
Script: Creating a global group in the management OU.
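An added example (not code from the article) that makes the group scope and type explicit instead of relying on the provider default, using the same LDAP provider through PowerShell's [ADSI] accelerator. It also checks that the sAMAccountName is free before creating the group, and escapes the name both in the LDAP filter and in the RDN so that a name containing special characters cannot break either. The OU and domain are the article's; the function, parameter and variable names are this example's own.

```powershell
# Added example, not code from the article: creates a group in an OU through
# the ADSI LDAP provider with groupType set explicitly. Container path is the
# article's; function, parameter and helper names are this example's own.
function New-AdsiDomainGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $ContainerPath = 'LDAP://OU=management,DC=totalrecallpublications,DC=com',
        [ValidateSet('Global', 'DomainLocal', 'Universal')] [string] $Scope = 'Global',
        [switch] $Distribution   # default is a security group
    )

    # Bits of the ADS_GROUP_TYPE_ENUM enumeration that make up groupType.
    $ADS_GROUP_TYPE_GLOBAL_GROUP       = 0x00000002
    $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
    $ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 0x00000008
    $ADS_GROUP_TYPE_SECURITY_ENABLED   = 0x80000000

    $groupType = switch ($Scope) {
        'Global'      { $ADS_GROUP_TYPE_GLOBAL_GROUP }
        'DomainLocal' { $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP }
        'Universal'   { $ADS_GROUP_TYPE_UNIVERSAL_GROUP }
    }
    if (-not $Distribution) { $groupType = $groupType -bor $ADS_GROUP_TYPE_SECURITY_ENABLED }
    # groupType is a signed 32-bit attribute: 0x80000002 must be written as -2147483646.
    if ($groupType -gt [int]::MaxValue) { $groupType -= 0x100000000 }
    $groupType = [int]$groupType

    # sAMAccountName must be unique in the whole domain, so search from the
    # domain root. Escape the value per RFC 4515 so it cannot alter the filter.
    $escaped  = $Name -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domain   = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$escaped))"
    if ($searcher.FindOne()) { throw "A group with sAMAccountName '$Name' already exists in the domain." }

    # The RDN is a DN component: escape the characters that are special in a DN.
    $rdnValue = $Name -replace '([\\,+"<>;=])', '\$1'
    if ($rdnValue -match '^[ #]') { $rdnValue = '\' + $rdnValue }

    $ou    = [ADSI]$ContainerPath
    $group = $ou.Create('group', "CN=$rdnValue")   # Create sets only the RDN ...
    $group.Put('sAMAccountName', $Name)            # ... sAMAccountName is mandatory for groups
    $group.Put('groupType', $groupType)
    $group.SetInfo()                               # nothing exists in AD before this call
    $group
}

# Usage, matching the article's script but with scope and type made explicit:
# New-AdsiDomainGroup -Name 'visitors' -Scope Global
```

The groupType arithmetic matters because the attribute is a signed 32-bit integer: a global security group is stored as -2147483646 (0x80000002), and writing the unsigned value fails. The LDAP filter escaping is the same measure you would take against LDAP injection anywhere a caller-supplied value ends up inside a filter.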
Listing Group Members
Let's say that you need to modify the access permissions of a particular group. One of the things that must be considered is the effect this will have on each of the members, based on membership in other groups in the domain.
Listing the members of a particular group can easily be automated using the group's ADsPath and a simple For Each loop over the Members collection of the IADsGroup interface:
Set objGroup = GetObject _
("LDAP://cn=visitors,ou=public,dc=totalrecallpublications,dc=com")
For each objMember in objGroup.Members
Wscript.Echo objMember.Name
Next
Script: Listing group members.
Enumerating Groups and their Membership
It is almost as simple to enumerate all the groups on a specific computer together with their membership. The script below enumerates the local groups and their members on a specific computer, TRPublicComputer. The Filter property of the IADsContainer interface restricts the enumeration to objects of the class group:
strComputer = "TRPublicComputer"
Set colGroups = GetObject("WinNT://" & strComputer)
colGroups.Filter = Array("group")
For Each objGroup In colGroups
Wscript.Echo objGroup.Name
For Each objUser in objGroup.Members
Wscript.Echo vbTab & objUser.Name
Next
Next
Script : Enumerating Groups and their Memberships.
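The concern raised above, that a permission change on one group affects members it inherits through other groups, is not answered by listing direct members only. The following added example (not code from the article) expands a domain group's membership recursively through the LDAP provider, following nested groups and stopping when a group is reached a second time, so a nesting loop cannot make it run forever. The group DN is the article's; the function and parameter names are this example's own.

```powershell
# Added example, not code from the article: recursive expansion of a domain
# group's membership over the ADSI LDAP provider, with cycle detection.
# Function and parameter names are this example's own.
function Get-AdsiGroupMemberRecursive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GroupDN,
        [int] $Depth = 0,
        [System.Collections.Generic.HashSet[string]] $Visited =
            [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    )

    # A second visit to the same group means a nesting loop or a duplicate path: stop here.
    if (-not $Visited.Add($GroupDN)) { return }

    # '/' separates the components of an ADsPath, so a '/' inside a DN must be escaped.
    $group = [ADSI]('LDAP://' + ($GroupDN -replace '/', '\/'))

    foreach ($memberDN in @($group.member)) {
        $member = [ADSI]('LDAP://' + ($memberDN -replace '/', '\/'))
        $class  = $member.psbase.SchemaClassName   # user, group, computer, foreignSecurityPrincipal, ...
        [pscustomobject]@{
            Depth = $Depth
            Class = $class
            Name  = $member.psbase.Name            # the RDN, e.g. CN=John Doe
            DN    = $memberDN
            Via   = $GroupDN                       # the group through which this member was reached
        }
        if ($class -eq 'group') {
            Get-AdsiGroupMemberRecursive -GroupDN $memberDN -Depth ($Depth + 1) -Visited $Visited
        }
    }
}

# Usage with the article's group: every user reachable through nesting, listed once.
# Get-AdsiGroupMemberRecursive -GroupDN 'cn=visitors,ou=public,dc=totalrecallpublications,dc=com' |
#     Where-Object Class -eq 'user' | Sort-Object DN -Unique | Format-Table Depth, Name, Via
```

Two caveats a practitioner should keep in mind. The member attribute does not include accounts whose primaryGroupID points at the group (Domain Users is the usual case), so those have to be found with a separate search on primaryGroupID. And for groups with more than about 1500 members Active Directory returns the attribute in ranges (member;range=0-1499), which this simple property read does not page through.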
Moving a Group within a Domain
The following script shows the MoveHere method in action. In this code sample the group is moved from the IT OU to the Visitors container. Note that the namespace (LDAP) stays the same; MoveHere cannot move an object to a different provider. The second argument, vbNullString, keeps the object's existing relative distinguished name; a new name could be passed there instead.
Set objOU = _
GetObject("LDAP://cn=Visitors,dc=totalrecallpublications,dc=com")
objOU.MoveHere _
"LDAP://cn=Visitors,ou=IT,dc=totalrecallpublications,dc=com", _
vbNullString
Script: The MoveHere method.
When dealing with MoveHere, it is important to remember the information given in Microsoft Knowledge Base article 326978, "Error When Executing the MoveHere Method of an IADsContainer Object". A portion of this article is replicated below.
SYMPTOMS
When you run the MoveHere method of the IADsContainer object, you may receive the following error message:
The server is unwilling to process the request. 0x80072035
CAUSE
You receive this error when you try to move a user object that is a member of a global group from a parent domain to a child domain. Global groups can only contain members from the domain where the global group was made.
RESOLUTION
Remove the user from all global groups except the user's primary group. In this way, you can move the user from the child domain to the parent domain.
The user's old security identifier (SID) is added to the new user object's SidHistory attribute, and the user is given a new SID. Additionally, by default, the user's primary group is set to the parent domain's Domain Users group, and the password of the object is preserved.
STATUS
This behavior is by design.
MORE INFORMATION
You may also receive this error message if you try to add a global group of the security group type to another global group of the same kind in a pre-Windows 2000 (mixed-mode) domain. Adding a global group to another global group succeeds in a native-mode domain.
This is by design.
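The same move as an added example in PowerShell (not code from the article or the KB article). Under the [ADSI] accelerator the object is a .NET DirectoryEntry, whose MoveTo method wraps IADsContainer::MoveHere; the error the KB article describes arrives as a COMException carrying HRESULT 0x80072035, which the function reports by name. The paths are the article's; the function and parameter names are this example's own.

```powershell
# Added example, not code from the article: IADsContainer::MoveHere through
# DirectoryEntry.MoveTo, reporting the KB 326978 error by its HRESULT.
# Function and parameter names are this example's own.
function Move-AdsiObject {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourcePath,       # e.g. 'LDAP://cn=Visitors,ou=IT,dc=totalrecallpublications,dc=com'
        [Parameter(Mandatory)] [string] $TargetContainer,  # e.g. 'LDAP://cn=Visitors,dc=totalrecallpublications,dc=com'
        [string] $NewName                                  # new RDN such as 'cn=Visitors'; omit to keep the name (vbNullString in the VBScript)
    )
    $source = [ADSI]$SourcePath
    $target = [ADSI]$TargetContainer
    try {
        if ($NewName) { $source.psbase.MoveTo($target, $NewName) }
        else          { $source.psbase.MoveTo($target) }
        $source.psbase.Path   # the ADsPath after the move
    }
    catch [System.Runtime.InteropServices.COMException] {
        $hr = '{0:X8}' -f $_.Exception.ErrorCode
        if ($hr -eq '80072035') {
            throw "The server is unwilling to process the request (0x80072035) while moving '$SourcePath'. One documented cause is the global-group membership constraint described in KB 326978."
        }
        throw "ADSI error 0x$hr while moving '$SourcePath': $($_.Exception.Message)"
    }
}

# Usage (the article's move):
# Move-AdsiObject -SourcePath 'LDAP://cn=Visitors,ou=IT,dc=totalrecallpublications,dc=com' `
#                 -TargetContainer 'LDAP://cn=Visitors,dc=totalrecallpublications,dc=com'
```

0x80072035 is the generic "unwilling to perform" result from the directory, so the message points at the KB article's cause as one possibility rather than asserting it; the underlying COM message is preserved for every other HRESULT.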
Pop Quiz Questions
1. What are the three group scopes in Active Directory?
2. What are the two types of groups?
3. What does AGGUDLP stand for?
4. On what platforms can ADSI client applications run?
5. What are the four different types of providers with ADSI?
Pop Quiz Answers:
1. The three group scopes in Active Directory are Universal, Global and Domain Local.
2. The two group types are distribution and security.
3. The acronym stands for: Accounts are members of Global groups, which in native mode can be members of other Global groups, which in native mode can be members of Universal groups, which in turn are members of Domain Local groups, the group scope that is granted resource access, that is, Permissions.
4. ADSI client applications can run not only on Windows 2000 and Windows XP clients, but also on Windows 95, Windows 98 and Windows NT4.0 (SP6a), if you have the Active Directory Client Extensions installed.
5. With ADSI, there are four different types of providers:
WinNT - Windows NT 4.0 PDCs and BDCs, Windows XP and Windows 2000/2003 not running Active Directory
LDAP - LDAP servers, including Exchange 5.x, Windows 2000/2003 Active Directory
NDS - Novell Directory Services servers
NWCOMPAT - Novell Netware servers
Jada Brock-Soldavini is author of book InsideScoop to Windows Server 2003 Certification Examination 70-290 Managing and Maintaining a Microsoft Windows ServerTM 2003 Environment. Jada works for the State of Georgia as a Network Services Administrator. She has co-authored or contributed to other numerous works pertaining to Microsoft Windows technologies. In her spare time she enjoys cooking, writing and reading anything that pertains to Network and Security technology. To buy my book, please visit www.totalrecallpress.com.