I'm writing a quick VBScript using the ADSI scripting stuff that is designed to loop through the members of "Domain Users", adding each one to a second group (long story).
I'm running into some trouble with it though, and I think it may have to do with the security permissions/ACLs on the Domain Users group itself...
Here's a quick snippet of my VB code:
=== BEGIN CODE SNIPPET ===
Const ADS_PROPERTY_APPEND = 3
Set objRootDSE = GetObject("LDAP://rootDSE")
Set objGroup = GetObject("LDAP://cn=Domain Users,cn=Users," & objRootDSE.Get("defaultNamingContext"))
objGroup.GetInfo
arrMemberOf = objGroup.GetEx("member")
=== END CODE SNIPPET ===
It gets to the last line in the snippet and throws "Error: The directory property cannot be found in the cache, Code: 8000500D".
At first I thought that it may have been a typo or something, but when I change "Domain Users" in the GetObject line to another group in the "Users" CN, it gets past the "GetEx" line without a problem and works perfectly (yes, there's more code past the snippet that I didn't include).
So, I'm suspecting that there is a security issue with the Domain Users group. I'm running the script as the domain Administrator, and opening ADUC as that user enables me to play with Domain Users with no problem.
Any ideas how to continue troubleshooting this?
Regards,
Jon Heese
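An added example, not part of the original post: Active Directory records an account's primary group in the account's primaryGroupID attribute (513 for Domain Users) rather than in the group's member attribute, so GetEx("member") on Domain Users can have nothing to return. The script below assumes that is the case here; it traps code 8000500D and then enumerates users by primaryGroupID. The target group name "Second Group" is a hypothetical placeholder.

```vbscript
' Added example (not the poster's code). Assumes the accounts belong to
' Domain Users through primaryGroupID = 513, which is not stored in "member".
Option Explicit
Const ADS_PROPERTY_APPEND = 3
Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D
Const DOMAIN_USERS_RID = 513
' Hypothetical placeholder for the second group; replace with the real path.
Const TARGET_GROUP_RDN = "cn=Second Group,cn=Users,"
Dim objRootDSE, strDomainDN, objGroup, objTarget, arrMembers, objConn, objCmd, objRS, strUserDN

Set objRootDSE = GetObject("LDAP://rootDSE")
strDomainDN = objRootDSE.Get("defaultNamingContext")
Set objGroup = GetObject("LDAP://cn=Domain Users,cn=Users," & strDomainDN)
Set objTarget = GetObject("LDAP://" & TARGET_GROUP_RDN & strDomainDN)

' 8000500D means ADSI has no values for the attribute in its property cache.
On Error Resume Next
arrMembers = objGroup.GetEx("member")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No 'member' values on Domain Users; querying primaryGroupID instead."
End If
On Error GoTo 0

' Paged ADO search for user accounts whose primary group is Domain Users.
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.Properties("Page Size") = 1000
objCmd.CommandText = "<LDAP://" & strDomainDN & ">;" & _
    "(&(objectCategory=person)(objectClass=user)(primaryGroupID=" & DOMAIN_USERS_RID & "));" & _
    "distinguishedName;subtree"
Set objRS = objCmd.Execute

Do Until objRS.EOF
    strUserDN = objRS.Fields("distinguishedName").Value
    On Error Resume Next
    objTarget.PutEx ADS_PROPERTY_APPEND, "member", Array(strUserDN)
    objTarget.SetInfo
    If Err.Number <> 0 Then
        ' For example, the account is already a member of the target group.
        WScript.Echo "Skipped " & strUserDN & " (0x" & Hex(Err.Number) & ")"
        objTarget.GetInfo   ' reload the cache to discard the failed pending change
    End If
    On Error GoTo 0
    objRS.MoveNext
Loop
objConn.Close
```

Accounts whose primary group has been changed away from Domain Users are listed in its member attribute instead, so a complete copy would also process arrMembers when GetEx succeeds.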