
Enumerating NT4 users in LDAP groups


krinid

Programmer
Jun 10, 2003
How can I enumerate WinNT domain user and/or group members in an LDAP group object?

The problem I have is that when I try the above, I loop through the members of an LDAP group, and when I get to a WinNT domain object (user or group), the name of the object is displaying as the SID instead of the actual (canonical) name of the object itself. If I view the group via ADUC, it shows up fine.

eg:
- there are two domains: LDAPdomain1 (an Active Directory domain) and WinNTdomain2 (a WinNT domain)
- there's a group LDAPdomain1\group1 which has members:
    - LDAPdomain1\user1
    - WinNTdomain2\user2
    - WinNTdomain2\group2

Usually I'd use the following code to enumerate NT4 domain users:
Set objUser = GetObject("WinNT://WinNTdomain2/user2,user")

and the following for dealing with LDAP groups:
Set objGroup = GetObject("LDAP://cn=group1,ou=...,dc=LDAPdomain1,...")
For Each objMember In objGroup.members
    WScript.Echo "MEMBER: " & objMember.name
    WScript.Echo "Canonical name: " & objMember.canonicalName
Next


NOTE: the 'canonical name' used in the code above is always blank, regardless of whether the object is LDAP or WinNT. Am I using the wrong property name? It's not generating an error, so it appears to be valid, but not populated.

And this works fine for LDAP members (user and/or groups) but when a WinNT domain user or group comes along, the result is not the actual user or group name, but a SID, which seems to come from the foreign security principal. eg: instead of displaying the name 'user2' when it's processing WinNTdomain2\user2, it displays CN=S-1-2-34-5678901234-5678901234-5678901234-56789. However, note that when I view the group LDAPdomain1\group1 in ADUC, it displays fine (ie: I can see the member inside the group; the header bar when I double click the WinNT object itself still shows up as the SID, but the canonical name on the Object tab shows up correctly).
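An added example, not the poster's script, that walks the group the same way but requests the constructed canonicalName attribute explicitly with GetInfoEx (the implicit GetInfo never loads constructed attributes, which is why it reads as blank) and resolves foreignSecurityPrincipal members to DOMAIN\name through the WMI Win32_SID class, which wraps the local LookupAccountSid call and so follows the trust to the NT4 domain. Assumed: GROUP_DN is a placeholder, and the script runs on a member of LDAPdomain1 that trusts WinNTdomain2.

```vbscript
' Added example, not the poster's script. Enumerates an AD group's members and
' resolves foreignSecurityPrincipal entries (accounts from the trusted NT4 domain)
' to DOMAIN\name with the WMI Win32_SID class (a LookupAccountSid wrapper).
' Assumption: GROUP_DN is a placeholder; the script runs on a member of LDAPdomain1.
Option Explicit

Const GROUP_DN = "LDAP://cn=group1,ou=Groups,dc=LDAPdomain1,dc=local"

Dim objGroup, objMember, strLabel
Set objGroup = GetObject(GROUP_DN)

For Each objMember In objGroup.Members
    ' canonicalName is a constructed attribute: the implicit GetInfo does not
    ' load it, so it reads as blank unless it is requested explicitly.
    objMember.GetInfoEx Array("canonicalName"), 0

    If LCase(objMember.Class) = "foreignsecurityprincipal" Then
        ' For an FSP the cn attribute is the member's SID string (S-1-5-21-...).
        strLabel = ResolveSid(objMember.Get("cn"))
    Else
        ' Native users and groups carry sAMAccountName directly.
        strLabel = objMember.Get("sAMAccountName")
    End If

    WScript.Echo "MEMBER: " & objMember.Name & " (" & objMember.Class & ")"
    WScript.Echo "  Canonical name: " & objMember.Get("canonicalName")
    WScript.Echo "  Resolved as:    " & strLabel
Next

' Translate a SID string to DOMAIN\name via Win32_SID. Returns the SID marked
' "(unresolved)" when the lookup fails (no trust path, domain unreachable, or the
' account was deleted), so a stale FSP is visible instead of silently skipped.
Function ResolveSid(strSid)
    Dim objSid, strAccount, strDomain
    strAccount = ""
    On Error Resume Next
    Set objSid = GetObject("winmgmts:root\cimv2:Win32_SID.SID='" & strSid & "'")
    If Err.Number = 0 Then
        strAccount = objSid.AccountName
        strDomain = objSid.ReferencedDomainName
    End If
    Err.Clear
    On Error GoTo 0
    If IsNull(strAccount) Then strAccount = ""
    If Len(strAccount) = 0 Then
        ResolveSid = strSid & " (unresolved)"
    Else
        ResolveSid = strDomain & "\" & strAccount
    End If
End Function
```

Run it with cscript so the Echo lines go to the console; an FSP that stays "(unresolved)" on a machine that can reach both domains usually points at a deleted account or a broken trust rather than at the script.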
 
Where are you running this script? I am asking because if the machine from which you are running this script cannot resolve both domains from DNS/WINS, then it will only resolve SIDs to names for users in your domain.

Just as a quick test, try to ping both domains from the machine that you are running the scripts from.
 
The domains can both be resolved fine. I can access both domains fine, just not the NT4 objects embedded in LDAP objects (ie: when they're group members).
 
You can use the WinNT provider to return any AD or NT domain user group membership info.

Sounds like you have a security setting in the way or a replication problem.
 