Enumeration Groups a user is a memberof.

Status
Not open for further replies.

yellowartist

IS-IT--Management
Aug 5, 2007
19
US
I am trying to pull out some attributes from a user's Active Directory account that is a member of a specific group and place it into a spreadsheet.

I cannot get it to list the SMTP addresses and the groups. I also cannot get it to loop through all users.

Here is the script.


Option Explicit
on error resume next
Dim objGroup, objuser, objExcel, iRow, strUser, iCol
dim strExcelPath, objApp

strExcelPath = "\\Server\folder\Scripts\EMP_SEP\Work_Log.xls"

set objExcel = CreateObject("Excel.Application")

' Create a new workbook.
objExcel.Workbooks.Add
' Bind to worksheet.
Set objSheet = objExcel.ActiveWorkbook.Worksheets(1)
objSheet.Name = "Work_Log"
' Populate spreadsheet cells with user attributes.

Set objGroup = GetObject("LDAP://CN=GG_ES_ACCT_ADMIN,OU=Groups,OU=KBS,DC=kochind,DC=com")


Set objExcel = CreateObject("Excel.Application")
With objExcel
.SheetsInNewWorkbook = 1
.Workbooks.Add
.Visible = false
iRow=1

For Each strUser in objGroup.Member
Set objUser = GetObject("LDAP://" & strUser)
.Cells(irow,1) = ("User Name: " & objUser.CN)
.Cells(irow,2) = ("Role ID: " & objUser.sAMAccountName)
.Cells(irow,3) = ("Object(s): " & objUser.distinguishedName)
.Cells(irow,4) = ("Home Drive: " & objUser.homeDirectory)
.Cells(irow,6) = ("Mailbox Store: " & objUser.homeMDB)
.Cells(irow,7) = ("ALIAS: " & objuser.mailNickname)
.Cells(irow,8) = ("Email Address(es): " & objuser.Getex("proxyAddresses"))
.Cells(irow,9) = ("Groups: " & Objgroup.Getex("memberof"))
.Cells(irow,10) = " "
.cells(irow,11) = "Disabled the AD account (Do not perform this step for KST)"
.Cells(irow,12) = "Changed Password"
.cells(irow,13) = "Set Delivery Restrictions – Accept Messages: Only from: MAILTEAM (do not perform this step if email is being forwarded)"
.cells(irow,14) = "Hid from Exchange address list (Do not perform this step for FHR)"
.cells(irow,15) = "Added EXEMPT in Extension Attribute 5"
.cells(irow,16) = "Added to GG_KBS_ES"
.cells(irow,17) = "Inserted current date in MM/DD/YY format to AD account Full name and Display name: "
irow + 1
Next
End With

' Save the spreadsheet, close the workbook and exit.
objExcel.ActiveWorkbook.SaveAs strExcelPath
objExcel.ActiveWorkbook.Close
objExcel.Application.Quit
'WScript.Echo "Spreadsheet Created"



'Set objApp = CreateObject("WScript.Shell")

'objApp.Run "cmd /C net use n: \\Server\folder\Scripts\EMP_SEP [Password] & n: & EnumerateMembers"
 
First quick note is that the proxyaddresses attribute has to be addressed kinda like an array. Just as a quick thing to see the contents, you can use:

Code:
Join(objUser.proxyAddresses)

As for the computer logon, try lastLogonTimeStamp and lastLogon. There is a difference between the 2, but that will get you started.
 
Join(objUser.proxyAddresses)

That worked!! Now I just need some assistance getting it to cycle through all users in the group and list all the groups they are members of.

Thanks for the help so far!!
 
I have not tested this, but try something like:

Code:
strValues = objUser.proxyAddresses
For Each objItem in strValues
wscript.echo objItem 'If that doesn't work, try objItem.Name
Next
 
Just for kicks, try this out:

Code:
Option Explicit
on error resume next
Dim objGroup, objuser, objExcel, iRow, strUser, iCol
dim strExcelPath, objApp

strExcelPath = "\\Server\folder\Scripts\EMP_SEP\Work_Log.xls"

set objExcel = CreateObject("Excel.Application")

' Create a new workbook.
objExcel.Workbooks.Add
' Bind to worksheet.
Set objSheet = objExcel.ActiveWorkbook.Worksheets(1)
objSheet.Name = "Work_Log"
' Populate spreadsheet cells with user attributes.

Set objGroup = GetObject("LDAP://CN=GG_ES_ACCT_ADMIN,OU=Groups,OU=KBS,DC=kochind,DC=com")


Set objExcel = CreateObject("Excel.Application")
With objExcel
  .SheetsInNewWorkbook = 1
  .Workbooks.Add
  .Visible = false
   iRow=1

 For Each strUser in objGroup.Member
    Set objUser =  GetObject("LDAP://" & strUser)
    .Cells(irow,1) = ("User Name: " & objUser.CN)
    .Cells(irow,2) = ("Role ID: " & objUser.sAMAccountName)
    .Cells(irow,3) = ("Object(s): " & objUser.distinguishedName)
    .Cells(irow,4) = ("Home Drive: " & objUser.homeDirectory)
    .Cells(irow,6) = ("Mailbox Store: " & objUser.homeMDB)
    .Cells(irow,7) = ("ALIAS: " & objuser.mailNickname)
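    strValues = objUser.proxyAddresses
    For Each objItem in strValues
        ' Case-insensitive match, so the primary "SMTP:" address is caught as well as "smtp:" aliases
        If Instr(1, objItem, "smtp", vbTextCompare) > 0 Then
            .Cells(irow,8) = ("Email Address(es): " & objItem)
        End If
    Next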
    .Cells(irow,9) = ("Groups: " & Objgroup.Getex("memberof"))
    .Cells(irow,10) = " "
    .cells(irow,11) = "Disabled the AD account (Do not perform this step for KST)"
    .Cells(irow,12) = "Changed Password"
    .cells(irow,13) = "Set Delivery Restrictions – Accept Messages: Only from: MAILTEAM (do not perform this step if email is being forwarded)"
    .cells(irow,14) = "Hid from Exchange address list (Do not perform this step for FHR)"
    .cells(irow,15) = "Added EXEMPT in Extension Attribute 5"
    .cells(irow,16) = "Added to GG_KBS_ES"
    .cells(irow,17) = "Inserted current date in  MM/DD/YY format to AD account Full name and Display name: "
    irow + 1
Next
End With
 
' Save the spreadsheet, close the workbook and exit.
objExcel.ActiveWorkbook.SaveAs strExcelPath
objExcel.ActiveWorkbook.Close
objExcel.Application.Quit
'WScript.Echo "Spreadsheet Created"



'Set objApp = CreateObject("WScript.Shell")

'objApp.Run "cmd /C net use n: \\Server\folder\Scripts\EMP_SEP [Password] & n: & EnumerateMembers"

Give that a try. I did not test it, but I think it will work.
 
Ok I got that script to work.

Here is what I did...

Enumeration Groups a user is a memberof

Option Explicit
on error resume next
Dim objGroup, objuser, objExcel, iRow, strUser, iCol
dim strExcelPath, objApp, strGroupName

strExcelPath = "\\Server\share\EmpSepScript\Work_Log.xls"

set objExcel = CreateObject("Excel.Application")

' Create a new workbook.
objExcel.Workbooks.Add
' Bind to worksheet.
Set objSheet = objExcel.ActiveWorkbook.Worksheets(1)
objSheet.Name = "Work_Log"
' Populate spreadsheet cells with user attributes.

Set objGroup = GetObject("LDAP://CN=GG,OU=Groups,DC=domain,DC=com")


Set objExcel = CreateObject("Excel.Application")
With objExcel
.SheetsInNewWorkbook = 1
.Workbooks.Add
.Visible = false
iRow=1

For Each strUser in objGroup.Member
Set objUser = GetObject("LDAP://" & strUser)
.Cells(irow,1) = ("User Name: " & objUser.CN)
.Cells(irow,3) = ("Role ID: " & objUser.sAMAccountName)
.Cells(irow,5) = ("Object(s): " & objUser.distinguishedName)
.Cells(irow,7) = ("Home Drive: " & objUser.homeDirectory)
.Cells(irow,9) = ("Mailbox Store: " & objUser.homeMDB)
.Cells(irow,11) = ("ALIAS: " & objuser.mailNickname)
.Cells(irow,13) = ("Email Address(es): " & Join(objUser.proxyAddresses))
.Cells(irow,15) = ("Groups: " & Join(objUser.memberof))
.Cells(irow,17) = " "
.cells(irow,19) = "Disabled the AD account (Do not perform this step for KST)"
.Cells(irow,21) = "Changed Password"
.cells(irow,23) = "Set Delivery Restrictions – Accept Messages: Only from: MAILTEAM (do not perform this step if email is being forwarded)"
.cells(irow,25) = "Hid from Exchange address list (Do not perform this step for FHR)"
.cells(irow,27) = "Added EXEMPT in Extension Attribute 5"
.cells(irow,29) = "Added to GG_KBS_ES"
.cells(irow,31) = "Inserted current date in MM/DD/YY format to AD account Full name and Display name: "
irow=irow + 1
Next
End With

' Save the spreadsheet, close the workbook and exit.
objExcel.ActiveWorkbook.SaveAs strExcelPath
objExcel.ActiveWorkbook.Close
objExcel.Application.Quit
'WScript.Echo "Spreadsheet Created"



Set objApp = CreateObject("WScript.Shell")

objApp.Run "cmd /C net use n: \\Server\share\EmpSepScript & n: & EnumerateMembers"

END Enumeration Groups a user is a memberof

Now I am trying to remove someone from a group if it is present... here is what I have. Any ideas to get it to work?

Thanks

SCRIPT:

'Add to Group
If strougroup = False Then
Set objgroup = GetObject("LDAP://" & Strougroup)
objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(strdn)
objGroup.SetInfo
End If

'Remove from Groups
If StrouProxy = True Then
Set objgroup = GetObject("LDAP://" & StrouProxy)
objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(strdn)
objGroup.SetInfo
End If
 
Some discrepancy with strougroup:
If strougroup = False Then
Set objgroup = GetObject("LDAP://" & Strougroup)

Is it a Boolean or a String containing a group name ?

Hope This Helps, PH.
FAQ219-2884
FAQ181-2886
 
I do not understand your objective. Your original desire was to enumerate a specific group and see who was a member, correct?

Now do you want to add or remove a member of that group or what? I do not understand your request here.
 
Strougroup and StrOUProxy are referenced to two groups.

What I am trying to accomplish now is from that list of users in group 1 if the script finds they are in Strougroup do nothing, if not add them to strougroup. If the script finds them in StrOUProxy remove them from that group, if it's not there, nothing.

This section works...
'Add to Group
If strougroup = False Then
Set objgroup = GetObject("LDAP://" & Strougroup)
objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(strdn)
objGroup.SetInfo
End If

This section does not work...
'Remove from Groups
If StrouProxy = True Then
Set objgroup = GetObject("LDAP://" & StrouProxy)
objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(strdn)
objGroup.SetInfo
End If

The two strou... are referenced above with the distinguished name of the actual groups.
The script is way too long to post the whole thing.
 
So, how do you expect a "reference above with the distinguished name of the actual groups" may be True or False ????
 
Your description kinda lost me again BUT, I would remind you that group membership is kept on user AND group objects, so if you are checking membership for a user for multiple groups, then it would be easier to enumerate the membership on that user's "memberOf" rather than the "member" attribute on a group.
 
Let me see if I can explain it a little better...

There are three scripts I have written to accomplish what I am trying to achieve. Overall I am trying to list information about the members of a specific group (We'll call it XYZ) and then modify some attributes of each user account that is tied to a specific group.

So for the first script I am pulling out all the information for the users tied to the group xyz. That is this script.

Script 1 Just pulls out information.

Option Explicit
on error resume next
Dim objGroup, objuser, objExcel, iRow, strUser, iCol
dim strExcelPath, objApp, strGroupName

strExcelPath = "\\Server\share\EmpSepScript\Work_Log.xls"

set objExcel = CreateObject("Excel.Application")

' Create a new workbook.
objExcel.Workbooks.Add
' Bind to worksheet.
Set objSheet = objExcel.ActiveWorkbook.Worksheets(1)
objSheet.Name = "Work_Log"
' Populate spreadsheet cells with user attributes.

Set objGroup = GetObject("LDAP://CN=XYZ,OU=Groups,DC=domain,DC=com")


Set objExcel = CreateObject("Excel.Application")
With objExcel
.SheetsInNewWorkbook = 1
.Workbooks.Add
.Visible = false
iRow=1

For Each strUser in objGroup.Member
Set objUser = GetObject("LDAP://" & strUser)
.Cells(irow,1) = ("User Name: " & objUser.CN)
.Cells(irow,3) = ("Role ID: " & objUser.sAMAccountName)
.Cells(irow,5) = ("Object(s): " & objUser.distinguishedName)
.Cells(irow,7) = ("Home Drive: " & objUser.homeDirectory)
.Cells(irow,9) = ("Mailbox Store: " & objUser.homeMDB)
.Cells(irow,11) = ("ALIAS: " & objuser.mailNickname)
.Cells(irow,13) = ("Email Address(es): " & Join(objUser.proxyAddresses))
.Cells(irow,15) = ("Groups: " & Join(objUser.memberof))
.Cells(irow,17) = " "
.cells(irow,19) = "Disabled the AD account (Do not perform this step for KST)"
.Cells(irow,21) = "Changed Password"
.cells(irow,23) = "Set Delivery Restrictions – Accept Messages: Only from: MAILTEAM (do not perform this step if email is being forwarded)"
.cells(irow,25) = "Hid from Exchange address list (Do not perform this step for FHR)"
.cells(irow,27) = "Added EXEMPT in Extension Attribute 5"
.cells(irow,29) = "Added to GG_KBS_ES"
.cells(irow,31) = "Inserted current date in MM/DD/YY format to AD account Full name and Display name: "
irow=irow + 1
Next
End With

' Save the spreadsheet, close the workbook and exit.
objExcel.ActiveWorkbook.SaveAs strExcelPath
objExcel.ActiveWorkbook.Close
objExcel.Application.Quit
'WScript.Echo "Spreadsheet Created"



Set objApp = CreateObject("WScript.Shell")

objApp.Run "cmd /C net use n: \\Server\share\EmpSepScript & n: & EnumerateMembers"

Script 2 Pulls out information for script 3 to run.

Option Explicit
on error resume next
Dim objGroup, objuser, objExcel, iRow, strUser
dim strExcelPath, objApp

strExcelPath = "\\server\share\EmpSepScript\emp_separations.xls"

set objExcel = CreateObject("Excel.Application")

' Create a new workbook.
objExcel.Workbooks.Add
' Bind to worksheet.
Set objSheet = objExcel.ActiveWorkbook.Worksheets(1)
objSheet.Name = "Separations"
' Populate spreadsheet cells with user attributes.


'active directory attributes
strCN = Inputbox(Inputprompt1, wscript.echo("Date")) & strlast & "\, " & strfirst
strfirst = "givenName"
Strlast = "sn"


Set objGroup = GetObject("LDAP://CN=XYZ,OU=Groups,OU=KBS,DC=domain,DC=com")


Set objExcel = CreateObject("Excel.Application")
With objExcel
.SheetsInNewWorkbook = 1
.Workbooks.Add
.Visible = false
irow=1

For Each strUser in objGroup.Member
Set objUser = GetObject("LDAP://" & strUser)
.Cells(iRow,1) = objUser.CN
.Cells(iRow,2) = objUser.sAMAccountName
.Cells(iRow,3) = objUser.displayName
.Cells(iRow,4) = objUser.Name
.Cells(iRow,5) = objUser.distinguishedName
.Cells(iRow,6) = objUser.mail
.Cells(iRow,7) = objUser.extensionAttribute5
.cells(iRow,8) = objuser.userPrincipalName
.Cells(iRow,9) = objUser.GivenName
.cells(iRow,10) = objuser.sn
.cells(iRow,11) = objuser.Getex("proxyAddresses")
irow=irow + 1
Next
End With

' Save the spreadsheet, close the workbook and exit.
objExcel.ActiveWorkbook.SaveAs strExcelPath
objExcel.ActiveWorkbook.Close
objExcel.Application.Quit
'WScript.Echo "Spreadsheet Created"


Set objApp = CreateObject("WScript.Shell")

objApp.Run "cmd /C net use n: \\server\share\EmpSepScript & n: & Separations"

Script 3 Does the actual work to change attributes on the accounts tied to group XYZ

Option Explicit
'on error resume next

Dim objUser, objShell
Dim objExcel, objSpread, intRow, intCol
Dim strUser, strSheet, strDate
Dim strCN, strSam, strDisplay, strName, strDN
Dim strmail, strUPN, strextA5
Dim objFSO, objFolder, objFileShare, strDest, strougroup, objgroup
Dim Inputprompt, strsn, objou, objApp, strouProxy
DIM StrOUSeam1, StrOUSeam2, StrOUSeam3, StrOUSeam4, StrOUSeam5
DIM StrOUSeam6, StrOUSeam7, StrOUSeam8, StrOUSeam9, StrOUSeam10
DIM StrOUSeam11, StrOUSeam12, StrOUSeam13, StrOUSeam14, StrOUSeam15
DIM StrOUSeam16, StrOUSeam17, StrOUSeam18, StrOUSeam19, StrOUSeam20
DIM StrOUSeam21, StrOUSeam22, StrOUSeam23, StrOUSeam24, StrOUSeam25
DIM StrOUSeam26, StrOUSeam27, StrOUSeam28, StrOUSeam29, StrOUSeam30
DIM StrOUSeam31, StrOUSeam32, StrOUSeam33, StrOUSeam34, StrOUSeam35
DIM StrOUSeam36, StrOUSeam37, StrOUSeam38, StrOUSeam39, StrOUSeam40
DIM StrOUSeam41, StrOUSeam42, StrOUSeam43, StrOUSeam44, StrOUSeam45
DIM StrOUSeam46, StrOUSeam47, StrOUSeam48, StrOUSeam49
DIM Strvpn1, Strvpn2, Strvpn3, Strvpn4, Strvpn5
DIM Strvpn6, Strvpn7, Strvpn8, Strvpn9, Strvpn10
DIM Strvpn11, Strvpn12, Strvpn13


strSheet = "\\server\Share\EmpSepScript\emp_separations.xls"


' Open the Excel spreadsheet
Set objExcel = CreateObject("Excel.Application")
Set objSpread = objExcel.Workbooks.Open(strSheet)
intRow = 1

' Here is the 'DO...Loop' that cycles through the cells

' Note intRow, x must correspond to the column in strSheet

Do Until objExcel.Cells(intRow,1).Value = ""
strCN = Trim(objExcel.Cells(intRow, 1).Value)
strSam = Trim(objExcel.Cells(intRow, 2).Value)
strDisplay = Trim(objExcel.Cells(intRow, 3).Value)
' strName = Trim(objExcel.Cells(intRow, 4).Value)
strDN = Trim(objExcel.Cells(intRow, 5).Value)
strmail = Trim(objExcel.Cells(intRow, 6).Value)
strextA5 = Trim(objExcel.Cells(intRow, 7).Value)
strUPN = Trim(objExcel.Cells(intRow, 8).Value)
strsn = Trim(objExcel.Cells(intRow, 10).Value)
strDate = Date()
strougroup = "CN=GG_KBS_ES,OU=Groups,OU=KBS,DC=Domain,DC=com"
strouProxy = "CN=PROXY_USERS,OU=Groups,OU=KBS,DC=Domain,DC=com"

'Build the actual User from data in strSheet.

'Const ADS_PROPERTY_APPEND = 3

Set objUser = GetObject("LDAP://" & strdn)
'Wscript.echo "LDAP://" & strdn
objUser.Put "sAMAccountName", ("1" & strSam)
objUser.Put "DisplayName", (strDate & " " & strdisplay)
objUser.Put "userPrincipalName", ("1" & strUPN)
objUser.Put "extensionAttribute5", "EXEMPT"
' objUser.Put "Name", (strDate & strname)
objUser.SetPassword "i5A2sj*!"
'Hide From GAL
objuser.put "msExchHideFromAddressLists", TRUE
objuser.setInfo

'add new Primary Address
' objuser.PutEx 3, "proxyAddresses", Array("smtp:" & "del" & strmail)
' objuser.setInfo
'Delete Old Primary
' objuser.PutEx 4, "ProxyAddresses", Array("SMTP:" & strmail)
' objuser.Put "mail", ("del" & strmail)
' objuser.Put "mailNickname", ("1" & strSam)
' objuser.setInfo

'Mailbox restrictions
Objuser. put "authOrig", "CN=*DL EMail Team,OU=Distribution Lists,OU=wichita,OU=_ADC,DC=Domain,DC=com"
objuser.SetInfo

' Add to Group
If strougroup = False Then
Set objgroup = GetObject("LDAP://" & Strougroup)
objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(strdn)
objGroup.SetInfo
End If

'Remove from Groups
If StrouProxy = True Then
Set objgroup = GetObject("LDAP://" & StrouProxy)
objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(strdn)
objGroup.SetInfo
End If

' Increment to next user.
intRow = intRow + 1
Loop

Wscript.Echo "Done"
objExcel.Quit
WScript.Quit

End of Scripts

Everything is working except removing the user from a few groups... Not XYZ group.
 
Your problem is your "IF" statement. From what I see, strOUProxy is NOT a boolean value, so checking if it is true or false should NOT work.

If you are using it to check for membership, then you will need to either check on the fly or do it earlier and set a variable as a boolean.

What is this supposed to mean/do?

Code:
If StrouProxy = True Then

In English, it looks like you are saying something like:

Code:
If GroupX ????  Then
1) Bind to the Group
2) Remove UserX from group
End If

The #1 problem I see is your "IF" statement. It does not make sense to me what you are checking for.
 
For more description, your "IF" says:

Code:
If "CN=PROXY_USERS,OU=Groups,OU=KBS,DC=Domain,DC=com" = True

That's the biggest glaring thing I see wrong.
 
Everything is working
No ghosts excel.exe in the process list ?
In Script1 and Script2 you instantiate 2 times an Excel.Application object and create a workbook in each.

Again I don't understand the logic here:
strougroup = "CN=GG_KBS_ES,OU=Groups,OU=KBS,DC=Domain,DC=com"
...
If strougroup = False Then

Hope This Helps, PH.
FAQ219-2884
FAQ181-2886
 
Ok I'm pretty new at this, I do not see the problem?

If "CN=PROXY_USERS,OU=Groups,OU=KBS,DC=Domain,DC=com" = True Then
1) Bind to the Group
2) Remove UserX from group
End If

That's exactly what I'm wanting it to do.
 
I do not see the problem
Do you know the difference between a String and a Boolean ?
 
OK, here is a correct "IF":

If a = b Then
wscript.echo "A = B"
End If


What you are doing is:

If "some string here" = True Then
blah
End If

A string of characters can NEVER = True.

The ONLY time you can do an "IF" and check if it is equal to "TRUE" is if it's a true or false value.

You are asking:

Is "CN=PROXY_USERS,OU=Groups,OU=KBS,DC=Domain,DC=com" True? That's a distinguished name, there is no true/false answer. If you want to know if a certain user is in that group, then you are going about it all wrong.

string = just characters inside of double-quotes...example: "This is a string"

boolean = only choices are true or false...example: True
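
An added example, not part of the original thread or any poster's code: one way to turn "is this user in that group?" into a real Boolean before adding or removing, by testing the user's memberOf list as suggested earlier in the thread. The group DNs are the ones from Script 3; ToArray, IsInGroup and FixMembership are hypothetical helper names, and the check covers direct memberships only (memberOf does not list the primary group or nested groups).

```vbscript
Option Explicit

' Group DNs as they appear in the thread's Script 3.
Const STR_ADD_GROUP = "CN=GG_KBS_ES,OU=Groups,OU=KBS,DC=Domain,DC=com"
Const STR_REMOVE_GROUP = "CN=PROXY_USERS,OU=Groups,OU=KBS,DC=Domain,DC=com"

' memberOf comes back Empty (no groups), a String (one group) or an
' array (several groups). Normalise all three cases to an array so
' callers never hit a type mismatch on Join or For Each.
Function ToArray(varValue)
    If IsEmpty(varValue) Or IsNull(varValue) Then
        ToArray = Array()
    ElseIf IsArray(varValue) Then
        ToArray = varValue
    Else
        ToArray = Array(varValue)
    End If
End Function

' Returns a Boolean: True when strGroupDN is in the memberOf value.
' Distinguished names are compared case-insensitively.
Function IsInGroup(varMemberOf, strGroupDN)
    Dim strDN
    IsInGroup = False
    For Each strDN In ToArray(varMemberOf)
        If StrComp(strDN, strGroupDN, vbTextCompare) = 0 Then
            IsInGroup = True
            Exit Function
        End If
    Next
End Function

' Hypothetical helper: call once per spreadsheet row with that row's
' distinguished name. Each change is made only when the Boolean test
' says it is needed, so a re-run does not fail on users already fixed.
Sub FixMembership(strUserDN)
    Dim objUser, objGroup
    Set objUser = GetObject("LDAP://" & strUserDN)
    If Not IsInGroup(objUser.memberOf, STR_ADD_GROUP) Then
        Set objGroup = GetObject("LDAP://" & STR_ADD_GROUP)
        objGroup.Add objUser.ADsPath       ' IADsGroup.Add commits immediately
    End If
    If IsInGroup(objUser.memberOf, STR_REMOVE_GROUP) Then
        Set objGroup = GetObject("LDAP://" & STR_REMOVE_GROUP)
        objGroup.Remove objUser.ADsPath    ' IADsGroup.Remove commits immediately
    End If
End Sub

' Offline check with constructed memberOf values (no directory needed):
' no groups, one group in different case, several unrelated groups.
WScript.Echo IsInGroup(Empty, STR_REMOVE_GROUP)
WScript.Echo IsInGroup("cn=proxy_users,ou=groups,ou=kbs,dc=domain,dc=com", STR_REMOVE_GROUP)
WScript.Echo IsInGroup(Array("CN=Other,DC=Domain,DC=com", "CN=XYZ,DC=Domain,DC=com"), STR_REMOVE_GROUP)
```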
 