FInd a Domain global group in a PCs Local Power User group.

[StumpedTechy]

Someone on our network made a HUGE mistake and I am trying to fix it. I have tried ADSI and WMI with bad results I don't know if its the query I am using I tried this with ADSI -

strLocalGroup = "Power Users"
strMachineName = "Remote PC"
strDomainGroup = "Domain Group"
strDomainName = "MyDomain"

Dim objLocalGroup, objDomainGroup

on error resume next

'Look up local group.
Set objLocalGroup = GetObject("WinNT://" & strComputerName & "/" & strLocalGroup & ",group")

If err.number <> 0 Then
Log stuff
Err.Clear
End If

' Look up Domain group to be checked against local group.
Set objDomainGroup = GetObject( "WinNT://" & strDomainName & "/" & strDomainGroup & ",group")

If err.number <> 0 Then
Log stuff
Err.Clear
End If

'Check if domain group a member of the local group.
If objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
Log stuff


I even did a
If objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
msg box "yes"
Else
msgbox "no"
but it always says yes. Even on machines I know don't have the domain group in the power users group.

With my WMI the query is so strange I won't go into what I tried because I know it has to be wrong. I was using Win32_UserAccounts.

Any ideas on how I can do this either through WMI or ADSI? I just need to find all PCs on the domain that have this Domain group applied to the Local Power Users group on each individual PC. I alrerady know how to parse a txt file to get the machine names so I just need to know the portion of the query NOT how to make it loop through a bunch of computers.

 

[dm4ever]

What if you tried?

Set objDomainGroup = GetObject( "WinNT://" & strDomainName & "/" & strDomainGroup)

If objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
...code


--------------------------------------------------------------------------------
dm4ever
My philosophy: K.I.S.S - Keep It Simple Stupid

 

[dm4ever]

Actually, looks like you have..disregard...I'm tired. Is it Friday yet?

--------------------------------------------------------------------------------
dm4ever
My philosophy: K.I.S.S - Keep It Simple Stupid

 

[StumpedTechy]

I got it working but can you explain this?

I did find one mistake I understand -

Set objLocalGroup = GetObject("WinNT://" & strComputerName & "/" & strLocalGroup & ",group")


Had computername instad of machinename. Which was the strmachinename I listed earlier. This changed its reporting but now it said no to everything I ran it against instead of yes.

What did it was the Domain name variable. When I put in our domain X.Y.COM I got back all yes or all no but when I did X and left off the .y.com It ran flawlessly. Why would it not run right using the FQDN but just the shortened domain name? Is this an ADSI limitation?

 

[tsuji]

>but it always says yes. Even on machines I know don't have the domain group in the power users group.
>This changed its reporting but now it said no to everything I ran it against instead of yes.

You've to be careful in using "on error resume next" properly. Take the first post for instance. What if any of the object objLocalGroup or objDomainGroup is erroneous, your error handler log something, but it lets the script continue running... This shouldn't be.

Here's a demonstration. In the script like this, it always says "yes". And that's why.
[tt]
on error resume next
set x=nothing
if x.ismember("abc") then
wscript.echo "yes"
else
wscript.echo "no"
end if
[/tt]

 

[StumpedTechy]

so if you have an if/then that isn't part of a what something is set as then the on error resume next will change how the if/then functions? I didn't think On error resume next could influence an if/then statement because you have both paths clearly defined as if or then and there can't be an "error"?

 

[tsuji]

It's up to you.