
Nesting groups from different domains 2


golfboy1971

Technical User
Mar 23, 2007
4
GB
I am having trouble writing a VBScript to help me nest some Active Directory groups and would appreciate any help you could give me.

I have a need to nest some groups from an Active Directory parent domain into groups in a child domain. However, every time I run the script below I get the message "There is no such object on the server" for the objGroup.Add line.

' Bind to the target group and to the group that should become its member
Set objGroup = GetObject("LDAP://cn=ContosoManagers,ou=DSS,ou=Application-Access,dc=contoso,dc=com")
Set objGroupToAdd = GetObject("LDAP://cn=ContosoCorpManagers,ou=Groups,dc=contosocorp,dc=com")

' This is the line that fails with "There is no such object on the server"
objGroup.Add(objGroupToAdd.ADsPath)
wscript.echo "Complete"

Whilst messing around the other day I found a way to get it working using the SID of the group from the parent domain, but have since lost my work and can't remember what I did! :-( ... I've got a looooooooot of groups to nest, so need a VBScript to do it.
Could you help me please.

Regards

Golfboy
 
But the nesting of groups is not unconditional, even in native mode. Furthermore, the ADsPaths do not make it evident that they are from a parent and a child domain. Or I am missing something.
 
tsuji,

Thanks for your reply. I'm afraid I don't understand what you mean by being "unconditional" in this respect, could you please explain a bit more. I believe you are correct that the ADSPaths don't necessarily explain that the object is from another domain, but with the addition of the "dc=" in the LDAP object I am indicating that it's from another domain.
Obviously it's really easy to nest a group from a parent domain into a child domain using the Microsoft Active Directory MMC, but doing it by script seems really hard! The annoying thing was that I managed it once, using the SID of the parent domain's group, but forgot what I did and can't seem to replicate it again!
Help please! :-D

Thanks
Golfboy1971
 
[1] By "unconditional" I meant at least these. When one contemplates nesting groups, there are different things to consider.
[1.1] Type of the groups.
[1.2] Functional level of the domain (native or mixed).
[1.3] Scope of each group (security or distribution).
[1.4] Cross-domain or Cross-forest.
They all have an impact on the operation.

[2]
>...that the ADSPaths don't necessarily explain that the object is from another domain, but with the addition of the "dc=" in the LDAP object I am indicating that it's from another domain.
I only meant that I failed to see the parent-child relationship between the domains containing the respective groups. It more seems like they are not in the same forest. I may be wrong.
 
I've just realised that I've been a right plonker! My domains aren't a parent/child arrangement, but there is a trust relationship between them.
I have put a post on a few forums and seem to have stumped everyone with this.
My domains are both Active Directory 2003 running in Windows 2003 domain functional level, but not sure of the forest functional level.
The group that I am trying to nest is a Global Security group in the contosocorp.com domain and the group that I am trying to nest it into is a Domain Local Security group in the contoso.com domain.
Hope this helps! I'd rather not have to nest 228 group manually!
 
In that case you do need to retrieve the SID of the group objGroupToAdd and add it to objGroup in the form of "LDAP://<SID=hex_string_sid>", where hex_string_sid is what you have to work upon. And I think that's the only possible route to take at the moment.
 
Unfortunately time constraints meant I just had to get on with sorting out my groups, so I have had to nest all the groups manually. However, in case this thread helps someone else make a step further, here is some code that I pulled together from various scripts on the internet that helped me to find the SID of the groups I was interested in. However, its failing is that the SID is the SID on the remote domain, not the SID that the local domain refers to the remote group as... i.e. on contosocorp.com the group might have a SID (shortened here for example) of S-1-5-23000, but if you were to add this respective group to a local domain group in contoso.com, and then view the SID of the members of that group, it might be something like S-1-5-23456.
Unfortunately I can't see how the correlation between these SIDs works.
If I can find out how to get the 2nd SID, I know I can use my script to nest it into my local group, using the LDAP in the format of "LDAP://S-1-5-23456,OU=ForeignSecurityPrincipals,dc=Contosocorp,dc=com"

Anyway, enough waffling, here is the script to find the SID as it is on the remote domain (i.e. contosocorp.com).

On Error Resume Next   'errors are checked explicitly after GetObject below
strInputFile = "P:\Grouplist.txt"
strOutputFile = "P:\GroupListSID.txt"

Const ForReading = 1
Const ForWriting = 2
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000

'Setup the files, one for reading the group names and the other for the result output
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objInputFile = objFSO.OpenTextFile(strInputFile, ForReading)
Set objOutputFile = objFSO.OpenTextFile(strOutputFile, ForWriting, True)

'Setup a loop to read the contents of the input file and use the information to query AD
Do While objInputFile.AtEndOfStream <> True
    strGroupToCheck = Trim(objInputFile.ReadLine)
    If strGroupToCheck <> "" Then
        Err.Clear
        Set objGroup = GetObject _
            ("LDAP://cn=" & Chr(34) & strGroupToCheck & Chr(34) & ",ou=Groups,dc=contosocorp,dc=com")
        If Err.Number <> 0 Then
            'Record the failed bind instead of silently writing an empty SID
            objOutputFile.WriteLine strGroupToCheck & ": ERROR &H" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        Else
            strSidText = fnGet_HexString(objGroup.ObjectSID)
            objOutputFile.WriteLine strGroupToCheck & ": " & strSidText
            wscript.echo strGroupToCheck & ": " & strSidText
        End If
    End If
Loop
objInputFile.Close
objOutputFile.Close

'Turn the objectSid byte array into a hex string, then into the S-1-5-... text form
Function fnGet_HexString(bytSid)
    Dim strRet, i, b
    strRet = ""
    For i = 0 To UBound(bytSid)
        b = Hex(AscB(MidB(bytSid, i + 1, 1)))
        If Len(b) = 1 Then b = "0" & b
        strRet = strRet & b
    Next
    fnGet_HexString = fnHexStrToDecStr(strRet)
End Function

'Decode a SID given as a hex string. Layout: byte 0 is the revision, byte 1 the
'sub-authority count, bytes 2-7 the identifier authority (big-endian), then one
'4-byte little-endian value per sub-authority starting at byte 8. The original
'version assumed exactly five sub-authorities and read only two bytes of the last
'one (the RID), so any RID above 65535 was reported incorrectly.
Function fnHexStrToDecStr(strSid)
    Dim arrbytSid, dblTemp, j, k, intCount, strOut
    ReDim arrbytSid(Len(strSid) / 2 - 1)
    For j = 0 To UBound(arrbytSid)
        arrbytSid(j) = CInt("&H" & Mid(strSid, 2 * j + 1, 2))
    Next

    intCount = arrbytSid(1)

    'Identifier authority: 48-bit big-endian value in bytes 2-7 (accumulated as
    'Double so the arithmetic cannot overflow an Integer or Long)
    dblTemp = CDbl(0)
    For j = 2 To 7
        dblTemp = dblTemp * 256 + arrbytSid(j)
    Next
    strOut = "S-" & arrbytSid(0) & "-" & CStr(dblTemp)

    'Each sub-authority: 32-bit little-endian, so read the high byte first
    For k = 0 To intCount - 1
        dblTemp = CDbl(0)
        For j = 3 To 0 Step -1
            dblTemp = dblTemp * 256 + arrbytSid(8 + 4 * k + j)
        Next
        strOut = strOut & "-" & CStr(dblTemp)
    Next

    fnHexStrToDecStr = strOut
End Function
 
Did anybody get any further with this? I am having pretty much the exact same issue. We just can't figure out how to get the SID that the local domain is using for the Foreign Security Principal. Or more to the point, the FSP doesn't exist in the local domain yet for us to get the SID.
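An added example, not code from the thread, that puts tsuji's "LDAP://<SID=hex>" suggestion to work for the question in the last two posts: it reads the raw objectSid of the group in the trusted domain and writes it to the local group's member attribute in <SID=hex> form, so the domain controller creates the ForeignSecurityPrincipals object itself and nothing has to be looked up beforehand. The group paths are placeholders built from the DNs in the thread; the account running it is assumed to be able to read the foreign group over the trust and to modify the local group.

```vbscript
' Added example, not from the thread: nest a group from a trusted domain into a
' domain local group by writing its SID to the member attribute as <SID=hex>.
Const ADS_PROPERTY_APPEND = 3

' Placeholder paths built from the DNs in the thread; replace with your own.
' The "contosocorp.com/" prefix directs the bind at the foreign domain rather
' than relying on the local DC to chase a referral.
strForeignGroupPath = "LDAP://contosocorp.com/cn=ContosoCorpManagers,ou=Groups,dc=contosocorp,dc=com"
strLocalGroupPath   = "LDAP://cn=ContosoManagers,ou=DSS,ou=Application-Access,dc=contoso,dc=com"

' objectSid comes back as a Byte array. The <SID=...> form wants the raw bytes
' as plain hex, two characters per byte, not the S-1-5-... text.
Function SidBytesToHex(bytSid)
    Dim i, strHex
    strHex = ""
    For i = 0 To UBound(bytSid)
        strHex = strHex & Right("0" & Hex(bytSid(i)), 2)
    Next
    SidBytesToHex = strHex
End Function

' Append the SID to the group's member attribute. A SID from a trusted domain is
' resolved by the DC to an object under CN=ForeignSecurityPrincipals, which is
' created on the fly if it does not exist yet.
Sub AddForeignMember(strGroupPath, strSidHex)
    Dim objGroup
    Set objGroup = GetObject(strGroupPath)
    objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array("<SID=" & strSidHex & ">")
    objGroup.SetInfo
End Sub

Set objForeignGroup = GetObject(strForeignGroupPath)
strSidHex = SidBytesToHex(objForeignGroup.Get("objectSid"))
AddForeignMember strLocalGroupPath, strSidHex
WScript.Echo "Added <SID=" & strSidHex & "> to " & strLocalGroupPath
```

After SetInfo the new member shows up in the local domain as an object under CN=ForeignSecurityPrincipals whose CN is the S-1-5-... text of that same SID, so the "second SID" the thread was hunting for is the foreign group's own SID, not a separate value.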
 