Trying to adapt VBScript to search if machine is in an AD group 6

[bdwilcox]

I had what I thought was a simple VBscript to search AD for a user and see if they were part of an AD group. But. so far, I have been unsuccessfully trying to adapt it to see if a computer is part of an AD group. Our AD structure is pretty flat so I'm not worried about nested groups but I am concerned about finding the machine as its account can be in one of two very different places off the root of AD. The current script I have to search for a user and see if they're in a group (and which works very well) is:

Option Explicit
Dim domainName,userName,groupName,ADSPath,grouplistD,objRecordSet,objConnection,objCommand
Dim objUser,objGroup,scriptTitle

scriptTitle = "Check if User has Lab Access Enabled v.1"
domainName = "win.global.production.com"
groupName = "Legacy_Access_NA"

userName = InputBox ("== Check if User has Lab Access Enabled ==" & vbCrLf & vbCrLf & "Enter username to see if user has Lab access enabled, then press the OK button:" & vbCrLf,scriptTitle)

userName=trim(userName)

If userName = "" then Wscript.Quit


If IsMember(domainName,userName,groupName) Then
MsgBox "User '" & userName & "' DOES have Lab Access enabled.",,scriptTitle
Else
MsgBox "User '" & userName & "' DOES NOT have Lab Access enabled.",, scriptTitle
End If
WScript.quit

' *****************************************************
'This function checks if the given AD user is member of the given group.
Function IsMember(domainName,userName,groupName)
Set groupListD = CreateObject("Scripting.Dictionary")
groupListD.CompareMode = 1
ADSPath = domainName & "/" & userName
Set objUser = GetObject("WinNT://" & ADSPath & ",user")
For Each objGroup in objUser.Groups
groupListD.Add objGroup.Name, "-"
Next
IsMember = CBool(groupListD.Exists(groupName))
End Function
' *****************************************************

Is there any tweak I'm missing to make this search for a computer and see if it's in a group rather than doing the same for a user account like it's doing now?

Thanks for any insight you can provide. I've been going in circles for weeks now, trying every script I can find on the internet to do this and having little luck.

 

[SoftwareRT]

Let's change your code to include a computerName variable, a GetObject call (change "WinNT://" & ADSPath & ",user" to "WinNT://" & ADSPath & ",computer)" so that you're querying a computer object in AD instead of a user with updated prompt to reflect that you're checking for a computer, not a user.

Option Explicit
Dim domainName, computerName, groupName, ADSPath, grouplistD, objRecordSet, objConnection, objCommand
Dim objComputer, objGroup, scriptTitle

scriptTitle = "Check if Computer has Lab Access Enabled v.1"
domainName = "win.global.production.com"
groupName = "Legacy_Access_NA"

' Prompt for computer name instead of username
computerName = InputBox ("== Check if Computer has Lab Access Enabled ==" & vbCrLf & vbCrLf & "Enter computer name to see if it has Lab access enabled, then press the OK button:" & vbCrLf, scriptTitle)

computerName = Trim(computerName)

' Exit if no computer name is entered
If computerName = "" Then Wscript.Quit

' Call the IsMember function to check if the computer is a member of the group
If IsMember(domainName, computerName, groupName) Then
    MsgBox "Computer '" & computerName & "' DOES have Lab Access enabled.",, scriptTitle
Else
    MsgBox "Computer '" & computerName & "' DOES NOT have Lab Access enabled.",, scriptTitle
End If

WScript.Quit

' *****************************************************
' This function checks if the given AD computer is a member of the given group.
Function IsMember(domainName, computerName, groupName)
    Set groupListD = CreateObject("Scripting.Dictionary")
    groupListD.CompareMode = 1
    ' Use "computer" instead of "user" in the GetObject call
    ADSPath = domainName & "/" & computerName
    Set objComputer = GetObject("WinNT://" & ADSPath & ",computer") ' Change 'user' to 'computer'
    
    ' Loop through the groups the computer is a member of
    For Each objGroup In objComputer.Groups
        groupListD.Add objGroup.Name, "-"
    Next
    
    ' Check if the specified group exists in the group dictionary
    IsMember = CBool(groupListD.Exists(groupName))
End Function
' *****************************************************

 

[bdwilcox]

HI SoftwareRT, thanks for the reply. Unfortunately, I tried replacing all the user tags with computer tags as well but the script throws me the below error. Not sure if I'm missing something that will make it work or if this script method simply won't work with computer AD elements like it does with user AD elements.

 

[SoftwareRT]

Hmmm... Apparently that the WinNT:// provider does not support querying groups for computer objects. Let's switch to LDAP. Try the code below...

Option Explicit
Dim domainName, computerName, groupName, ADSPath, objComputer, objGroup, objConnection, objCommand, objRecordSet, scriptTitle

scriptTitle = "Check if Computer has Lab Access Enabled v.2"
domainName = "win.global.production.com"
groupName = "Legacy_Access_NA"

' Prompt for computer name instead of username
computerName = InputBox ("== Check if Computer has Lab Access Enabled ==" & vbCrLf & vbCrLf & "Enter computer name to see if it has Lab access enabled, then press the OK button:" & vbCrLf, scriptTitle)

computerName = Trim(computerName)

' Exit if no computer name is entered
If computerName = "" Then Wscript.Quit

' Call the IsMember function to check if the computer is a member of the group
If IsMember(domainName, computerName, groupName) Then
    MsgBox "Computer '" & computerName & "' DOES have Lab Access enabled.",, scriptTitle
Else
    MsgBox "Computer '" & computerName & "' DOES NOT have Lab Access enabled.",, scriptTitle
End If

WScript.Quit

' *****************************************************
' This function checks if the given AD computer is a member of the given group.
Function IsMember(domainName, computerName, groupName)
    Dim objConnection, objCommand, objRecordSet, ldapFilter, baseDN, filter, attributes
    Dim groupDN, computerDN, isMember
    
    ' Set up ADODB connection
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADSDSOObject"
    objConnection.Open "Active Directory Provider"
    
    Set objCommand = CreateObject("ADODB.Command")
    objCommand.ActiveConnection = objConnection
    
    ' Search for the computer in Active Directory
    baseDN = "'LDAP://" & domainName & "'"
    filter = "(&(objectCategory=computer)(name=" & computerName & "))"
    attributes = "distinguishedName"
    ldapFilter = baseDN & "; " & filter & "; " & attributes & ";subtree"
    
    objCommand.CommandText = ldapFilter
    Set objRecordSet = objCommand.Execute
    
    If Not objRecordSet.EOF Then
        computerDN = objRecordSet.Fields("distinguishedName").Value
    Else
        MsgBox "Computer '" & computerName & "' not found in Active Directory.",, scriptTitle
        IsMember = False
        Exit Function
    End If
    objRecordSet.Close
    
    ' Search for the group in Active Directory
    filter = "(&(objectCategory=group)(cn=" & groupName & "))"
    attributes = "distinguishedName"
    ldapFilter = baseDN & "; " & filter & "; " & attributes & ";subtree"
    
    objCommand.CommandText = ldapFilter
    Set objRecordSet = objCommand.Execute
    
    If Not objRecordSet.EOF Then
        groupDN = objRecordSet.Fields("distinguishedName").Value
    Else
        MsgBox "Group '" & groupName & "' not found in Active Directory.",, scriptTitle
        IsMember = False
        Exit Function
    End If
    objRecordSet.Close
    
    ' Now check if the computer is a member of the group
    filter = "(&(objectCategory=group)(distinguishedName=" & groupDN & ")(member=" & computerDN & "))"
    ldapFilter = baseDN & "; " & filter & "; " & attributes & ";subtree"
    
    objCommand.CommandText = ldapFilter
    Set objRecordSet = objCommand.Execute
    
    isMember = Not objRecordSet.EOF
    objRecordSet.Close
    
    ' Return true if computer is a member of the group
    IsMember = CBool(isMember)
End Function
' *****************************************************

 

[bdwilcox]

Hmm, if i run that, I get this error:



If i remove 'isMember' from the DIM statement, it will run the interface but when I put in a computer name, it then throws this error:



This error is one I was getting with some scripts I found on the internet and I could never figure out exactly what the culprit was since the error was so non-descript and I'm not familiar with the minutiae of VBScripting for AD objects.

One thing I got bit on before was not the method but the execution where the command syntax was wrong... but many of these commands are so foreign to me that I admit I wouldn't even know if the syntax was bad..

 

[strongm]

Function IsMember(domainName, computerName, groupName)
Dim objConnection, objCommand, objRecordSet, ldapFilter, baseDN, filter, attributes
Dim groupDN, computerDN, isMember


Ah, actually I see you already addressed this ...

 

[strongm]

Try changing

baseDN = "'LDAP://" & domainName & "'"

to

baseDN = "<LDAP://" & domainName & ">"

 

[bdwilcox]

Holy potatoes, strongm, you found the proverbial needle in a haystack. How many times have I been bitten by those tiny little syntax errors. Script works great now with that one change. Hopefully, someone can reference this script in the future if they need one that works since every other one I could find online had an error here or there that gave no hint of what was wrong.

Thank you to SoftwareRT and strongm for taking the time and effort to both come up with and troubleshoot a working solution! I appreciate all of your hard work! I spent months trying to find and troubleshoot a working script and nearly gave up, but you both nailed it!

 

[SoftwareRT]

Glad strongm saw that and the code is working.