I had a challenge today.
Problem:
My customer needs to insert a specific text in the computer description field on the local PC if the user is a member of a specific group.
Challenges:
The problem is that most of the users are not direct members of the group.
Instead, they are members of a nested group that is a member of the group, or of a nested group that is a member of a nested group that is a member of the group, and so on.
This gave me a problem, since the usual way of checking a user's membership is by using the “memberOf” property via ADSI.
This only shows the groups the user is directly a member of, and not the nested groups.
Ideas:
I found an example on Microsoft Scripting Guys:
http://technet.microsoft.com/en-us/magazine/cc161018.aspx
This example gives you a complete list of the groups the user is a member of.
This could be used for the check, but the problem is that it is really slow! On our small AD it took 4-5 seconds to finish!
And I can only imagine how long it would take in a much larger forest!
Solution:
So I had to think it over, and I decided to go the other way around: check the group and list the nested users.
I came up with this solution:
' //***************************************************************************
' // ***** Script Header *****
' //
' // File: InsertComptuerDescriptionIfInGroup.vbs
' // Author: Jakob Gottlieb Svendsen, Coretech A/S. https://blog.ctglobalservices.com
' // Purpose: Checks if current user if member of specific group,
' // or any nested groups.
' // If user is found, a computerdescription strDescription is
' // added to the local computer.
' //
' // Usage: .vbs
' //
' //
' // CORETECH A/S History:
' // 0.0.1 JGS 01/12/2008 Created initial version.
' // 0.0.2 JGS 02/12/2008 Fixed bug, when same user appears in more than one group
' //
' // Customer History:
' //
' // ***** End Header *****
' //***************************************************************************
'//----------------------------------------------------------------------------
'//
'// Global constant and variable declarations
'//
'//----------------------------------------------------------------------------
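' Errors are suppressed for the whole script: if the bind in GetMembers fails
' (e.g. a wrong strGroupDN), nothing is reported and UserList stays empty.
On Error Resume Next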
strGroupDN = "CN=CT Konsulenter,OU=Security,OU=Groups,OU=Coretech,DC=coretech,DC=intra" ' e.g. cn=SalesGroup,ou=Grps,dc=rallencorp,dc=com
strDescription = "IT Department"
Set oADSystemInfo = CreateObject("ADSystemInfo")
Set dicSeenGroupMember = CreateObject("Scripting.Dictionary")
Set UserList = CreateObject("Scripting.Dictionary")
'//----------------------------------------------------------------------------
'// Main routines
'//----------------------------------------------------------------------------
'Build list of users
GetMembers "LDAP://" & strGroupDN, strSpaces, dicSeenGroupMember
If (UserList.Exists("LDAP://" & oADSystemInfo.UserName)) Then
    'Run function. Change this to your own code, for other tasks.
    InsertComputerDescription strDescription
End If
'//----------------------------------------------------------------------------
'// Procedures
'//----------------------------------------------------------------------------
Function GetMembers(strGroupADsPath, strSpaces, dicSeenGroupMember)
    Set objGroup = GetObject(strGroupADsPath)
    For Each objMember In objGroup.Members
        If objMember.Class = "group" Then
            If dicSeenGroupMember.Exists(objMember.ADsPath) Then
                'Wscript.Echo strSpaces & " ^ already seen group member " & _
                '"(stopping to avoid loop)"
            Else
                dicSeenGroupMember.Add objMember.ADsPath, 1
                GetMembers objMember.ADsPath, strSpaces & " ", dicSeenGroupMember
            End If
        Else
            If Not UserList.Exists(objMember.ADsPath) Then
                UserList.Add objMember.ADsPath, 1
            End If
        End If
    Next
End Function

Function InsertComputerDescription(strDescription)
    strComputer = "."
    Set Obj = GetObject("winmgmts:\\" & strComputer).InstancesOf("Win32_OperatingSystem")
    For Each x In Obj
        x.Description = strDescription
        x.Put_
    Next
End Function
'//----------------------------------------------------------------------------
'// End Script
'//----------------------------------------------------------------------------
You can use the example for all kinds of jobs, but in this case it runs the “InsertComputerDescription” function to insert the computer description.
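An alternative to walking the group tree on the client, added here as an example (it is not from the original post or its download): let the domain controller resolve the nesting in a single query with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941). The group DN is a constructed placeholder, and the function and constant names are hypothetical.

```vbscript
Option Explicit

' Added example. The OID is LDAP_MATCHING_RULE_IN_CHAIN; the group DN
' below is a constructed placeholder, not a value from the post.
Const MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"
Const GROUP_DN = "CN=ExampleGroup,OU=Groups,DC=example,DC=com"

' Escape a value for use inside an LDAP search filter (RFC 4515).
' The backslash must be replaced first.
Function EscapeLdapFilter(strValue)
    Dim s
    s = Replace(strValue, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    EscapeLdapFilter = s
End Function

' True if strUserDN is a direct or nested member of strGroupDN.
' A base-scope search on the user object returns one row when the
' domain controller can follow the memberOf chain up to the group.
Function IsNestedMember(strUserDN, strGroupDN)
    Dim objConn, objCmd, objRS, strFilter
    Set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Open "Active Directory Provider"

    Set objCmd = CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    strFilter = "(memberOf:" & MATCHING_RULE_IN_CHAIN & ":=" & _
                EscapeLdapFilter(strGroupDN) & ")"
    objCmd.CommandText = "<LDAP://" & strUserDN & ">;" & strFilter & _
                         ";distinguishedName;base"

    Set objRS = objCmd.Execute
    IsNestedMember = Not objRS.EOF
    objRS.Close
    objConn.Close
End Function

' No "On Error Resume Next": a failed connection or query raises a
' visible error. A mistyped group DN still just yields no match.
Dim oADSystemInfo
Set oADSystemInfo = CreateObject("ADSystemInfo")
If IsNestedMember(oADSystemInfo.UserName, GROUP_DN) Then
    WScript.Echo "User is a (nested) member of " & GROUP_DN
Else
    WScript.Echo "User is not a member of " & GROUP_DN
End If
```

The memberOf attribute does not include the user's primary group, so membership that exists only through the primary group is not found by this filter.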
Hi, I'm trying to use your script to add printers determined by groups areas, a similar problem with the subgroups. I'm having trouble with this part in particular: 'If (UserList.Exists("LDAP://" & oADSystemInfo.UserName)) Then
The problem is that it always thinks that the user doesn't exist. I checked the UserList collection, and when I use UserList.Count it says that it is zero. I don't know why this variable is getting erased or something like that. Any idea? Thanks in advance.
Hello Jorge
It sounds like your
GetMembers "LDAP://" & strGroupDN, strSpaces, dicSeenGroupMember
is failing. This usually happens when the "LDAP://" & strGroupDN is not correct.
Please check that the
strGroupDN = "CN=CT Konsulenter,OU=Security,OU=Groups,OU=Coretech,DC=coretech,DC=intra"
is correct for your system; otherwise the list will be empty.
But there could be other reasons too.
– Jakob
The script doesn't work because the array is always empty.
Line 67 should be :
If NOT UserList.Exists(objMember.ADsPath) Then
Wity:
You are absolutely correct!
I do not know how this error has appeared; if you look in the downloadable file, it is correct.
Thank you for the notice.
– Jakob
Hi,
I have created a script to enumerate the members of a nested group.
It can be found here:
http://deludi.nl/blog/vbscript/active-directory/groups/active-directory-vbscript-to-enumerate-the-members-of-nested-groups-v2/
best regards,
dirk adamsky
I am now not sure where you are getting your info, but great topic. I must spend a while studying more or understanding more. Thanks for wonderful info I was looking for this information for my mission.
Hi,
I need to modify the above script such that I can verify whether all users are members of particular groups, and I need the output in an Excel file (a list of users not part of those groups).
Can anyone suggest?
thanks