
Working with Groups

You'll want to do two primary things with groups: modify their membership and check their membership. The former can be useful in scripts that bulk-add new users to the domain; the latter is invaluable in logon scripts. Let's take checking group membership first. The basic trick is to get a reference to a group, and then scan through its members until you find a particular user (or not). This is best implemented as a function, which can be easily reused in different scripts. The function is in Listing 16.1.

Listing 16.1. CheckGroupMembership.vbs. This function checks to see if a specified user belongs to a specified group.

Function IsMember(sUser, sGroup)
 Dim oGroup, bIsMember, sMember
 bIsMember = False
 Set oGroup = GetObject("LDAP://" & sGroup)
 'GetEx returns an array of strings, one DN per direct member
 For Each sMember In oGroup.GetEx("member")
  'DNs are not case-sensitive, so compare text, not binary
  If StrComp(sMember, sUser, vbTextCompare) = 0 Then
   bIsMember = True
   Exit For
  End If
 Next
 IsMember = bIsMember
End Function

You need to pass full LDAP distinguished names (DNs, not display names or logon names) to this function. For example, to see if user DonJ, located in the MIS OU, is a member of the HelpDesk group, also located in the MIS OU, you'd do something like this.


If IsMember( _
 "cn=DonJ,ou=MIS,dc=domain,dc=com", _
 "cn=HelpDesk,ou=MIS,dc=domain,dc=com") Then
 WScript.Echo "He's a member!"
Else
 WScript.Echo "He's not a member!"
End If

Notice that the function uses the GetEx method to retrieve the group object's member attribute, which is a multivalued attribute. GetEx returns an array of strings, each one the distinguished name of a direct member of the group, which is why the function compares strings (case-insensitively, because DNs are not case-sensitive) instead of reading a Name property. The benefit of a function like this is that it can check for users from different domains belonging to, for example, a Universal security group, because you're using the full DN of the user, which includes his home domain. Be aware of what the member attribute does not tell you: it lists nested groups by their DN but does not expand them, so a user who belongs to HelpDesk only through a group inside HelpDesk is reported as a non-member; it never lists users whose primary group (Domain Users, by default) is the group in question; a group with no members has no member attribute at all, so GetEx raises an error instead of returning an empty array; and very large groups are returned in ranges of at most the server's MaxValRange values (1,500 by default on Windows Server 2003), so a single GetEx call on such a group sees only the first range. If the answer gates something that matters, such as mapping an administrative share in a logon script, handle those cases rather than treating a False as final.
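The scan in Listing 16.1 only looks at direct members. The following is an added example, not code from the book, that walks nested groups recursively, compares DNs case-insensitively, and survives an empty group. It uses a Scripting.Dictionary to avoid looping forever on circular nesting (group A contains B, B contains A); the DNs in it are assumed.

```vbscript
Option Explicit

' Added example (not from the book): recursive membership check with the
' LDAP provider. All DNs below are assumed, not real.

' Returns True if sUserDN is a direct or nested member of sGroupDN.
' dicSeen (a Scripting.Dictionary) records groups already visited so
' circular nesting cannot make the recursion loop forever.
Function IsMemberNested(sUserDN, sGroupDN, dicSeen)
    Dim oGroup, vMembers, sMemberDN, oMember
    IsMemberNested = False

    If dicSeen.Exists(LCase(sGroupDN)) Then Exit Function
    dicSeen.Add LCase(sGroupDN), True

    Set oGroup = GetObject("LDAP://" & sGroupDN)

    ' An empty group has no member attribute, so GetEx raises an error;
    ' treat that as "nobody is a member" rather than crashing the script.
    On Error Resume Next
    vMembers = oGroup.GetEx("member")
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0

    For Each sMemberDN In vMembers
        ' DNs are case-insensitive; vbTextCompare avoids a false negative
        ' when the directory stores "CN=DonJ" and the caller typed "cn=DonJ".
        If StrComp(sMemberDN, sUserDN, vbTextCompare) = 0 Then
            IsMemberNested = True
            Exit Function
        End If

        ' Descend into nested groups; users, computers and contacts are skipped.
        Set oMember = GetObject("LDAP://" & sMemberDN)
        If LCase(oMember.Class) = "group" Then
            If IsMemberNested(sUserDN, sMemberDN, dicSeen) Then
                IsMemberNested = True
                Exit Function
            End If
        End If
    Next
End Function

' Wrapper so callers do not have to create the dictionary themselves.
Function IsEffectiveMember(sUserDN, sGroupDN)
    Dim dicSeen
    Set dicSeen = CreateObject("Scripting.Dictionary")
    IsEffectiveMember = IsMemberNested(sUserDN, sGroupDN, dicSeen)
End Function

' Usage with assumed DNs: if HelpDesk contains a Tier2 group that in turn
' contains DonJ, Listing 16.1 reports False and this reports True.
If IsEffectiveMember("cn=DonJ,ou=MIS,dc=domain,dc=com", _
                     "cn=HelpDesk,ou=MIS,dc=domain,dc=com") Then
    WScript.Echo "DonJ is an effective member of HelpDesk"
Else
    WScript.Echo "DonJ is not a member of HelpDesk"
End If
```

Binding to every member to read its Class costs one directory round trip per member, which is fine for a logon script but slow for a bulk audit of large groups; it also still does not see primary-group membership or anything past the first range of a very large group, so keep those limits in mind when the result is used for an access decision.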

Given this example on how to read the group's membership list, you probably have a good idea of how to modify that list. Suppose you have a group named HelpDesk in the MIS OU. You want to add a user named DonJ, also from the MIS OU, and delete a user named GregM from the Sales OU. Here's how.


Dim oGroup
Set oGroup = GetObject("LDAP://cn=HelpDesk,ou=MIS,dc=" & _
 "domain,dc=com")

'PutEx constants (ADSI calls them ADS_PROPERTY_CLEAR and so on)
Const MVP_CLEAR = 1
Const MVP_UPDATE = 2
Const MVP_APPEND = 3
Const MVP_DELETE = 4

'add user: PutEx wants an array of values for a multivalued attribute
oGroup.PutEx MVP_APPEND, "member", Array("cn=DonJ,ou=MIS,dc=" & _
 "domain,dc=com")
oGroup.SetInfo

'delete user
oGroup.PutEx MVP_DELETE, "member", Array("cn=GregM,ou=Sales,dc=" & _
 "domain,dc=com")
oGroup.SetInfo
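An added example, not from the book, that makes the two PutEx operations above safe to run more than once: it checks direct membership with the group object's built-in IADsGroup.IsMember method (which takes an ADsPath and, like Listing 16.1, does not expand nested groups), skips a change that is already in effect, and reports an error from SetInfo instead of ignoring it. The DNs are assumed.

```vbscript
Option Explicit

' Added example (not from the book): idempotent add/remove with PutEx.
' All DNs below are assumed, not real.

Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4

' Returns True if sMemberDN is a direct member of the bound group object.
' IADsGroup.IsMember takes an ADsPath, so the DN gets an LDAP:// prefix.
Function IsDirectMember(oGroup, sMemberDN)
    IsDirectMember = oGroup.IsMember("LDAP://" & sMemberDN)
End Function

' Apply one membership change. lOp is ADS_PROPERTY_APPEND or ADS_PROPERTY_DELETE.
' Returns a status string for logging; nothing is written to the directory
' when the member is already in (or already out of) the group.
Function ChangeMembership(sGroupDN, sMemberDN, lOp)
    Dim oGroup, bPresent
    Set oGroup = GetObject("LDAP://" & sGroupDN)
    bPresent = IsDirectMember(oGroup, sMemberDN)

    If lOp = ADS_PROPERTY_APPEND And bPresent Then
        ChangeMembership = "skip: already a member"
        Exit Function
    ElseIf lOp = ADS_PROPERTY_DELETE And Not bPresent Then
        ChangeMembership = "skip: not a member"
        Exit Function
    End If

    On Error Resume Next
    oGroup.PutEx lOp, "member", Array(sMemberDN)
    oGroup.SetInfo
    If Err.Number <> 0 Then
        ' Typical causes: no write permission on the group's member
        ' attribute, a DN that does not exist, or a principal from a
        ' domain this group type cannot contain.
        ChangeMembership = "failed: " & Err.Description & _
            " (0x" & Hex(Err.Number) & ")"
        Err.Clear
    Else
        ChangeMembership = "ok"
    End If
    On Error GoTo 0
End Function

' Usage with assumed DNs.
WScript.Echo ChangeMembership("cn=HelpDesk,ou=MIS,dc=domain,dc=com", _
    "cn=DonJ,ou=MIS,dc=domain,dc=com", ADS_PROPERTY_APPEND)
WScript.Echo ChangeMembership("cn=HelpDesk,ou=MIS,dc=domain,dc=com", _
    "cn=GregM,ou=Sales,dc=domain,dc=com", ADS_PROPERTY_DELETE)
```

Checking first matters because appending a DN that is already present fails at SetInfo, which would abort a bulk-add script half way through; logging the returned status per account gives you a record of which memberships a script actually changed, which is what you will want when reviewing who was added to a privileged group.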

What if you want to do this with an NT domain or a local SAM? Using the WinNT provider is slightly different. Instead of editing a member attribute, you bind to the group and call its Add method, passing the ADsPath of the account you want to add. Binding to the user first isn't strictly required, since Add accepts a path string, but it confirms that the account exists and gives you its ADsPath without typing it twice. The group's Remove method, with the same argument, takes the account back out.


Dim oUser, oGroup
Set oUser = GetObject("WinNT://DOMAIN/DonJ,user")
Set oGroup = GetObject("WinNT://DOMAIN/HelpDesk,group")

oGroup.Add oUser.ADsPath

Here again, you see how the WinNT provider can make things a tiny bit easier, because it's designed specifically for dealing with users, groups, and other stuff like that. The LDAP provider, on the other hand, provides more flexibility because it's designed as a generic LDAP provider. That means future changes to AD won't require a new LDAP provider.
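As an added example, not from the book, here is the WinNT-provider side of reading membership, applied to the one group worth watching on every machine: the local Administrators group. The Members collection returns each member as an object, so the script can report its class and the authority (local computer or domain) it belongs to, which is how you spot a domain group or a stray local account that has been granted local admin rights. The group name and the WinNT://DOMAIN/HelpDesk path are assumed.

```vbscript
Option Explicit

' Added example (not from the book): enumerate and test a local group with
' the WinNT provider. "." means the local computer; the English group name
' "Administrators" and the WinNT://DOMAIN/HelpDesk path are assumed.

' Returns one line per member: class, then ADsPath. The ADsPath looks like
' WinNT://DOMAIN/name or WinNT://COMPUTER/name, so the segment after
' WinNT:// tells you who owns the principal.
Function ListGroupMembers(sComputer, sGroupName)
    Dim oGroup, oMember, sResult
    Set oGroup = GetObject("WinNT://" & sComputer & "/" & sGroupName & ",group")
    sResult = ""
    For Each oMember In oGroup.Members
        sResult = sResult & oMember.Class & vbTab & oMember.ADsPath & vbCrLf
    Next
    ListGroupMembers = sResult
End Function

' Membership test without writing a loop: IADsGroup.IsMember takes an ADsPath.
' Like the LDAP version, it only sees direct members of this group.
Function IsLocalGroupMember(sComputer, sGroupName, sMemberPath)
    Dim oGroup
    Set oGroup = GetObject("WinNT://" & sComputer & "/" & sGroupName & ",group")
    IsLocalGroupMember = oGroup.IsMember(sMemberPath)
End Function

WScript.Echo ListGroupMembers(".", "Administrators")
If IsLocalGroupMember(".", "Administrators", "WinNT://DOMAIN/HelpDesk") Then
    WScript.Echo "HelpDesk is a local administrator on this machine"
End If
```

Run against a remote computer by replacing "." with its name; the account running the script needs to be able to read the remote SAM. Note that a domain group listed here is shown only by its path: to see who is inside it you bind to WinNT://DOMAIN/HelpDesk,group and enumerate its Members the same way.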
