Richard
Mon Jul 07 13:38:36 CDT 2003
Marta wrote:
>
> I would like to check if a group is member of another group in Active
> Directory. I am using the following lines of code, but they don't work
> (the program doesn't recognize that GG_I_CA is a member of GG_I).
>
> Set oSysInfo = CreateObject("WinNTSystemInfo")
> sDomain = oSysInfo.DomainName
> Set oGroup = GetObject("WinNT://" & sDomain & "/" & "GG_I")
> IsMember = oGroup.IsMember("WinNT://" & sDomain & "/" & "GG_I_CA")
> IF isMember Then wscript.echo "Group is member"
>
> If I try to check if a user is member of a group, everything works fine.
> Is there another method to check group membership (I wouldn't like to
> have the list of members and recursively check it)?
> Thanks,
Hi,
The problem is that the WinNT provider does not recognize groups as members
of global or universal security groups. This was not allowed in NT. WinNT
does recognize groups as members of domain local groups and distribution
groups. You need to use the LDAP provider. To bind with LDAP you need the
Distinguished Name (DN) of the group. For example:
Set objGroup1 = GetObject("LDAP://cn=GG_I,ou=Sales,dc=MyDomain,dc=com")
Set objGroup2 = GetObject("LDAP://cn=GG_I_CA,ou=Admin,dc=MyDomain,dc=com")
If objGroup1.IsMember(objGroup2.AdsPath) Then
Wscript.Echo "Group " & objGroup2.sAMAccountName & " is a member of group " _
& objGroup1.sAMAccountName
End If
If you only have the NT name of the group (the sAMAccountName), you can use
the NameTranslate object to convert this to the DN required for LDAP. For
example:
' Determine the Distinguished Name of the domain (defaultNamingContext)
' from the RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
' Use the NameTranslate object to find the NetBIOS domain name from the
' domain DN. Init 3 = ADS_NAME_INITTYPE_GC (bind to a Global Catalog),
' Set 1 = ADS_NAME_TYPE_1779 (input is a DN),
' Get 3 = ADS_NAME_TYPE_NT4 (output is "DOMAIN\").
Set objTrans = CreateObject("NameTranslate")
objTrans.Init 3, strDNSDomain
objTrans.Set 1, strDNSDomain
strNetBIOSDomain = objTrans.Get(3)
' Remove trailing backslash.
strNetBIOSDomain = Left(strNetBIOSDomain, Len(strNetBIOSDomain) - 1)
' Use the NameTranslate object to convert the NT name to the
' Distinguished Name required for the LDAP provider.
' Init 1 = ADS_NAME_INITTYPE_DOMAIN (bind to the named domain),
' Set 3 = ADS_NAME_TYPE_NT4 (input is "DOMAIN\name"),
' Get 1 = ADS_NAME_TYPE_1779 (output is the DN).
strNTName = "TestGroup"
objTrans.Init 1, strNetBIOSDomain
objTrans.Set 3, strNetBIOSDomain & "\" & strNTName
strDN = objTrans.Get(1)
' Bind to the object in Active Directory with the LDAP provider.
Set objGroup = GetObject("LDAP://" & strDN)
I hope this helps.
--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site -
http://www.rlmueller.net
--
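Richard's IsMember call answers only direct membership; for an audit of who actually ends up in a group through nesting, the "member" attribute has to be walked. The following is an added example, not code from this thread, working over a constructed in-memory snapshot of group objects (the GG_I and GG_I_CA DNs follow Richard's reply; the other groups, users and the nesting loop are invented) rather than a live directory.

```python
# Added example, not code from the original thread. A constructed snapshot of
# AD group objects (DN -> values of the "member" attribute) stands in for the
# directory. is_direct_member mirrors what IsMember answers over the LDAP
# provider; nesting_path answers the transitive question IsMember does not,
# walking "member" with cycle protection because AD permits circular nesting.
DIRECTORY = {  # the two DNs follow Richard's example; the rest is invented
    "CN=GG_I,OU=Sales,DC=MyDomain,DC=com": [
        "CN=GG_I_CA,OU=Admin,DC=MyDomain,DC=com",
        "CN=Marta,OU=Users,DC=MyDomain,DC=com",
    ],
    "CN=GG_I_CA,OU=Admin,DC=MyDomain,DC=com": [
        "CN=GG_Helpdesk,OU=Admin,DC=MyDomain,DC=com",
        "CN=GG_I,OU=Sales,DC=MyDomain,DC=com",  # nests back into GG_I (loop)
    ],
    "CN=GG_Helpdesk,OU=Admin,DC=MyDomain,DC=com": [
        "CN=Bob,OU=Users,DC=MyDomain,DC=com",
    ],
}

def norm(dn):
    """DNs compare case-insensitively; also strip spaces around components."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

# Normalized index: group DN -> list of member DNs.
GROUPS = {norm(g): [norm(m) for m in ms] for g, ms in DIRECTORY.items()}

def is_direct_member(group_dn, candidate_dn):
    """Direct membership only, like IsMember with LDAP-bound groups."""
    return norm(candidate_dn) in GROUPS.get(norm(group_dn), [])

def nesting_path(group_dn, candidate_dn):
    """Chain of DNs from group_dn down to candidate_dn, or None if candidate_dn
    is not a transitive member. Visited groups are remembered so a nesting
    loop cannot recurse forever."""
    target, seen = norm(candidate_dn), set()

    def walk(group, path):
        if group in seen:
            return None
        seen.add(group)
        for member in GROUPS.get(group, []):
            if member == target:
                return path + [group, member]
            if member in GROUPS:  # member is itself a group: descend
                found = walk(member, path + [group])
                if found:
                    return found
        return None

    return walk(norm(group_dn), [])
```

The returned path is the evidence an auditor wants: it names each intermediate group through which an account inherits membership.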