Hello,

I have written a vbscript - actually an HTA, which checks to see if a
user is a member of an AD group. For some users it will correctly
return the correct results. For others it will say that a user is not a
member of a group when actually they are. When looking at group
membership through the Active Directory snap-in it shows the correct
membership. At first I thought the issue might be something to do with
the Domain Controller the script was interrogating, however looking on
those DCs with the AD snap-in also shows the correct membership. It is
worth mentioning that newer accounts don't seem to return the correct
results. The only thing that needs to be changed in the HTA is
"strNetBIOSDomain = "DOMAIN"" and replace DOMAIN with your correct
Domain name.

Here is my HTA:

<html>
<head>
<title>HTA Helpomatic</title>

<HTA:APPLICATION
ID="objHTAHelpomatic"
APPLICATIONNAME="HTAHelpomatic"
SCROLL="yes"
SINGLEINSTANCE="yes"
WINDOWSTATE="normal"
>
</head>

<SCRIPT Language="VBScript">
Sub RunScript

strGroup = group.value
strGroupText = group.value
strUser = user.value

Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1
Dim objTrans, objShell, objGroup
Set objShell = CreateObject("Wscript.Shell")
strNetBIOSDomain = "DOMAIN"
Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_GC, ""

objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & strUser
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)

objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & strGroup
strGroupDN = objTrans.Get(ADS_NAME_TYPE_1779)

'msgbox struserdn
'MsgBox strGroupDN
'MsgBox """" & "LDAP://" & strGroupDN & """"
'strGroupDN = """" & "LDAP://" & strGroupDN & """"
strGroupDN = "LDAP://" & strGroupDN
'MsgBox strGroupDN

Set objGroup = GetObject(strGroupDN)
objGroup.GetInfo

arrMemberOf = objGroup.GetEx("member")
StrCompare = struserdn
For Each strMember in arrMemberOf
intCompare = StrComp(StrCompare, strMember, vbTextCompare)
If intCompare = 0 Then
MsgBox "User is a member of the " & strGroupText & " group",,"Group Information"
Exit For
End if
Next

If intCompare <> 0 Then
MsgBox "User is not a member of the " & strGroupText & " group",,"Group Information"
End If

End sub

</SCRIPT>
<body>
<font color="red">
<face ="Times New Roman">
<H1 align="center"font color="red"> Is User Member of Group </H1>
<font color="blue" face="Times New Roman" size="4">User
<input type="text" name="User" size="25">
<font color="blue" face="Times New Roman" size="4">Group
<input type="text" name="Group" size="25">
<br>
<br>
<input id=runbutton class="button" type="button" value="Get Info"
name="run_button" onClick="RunScript">
</body>
</html>




Many thanks for any assistance,

Ben

Re: Inconsistent Results by Richard

Richard
Wed Dec 13 10:49:24 CST 2006

Hi,

First, the member attribute of the group object never includes any members
that have the group designated as their "primary" group. Usually, this is
not a problem, as everyone should have "Domain Users" designated as their
"primary" group and you can just assume this.

Second, the method you use to enumerate members of the group will raise an
error if the member attribute is empty. One solution would be to trap the
error:
=================
On Error Resume Next
arrMemberOf = objGroup.GetEx("member")
If (Err.Number = 0) Then
    ' No error, at least one member in collection.
    On Error GoTo 0
    StrCompare = struserdn
    For Each strMember in arrMemberOf
        intCompare = StrComp(StrCompare, strMember, vbTextCompare)
        If intCompare = 0 Then
            MsgBox "User is a member of the " & strGroupText _
                & " group",,"Group Information"
            Exit For
        End if
    Next
Else
    ' Error, no members.
    On Error GoTo 0
    intCompare = 1
End If

If intCompare <> 0 Then
    MsgBox "User is not a member of the " & strGroupText _
        & " group",,"Group Information"
End If
==========
Finally, membership due to group nesting is not revealed by the member
attribute. However, such membership is not shown in the GUI either. I don't
think any of these points explains what you see. The other possibility is
that the member attribute has not replicated, but you seem to have
eliminated that possibility.

However, it might be more straightforward to use the IsMember method of the
group object. You pass the AdsPath of the prospective member to this method
and it returns True if that corresponds to a member, False otherwise:
=============
strGroupDN = "LDAP://" & strGroupDN
Set objGroup = GetObject(strGroupDN)

If (objGroup.IsMember("LDAP://" & strUserDN) = True) Then
    MsgBox "User is a member of the " & strGroupText _
        & " group",,"Group Information"
Else
    MsgBox "User is not a member of the " & strGroupText _
        & " group",,"Group Information"
End If
=============
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
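
The reply above notes that the member attribute (and therefore IsMember) never lists users who hold the group as their "primary" group. The script below is an added example, not part of the original thread: it combines IsMember with a comparison of the user's primaryGroupID against the group's primaryGroupToken, so a membership check used for an access decision does not miss primary-group members. The function names GetDN and IsDirectOrPrimaryMember and the account name "jsmith" are made up for illustration; "DOMAIN" is the same placeholder used in the HTA, and the script is meant to be run with cscript.

```vbscript
Option Explicit

Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

' Translate DOMAIN\name to a distinguished name; returns "" if it does not resolve.
Function GetDN(strNetBIOSDomain, strName)
    Dim objTrans
    GetDN = ""
    Set objTrans = CreateObject("NameTranslate")
    objTrans.Init ADS_NAME_INITTYPE_GC, ""
    On Error Resume Next
    objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & strName
    If Err.Number = 0 Then GetDN = objTrans.Get(ADS_NAME_TYPE_1779)
    On Error GoTo 0
End Function

' True if the user is listed in the group's member attribute, or if the
' group is the user's primary group. Nested membership is not evaluated.
Function IsDirectOrPrimaryMember(strUserDN, strGroupDN)
    Dim objUser, objGroup
    Set objGroup = GetObject("LDAP://" & strGroupDN)
    Set objUser = GetObject("LDAP://" & strUserDN)

    ' Direct membership, as in the IsMember snippet above.
    If objGroup.IsMember("LDAP://" & strUserDN) Then
        IsDirectOrPrimaryMember = True
        Exit Function
    End If

    ' primaryGroupToken is a constructed attribute, so it must be loaded
    ' into the property cache explicitly before it can be read.
    objGroup.GetInfoEx Array("primaryGroupToken"), 0
    IsDirectOrPrimaryMember = _
        (objUser.Get("primaryGroupID") = objGroup.Get("primaryGroupToken"))
End Function

Dim strUserDN, strGroupDN
strUserDN = GetDN("DOMAIN", "jsmith")          ' constructed sample account
strGroupDN = GetDN("DOMAIN", "Domain Users")
If strUserDN = "" Or strGroupDN = "" Then
    WScript.Echo "User or group name could not be resolved"
ElseIf IsDirectOrPrimaryMember(strUserDN, strGroupDN) Then
    WScript.Echo "User is a member (directly or as primary group)"
Else
    WScript.Echo "User is not a direct or primary-group member (nesting not checked)"
End If
```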




Re: Inconsistent Results by benjaminbrazil

benjaminbrazil
Wed Dec 13 11:28:54 CST 2006

Hi Richard,

thanks for your advice.
Your code works.

Ben.