Re: Missing Users in "Group Listing"...
- From: "Richard Mueller [MVP]" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 15 Jun 2005 13:32:37 -0500
William Robertson wrote:
> I have a very simple script which accepts the name of a User Group, and then
> lists the names of all users who are a member thereof... An excerpt of this
> script is listed below...
> '******************************************************
> ADGroup="CN=DialupUsers, OU=Servers"
> ADDomain="DC=domainname,DC=com"
>
> Set objGroup = GetObject ("LDAP://"&ADGroup&","&ADDomain)
> For each objMember in objGroup.Members
>     WScript.Echo objMember.sAMAccountName & "," & objMember.sAMAccountName & "," & objMember.Name
> Next
> '******************************************************
>
> The problem that I have is that any User Account that has the ADGroup in
> question as its Primary Group, does not get included in my report. Case in
> point:
> I have a few "contractor" logons of people who dialup into our organisation
> for support purposes. These user accounts typically are not members of any
> Active Directory groups, apart from my "DialupUsers" group which is used to
> authorise these support users on my IAS server. These user accounts are only
> a member of 1 group, thus the "DialupUsers" group is set as the "Primary
> Group" for these users.
> I have managed to duplicate this as follows:
> - Set the Primary Group of a user account to "Group1"
> - Run the above script, and the user account in question will not be
> reported in the results
> - Take the same user account above, add them to another group, set the
> Primary group to this "Group2", and run the above script again.
> - The user in question will now be returned...
>
> Anyone perhaps got an idea on how to get past this??
Hi,
As you've discovered, the LDAP provider does not reveal membership in the
"primary" group, at least without extra effort. To find all users that have
a given group designated as their "primary", retrieve the value of the
"primaryGroupToken" attribute of the group object. Then, use ADO to search
for all users that have a matching value for the "primaryGroupID" attribute
of the user object. I have an example VBScript program that documents group
membership and demonstrates this linked here:
http://www.rlmueller.net/List%20Members%20of%20a%20Group.htm
The program above also reveals nested group membership, which your snippet
does not. If you don't have nested groups, another solution is to use the
WinNT provider. The WinNT provider is blind to nested groups, but the WinNT
Members method of the group object does include any members that have the
group designated as primary. Your snippet could be converted to use the
WinNT provider.
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab web site - http://www.rlmueller.net
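
The approach described in the reply above (read the group's "primaryGroupToken", then search with ADO for users whose "primaryGroupID" matches), as an added example that is not part of the original post and is not the program linked from rlmueller.net. It assumes the group DN from the question, restricts the search to user objects, and uses an arbitrary page size of 500; nested groups are not expanded.

```vbscript
Option Explicit
Dim strGroupDN, objGroup, objMember, intToken
Dim objRootDSE, strBase, strFilter, objConn, objCmd, objRS

' Group DN taken from the question in this thread (assumption: adjust for your domain).
strGroupDN = "CN=DialupUsers,OU=Servers,DC=domainname,DC=com"
Set objGroup = GetObject("LDAP://" & strGroupDN)

' 1) Direct members: only what the group's "member" attribute exposes.
For Each objMember In objGroup.Members
    WScript.Echo "member," & objMember.sAMAccountName & "," & objMember.Name
Next

' 2) primaryGroupToken is a constructed attribute, so it has to be loaded
'    into the property cache explicitly before it can be read.
objGroup.GetInfoEx Array("primaryGroupToken"), 0
intToken = objGroup.Get("primaryGroupToken")

' 3) ADO search of the whole domain for users whose primaryGroupID equals the token.
'    These accounts are absent from the "member" attribute enumerated in step 1.
Set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">"
strFilter = "(&(objectCategory=person)(objectClass=user)(primaryGroupID=" & intToken & "))"

Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.Properties("Page Size") = 500   ' page results so large domains are not truncated
objCmd.CommandText = strBase & ";" & strFilter & ";sAMAccountName,name;subtree"

Set objRS = objCmd.Execute
Do Until objRS.EOF
    WScript.Echo "primary," & objRS.Fields("sAMAccountName").Value & "," & objRS.Fields("name").Value
    objRS.MoveNext
Loop

objRS.Close
objConn.Close
```

Run it with cscript.exe so each line goes to the console. The first column marks whether an account was found through the "member" attribute or only through its primary group, which is the set the original script missed when auditing who the IAS server will authorise.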