Re: Security Groups from VPN

On Feb 10, 9:35 am, jimmysjams <jimmysj...@xxxxxxxxx> wrote:
On Feb 9, 11:17 am, "Richard Mueller [MVP]" <rlmueller-nos...@xxxxxxxxxxxxxxxxxxxx> wrote:
"jimmysjams" <jimmysj...@xxxxxxxxx> wrote in message
news:2d46b7eb-53b2-463a-85d9-d599b968c63c@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Feb 9, 10:20 am, "Richard Mueller [MVP]" <rlmueller-nos...@xxxxxxxxxxxxxxxxxxxx> wrote:
"jimmysjams" <jimmysj...@xxxxxxxxx> wrote in message
news:498a6b3f-7ab9-428c-b83f-13896881b7f0@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I'm still having problems retrieving a user's security groups from a
VPN connection. I've established the connection by requiring the
username and password but no matter what I try I can't seem to get the
security groups for the user. Any help with this problem will be
greatly appreciated.

Set objDomain = GetObject("LDAP://domain.com/RootDSE")

strDomain = objDomain.Get("dnsHostName")

Set objUser = GetObject("WinNT://" & strDomain & "/" & userName)

This returns an error of the network path not found.

That can't work. The dnsHostName will be in the form
MyCompany.MyDomain.com.
The WinNT provider requires the NetBIOS name of the domain. I don't have a
vpn to test, but I would suggest one of the following:
========
Set objNetwork = CreateObject("Wscript.Network")
strDomain = objNetwork.Domain
strUser = objNetwork.UserName
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")
--- or
Set objSysInfo = CreateObject("ADSystemInfo")
strUserDN = objSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUserDN)
=======
In your example, how do you know the value of "userName"?

--
Richard Mueller
MVP Directory Services
Hilltop Lab -http://www.rlmueller.net
--

I prompt the user for username and password and log in to the vpn
that way.  The computers I have to get this script to work on are not
members of the domain.

In your first example, the code will retrieve the local username and
security group.  I've tried the second but I'm not an active directory
expert.  The error it returns is "No mapping between account names and
security IDs was done."

----------
That's the error you get from the ADSystemInfo object when you are not
authenticated to the domain. If the wshNetwork object does not work and
return the NetBIOS name of the domain, you will need to use the LDAP
provider. The RootDSE object does not reveal the NetBIOS name of the domain,
which is required for the WinNT provider. I would recommend the LDAP
provider anyway, as it is faster and reveals more attributes. The only
drawback is that it does not easily reveal membership in the "primary" group
of the user, but that should always be "Domain Users" anyway.

If you can bind to the RootDSE object, you can use the following to retrieve
the DN of the domain:

Set objRootDSE = GetObject("LDAP://domain.com/RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

The problem with my suggestion is that you have the NT name of the user (the
value of the sAMAccountName attribute, also called the "pre-Windows 2000
logon name"). You need the Distinguished Name (DN) of the user to use the
LDAP provider. The IADsNameTranslate interface can be used to convert the NT
name to the DN, but if you are not authenticated to the domain you may need
to use alternate credentials.

Maybe the best solution is to hard code the NetBIOS name of the domain.
Either that, or prompt the user for the name of the domain. Or, possibly
parse the dnsHostName for the part you believe is the NetBIOS name of the
domain. Note that this is not guaranteed to work, as the highest level
domain component of the dnsHostName can be completely different from the
NetBIOS name. This may work in many (but not all) cases. Or, maybe someone
else has a suggestion.

--
Richard Mueller
MVP Directory Services
Hilltop Lab -http://www.rlmueller.net
--

I've perused some of the code examples you have on your website and
they work great on the domain.  The problem is I get a permission
denied error when I try to run them off the domain.  Is there a way to
authenticate the user and then try to run the code below?

Const ADS_NAME_INITTYPE_DOMAIN = 1
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1
strNTName = "DOMAIN\Username"

Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_DOMAIN, "DOMAIN"  'permission denied

objTrans.Set ADS_NAME_TYPE_NT4, strNTName
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
strUserDN = Replace(strUserDN, "/", "\/")
Set objUser = GetObject("LDAP://" & strUserDN)

You've been very helpful so far Richard, thank you for your time.

Right after I posted that last comment I figured it out. The purpose
was to write a script that would map network drives over a vpn based
on security group. All the groups and drives are stored in a
dictionary object retrieved from a different function. I've posted
the code for anybody who comes across the same problems I have.

Sub MapDrivesForUser(userName, password)
    Const ADS_NAME_INITTYPE_GC = 3
    Const ADS_NAME_TYPE_NT4 = 3
    Const ADS_NAME_TYPE_1779 = 1
    ' Authentication flags for OpenDSObject. These were not defined in the
    ' posted script, so the expression evaluated to 0 (no secure authentication).
    Const ADS_SECURE_AUTHENTICATION = &H1
    Const ADS_SERVER_BIND = &H200

    Dim objUser, objDSObj, objNetwork, objTrans, objFSO
    Dim dictionaryGroups, dictItem, oGroup, groupName, key
    Dim strDomain, strNTName, strUserDN

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objTrans = CreateObject("NameTranslate")
    Set objNetwork = CreateObject("WScript.Network")

    strDomain = "DOMAIN"   ' NetBIOS name of the domain, hard coded
    strNTName = strDomain & "\" & userName

    ' InitEx passes the prompted credentials to NameTranslate, which Init
    ' could not do from a machine that is not a domain member
    objTrans.InitEx ADS_NAME_INITTYPE_GC, "", userName, strDomain, password
    objTrans.Set ADS_NAME_TYPE_NT4, strNTName
    strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)

    ' Forward slashes are path separators in an ADsPath and must be escaped
    strUserDN = Replace(strUserDN, "/", "\/")
    Set objDSObj = GetObject("LDAP:")
    Set objUser = objDSObj.OpenDSObject("LDAP://domain.com/" & strUserDN, _
        strNTName, password, ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)

    ' Group name -> dictionary of drive letter -> UNC path, built elsewhere
    Set dictionaryGroups = BuildDriveDictionary(userName)

    On Error Resume Next
    For Each oGroup In objUser.Groups
        ' oGroup.Name is "CN=<group>"; drop the "CN=" prefix
        groupName = UCase(Right(oGroup.Name, Len(oGroup.Name) - 3))
        If dictionaryGroups.Exists(groupName) Then
            Set dictItem = dictionaryGroups.Item(groupName)
            For Each key In dictItem.Keys
                If objFSO.DriveExists(key) Then
                    objNetwork.RemoveNetworkDrive key
                End If
                objNetwork.MapNetworkDrive key, dictItem.Item(key)
            Next
        End If
    Next
End Sub

Again, thank you very much Richard! I wouldn't have gotten it without
your help.
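The following is an added example and is not code from the thread or from Richard's site. It takes the approach Richard describes (NameTranslate with explicit credentials to get the DN, then an LDAP bind with those credentials) and goes a step further on the point he raises about the primary group: memberOf does not list it, so the script rebuilds the primary group's SID from the user's objectSid and primaryGroupID and binds to it through an <SID=...> path. It also checks groupType so that only security groups, not distribution groups, are returned. The DC name dc01.domain.com, the NetBIOS domain DOMAIN, and the InputBox prompts are assumptions for illustration; the OctetToHexStr, PrimaryGroupSidHex and GetSecurityGroups names are mine.

```vbscript
Option Explicit

' Added example, not code from the thread. Assumes a reachable domain
' controller (strServer), the NetBIOS domain name (strDomain), and user
' credentials prompted as in the thread.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1
Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_SERVER_BIND = &H200
Const ADS_GROUP_SECURITY_ENABLED = &H80000000

' Octet string (byte array) to hex string, the form used in an <SID=...> bind
Function OctetToHexStr(vOctet)
    Dim k
    OctetToHexStr = ""
    For k = 1 To LenB(vOctet)
        OctetToHexStr = OctetToHexStr & Right("0" & Hex(AscB(MidB(vOctet, k, 1))), 2)
    Next
End Function

' The primary group's SID is the user's SID with its trailing RID (last four
' bytes, little-endian) replaced by the primaryGroupID value
Function PrimaryGroupSidHex(strUserSidHex, lngPrimaryGroupID)
    Dim strRid, strLittleEndian, k
    strRid = Right("00000000" & Hex(lngPrimaryGroupID), 8)
    strLittleEndian = ""
    For k = 7 To 1 Step -2
        strLittleEndian = strLittleEndian & Mid(strRid, k, 2)
    Next
    PrimaryGroupSidHex = Left(strUserSidHex, Len(strUserSidHex) - 8) & strLittleEndian
End Function

' Returns a Dictionary of sAMAccountName -> DN for the user's security groups,
' including the primary group
Function GetSecurityGroups(strServer, strDomain, strUser, strPassword)
    Dim strNTName, strUserDN, strPath, lngFlags
    Dim objTrans, objDSObj, objUser, objGroup, dict, vDN, arrMemberOf

    Set dict = CreateObject("Scripting.Dictionary")
    dict.CompareMode = vbTextCompare
    strNTName = strDomain & "\" & strUser
    lngFlags = ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND

    ' NT name -> DN using the supplied credentials (InitEx rather than Init)
    Set objTrans = CreateObject("NameTranslate")
    objTrans.InitEx ADS_NAME_INITTYPE_GC, "", strUser, strDomain, strPassword
    objTrans.Set ADS_NAME_TYPE_NT4, strNTName
    strUserDN = Replace(objTrans.Get(ADS_NAME_TYPE_1779), "/", "\/")

    Set objDSObj = GetObject("LDAP:")
    Set objUser = objDSObj.OpenDSObject("LDAP://" & strServer & "/" & strUserDN, _
        strNTName, strPassword, lngFlags)

    ' memberOf holds direct memberships only; GetEx raises an error when empty
    On Error Resume Next
    arrMemberOf = objUser.GetEx("memberOf")
    If Err.Number <> 0 Then
        Err.Clear
        arrMemberOf = Array()
    End If
    On Error GoTo 0

    For Each vDN In arrMemberOf
        strPath = "LDAP://" & strServer & "/" & Replace(vDN, "/", "\/")
        Set objGroup = objDSObj.OpenDSObject(strPath, strNTName, strPassword, lngFlags)
        ' Distribution groups lack the security-enabled bit in groupType
        If (objGroup.Get("groupType") And ADS_GROUP_SECURITY_ENABLED) <> 0 Then
            If Not dict.Exists(objGroup.Get("sAMAccountName")) Then
                dict.Add objGroup.Get("sAMAccountName"), vDN
            End If
        End If
    Next

    ' The primary group is absent from memberOf; resolve it through its SID
    strPath = "LDAP://" & strServer & "/<SID=" & _
        PrimaryGroupSidHex(OctetToHexStr(objUser.Get("objectSid")), _
        objUser.Get("primaryGroupID")) & ">"
    Set objGroup = objDSObj.OpenDSObject(strPath, strNTName, strPassword, lngFlags)
    If Not dict.Exists(objGroup.Get("sAMAccountName")) Then
        dict.Add objGroup.Get("sAMAccountName"), objGroup.Get("distinguishedName")
    End If

    Set GetSecurityGroups = dict
End Function

' Usage: prompt for credentials as the thread does, then list the groups
Dim strName, dictGroups, strKey
strName = InputBox("Username")
Set dictGroups = GetSecurityGroups("dc01.domain.com", "DOMAIN", strName, InputBox("Password"))
For Each strKey In dictGroups.Keys
    WScript.Echo strKey & vbTab & dictGroups.Item(strKey)
Next
```

Binding each group DN with OpenDSObject rather than parsing the CN out of the DN costs one extra bind per group but avoids mis-parsing names containing escaped commas, and it is what makes the groupType check possible. The returned sAMAccountName values can be used directly as keys into a drive dictionary like the one in the script above.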