Re: EnumLocalGroup - fails when "NT AUTORITY/SYSTEM" is member of group
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 22 Jul 2008 14:15:16 -0500
"Mack" <mbarss@xxxxxxx> wrote in message
news:d218b4d9-3605-4a3c-9ad6-f51b6bf3ae44@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello Group,
I am using a modified version of Richard Mueller's script to enumerate
members of the local group.
What I am finding is that the script fails when it hits a server that
has "NT AUTHORITY/SYSTEM" indicated in the local Administrators
group.
Is there any way to have the script ignore the entry and go
on to the next entry in the local administrator group?
The script fails in the EnumDomainGroup routine for
objTrans.Set ADS_NAME_TYPE_NT4, strNTName
' NameTranslate already setup. Check if objDomainGroup
' bound with WinNT.
If (blnNT = True) Then
    ' Convert NetBIOS name of group to Distinguished Name.
    strNTName = strNetBIOSDomain & "\" & objDomainGroup.Name
    objTrans.Set ADS_NAME_TYPE_NT4, strNTName
    strGroupDN = objTrans.Get(ADS_NAME_TYPE_1779)
Else
    ' objDomainGroup bound with LDAP. Retrieve Distinguished Name.
    strGroupDN = objDomainGroup.distinguishedName
End If
Any help is greatly appreciated as I am not skilled with vbs
scripting.
Malcolm
.. snip.
The problem is that these objects, well known security principals, do not
have NT (or NetBIOS) names (of form ADS_NAME_TYPE_NT4). This includes Self,
Everyone, Service, System, Local Service, etc. They are in the AD container
"cn=WellKnown Security Principals,cn=Configuration,dc=MyDomain,dc=com". What
confuses me is that Sub EnumDomainGroup should only be called if the member
of the local group is a group, and "NT Authority\System" is not a group. I'm
going to have to experiment with this.
For now, one solution would be to search for the string "NT AUTHORITY" and exit
the sub. Another solution is to trap the error. For example:
On Error Resume Next
objTrans.Set ADS_NAME_TYPE_NT4, strNTName
If (Err.Number <> 0) Then
On Error GoTo 0
Exit Sub
End If
On Error GoTo 0
This assumes there is no need to bind to the object (hence exit the sub)
since there cannot be members.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
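
The two workarounds from the reply above (match the "NT AUTHORITY" string, or trap the NameTranslate error) combined into one helper, as an added example that is not part of the original post or of the EnumLocalGroup script. IsNtAuthorityName and TryGetDN are hypothetical names, the member names in the demo loop are constructed, and the loop reports a skipped principal instead of dropping it so that an audit of the local Administrators group still lists it.

```vbscript
Option Explicit

Const ADS_NAME_TYPE_1779 = 1
Const ADS_NAME_TYPE_NT4 = 3

' True when the name is in the NT AUTHORITY namespace.
' Accepts either "\" or "/" as the separator and ignores case.
Function IsNtAuthorityName(ByVal strName)
    Dim strNorm
    strNorm = UCase(Replace(Trim(strName), "/", "\"))
    ' "NT AUTHORITY\" is 13 characters long.
    IsNtAuthorityName = (Left(strNorm, 13) = "NT AUTHORITY\")
End Function

' Hypothetical helper: returns the Distinguished Name for strNTName, or ""
' when the name cannot be translated. objTrans must be a NameTranslate
' object that the caller has already initialized.
Function TryGetDN(ByVal objTrans, ByVal strNTName)
    Dim strDN
    TryGetDN = ""
    ' Workaround 1: skip names in the NT AUTHORITY namespace up front.
    If IsNtAuthorityName(strNTName) Then Exit Function
    ' Workaround 2: trap the error for any other name that has no NT4 form.
    On Error Resume Next
    objTrans.Set ADS_NAME_TYPE_NT4, strNTName
    If (Err.Number = 0) Then strDN = objTrans.Get(ADS_NAME_TYPE_1779)
    If (Err.Number = 0) Then TryGetDN = strDN
    Err.Clear
    On Error GoTo 0
End Function

' Constructed sample member names. Only the name filter runs here,
' so the demo needs no domain; run it with cscript.
Dim arrNames, strName
arrNames = Array("NT AUTHORITY/SYSTEM", "NT AUTHORITY\INTERACTIVE", _
    "MYDOMAIN\Domain Admins")
For Each strName In arrNames
    If IsNtAuthorityName(strName) Then
        WScript.Echo strName & " -> well-known principal, listed but not expanded"
    Else
        WScript.Echo strName & " -> translate with TryGetDN"
    End If
Next
```

A caller in the position of EnumDomainGroup would treat an empty string from TryGetDN as "nothing to bind to" and move on to the next member.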