VBScript - AD - Groups Contents Under Construction ◄.Contents.► Add 1000 Sample Users to a Security Group Add a User to Two Security Groups Add New Members to a Security Group Assign a Group Manager Change the Scope of a Security Group Create a Universal Distribution Group Create a Universal Security Group Create a Domain Local Distribution Group Create a Domain Local Security Group Create a Global Distribution Group Create a Global Security Group Delete a Group from Active Directory List the Active Directory Groups a User Belongs To List All the Members of a Group List the Attributes of the Group Class List the General Properties of a Group List Group Memberships for All the Users in an OU List Group Object Information List the Managed By Information for a Group List Other Groups a Group Belongs To List the Owner of a Group List the Primary Group for a User Account List the Security Descriptor for a Group List the System Access Control List for a Group Modify Group Attributes Modify Group Type Move a Group Within a Domain Remove All Group Memberships for a User Account Remove All the Members of a Group Remove the Manager of a Group Remove a User from a Group Replace Group Membership with All-New Members Δ Add 1000 Sample Users to a Security Group   'Demonstration script that creates a security group named Group1, and adds one thousand users ) '(UserNo1 through UserNo10000) to that group. This script is not intended for use in a production 'environment. Const ADS_PROPERTY_APPEND = 3 Set objRootDSE = GetObject("LDAP://rootDSE") Set objContainer = GetObject("LDAP://cn=Users," & _ objRootDSE.Get("defaultNamingContext")) Set objGroup = objContainer.Create("Group", "cn=Group1") objGroup.Put "sAMAccountName","Group1" objGroup.SetInfo For i = 1 To 1000 strDN = ",cn=Users," & objRootDSE.defaultNamingContext objGroup.PutEx ADS_PROPERTY_APPEND, "member", _ Array("cn=UserNo" & i & strDN) objGroup.SetInfo Next WScript.Echo "Group1 created and 1000 Users added to the group." Δ     Δ Add a User to Two Security Groups 'Adds a user (MyerKen) to two different Active Directory security groups: Atl-Users and NA-Employees. Const ADS_PROPERTY_APPEND = 3 Set objGroup = GetObject _ ("LDAP://cn=Atl-Users,cn=Users,dc=NA,dc=fabrikam,dc=com") objGroup.PutEx ADS_PROPERTY_APPEND, _ "member", Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") objGroup.SetInfo Set objGroup = GetObject _ ("LDAP://cn=NA-Employees,cn=Users,dc=NA,dc=fabrikam,dc=com") objGroup.PutEx ADS_PROPERTY_APPEND, _ "member", Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") objGroup.SetInfo Δ     Δ Add New Members to a Security Group 'Adds two groups (Executives and Scientists) and one user account (MyerKen) to the Sea-Users group in 'Active Directory. Const ADS_PROPERTY_APPEND = 3 Set objGroup = GetObject _ ("LDAP://cn=Sea-Users,cn=Users,dc=NA,dc=fabrikam,dc=com") objGroup.PutEx ADS_PROPERTY_APPEND, "member", _ Array("cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com", _ "cn=Executives,ou=Management,dc=NA,dc=fabrikam,dc=com", _ "cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") objGroup.SetInfo Δ     Δ Assign a Group Manager   'Adds a user (MyerKen) to two different Active Directory security groups: Atl-Users and NA-Employees. Const ADS_PROPERTY_APPEND = 3 Set objGroup = GetObject _ ("LDAP://cn=Atl-Users,cn=Users,dc=NA,dc=fabrikam,dc=com") objGroup.PutEx ADS_PROPERTY_APPEND, _ "member", Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") objGroup.SetInfo Set objGroup = GetObject _ ("LDAP://cn=NA-Employees,cn=Users,dc=NA,dc=fabrikam,dc=com") objGroup.PutEx ADS_PROPERTY_APPEND, _ "member", Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") objGroup.SetInfo Δ     Δ Change the Scope of a Security Group 'Changes a global distribution group named Scientists to a universal security group. Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2 Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4 Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8 Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000 Set objGroup = GetObject _ ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") objGroup.Put "groupType", _ ADS_GROUP_TYPE_GLOBAL_GROUP + ADS_GROUP_TYPE_SECURITY_ENABLED objGroup.SetInfo Δ     Δ Create a Universal Distribution Group 'Creates a universal Active Directory distribution group named Customers. Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8 Set objOU = GetObject("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com") Set objGroup = objOU.Create("Group", "cn=Customers") objGroup.Put "sAMAccountName", "customers" objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP objGroup.SetInfo Δ     Δ Create a Universal Security Group 'Creates a universal Active Directory security group named All-Employees. Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8 Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000 Set objOU = GetObject("LDAP://cn=Users,dc=NA,dc=fabrikam,dc=com") Set objGroup = objOU.Create("Group", "cn=All-Employees") objGroup.Put "sAMAccountName", "AllEmployees" objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP Or _ ADS_GROUP_TYPE_SECURITY_ENABLED objGroup.SetInfo Δ     Δ Create a Domain Local Distribution Group 'Creates a domain local Active Directory distribution group named Vendors. Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4 Set objOU = GetObject("LDAP://ou=HR,dc=NA,dc=fabrikam,dc=com") Set objGroup = objOU.Create("Group", "cn=Vendors") objGroup.Put "sAMAccountName", "vendors" objGroup.Put "groupType", ADS_GROUP_TYPE_LOCAL_GROUP objGroup.SetInfo Δ     Δ Create a Domain Local Security Group 'Creates a domain local Active Directory security group named DB-Servers. Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4 Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000 Set objOU = GetObject("LDAP://cn=Computers,dc=NA,dc=fabrikam,dc=com") Set objGroup = objOU.Create("Group", "cn=DB-Servers") objGroup.Put "sAMAccountName", "DBServers" objGroup.Put "groupType", ADS_GROUP_TYPE_LOCAL_GROUP Or _ ADS_GROUP_TYPE_SECURITY_ENABLED objGroup.SetInfo Δ     Δ Create a Global Distribution Group 'Creates a global Active Directory distribution group named Scientists. Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2 Set objOU = GetObject("LDAP://ou=R&D,dc=NA,dc=fabrikam,dc=com") Set objGroup = objOU.Create("Group", "cn=Scientists") objGroup.Put "sAMAccountName", "scientists" objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP objGroup.SetInfo Δ     Δ Create a Global Security Group 'Creates a global Active Directory security group named HR-Employees. Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2 Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000 Set objOU = GetObject("LDAP://ou=HR,dc=NA,dc=fabrikam,dc=com") Set objGroup = objOU.Create("Group", "cn=HR-Employees") objGroup.Put "sAMAccountName", "HRStaff" objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP Or _ ADS_GROUP_TYPE_SECURITY_ENABLED objGroup.SetInfo Δ     Δ Delete a Group from Active Directory 'Deletes a group named atl-users from the HR organizational unit in the domain fabrikam.com. Set objOU = GetObject("LDAP://ou=hr,dc=fabrikam,dc=com") objOU.Delete "group", "cn=atl-users" Δ     Δ List the Active Directory Groups a User Belongs To 'Returns a list of all the Active Directory security groups (including the primary group) that include the 'MyerKen user account as a member. On Error Resume Next Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D Set objUser = GetObject _ ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") intPrimaryGroupID = objUser.Get("primaryGroupID") arrMemberOf = objUser.GetEx("memberOf") If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then WScript.Echo "The memberOf attribute is not set." Else WScript.Echo "Member of: " For Each Group in arrMemberOf WScript.Echo Group Next End If Set objConnection = CreateObject("ADODB.Connection") objConnection.Open "Provider=ADsDSOObject;" Set objCommand = CreateObject("ADODB.Command") objCommand.ActiveConnection = objConnection objCommand.CommandText = _ ";(objectCategory=Group);" & _ "distinguishedName,primaryGroupToken;subtree" Set objRecordSet = objCommand.Execute Do Until objRecordset.EOF If objRecordset.Fields("primaryGroupToken") = intPrimaryGroupID Then WScript.Echo "Primary group:" WScript.Echo objRecordset.Fields("distinguishedName") & _ " (primaryGroupID: " & intPrimaryGroupID & ")" End If objRecordset.MoveNext Loop objConnection.Close Δ     Δ List All the Members of a Group 'Returns the members of an Active Directory group named Scientists. On Error Resume Next Set objGroup = GetObject _ ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") objGroup.GetInfo arrMemberOf = objGroup.GetEx("member") WScript.Echo "Members:" For Each strMember in arrMemberOf WScript.echo strMember Next Δ     Δ List the Attributes of the Group Class 'Returns a list of mandatory and optional attributes of the group class (as stored in the Active Directory 'schema). Set objGroupClass = GetObject("LDAP://schema/group") Set objSchemaClass = GetObject(objGroupClass.Parent) i = 0 WScript.Echo "Mandatory attributes:" For Each strAttribute in objGroupClass.MandatoryProperties i= i + 1 WScript.Echo i & vbTab & strAttribute Set objAttribute = objSchemaClass.GetObject("Property", strAttribute) WScript.Echo " (Syntax: " & objAttribute.Syntax & ")" If objAttribute.MultiValued Then WScript.Echo " Multivalued" Else WScript.Echo " Single-valued" End If Next WScript.Echo VbCrLf & "Optional attributes:" For Each strAttribute in objGroupClass.OptionalProperties i= i + 1 Wscript.Echo i & vbTab & strAttribute Set objAttribute = objSchemaClass.GetObject("Property", strAttribute) Wscript.Echo " [Syntax: " & objAttribute.Syntax & "]" If objAttribute.MultiValued Then WScript.Echo " Multivalued" Else WScript.Echo " Single-valued" End If Next Δ     Δ List the General Properties of a Group 'Reads the values found on the General Properties page in Active Directory Users and Computers for a 'group named Scientists. On Error Resume Next Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2 Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4 Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8 Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000 Set objGroup = GetObject _ ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") WScript.Echo "Name: " & objGroup.Name WScript.Echo "SAM Account Name: " & objGroup.SAMAccountName WScript.Echo "Mail: " & objGroup.Mail WScript.Echo "Info: " & objGroup.Info If intGroupType AND ADS_GROUP_TYPE_LOCAL_GROUP Then WScript.Echo "Group scope: Domain local" ElseIf intGroupType AND ADS_GROUP_TYPE_GLOBAL_GROUP Then WScript.Echo "Group scope: Global" ElseIf intGroupType AND ADS_GROUP_TYPE_UNIVERSAL_GROUP Then WScript.Echo "Group scope: Universal" Else WScript.Echo "Group scope: Unknown" End If If intGroupType AND ADS_GROUP_TYPE_SECURITY_ENABLED Then WScript.Echo "Group type: Security group" Else WScript.Echo "Group type: Distribution group" End If For Each strValue in objGroup.Description WScript.Echo "Description: " & strValue Next Δ     Δ List Group Memberships for All the Users in an OU   'Retrieves the memberOf and primaryGroupID attributes of a user account to display group membership. 'Note that the primaryGroupID attribute contains an integer that maps to the name of the primary group. 'The memberOf attribute does not contain the name of the primary group of which the user is a member. On Error Resume Next Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D Set objOU = GetObject _ ("LDAP://cn=Users,dc=NA,dc=fabrikam,dc=com") ObjOU.Filter= Array("user") For Each objUser in objOU WScript.Echo objUser.cn & " is a member of: " WScript.Echo vbTab & "Primary Group ID: " & _ objUser.Get("primaryGroupID") arrMemberOf = objUser.GetEx("memberOf") If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then For Each Group in arrMemberOf WScript.Echo vbTab & Group Next Else WScript.Echo vbTab & "memberOf attribute is not set" Err.Clear End If Wscript.Echo Next Δ     Δ List Group Object Information 'Retrieves the information found on the Object page in Active Directory Users and Computers for a 'security group named Scientists. Set objGroup = GetObject _ ("GC://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") strWhenCreated = objGroup.Get("whenCreated") strWhenChanged = objGroup.Get("whenChanged") Set objUSNChanged = objGroup.Get("uSNChanged") dblUSNChanged = _ Abs(objUSNChanged.HighPart * 2^32 + objUSNChanged.LowPart) Set objUSNCreated = objGroup.Get("uSNCreated") dblUSNCreated = _ Abs(objUSNCreated.HighPart * 2^32 + objUSNCreated.LowPart) objGroup.GetInfoEx Array("canonicalName"), 0 arrCanonicalName = objGroup.GetEx("canonicalName") WScript.echo "CanonicalName of object:" For Each strValue in arrCanonicalName WScript.Echo vbTab & strValue Next WScript.Echo WScript.Echo "Object class: " & objGroup.Class WScript.Echo "When Created: " & strWhenCreated & " (Created - GMT)" WScript.Echo "When Changed: " & strWhenChanged & " (Modified - GMT)" WScript.Echo WScript.Echo "USN Changed: " & dblUSNChanged & " (USN Current)" WScript.Echo "USN Created: " & dblUSNCreated & " (USN Original)" Δ     Δ List the Managed By Information for a Group 'Returns information about the manager assigned to an Active Directory security group named Scientists. On Error Resume Next Set objGroup = GetObject _ ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") strManagedBy = objGroup.Get("managedBy") If IsEmpty(strManagedBy) = TRUE Then WScript.Echo "No user account is assigned to manage " & _ "this group." Else Set objUser = GetObject("LDAP://" & strManagedBy) Call GetUpdateMemberList WScript.Echo "Office: " & _ objUser.physicalDeliveryOfficeName WScript.Echo "Street Address: " & objUser.streetAddress WScript.Echo "Locality: " & objUser.l WScript.Echo "State/Province: " & objUser.st WScript.Echo "Country: " & objUser.c WScript.Echo "Telephone Number: " & objUser.telephoneNumber WScript.Echo "Fax Number: " & _ objUser.facsimileTelephoneNumber End If Sub GetUpdateMemberList Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5 Const Member_SchemaIDGuid = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}" Const ADS_RIGHT_DS_WRITE_PROP = &H20 objUser.GetInfoEx Array("canonicalName"),0 strCanonicalName = objUser.Get("canonicalName") strDomain = Mid(strCanonicalName,1,InStr(1,strCanonicalName,".")-1) strSAMAccountName = objUser.Get("sAMAccountName") Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor") Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl blnMatch = False For Each objAce In objDiscretionaryAcl If LCase(objAce.Trustee) = _ LCase(strDomain & "\" & strSAMAccountName) AND _ objAce.ObjectType = Member_SchemaIDGuid AND _ objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT AND _ objAce.AccessMask And ADS_RIGHT_DS_WRITE_PROP Then blnMatch = True End If Next If blnMatch Then WScript.Echo "Manager can update the member list" Else WScript.Echo "Manager cannot update the member list." End If End Sub Δ     Δ List Other Groups a Group Belongs To 'Returns a list of all the groups that the Active Directory security group Scientists is a member of. On Error Resume Next Set objGroup = GetObject _ ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") objGroup.GetInfo arrMembersOf = objGroup.GetEx("memberOf") WScript.Echo "MembersOf:" For Each strMemberOf in arrMembersOf WScript.Echo strMemberOf Next Δ     Δ List the Owner of a Group 'Returns the owner of an Active Directory security group named Scientists. Set objGroup = GetObject _ ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor") WScript.Echo "Owner Tab" WScript.Echo "Current owner of this item: " & objNtSecurityDescriptor.Owner Δ     Δ List the Primary Group for a User Account 'Reports the primary group for the MyerKen Active Directory user account. On Error Resume Next Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D Set objUser = GetObject _ ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") intPrimaryGroupID = objUser.Get("primaryGroupID") Set objConnection = CreateObject("ADODB.Connection") objConnection.Open "Provider=ADsDSOObject;" Set objCommand = CreateObject("ADODB.Command") objCommand.ActiveConnection = objConnection objCommand.CommandText = _ ";(objectCategory=Group);" & _ "distinguishedName,primaryGroupToken;subtree" Set objRecordSet = objCommand.Execute Do Until objRecordset.EOF If objRecordset.Fields("primaryGroupToken") = intPrimaryGroupID Then WScript.Echo "Primary group:" WScript.Echo objRecordset.Fields("distinguishedName") & _ " (primaryGroupID: " & intPrimaryGroupID & ")" End If objRecordset.MoveNext Loop objConnection.Close Δ     Δ List the Security Descriptor for a Group   'Returns information found on the security descriptor for the Active Directory group named Scientists. Const SE_DACL_PROTECTED = &H1000 Set objGroup = GetObject _ ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor") intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control WScript.Echo "Permissions Tab" strMessage = "Allow inheritable permissions from the parent to " & _ "propogate to this object and all child objects " If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then Wscript.Echo strMessage & "is disabled." Else WScript.Echo strMessage & "is enabled." End If WScript.Echo Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl DisplayAceInformation objDiscretionaryAcl, "DACL" Sub DisplayAceInformation(SecurityStructure, strType) Const ADS_ACETYPE_ACCESS_ALLOWED = &H0 Const ADS_ACETYPE_ACCESS_DENIED = &H1 Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5 Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6 intAceCount = 0 For Each objAce In SecurityStructure strTrustee = Mid(objAce.Trustee,1,12) If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then intAceCount = intAceCount + 1 WScript.Echo strType & " permission entry: " & intAceCount WScript.Echo "Name: " & objAce.Trustee intAceType = objAce.AceType If (intAceType = ADS_ACETYPE_ACCESS_ALLOWED Or _ intAceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then WScript.Echo "Type: Allow Access" ElseIf (intAceType = ADS_ACETYPE_ACCESS_DENIED Or _ intAceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then WScript.Echo "Type: Deny Acess" Else WScript.Echo "Acess Type Unknown." End If ReadBitsInAccessMask(objAce.AccessMask) WScript.Echo VbCr End If Next End Sub Sub ReadBitsInAccessMask(AccessMask) Const ADS_RIGHT_DELETE = &H10000 Const ADS_RIGHT_READ_CONTROL = &H20000 Const ADS_RIGHT_WRITE_DAC = &H40000 Const ADS_RIGHT_WRITE_OWNER = &H80000 Const ADS_RIGHT_DS_CREATE_CHILD = &H1 Const ADS_RIGHT_DS_DELETE_CHILD = &H2 Const ADS_RIGHT_ACTRL_DS_LIST = &H4 Const ADS_RIGHT_DS_SELF = &H8 Const ADS_RIGHT_DS_READ_PROP = &H10 Const ADS_RIGHT_DS_WRITE_PROP = &H20 Const ADS_RIGHT_DS_DELETE_TREE = &H40 Const ADS_RIGHT_DS_LIST_OBJECT = &H80 Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100 WScript.Echo VbCrLf & "Standard Access Rights" If (AccessMask And ADS_RIGHT_DELETE) Then _ WScript.Echo vbTab & "-Delete an object." If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _ WScript.Echo vbTab & "-Read permissions." If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _ WScript.Echo vbTab & "-Write permissions." If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _ WScript.Echo vbTab & "-Modify owner." WScript.Echo VbCrLf & "Directory Service Specific Access Rights" If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _ WScript.Echo vbTab & "-Create child objects." If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _ WScript.Echo vbTab & "-Delete child objects." If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _ WScript.Echo vbTab & "-Enumerate an object." If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _ WScript.Echo vbTab & "-Read the properties of an object." If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _ WScript.Echo vbTab & "-Write the properties of an object." If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _ WScript.Echo vbTab & "-Delete a tree of objects" If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _ WScript.Echo vbTab & "-List a tree of objects." WScript.Echo VbCrLf & "Control Access Rights" If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _ (AccessMask And ADS_RIGHT_DS_SELF) = 0 Then WScript.Echo "-None" Else If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _ WScript.Echo vbTab & "-Extended access rights." If (AccessMask And ADS_RIGHT_DS_SELF) Then WScript.Echo vbTab & "-Active Directory must validate a property " WScript.Echo vbTab & " write operation beyond the schema " & _ "definition " WScript.Echo vbTab & " for the attribute." End If End If End Sub Δ     Δ List the System Access Control List for a Group 'Returns information found on the System Access Control List (SACL) for an Active Directory security 'group named Scientists. Const SE_SACL_PROTECTED = &H2000 Const ADS_SECURITY_INFO_OWNER = &H1 Const ADS_SECURITY_INFO_GROUP = &H2 Const ADS_OPTION_SECURITY_MASK =&H3 Const ADS_SECURITY_INFO_DACL = &H4 Const ADS_SECURITY_INFO_SACL = &H8 Set objGroup = GetObject _ ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") objGroup.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER _ Or ADS_SECURITY_INFO_GROUP Or ADS_SECURITY_INFO_DACL _ Or ADS_SECURITY_INFO_SACL Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor") intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control WScript.Echo "Auditing Tab" strMessage = "Allow inheritable auditing entries from" & _ "the parent to " strMessage = strMessage & "propogate to this object and all child objects " If (intNtSecurityDescriptorControl And SE_SACL_PROTECTED) Then Wscript.Echo strMessage & "is disabled." Else WScript.Echo strMessage & "is enabled." End If WScript.Echo Set objSacl = objNtSecurityDescriptor.SystemAcl DisplayAceInformation objSacl, "SACL" Sub DisplayAceInformation(SecurityStructure, strType) Const ADS_ACETYPE_SYSTEM_AUDIT = &H2 Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7 intAceCount = 0 For Each objAce In SecurityStructure strTrustee = Mid(objAce.Trustee,1,12) If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then intAceCount = intAceCount + 1 WScript.Echo strType & " permission entry: " & intAceCount WScript.Echo "Name: " & objAce.Trustee intAceType = objAce.AceType WScript.Echo "ACETYPE IS: " & intAceType If (intAceType = ADS_ACETYPE_SYSTEM_AUDIT or _ intAceType = ADS_ACETYPE_SYSTEM_AUDIT_OBJECT) Then WScript.Echo "Type: Success or Failure Audit" Else WScript.Echo "Audit Type Unknown." End If ReadBitsInAccessMask(objAce.AccessMask) WScript.Echo End If Next End Sub Sub ReadBitsInAccessMask(AccessMask) Const ADS_RIGHT_DELETE = &H10000 Const ADS_RIGHT_READ_CONTROL = &H20000 Const ADS_RIGHT_WRITE_DAC = &H40000 Const ADS_RIGHT_WRITE_OWNER = &H80000 Const ADS_RIGHT_DS_CREATE_CHILD = &H1 Const ADS_RIGHT_DS_DELETE_CHILD = &H2 Const ADS_RIGHT_ACTRL_DS_LIST = &H4 Const ADS_RIGHT_DS_SELF = &H8 Const ADS_RIGHT_DS_READ_PROP = &H10 Const ADS_RIGHT_DS_WRITE_PROP = &H20 Const ADS_RIGHT_DS_DELETE_TREE = &H40 Const ADS_RIGHT_DS_LIST_OBJECT = &H80 Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100 WScript.Echo VbCrLf & "Standard Access Rights" If (AccessMask And ADS_RIGHT_DELETE) Then _ WScript.Echo vbTab & "-Delete an object." If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _ WScript.Echo vbTab & "-Read permissions." If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _ WScript.Echo vbTab & "-Write permissions." If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _ WScript.Echo vbTab & "-Modify owner." WScript.Echo VbCrLf & "Directory Service Specific Access Rights" If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _ WScript.Echo vbTab & "-Create child objects." If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _ WScript.Echo vbTab & "-Delete child objects." If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _ WScript.Echo vbTab & "-Enumerate an object." If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _ WScript.Echo vbTab & "-Read the properties of an object." If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _ WScript.Echo vbTab & "-Write the properties of an object." If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _ WScript.Echo vbTab & "-Delete a tree of objects" If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _ WScript.Echo vbTab & "-List a tree of objects." WScript.Echo VbCrLf & "Control Access Rights" If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _ (AccessMask And ADS_RIGHT_DS_SELF) = 0 Then WScript.Echo "-None" Else If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _ WScript.Echo vbTab & "-Extended access rights." If (AccessMask And ADS_RIGHT_DS_SELF) Then WScript.Echo vbTab & "-Active Directory must validate a property " WScript.Echo vbTab & " write operation beyond the schema " & _ "definition " WScript.Echo vbTab & " for the attribute." End If End If End Sub Δ     Δ Modify Group Attributes 'Modifies both single-value (samAccountName, mail, info) and multi-value (description) attributes for a 'group named Scientists. Const ADS_PROPERTY_UPDATE = 2 Set objGroup = GetObject _ ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") objGroup.Put "sAMAccountName", "Scientist01" objGroup.Put "mail", "YoungRob@fabrikam.com" objGroup.Put "info", "Use this group for official communications " & _ "with scientists who are contracted to work with Contoso.com." objGroup.PutEx ADS_PROPERTY_UPDATE, _ "description", Array("Scientist Mailing List") objGroup.SetInfo Δ     Δ Modify Group Type   'Changes a local group named Scientists to a global security group Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2 Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4 Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8 Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000 Set objGroup = GetObject _ ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") objGroup.Put "groupType", _ ADS_GROUP_TYPE_UNIVERSAL_GROUP + ADS_GROUP_TYPE_SECURITY_ENABLED objGroup.SetInfo Δ     Δ Move a Group Within a Domain 'Moves a group account from the HR OU to the Users container. Set objOU = GetObject("LDAP://cn=Users,dc=NA,dc=fabrikam,dc=com") objOU.MoveHere "LDAP://cn=atl-users,ou=HR,dc=NA,dc=fabrikam,dc=com", _ vbNullString Δ     Δ Remove All Group Memberships for a User Account 'Removes the MyerKen user account from all Active Directory security groups. On Error Resume Next Const ADS_PROPERTY_DELETE = 4 Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D Set objUser = GetObject _ ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") arrMemberOf = objUser.GetEx("memberOf") If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then WScript.Echo "This account is not a member of any security groups." WScript.Quit End If For Each Group in arrMemberOf Set objGroup = GetObject("LDAP://" & Group) objGroup.PutEx ADS_PROPERTY_DELETE, _ "member", Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") objGroup.SetInfo Next Δ     Δ Remove All the Members of a Group 'Removes all the members of an Active Directory group named Sea-Users. Const ADS_PROPERTY_CLEAR = 1 Set objGroup = GetObject _ ("LDAP://cn=Sea-Users,cn=Users,dc=NA,dc=fabrikam,dc=com") objGroup.PutEx ADS_PROPERTY_CLEAR, "member", 0 objGroup.SetInfo Δ     Δ Remove the Manager of a Group 'Removes the manager entry for the Active Directory security group named Scientists. When this script is 'run, the group will no longer have an assigned manager. Const ADS_PROPERTY_CLEAR = 1 Set objGroup = GetObject _ ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") objGroup.PutEx ADS_PROPERTY_CLEAR, "managedBy", 0 objGroup.SetInfo Δ     Δ Remove a User from a Group 'Removes user MyerKen from the group Sea-Users. Const ADS_PROPERTY_DELETE = 4 Set objGroup = GetObject _ ("LDAP://cn=Sea-Users,cn=Users,dc=NA,dc=fabrikam,dc=com") objGroup.PutEx ADS_PROPERTY_DELETE, _ "member",Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") objGroup.SetInfo Δ     Δ Replace Group Membership with All-New Members 'Replaces the existing membership of a group named Scientists with two new group members: YoungRob 'and ShenAlan. Const ADS_PROPERTY_UPDATE = 2 Set objGroup = GetObject _ ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") objGroup.PutEx ADS_PROPERTY_UPDATE, "member", _ Array("cn=YoungRob,ou=R&D,dc=NA,dc=fabrikam,dc=com", _ "cn=ShenAlan,ou=R&D,dc=NA,dc=fabrikam,dc=com") objGroup.SetInfo Δ

..About ..I'm a Computer   ..Systems Engineer ..Living and loving life ........................................ ..Author ....