Solved

Windows 2003 LDAP read permissions

Posted on 2004-09-21
Last Modified: 2011-09-20
This question must have been asked before, but I could not find it.

My login script does a lookup to find out what groups you belong to in order to map the correct drive letters.  It works fine as long as you are a member of the Domain Admin group or a member of a group that has modify computer accounts permissions for RIS imaging.  

Here is the script and it fails at the line "For Each strGroup in objUser.memberOf"

'***************************************
'Declare group variables and set them to 0
'This will determine what groups the user belongs to

dim strUser, objUser, strGroup, objGroup, objADSysInfo
Set objADSysInfo = CreateObject("ADSystemInfo")

dim Group1
Group1=0

dim Group2
Group2=0

strUser = objADSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUser)
For Each strGroup in objUser.memberOf
    Set objGroup = GetObject("LDAP://" & strGroup)

    if InStr(strGroup, "Group1") then
        Group1=1
    end if

    if InStr(strGroup, "Group2") then
        Group2=1
    end if
    'un-Rem the line below to view what group memberships the script found
    Wscript.Echo objGroup.CN
next
'***************************************

I get an "Object is not a collection" error and I have determined that it is unable to poll the LDAP to find out what groups you belong to.  From another article I read (on a different forum) it looks like it works fine in Windows 2000.  Windows 2003 added a security feature.  I have tried to add Domain Users Read permissions to the User Container in AD, but that did not work.

What read permissions do I need to add to fix this?  I'm sure the answer is right in front of me, but I can't see it.

Thanks
Question by:crazycanuck42
Accepted Solution

by: jhautani (earned 200 total points)
ID: 12120996
Your script works unmodified as a user if the user belongs to more than two groups, not including 'Domain Users'.

Replace the
  For Each strGroup in objUser.memberOf
with
  For Each strGroup in objUser.GetEx("memberOf")

Then a collection is always returned and the line works, no matter how many groups the user belongs to.

Reference: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/accessing_attributes_with_adsi.asp

hope this helps
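An added example (not the poster's script and not jhautani's code) of the login script built around GetEx as the accepted answer suggests; it also treats an absent memberOf as an empty list and matches the group CN exactly instead of with InStr. The group names Group1/Group2 and the share paths are assumed placeholders.

```vbscript
' Added example, not the original poster's script: the same group lookup
' rewritten around GetEx, with exact group-name matching.
Option Explicit

Dim objADSysInfo, objUser, objGroup, objNet
Dim arrGroups, strGroupDN, strCN
Dim inGroup1, inGroup2
inGroup1 = False
inGroup2 = False

Set objADSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objADSysInfo.UserName)

' GetEx returns an array for a multi-valued attribute even when it holds a
' single value. Reading objUser.memberOf directly returns a bare string in
' that case, which is what makes "For Each" fail with
' "Object is not a collection" for users in exactly one group.
' GetEx raises an error when the attribute is absent (user is only in the
' primary group), so treat that as an empty list rather than a failure.
On Error Resume Next
arrGroups = objUser.GetEx("memberOf")
If Err.Number <> 0 Then
    Err.Clear
    arrGroups = Array()
End If
On Error GoTo 0

For Each strGroupDN In arrGroups
    Set objGroup = GetObject("LDAP://" & strGroupDN)
    strCN = objGroup.Get("cn")
    ' Compare the whole CN, case-insensitively. InStr(strGroupDN, "Group1")
    ' would also match "Group10" or any OU containing that text and map the
    ' wrong drive.
    If StrComp(strCN, "Group1", vbTextCompare) = 0 Then inGroup1 = True
    If StrComp(strCN, "Group2", vbTextCompare) = 0 Then inGroup2 = True
Next

' Share paths below are assumed placeholders for the example.
Set objNet = CreateObject("WScript.Network")
If inGroup1 Then objNet.MapNetworkDrive "G:", "\\fileserver\group1"
If inGroup2 Then objNet.MapNetworkDrive "H:", "\\fileserver\group2"
```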

Author Comment

by: crazycanuck42
ID: 12122306
Works like a charm.  Although I do not understand how, since some other people are members of multiple groups and do not have a problem; they are just members of a group that has admin-like permissions to the machine accounts for RIS imaging.

Thank you very much, I would not have figured this one out on my own.

I have awarded points.