Solved

Windows 2003 LDAP read permissions

Posted on 2004-09-21
Last Modified: 2011-09-20
This question must have been asked before, but I could not find it.

My login script does a lookup to find out what groups you belong to in order to map the correct drive letters.  It works fine as long as you are a member of the Domain Admin group or a member of a group that has modify computer accounts permissions for RIS imaging.  

Here is the script and it fails at the line "For Each strGroup in objUser.memberOf"

'***************************************
'Declare group variables and set them to 0
'This will determine what groups the user belongs to

Dim strUser, objUser, strGroup, objGroup
Set objADSysInfo = CreateObject("ADSystemInfo")

Dim Group1
Group1 = 0

Dim Group2
Group2 = 0

strUser = objADSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUser)
For Each strGroup In objUser.memberOf
    Set objGroup = GetObject("LDAP://" & strGroup)

    If InStr(strGroup, "Group1") Then
        Group1 = 1
    End If

    If InStr(strGroup, "Group2") Then
        Group2 = 1
    End If
    'un-Rem the line below to view what group memberships the script found
    WScript.Echo objGroup.CN
Next
'***************************************

I get an "Object is not a collection error" and I have determined that it is unable to poll the LDAP to find out what groups you belong to.  From another article I read (on a different forum) it looks like it works fine in Windows 2000.  Windows 2003 added a security feature.  I have tried to add Domain Users Read permissions to the User Container in AD, but that did not work.  

What read permissions do I need to add to fix this?  I'm sure the answer is right in front of me, but I can't see it.

Thanks
Question by:crazycanuck42
2 Comments
 
Accepted Solution

by:
jhautani earned 200 total points
ID: 12120996
Your script works unmodified as a user if the user belongs to more than two groups, not including 'Domain Users'.

Replace the
  For Each strGroup in objUser.memberOf
with
  For Each strGroup in objUser.GetEx("memberOf")

Then a collection is always returned and the line works, no matter how many groups the user belongs to.

Reference: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/accessing_attributes_with_adsi.asp

hope this helps
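
A more defensive form of the lookup, added here as an example and not part of the original thread: it reads memberOf with GetEx as the accepted answer suggests, treats an unset attribute (a user who is only in the primary group, which memberOf never lists) as no memberships, and compares each group's CN exactly instead of searching the DN with InStr. The names blnGroup1, blnGroup2 and arrGroups are assumptions; Group1 and Group2 are the placeholder group names from the question.

```vbscript
Option Explicit

' ADSI error raised when the attribute has no value in the property cache.
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

Dim objADSysInfo, objUser, arrGroups, strGroupDN, objGroup
Dim blnGroup1, blnGroup2   ' hypothetical names for this example
blnGroup1 = False
blnGroup2 = False

Set objADSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objADSysInfo.UserName)

' GetEx always returns an array, even for a single value, but raises
' an error when memberOf is not set (user is only in the primary group).
On Error Resume Next
arrGroups = objUser.GetEx("memberOf")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    arrGroups = Array()          ' no memberships: map nothing
    Err.Clear
ElseIf Err.Number <> 0 Then
    WScript.Echo "memberOf lookup failed: 0x" & Hex(Err.Number)
    WScript.Quit 1               ' fail closed rather than guess
End If
On Error GoTo 0

For Each strGroupDN In arrGroups
    Set objGroup = GetObject("LDAP://" & strGroupDN)
    ' Compare the group's CN exactly (case-insensitive) rather than
    ' searching the DN, so "Group10" or an OU named "Group1" cannot match.
    Select Case LCase(objGroup.CN)
        Case "group1" : blnGroup1 = True
        Case "group2" : blnGroup2 = True
    End Select
Next

WScript.Echo "Group1: " & blnGroup1 & ", Group2: " & blnGroup2
```

The exact CN comparison matters when drive mappings follow from the result, because a substring match on the distinguished name also fires for any group or container whose name merely contains the text.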

Author Comment

by:crazycanuck42
ID: 12122306
Works like a charm.  Although I do not understand how, since some other people are members of multiple groups and do not have a problem; they are just members of a group that has admin-like permissions to the machine accounts for RIS imaging.

Thank you very much, I would not have figured this one out on my own.

I have awarded points.