Solved

Windows 2003 LDAP read permissions

Posted on 2004-09-21
2
447 Views
Last Modified: 2011-09-20
This question must have been asked before, but I could not find it.

My login script does a lookup to find out what groups you belong to in order to map the correct drive letters.  It works fine as long as you are a member of the Domain Admin group or a member of a group that has modify computer accounts permissions for RIS imaging.  

Here is the script and it fails at the line "For Each strGroup in objUser.memberOf"

'***************************************
'Declair group variables and set them to 0
'This will determine what groups the user belongs too

dim strUser, objUser, strGroup, objGroup
Set objADSysInfo = CreateObject("ADSystemInfo")

dim Group1
Group1=0

dim Group2
Group2=0

strUser = objADSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUser)
For Each strGroup in objUser.memberOf
    Set objGroup = GetObject("LDAP://" & strGroup)

          if Instr(strGroup, "Group1") then
          Group=1
         end if
   
          if InStr(strGroup, "Group2") then
          Group2=1
          end if
'un-Rem the line below to view what group memberships the script found
Wscript.Echo objGroup.CN    
next
'***************************************

I get an "Object is not a collection error" and I have determined that it is unable to poll the LDAP to find out what groups you belong too.  From another article I read (on a different forum) it looks like it works fine in Windows 2000.  Windows 2003 added a security feature.  I have tried to add Domain Users Read permisions to the User Container in AD, but that did not work.  

What read permissions do I need to add to fix this?  I'm sure the answer is right in front of me, but I can't see it.

Thanks
0
Comment
Question by:crazycanuck42
2 Comments
 
LVL 10

Accepted Solution

by:
jhautani earned 200 total points
ID: 12120996
Your script works unmodified as a user if the user belongs to more than two groups, not including 'Domain Users'.

Replace the
  For Each strGroup in objUser.memberOf
with
  For Each strGroup in objUser.GetEx("memberOf")

Then a collection is always returned and the line works, no matter how many groups the user belongs to.

Reference: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/accessing_attributes_with_adsi.asp

hope this helps
0
 

Author Comment

by:crazycanuck42
ID: 12122306
Works like a charm.  Although I do not understand how since some other people are members of multiple groups and do not have a problem, they are just members of a gorup that has admin like permissions to the Machine accoutns for RIS imaging.

Thank you very much, I would not have figured this one out on my own.

I have awarded points.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

I have never ceased to be amazed how many problems you can encounter on a fresh install of a Windows operating system.  This is certainly case in point& Unable to complete ANY MSI installation.  This means Windows Updates are failing and I can't …
by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now