Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 458
  • Last Modified:

Windows 2003 LDAP read permissions

This question must have been asked before, but I could not find it.

My login script does a lookup to find out what groups you belong to in order to map the correct drive letters.  It works fine as long as you are a member of the Domain Admin group or a member of a group that has modify computer accounts permissions for RIS imaging.  

Here is the script and it fails at the line "For Each strGroup in objUser.memberOf"

'***************************************
'Declair group variables and set them to 0
'This will determine what groups the user belongs too

dim strUser, objUser, strGroup, objGroup
Set objADSysInfo = CreateObject("ADSystemInfo")

dim Group1
Group1=0

dim Group2
Group2=0

strUser = objADSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUser)
For Each strGroup in objUser.memberOf
    Set objGroup = GetObject("LDAP://" & strGroup)

          if Instr(strGroup, "Group1") then
          Group=1
         end if
   
          if InStr(strGroup, "Group2") then
          Group2=1
          end if
'un-Rem the line below to view what group memberships the script found
Wscript.Echo objGroup.CN    
next
'***************************************

I get an "Object is not a collection error" and I have determined that it is unable to poll the LDAP to find out what groups you belong too.  From another article I read (on a different forum) it looks like it works fine in Windows 2000.  Windows 2003 added a security feature.  I have tried to add Domain Users Read permisions to the User Container in AD, but that did not work.  

What read permissions do I need to add to fix this?  I'm sure the answer is right in front of me, but I can't see it.

Thanks
0
crazycanuck42
Asked:
crazycanuck42
1 Solution
 
jhautaniCommented:
Your script works unmodified as a user if the user belongs to more than two groups, not including 'Domain Users'.

Replace the
  For Each strGroup in objUser.memberOf
with
  For Each strGroup in objUser.GetEx("memberOf")

Then a collection is always returned and the line works, no matter how many groups the user belongs to.

Reference: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/accessing_attributes_with_adsi.asp

hope this helps
0
 
crazycanuck42Author Commented:
Works like a charm.  Although I do not understand how since some other people are members of multiple groups and do not have a problem, they are just members of a gorup that has admin like permissions to the Machine accoutns for RIS imaging.

Thank you very much, I would not have figured this one out on my own.

I have awarded points.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now