mjasic
asked on
LDAP with VbScript: Add users to groups (CN)
Hello,
I have to develop Windows script in VbScript that loops through MySql Database(table called Websencelog, this part shouldn't be complicated), finds the value in a field "Websencegrp" and add the user to a specified Websence group in LDAP.
There are some fields in MySql (user's OU, UID) that can be used to specify the user. UID is equal to a samAccountName.
The structure of the LDAP tree is something like this:
imp.corp.mycompany.ca
OU = adtest
CN = Builtin
CN = computers
...
OU = PrintingDiv
OU = Services
OU = WEBSENCE
OU = Head Office
OU = Head Office
CN= 56_WS_Company_Head_Office
OU = Informations Products
OU = Books
CN=15_WS_Management
CN=16_WS_BestBook
...
OU = Marketing
OU = Direct Marketing
CN=41_WS_Intranet Communications
CN=42_WS_Bayweb
...
OU=General Management
CN=57_WS_Marketing Products
...
OU = Retial
CN=20_WS_Management
...
The point is that for each record in a table websencelog, in a websencegrp field I find the name of a Websence group (such as: 56_WS_Company_Head_Office, or 16_WS_BestBook, etc.). By using OU and UID in the record, I have to add the user to a group (like 56_WS_Company_Head_Office) .
Is it possible to do it?
Mike
P.S. I think that I have right to add the extra points. So, If the solution works, I am ready to give a total of 600 or 700 poins.
I have to develop Windows script in VbScript that loops through MySql Database(table called Websencelog, this part shouldn't be complicated), finds the value in a field "Websencegrp" and add the user to a specified Websence group in LDAP.
There are some fields in MySql (user's OU, UID) that can be used to specify the user. UID is equal to a samAccountName.
The structure of the LDAP tree is something like this:
imp.corp.mycompany.ca
OU = adtest
CN = Builtin
CN = computers
...
OU = PrintingDiv
OU = Services
OU = WEBSENCE
OU = Head Office
OU = Head Office
CN= 56_WS_Company_Head_Office
OU = Informations Products
OU = Books
CN=15_WS_Management
CN=16_WS_BestBook
...
OU = Marketing
OU = Direct Marketing
CN=41_WS_Intranet Communications
CN=42_WS_Bayweb
...
OU=General Management
CN=57_WS_Marketing Products
...
OU = Retial
CN=20_WS_Management
...
The point is that for each record in a table websencelog, in a websencegrp field I find the name of a Websence group (such as: 56_WS_Company_Head_Office,
Is it possible to do it?
Mike
P.S. I think that I have right to add the extra points. So, If the solution works, I am ready to give a total of 600 or 700 poins.
Oh, and here's a link to a Microsoft page that covers adding users to groups: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/iadsgroup_add.asp
ASKER
Generaly, I know how to add a user to a group. My problem is that the application (somebody else has developed it and I just add some modules) cannot be modified each time somebody adds a new group.
Suppose a new group has been added:99_WS_MyDummyGrp, inside of MyDummyOU which is inside MyDummyFirstLevelOU and I want to add a user John Doe to this group.
In mySql table Websencelog I have the following fields:
UID: doejoh (and not: John Doe which is CN)
User OU: OU=PrintingDiv, DC=imp, DC=Company, DC=com
Websencegrp: 99_WS_MyDummyOU
I should do something like this:
Set objGroup = GetObject("LDAP://CN=99_WS _MyDummyOU , OU=MyDummyFirstLevelOU, OU=Websence,DC=Company,DC= com")
objGroup.Add ("LDAP://CN=John Doe, OU=Users, OU=PrintingDiv,DC=imp,DC=C ompany,DC= com")
but the application doesn't know where this group is in Websence branch because in a table I have only group name and not the path.
Any idea how to resolve it?
Suppose a new group has been added:99_WS_MyDummyGrp, inside of MyDummyOU which is inside MyDummyFirstLevelOU and I want to add a user John Doe to this group.
In mySql table Websencelog I have the following fields:
UID: doejoh (and not: John Doe which is CN)
User OU: OU=PrintingDiv, DC=imp, DC=Company, DC=com
Websencegrp: 99_WS_MyDummyOU
I should do something like this:
Set objGroup = GetObject("LDAP://CN=99_WS
objGroup.Add ("LDAP://CN=John Doe, OU=Users, OU=PrintingDiv,DC=imp,DC=C
but the application doesn't know where this group is in Websence branch because in a table I have only group name and not the path.
Any idea how to resolve it?
Just to make sure I understand, the question is how to get the full LDAP path to a group when all you know is the group name. Is that correct?
ASKER
Yes, that is correct.
All i know is 99_WS_MyDummyOU
(and I should find: OU=MyDummyFirstLevelOU, OU=Websence,DC=Company,DC= com)
All i know is 99_WS_MyDummyOU
(and I should find: OU=MyDummyFirstLevelOU, OU=Websence,DC=Company,DC=
Well, this may not be the most elegant solution, but it does work. I don't know of a way to get a group object using LDAP without knowing the path to the object up front. So, the solution I came up with is to build two parallel arrays, one holding the names of the groups and the other the ADSPath of the groups. I populate the arrays by starting at the root of the domain and grabbing all of the OUs in that container. I then search each OU found in the root looking for nested OUs. Using this approach I traverse my way though the directory structure. As I pass through each OU I search it for groups. Each group I find gets added to the two arrays. There is an advantage to this approach. With all the groups loaded into the arrays I don't have to keep accessing AD over and over for each record. That should make the code faster than having to access AD each time I need to search for a group.
Ok, now how do we use this? Well, that's simple. You read the group out of the database and then search the first array looking for a match. If you find one, then the corresponding record in the second array will contain the ADSPath to the group. All you have to do is use GetObject with that ADSPath and you'll have the group object you want. To build the arrays you'll need to put the code at the begining of your script. All you need to do is pass it the path to the root of your domain. The For Next loop surrounding the Wscript.Echo is just for testing. I had it in there while I tested this in my domain to ensure it worked. You might want to try it once in your domain to satisfy yourself that it works. It'll build the arrays and then print out the names of all the groups it found.
I hope this helps. I tested the code in my domain and it worked fine.
----- Script: GetGroups.vbs
Dim arrGroupNames()
Dim arrGroupPaths()
Dim bolFirstPass
bolFirstPass = True
ProcessOU "LDAP://myserver.company.c om/dc=comp any,dc=com "
For x = 0 To UBound(arrGroupNames)
Wscript.Echo arrGroupNames(x)
Next
Wscript.Quit
Private Sub ProcessOU(strADSPath)
Dim objAD
Dim objOU
Set objAD = GetObject(strADSPath)
objAD.Filter = Array("OrganizationalUnit" )
For Each objOU In objAD
ProcessOU objOU.ADsPath
Next
SearchForGroups objAD.ADsPath
End Sub
Private Sub SearchForGroups(strADSPath )
Dim objOU
Dim objGroup
Set objOU = GetObject(strADSPath)
objOU.Filter = Array("group")
For Each objGroup In objOU
If bolFirstPass Then
bolFirstPass = False
ReDim arrGroupNames(0)
ReDim arrGroupPaths(0)
Else
ReDim Preserve arrGroupNames(UBound(arrGr oupNames) + 1)
ReDim Preserve arrGroupPaths(UBound(arrGr oupPaths) + 1)
End If
arrGroupNames(UBound(arrGr oupNames)) = Mid(objGroup.Name, 4)
arrGroupPaths(UBound(arrGr oupPaths)) = objGroup.ADsPath
Next
End Sub
----- End Script
Ok, now how do we use this? Well, that's simple. You read the group out of the database and then search the first array looking for a match. If you find one, then the corresponding record in the second array will contain the ADSPath to the group. All you have to do is use GetObject with that ADSPath and you'll have the group object you want. To build the arrays you'll need to put the code at the begining of your script. All you need to do is pass it the path to the root of your domain. The For Next loop surrounding the Wscript.Echo is just for testing. I had it in there while I tested this in my domain to ensure it worked. You might want to try it once in your domain to satisfy yourself that it works. It'll build the arrays and then print out the names of all the groups it found.
I hope this helps. I tested the code in my domain and it worked fine.
----- Script: GetGroups.vbs
Dim arrGroupNames()
Dim arrGroupPaths()
Dim bolFirstPass
bolFirstPass = True
ProcessOU "LDAP://myserver.company.c
For x = 0 To UBound(arrGroupNames)
Wscript.Echo arrGroupNames(x)
Next
Wscript.Quit
Private Sub ProcessOU(strADSPath)
Dim objAD
Dim objOU
Set objAD = GetObject(strADSPath)
objAD.Filter = Array("OrganizationalUnit"
For Each objOU In objAD
ProcessOU objOU.ADsPath
Next
SearchForGroups objAD.ADsPath
End Sub
Private Sub SearchForGroups(strADSPath
Dim objOU
Dim objGroup
Set objOU = GetObject(strADSPath)
objOU.Filter = Array("group")
For Each objGroup In objOU
If bolFirstPass Then
bolFirstPass = False
ReDim arrGroupNames(0)
ReDim arrGroupPaths(0)
Else
ReDim Preserve arrGroupNames(UBound(arrGr
ReDim Preserve arrGroupPaths(UBound(arrGr
End If
arrGroupNames(UBound(arrGr
arrGroupPaths(UBound(arrGr
Next
End Sub
----- End Script
ASKER
I didn't have time to test it, so I'll do it probably tomorrow.
ASKER
Hello BlueDevilFan,
OK, I'll show you what I started some time ago and I was blocked.
How can I use your functions to include the into this script (I'm quite newbie in LDAP, so the few things I know are these that I found on the internet)?
Here's the code:
Dim myconn
Dim myrs
Dim mySQL
Dim myrows
Dim Container
Dim Group
dim strOu
Dim strCN
Dim User
Dim strGroupPath)
on error resume next
set myconn=CreateObject("ADODB .connectio n")
if err<>0 then msgbox err.number & " - " & err.description & "(0)"
myconn.Open "DSN=transpass"
if err<>0 then msgbox err.number & " - " & err.description & "(1)"
set myrs=CreateObject("ADODB.R ecordset")
mySQL = "SELECT * from websencelog"
myrs.Source = mySQL
if err<>0 then msgbox err.number & " - " & err.description & "(2)"
Set myrs.ActiveConnection = myconn
myrs.Open
'strGroupPath=
Do UNTIL myrs.eof
strOU=myrs("ou")
strCN=myrs("uid")
' I'd probably have to set your things here, but have no idea how
' set Container = GetObject("LDAP://" & strOU)
' set Group = GetObject("LDAP://CN=" & myrs("websencegrp") & "," & strGroupPath)
' Group.Add ("LDAP"//CN=" & strcn & "," & strOU)
' msgbox myrs("uid") & vbcrlf & myrs("websencegrp")
myrs.movenext
LOOP
myrs.Close
myconn.Close
wscript.Quit (0)
OK, I'll show you what I started some time ago and I was blocked.
How can I use your functions to include the into this script (I'm quite newbie in LDAP, so the few things I know are these that I found on the internet)?
Here's the code:
Dim myconn
Dim myrs
Dim mySQL
Dim myrows
Dim Container
Dim Group
dim strOu
Dim strCN
Dim User
Dim strGroupPath)
on error resume next
set myconn=CreateObject("ADODB
if err<>0 then msgbox err.number & " - " & err.description & "(0)"
myconn.Open "DSN=transpass"
if err<>0 then msgbox err.number & " - " & err.description & "(1)"
set myrs=CreateObject("ADODB.R
mySQL = "SELECT * from websencelog"
myrs.Source = mySQL
if err<>0 then msgbox err.number & " - " & err.description & "(2)"
Set myrs.ActiveConnection = myconn
myrs.Open
'strGroupPath=
Do UNTIL myrs.eof
strOU=myrs("ou")
strCN=myrs("uid")
' I'd probably have to set your things here, but have no idea how
' set Container = GetObject("LDAP://" & strOU)
' set Group = GetObject("LDAP://CN=" & myrs("websencegrp") & "," & strGroupPath)
' Group.Add ("LDAP"//CN=" & strcn & "," & strOU)
' msgbox myrs("uid") & vbcrlf & myrs("websencegrp")
myrs.movenext
LOOP
myrs.Close
myconn.Close
wscript.Quit (0)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks a lot, it worked :)
I just had to change a piece of code:
Dim strWebsence
strWebsence = myrs("websencegrp")
...
For x = 0 to (UBound(arrGroupNames) - 1)
' If UBound(x) = strWebsence Then ' Replaced by the following line, because in DB I hawe only the name of the group (that was the cause of the trouble of adding to the group):
If instr(arrGroupPaths(x), strWebsence) > 0 Then
Set objGroup = GetObject(arrGroupPaths(x) )
'Code to add the user to the group
objGroup.Add ("Ldap:/CN=" & strCN & "," & strOU
Exit For
End If
Next
Thanks again, you deserved every point I give you.
I just had to change a piece of code:
Dim strWebsence
strWebsence = myrs("websencegrp")
...
For x = 0 to (UBound(arrGroupNames) - 1)
' If UBound(x) = strWebsence Then ' Replaced by the following line, because in DB I hawe only the name of the group (that was the cause of the trouble of adding to the group):
If instr(arrGroupPaths(x), strWebsence) > 0 Then
Set objGroup = GetObject(arrGroupPaths(x)
'Code to add the user to the group
objGroup.Add ("Ldap:/CN=" & strCN & "," & strOU
Exit For
End If
Next
Thanks again, you deserved every point I give you.
No problem. Glad I could help. Cheers.
ASKER
Hello BlueDevilFan,
It is not against the rules to give the extra points and I already did it in the past.
Mike
It is not against the rules to give the extra points and I already did it in the past.
Mike
Ok.
Dim objGroup, strUsername, strUserOU
For Each Record in SQLTable
strUsername = SQLUserName
strUserOU = SQLUserOU
Select Case strUserOU
Case "Books"
Set objGroup = GetObject("LDAP://CN=15_WS
objGroup.Add ("LDAP://CN=" & strUsername & ",OU=Books,OU=Information Products,OU=Websence,DC=Co
Case "Retail"
Set objGroup = GetObject("LDAP://CN=20_WS
objGroup.Add ("LDAP://CN=" & strUsername & ",OU=Retail,OU=Websence,DC
Case "..."
End Select
Next
Set objGroup = Nothing