VBScript created user does not appear when querying groups using VBScript

SynsealIT asked on
Hi all,

I have been working very hard to automate user and computer creation and configuration, and I am just about there.

As Part of the process I have written a HTA for creating new users, and at face value it seems to work perfectly.

Here is the code for the function that creates the user.

========================================================================================================

Function addUser()
      
            Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
            Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
            Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1
            Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
            Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
            
            ExHome = "/o=Exchange/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=SERVERNAME"
            MDB = "CN=Mailbox Store (SERVERNAME),CN=First Storage Group,CN=InformationStore,CN=SERVERNAME,CN=Servers,"& _
                  "CN=First Administrative Group,CN=Administrative Groups,CN=Exchange,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com"
            
            Dim phngroup()
            Dim secgroup()
            Dim disgroup()
            
            
      
            'collect the new users details from the form, and place them in variables to be worked with.
            FirstName = document.frmNewUser.FirstName.value
            LastName = document.frmNewUser.LastName.value
            Mail = document.frmNewUser.Mail.value
            Pass = document.frmNewUser.Pass.value
            PassCheck = document.frmNewUser.PassCheck.value
            Department = document.frmNewUser.Deparment.value
            Office = document.frmNewUser.Office.value
            Phone = document.frmNewUser.Phone.value
            Mobile = document.frmNewUser.Mobile.value
            Manager = document.frmNewUser.SelManager.value
            ldapPath = document.frmNewUser.SelOU.value
            
            'begin creating the new user.
            If Pass <> PassCheck then
                  msgbox "the passwords do not match"
                  exit function
            Else
                  'configure the username and email address
                  UserName = FirstName & "." & LastName
                  FullName = FirstName & " " & LastName
                  MailAddress = UserName & "@synseal.com"
            End If
            
            
            ldapPath = "OU=Users," & ldapPath
            Set objOU = GetObject("LDAP://" & ldapPath)
            
            Set objUser = objOU.Create("User", "cn=" & FullName)
            objUser.Put "sAMAccountName", UserName
            objUser.Put "displayName", FullName
            objUser.Put "givenName", FirstName
            objUser.Put "mailNickname", FullName
            objUser.Put "name", FullName
            objUser.Put "sn", LastName
            objUser.Put "userPrincipalName", UserName
            If Mobile > "" then
                  objUser.Put "mobile", Mobile
            End If
            If Phone > "" then
                  objUser.Put "telephoneNumber", Phone
            End If
            If Manager > "" then
                  objUser.Put "manager", Manager
            End If
            objUser.Put "scriptPath", "LogonScript.vbs"
            objUser.Put "homeDirectory", "\\server\Users\" & UserName
            objUser.Put "homeDrive", "L:"
            objUser.Put "company", "My company Ltd"
            objUser.Put "department", Department
            objUser.Put "description", Department
            objUser.Put "physicalDeliveryOfficeName", Office
            objUser.SetInfo
            objUser.SetPassword Pass
            objUser.AccountDisabled = FALSE
            objUser.SetInfo
            UserPath = "cn=" & FullName & "," & ldapPath
            
            if Mail = "on" then
                  objUser.Put "msExchHomeServerName", ExHome
                  objUser.Put "mail", MailAddress
                  objUser.Put "mailnickname", UserName
                  objUser.put "mDBUseDefaults", TRUE
                  objUser.Put "homeMDB", MDB
                  objUser.SetInfo
            end if
            
            'create user folder and add security
            Set objFSO = CreateObject("Scripting.FileSystemObject")
            If objFSO.FolderExists("\\server\Users\" & UserName) = False Then
                  objFSO.CreateFolder("\\server\Users\" & UserName)
            End If
            aclupdate "\\server\Users\" & UserName,"DOMAIN\" & UserName
            If Manager <> "" then
                  Set objManager = GetObject("LDAP://" & Manager)
                  manname = objManager.Get("sAMAccountName")

                  aclupdate "\\server\Users\" & UserName,"SYNSEAL\" & manname
            End if
            
            
            'prevent the password from expiring: OR sets the flag, whereas XOR
            'would toggle it (and clear it if it were already set)
            intUAC = objUser.Get("userAccountControl")
            objUser.Put "userAccountControl", intUAC OR ADS_UF_DONT_EXPIRE_PASSWD
            objUser.SetInfo

            'prevent user from changing password
            Set objSD = objUser.Get("ntSecurityDescriptor")
            Set objDACL = objSD.DiscretionaryAcl
            arrTrustees = array("nt authority\self", "EVERYONE")

            For Each strTrustee in arrTrustees
                  Set objACE = CreateObject("AccessControlEntry")
                  objACE.Trustee = strTrustee
                  objACE.AceFlags = 0
                  objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
                  objACE.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
                  objACE.ObjectType = CHANGE_PASSWORD_GUID
                  objACE.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
                  objDACL.AddAce objACE
            Next

            objSD.DiscretionaryAcl = objDACL
            objUser.Put "nTSecurityDescriptor", objSD
            objUser.SetInfo
            
            count = 0
            for each value in document.frmNewUser.PhoneGroups
                  document.frmNewUser.PhoneGroups.selectedIndex = count
                  ReDim Preserve phngroup(count)
                  phngroup(count) = document.frmNewUser.PhoneGroups.value
                  Set objGroup = GetObject("LDAP://cn=phn_" & phngroup(count) & ",ou=GroupsPhone,ou=AdministrativeOU,dc=domain,dc=com")
                  objGroup.Add(objUser.ADsPath)
                  count = count +1
            next
            
            count2 = 0
            for each value in document.frmNewUser.SecurityGroups
                  document.frmNewUser.SecurityGroups.selectedIndex = count2
                  ReDim Preserve secgroup(count2)
                  secgroup(count2) = document.frmNewUser.SecurityGroups.value
                  Set objGroup = GetObject("LDAP://cn=" & secgroup(count2) & ",ou=GroupsAccess,ou=AdministrativeOU,dc=domain,dc=com")
                  objGroup.Add(objUser.ADsPath)
                  count2 = count2 +1
            next
            
            count3 = 0
            for each value in document.frmNewUser.DistributionGroups
                  document.frmNewUser.DistributionGroups.selectedIndex = count3
                  ReDim Preserve disgroup(count3)
                  disgroup(count3) = document.frmNewUser.DistributionGroups.value
                  Set objGroup = GetObject("LDAP://cn=" & disgroup(count3) & ",ou=GroupsDistribution,ou=AdministrativeOU,dc=domain,dc=com")
                  objGroup.Add(objUser.ADsPath)
                  count3 = count3 +1
            next

            document.frmNewUser.reset()
      End Function
      
      Function aclupdate(folder,user)

             Set sec = CreateObject("ADsSecurity")
             Set sd = sec.GetSecurityDescriptor("FILE://" & folder)
             Set dacl = sd.DiscretionaryAcl
            
            
             Set ace = CreateObject("AccessControlEntry")
             ace.trustee = user
             ace.AccessMask = 2032127
             ace.AceType = 0
             ace.AceFlags = 3
             
             dacl.AddAce ace
             sd.DiscretionaryAcl = dacl
             sec.SetSecurityDescriptor sd
      End Function

==================================================================================================

This all seems to work very well, and if I compare a user created with this script to a user created with AD they are the same. They are also the same if I check them with ADSIEdit.

The problem is, that I have another HTA that the users view through outlook, which lists and searches for users their phone numbers and email addresses etc. Here is the query it uses.

===================================================================================================

Function members(group)
            
            'query the group that has been passed to the function, and place the
            'members in an array
            group = replace(group,"#"," ")
            Set objGroup = GetObject("LDAP://" & group)
            objGroup.GetInfo
            arrMemberOf = objGroup.GetEx("member")
            
            'create a disconnected recordset to hold the details of the array;
            'this is only done so we can properly sort the data into alphanumeric order.
            Const adVarChar = 200
            Const MaxCharacters = 255
            Set DataList = CreateObject("ADOR.recordset")
            DataList.Fields.Append "UserName", adVarChar, MaxCharacters
            DataList.Fields.Append "Phone", adVarChar, MaxCharacters
            DataList.Fields.Append "Mobile", adVarChar, MaxCharacters
            DataList.Fields.Append "Mail", adVarChar, MaxCharacters
            DataList.Fields.Append "Office", adVarChar, MaxCharacters
            DataList.Fields.Append "SubDep", adVarChar, MaxCharacters
            DataList.open
                        
            'begin drawing the table to be placed on the lyrBody division
            strHTML = ""
            strHTML =  "<table border=2 bordercolor='#C0C0C0' cellspacing='0' bordercolorlight='#D8DAE2' bordercolordark='#C0C0C0' style='font-family: Century Gothic; font-size: 10pt; color: #000000'><tr><td><b>Name</b></td><td><b>Phone</b></td><td><b>Mobile</b>" & _
                  "</td><td><b>Email</b></td><td><b>Office</b></td><td><b>Department</b></td></tr>"
            'loop through the array containing the list of users, and return the users details to variables
            For Each strMember in arrMemberOf
                              
                  Set objUser = GetObject("LDAP://" & strMember)
                  intUAC = objUser.userAccountControl
                  'test the individual flags instead of comparing the whole value to 66048:
                  'an account can carry extra bits (for example PASSWD_NOTREQD, &H20, which
                  'ADSI sets on newly created users) and still be an enabled normal account.
                  'NORMAL_ACCOUNT = &H200, ACCOUNTDISABLE = &H2, DONT_EXPIRE_PASSWD = &H10000
                  If (intUAC AND &H200) <> 0 AND (intUAC AND &H2) = 0 AND (intUAC AND &H10000) <> 0 Then
                                    
                                    
                        UserName = objUser.cn
                        If len(UserName) = 0 then UserName = "&nbsp;"
                        Phone = objUser.telephoneNumber
                        If len(Phone) = 0 then Phone = "&nbsp;"
                        Mobile = objUser.mobile
                        If len(Mobile) = 0 then Mobile = "&nbsp;"
                        Mail = objuser.mail
                        If len(Mail) = 0 then Mail = "&nbsp;"
                        Office = objUser.physicalDeliveryOfficeName
                        If len(Office) = 0 then Office = "&nbsp;"
                        SubDep = objUser.department
                        If len(SubDep) = 0 then SubDep = "&nbsp;"
                              
                        DataList.AddNew
                        DataList("UserName") = UserName
                        DataList("Phone") = Phone
                        DataList("Mobile") = Mobile
                        DataList("Mail") = Mail
                        DataList("Office") = Office
                        DataList("SubDep") = SubDep
                        DataList.Update
                              
                  End If

            'loop back and do the next user
            Next
            DataList.Sort = "UserName"
            DataList.MoveFirst
            bgcolour = "#C0C0C0"
            Do until DataList.EOF
                  'append the user's details to the table (close the mailto anchor)
                  strHTML = strHTML + "<tr bgcolor='" & bgcolour & "'><td>" & DataList("UserName") & "</td><td>" & DataList("Phone") & "</td><td>" & DataList("Mobile") & _
                              "</td><td><a href='mailto:" & DataList("Mail") & "'>" & DataList("Mail") & "</a></td><td>" & DataList("Office") & "</td><td>" & DataList("SubDep") & "</td></tr>"
                  DataList.MoveNext
                  If bgcolour = "#C0C0C0" then
                        bgcolour = "#EBECF0"
                  Else
                        bgcolour = "#C0C0C0"
                  End If
            Loop

            'write out the table to the division lyrBody
            strHTML = strHTML + "</table>"
            lyrBody.innerHTML = strHTML
      End Function

=================================================================================

Again this works perfectly, however it will not list any user created by the user creation script. If I look in AD User and Computers, the user is in the correct group, but the user is not listed by the script when I list the members of that group.

As you can probably tell, I am no stranger to scripting, but this has me stumped. Can anyone shed any light on this? Oh and I will not accept any answers that involve javascript.
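An added example, not part of the original question or the accepted answer: a stand-alone VBScript that decodes userAccountControl as bit flags rather than comparing the whole value to 66048, and that clears the PASSWD_NOTREQD bit ADSI leaves on freshly created accounts. The sample values are constructed; `objUser` in `RequirePassword` is assumed to be an ADSI user object bound with GetObject("LDAP://...").

```vbscript
' Added example (not from the original post). A user created through ADSI
' starts at 546 (NORMAL_ACCOUNT + ACCOUNTDISABLE + PASSWD_NOTREQD); after it
' is enabled and DONT_EXPIRE_PASSWD is OR-ed in it holds 66080, which an
' exact comparison with 66048 silently rejects.
Option Explicit

Const ADS_UF_ACCOUNTDISABLE     = &H2
Const ADS_UF_PASSWD_NOTREQD     = &H20
Const ADS_UF_NORMAL_ACCOUNT     = &H200
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' True when the account is an enabled, normal user with a non-expiring
' password, whatever other flags happen to be set.
Function IsListableUser(intUAC)
    IsListableUser = ((intUAC And ADS_UF_NORMAL_ACCOUNT) <> 0) And _
                     ((intUAC And ADS_UF_ACCOUNTDISABLE) = 0) And _
                     ((intUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0)
End Function

' Human-readable breakdown, useful when auditing why a user is missing.
Function DescribeUAC(intUAC)
    Dim s : s = "UAC=" & intUAC
    If (intUAC And ADS_UF_NORMAL_ACCOUNT) <> 0 Then s = s & " NORMAL_ACCOUNT"
    If (intUAC And ADS_UF_ACCOUNTDISABLE) <> 0 Then s = s & " ACCOUNTDISABLE"
    If (intUAC And ADS_UF_PASSWD_NOTREQD) <> 0 Then s = s & " PASSWD_NOTREQD"
    If (intUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then s = s & " DONT_EXPIRE_PASSWD"
    DescribeUAC = s
End Function

' Clears PASSWD_NOTREQD on an account whose password has already been set:
' while the bit is present the account may be given an empty password
' regardless of the domain password policy. objUser is assumed to be an
' ADSI user object (hypothetical parameter for this example).
Sub RequirePassword(objUser)
    Dim intUAC : intUAC = objUser.Get("userAccountControl")
    If (intUAC And ADS_UF_PASSWD_NOTREQD) <> 0 Then
        objUser.Put "userAccountControl", intUAC And (Not ADS_UF_PASSWD_NOTREQD)
        objUser.SetInfo
    End If
End Sub

' Constructed values: a user made in ADUC (66048), one made by the HTA
' (66080) and a disabled one (514).
Dim uac
For Each uac In Array(66048, 66080, 514)
    WScript.Echo DescribeUAC(uac) & " -> listed: " & IsListableUser(uac)
Next
```

Run with cscript; the 66080 account is listed by the flag test but would be dropped by the equality check in the HTA.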
ASKER CERTIFIED SOLUTION
dave_moats