How do I add users to Groups in AD when the users are in one domain and the goup is in another domain in a VB script?

I am new to scripting LDAP in VB and I am currently spinning my wheels on a particular item.  I've attached the VB script below for reference.  So, here's the situation in a nutshell: I want to add Users from an OU in one domain (DN: qahbank.emogc.net) in our forest (adrootqa.emogc.net) into a Group in another domain (DN: nbitqa.ca) in our forest.

When I run the script while logged in to "qahbank.emogc.net", for example, the OU containing the users can be located via LDAP but it cannot locate the Group that exists in domain "nbitqa.ca".  Conversely, when I run the script while logged in as an Enterprise Admin in "nbitqa.ca", the LDAP query locates the Group but cannot locate the Users in "qahbank.emogc.net".  I'm fairly sure that the "general" LDAP:// or GC:// queries in the script aren't spanning across the domains

So, my question is thus: how can I hard-code or force the two queries to use a specific domain or even Domain Controller so neither of the queries fail or should I specify the separate domains GC's in the opening arguments / strings?  What is the syntax for using specific GC's or domain's in an LDAP query in a VB script?

Apologies for the long-winded message and I hope I managed to convey the gist of this.

Thanks!


' AddToGroup2.vbs
' VBScript program to add users in a text file to a group.
'
' This program reads user names (Distinguished Names) from a text file
' and adds the users to a group. The name of the text file and the group
' sAMAccountName are passed to the program as parameters. The program
' uses the LDAP provider to bind to the group and user objects.
 
Option Explicit
 
Dim objFile, objGroup, objFSO, strFile, strGroup, strUserPath, objUser
Dim intCount, objRootDSE, objTrans, strNetBIOSDomain, strGroupPath
Dim strDNSDomain
 
Const ForReading = 1
 
' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1
 
' Check for required arguments.
If (Wscript.Arguments.Count < 2) Then
    Wscript.Echo "Required Argument Missing" & vbCrLf _
        & "Syntax:  cscript AddToGroup2.vbs UserList.txt GroupName"
    Wscript.Quit(0)
End If
 
strFile = Wscript.Arguments(0)
strGroup = Wscript.Arguments(1)
 
' Open the text file of user names.
Set objFSO = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Set objFile = objFSO.OpenTextFile(strFile, ForReading)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Unable to open file " & strFile
    Set objFSO = Nothing
    Wscript.Quit(1)
End If
On Error GoTo 0
 
' Use the NameTranslate object to get the NetBIOS domain name
' and the Distinguished Name of the group.
Set objRootDSE = GetObject("LDAP://RootDSE")
Set objTrans = CreateObject("NameTranslate")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
' Initialize NameTranslate by locating the Global Catalog.
objTrans.Init ADS_NAME_INITTYPE_GC, ""
objTrans.Set ADS_NAME_TYPE_1779, strDNSDomain
strNetBIOSDomain = objTrans.Get(ADS_NAME_TYPE_NT4)
' Remove trailing backslash.
strNetBIOSDomain = Left(strNetBIOSDomain, Len(strNetBIOSDomain) - 1)
 
' Use the Set method to specify the NT format of group name.
On Error Resume Next
objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & strGroup
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Unable to find group " & strGroup
    objFile.Close
    Set objFSO = Nothing
    Set objFile= Nothing
    Set objRootDSE = Nothing
    Set objTrans = Nothing
    Wscript.Quit(1)
End If
 
' Use Get method to retrieve group Distingished Name.
strGroupPath = objTrans.Get(ADS_NAME_TYPE_1779)
 
' Escape any forward slash characters, "/", with the backslash
' escape character. All other characters that should be escaped are.
strGroupPath = Replace(strGroupPath, "/", "\/")
 
' Bind to group object.
Set objGroup = GetObject("LDAP://" & strGroupPath)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Unable to bind to group" & vbCrLf & strGroupPath
    objFile.Close
    Set objFSO = Nothing
    Set objFile= Nothing
    Set objRootDSE = Nothing
    Set objTrans = Nothing
    Wscript.Quit(1)
End If
On Error GoTo 0
 
' Read names from the text file, bind to the users, and add them to the
' group. intCount is the number of users added to the group.
intCount = 0
Do Until objFile.AtEndOfStream
    strUserPath = Trim(objFile.ReadLine)
    If (strUserPath <> "") Then
        On Error Resume Next
        Set objUser = GetObject("LDAP://" & strUserPath)
        If (Err.Number <> 0) Then
            On Error GoTo 0
            Wscript.Echo "User " & strUserPath & " not found"
        Else
            objGroup.Add(objUser.AdsPath)
            If (Err.Number <> 0) Then
                On Error GoTo 0
                Wscript.Echo "Error adding user " & objUser.sAMAccountName _
                    & " to group " & strGroup
            Else
                On Error GoTo 0
                intCount = intCount + 1
            End If
        End If
    End If
Loop
 
Wscript.Echo CStr(intCount) & " members added to group " & strGroup
 
' Clean up.
objFile.Close
Set objFile = Nothing
Set objFSO = Nothing
Set objGroup = Nothing
Set objUser = Nothing
Set objRootDSE = Nothing
Set objTrans = Nothing

Open in new window

mawatsonAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

LauraEHunterMVPCommented:
Use a GC for your query: GC://dc=domain,dc=com

Keep in mind that there are certain contraints with AD groups where specific types of groups can only contain a specific scope of members. For example, global groups can only contain users from within the same AD domain - if you try to add a user from another domain into a global group, your VBScript could be perfect and it would still throw a contraint violation.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mawatsonAuthor Commented:
Hi Laura.  Thank you very much for your post.

As for the syntax, I've taken your advice and hardcoded the LDAP search query to say:
Line 64:       Set objRootDSE = GetObject("GC://dc=nbitqa,dc=ca")
Is this syntax correct?  When I next run the script, I receive a "The directory property could not be found in the cache" error.  

I've taken a script written by an anonymous source and attempted to tailor it for myself so I'm not certain about the syntax nor am I certain about how well the syntax change will fit into the context of the entire script.

Also, I am attempting to place these Users in a Universal Security Group and not a GG so I'm pretty sure the failure won't be an AD constraint issue.

I hope I'm providing the right feedback!

Thanks,
Matt
0
LauraEHunterMVPCommented:
RootDSE is not domain-specific, it will connect to whatever domain you are authenticated against.

Take a look at the VBScript in Recipe 4.9 at the following URL for an example of connecting to the Global Catalog: http://techtasks.com/code/viewbook/2
0
RobSampsonCommented:
Hey Laura, I am having the same issue, and would like your opinion.  Here's an example script I am trying to use to add a user from my current domain, to a Domain Local group on another domain.  I can do this manually via the ADUC console, but cannot get it automated.

'==============
Set objGroup = GetObject("GC://CN=TestOldDom_Local,OU=TestOU,DC=other,DC=domain,DC=com")
Set objNewUser = GetObject("GC://CN=Test User 8,OU=Users,OU=TestOU,DC=current,DC=domain,DC=com")
objGroup.Add objNewUser.ADsPath
'==============

but it's not working, I've also tried using the NewUser SID and
objGroup.Add "GC://<SID=" & strSidDec & ">"

but it gives me this error:
Error: The server is unwilling to process the request.
Code: 80072035
Source: (null)

Can you help?

Regards,

Rob.
0
RobSampsonCommented:
Hi Laura, are you able to shed light on this issue?

Thanks,

Rob.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Visual Basic Classic

From novice to tech pro — start learning today.