mawatson asked:
How do I add users to Groups in AD when the users are in one domain and the group is in another domain in a VB script?

I am new to scripting LDAP in VB and I am currently spinning my wheels on a particular item.  I've attached the VB script below for reference.  So, here's the situation in a nutshell: I want to add Users from an OU in one domain (DN: qahbank.emogc.net) in our forest (adrootqa.emogc.net) into a Group in another domain (DN: nbitqa.ca) in our forest.

When I run the script while logged in to "qahbank.emogc.net", for example, the OU containing the users can be located via LDAP but it cannot locate the Group that exists in domain "nbitqa.ca".  Conversely, when I run the script while logged in as an Enterprise Admin in "nbitqa.ca", the LDAP query locates the Group but cannot locate the Users in "qahbank.emogc.net".  I'm fairly sure that the "general" LDAP:// or GC:// queries in the script aren't spanning across the domains.

So, my question is thus: how can I hard-code or force the two queries to use a specific domain or even Domain Controller so neither of the queries fail, or should I specify the separate domains' GCs in the opening arguments / strings?  What is the syntax for using specific GCs or domains in an LDAP query in a VB script?

Apologies for the long-winded message and I hope I managed to convey the gist of this.

Thanks!


' AddToGroup2.vbs
' VBScript program to add users in a text file to a group.
'
' This program reads user names (Distinguished Names) from a text file
' and adds the users to a group. The name of the text file and the group
' sAMAccountName are passed to the program as parameters. The program
' uses the LDAP provider to bind to the group and user objects.
 
Option Explicit
 
Dim objFile, objGroup, objFSO, strFile, strGroup, strUserPath, objUser
Dim intCount, objRootDSE, objTrans, strNetBIOSDomain, strGroupPath
Dim strDNSDomain
 
Const ForReading = 1
 
' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1
 
' Check for required arguments.
If (Wscript.Arguments.Count < 2) Then
    Wscript.Echo "Required Argument Missing" & vbCrLf _
        & "Syntax:  cscript AddToGroup2.vbs UserList.txt GroupName"
    Wscript.Quit(0)
End If
 
strFile = Wscript.Arguments(0)
strGroup = Wscript.Arguments(1)
 
' Open the text file of user names.
Set objFSO = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Set objFile = objFSO.OpenTextFile(strFile, ForReading)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Unable to open file " & strFile
    Set objFSO = Nothing
    Wscript.Quit(1)
End If
On Error GoTo 0
 
' Use the NameTranslate object to get the NetBIOS domain name
' and the Distinguished Name of the group.
Set objRootDSE = GetObject("LDAP://RootDSE")
Set objTrans = CreateObject("NameTranslate")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
' Initialize NameTranslate by locating the Global Catalog.
objTrans.Init ADS_NAME_INITTYPE_GC, ""
objTrans.Set ADS_NAME_TYPE_1779, strDNSDomain
strNetBIOSDomain = objTrans.Get(ADS_NAME_TYPE_NT4)
' Remove trailing backslash.
strNetBIOSDomain = Left(strNetBIOSDomain, Len(strNetBIOSDomain) - 1)
 
' Use the Set method to specify the NT format of group name.
On Error Resume Next
objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & strGroup
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Unable to find group " & strGroup
    objFile.Close
    Set objFSO = Nothing
    Set objFile = Nothing
    Set objRootDSE = Nothing
    Set objTrans = Nothing
    Wscript.Quit(1)
End If
 
' Use Get method to retrieve group Distinguished Name.
strGroupPath = objTrans.Get(ADS_NAME_TYPE_1779)
 
' Escape any forward slash characters, "/", with the backslash
' escape character. All other characters that should be escaped are.
strGroupPath = Replace(strGroupPath, "/", "\/")
 
' Bind to group object.
Set objGroup = GetObject("LDAP://" & strGroupPath)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Unable to bind to group" & vbCrLf & strGroupPath
    objFile.Close
    Set objFSO = Nothing
    Set objFile = Nothing
    Set objRootDSE = Nothing
    Set objTrans = Nothing
    Wscript.Quit(1)
End If
On Error GoTo 0
 
' Read names from the text file, bind to the users, and add them to the
' group. intCount is the number of users added to the group.
intCount = 0
Do Until objFile.AtEndOfStream
    strUserPath = Trim(objFile.ReadLine)
    If (strUserPath <> "") Then
        On Error Resume Next
        Set objUser = GetObject("LDAP://" & strUserPath)
        If (Err.Number <> 0) Then
            On Error GoTo 0
            Wscript.Echo "User " & strUserPath & " not found"
        Else
            objGroup.Add(objUser.AdsPath)
            If (Err.Number <> 0) Then
                On Error GoTo 0
                Wscript.Echo "Error adding user " & objUser.sAMAccountName _
                    & " to group " & strGroup
            Else
                On Error GoTo 0
                intCount = intCount + 1
            End If
        End If
    End If
Loop
 
Wscript.Echo CStr(intCount) & " members added to group " & strGroup
 
' Clean up.
objFile.Close
Set objFile = Nothing
Set objFSO = Nothing
Set objGroup = Nothing
Set objUser = Nothing
Set objRootDSE = Nothing
Set objTrans = Nothing


ASKER CERTIFIED SOLUTION
LauraEHunterMVP
mawatson (ASKER):
Hi Laura.  Thank you very much for your post.

As for the syntax, I've taken your advice and hardcoded the LDAP search query to say:
Line 64:       Set objRootDSE = GetObject("GC://dc=nbitqa,dc=ca")
Is this syntax correct?  When I next run the script, I receive a "The directory property could not be found in the cache" error.

I've taken a script written by an anonymous source and attempted to tailor it for myself so I'm not certain about the syntax nor am I certain about how well the syntax change will fit into the context of the entire script.

Also, I am attempting to place these Users in a Universal Security Group and not a GG so I'm pretty sure the failure won't be an AD constraint issue.

I hope I'm providing the right feedback!

Thanks,
Matt
RootDSE is not domain-specific, it will connect to whatever domain you are authenticated against.

Take a look at the VBScript in Recipe 4.9 at the following URL for an example of connecting to the Global Catalog: http://techtasks.com/code/viewbook/2
RobSampson:
Hey Laura, I am having the same issue, and would like your opinion.  Here's an example script I am trying to use to add a user from my current domain, to a Domain Local group on another domain.  I can do this manually via the ADUC console, but cannot get it automated.

'==============
Set objGroup = GetObject("GC://CN=TestOldDom_Local,OU=TestOU,DC=other,DC=domain,DC=com")
Set objNewUser = GetObject("GC://CN=Test User 8,OU=Users,OU=TestOU,DC=current,DC=domain,DC=com")
objGroup.Add objNewUser.ADsPath
'==============

but it's not working, I've also tried using the NewUser SID and
objGroup.Add "GC://<SID=" & strSidDec & ">"

but it gives me this error:
Error: The server is unwilling to process the request.
Code: 80072035
Source: (null)

Can you help?

Regards,

Rob.
Hi Laura, are you able to shed light on this issue?

Thanks,

Rob.
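A worked example that covers both the original question (how to pin each bind to a specific domain or DC) and Rob's follow-up (why adding through GC:// paths fails). This is added example code; it is not part of the thread and was not written by any of the posters. It assumes the two domains named in the question, nbitqa.ca for the group and qahbank.emogc.net for the user, plus a placeholder group sAMAccountName and a placeholder user DN, all of which have to be replaced. Two facts it relies on: the Global Catalog is read-only, so the GC provider can read DNs from any domain in the forest but cannot change group membership, and writes have to go through the LDAP provider against a DC of the domain that owns the group. Second, GC://dc=nbitqa,dc=ca binds to the domain object rather than to RootDSE, so a following Get("DefaultNamingContext") fails with the "property could not be found in the cache" error, because the domain object has no such attribute. The script therefore uses the LDAP://<domain>/<DN> form, where the DC locator picks a DC in the named domain, and initialises NameTranslate against the group's domain instead of whichever domain the caller logged on to.

```vbscript
' CrossDomainAdd.vbs - added example, not code from the thread.
' Adds one user that lives in qahbank.emogc.net to a group that lives in
' nbitqa.ca, binding each object through a DC of its own domain.
Option Explicit

Const ADS_NAME_INITTYPE_DOMAIN = 1   ' NameTranslate bound to a named domain
Const ADS_NAME_TYPE_1779 = 1         ' RFC 1779 distinguished name
Const ADS_NAME_TYPE_NT4 = 3          ' DOMAIN\sAMAccountName

Dim strGroupDomain, strUserDomain, strGroup, strUserDN
strGroupDomain = "nbitqa.ca"                 ' domain that owns the group
strUserDomain  = "qahbank.emogc.net"         ' domain that owns the user
strGroup       = "CrossDomainApp-Users"      ' placeholder group sAMAccountName (assumed)
strUserDN      = "CN=Test User,OU=Staff,DC=qahbank,DC=emogc,DC=net"  ' placeholder DN (assumed)

' Turn a DNS domain name into its domain DN, e.g. nbitqa.ca -> DC=nbitqa,DC=ca.
Function DomainDN(strDns)
    DomainDN = "DC=" & Replace(strDns, ".", ",DC=")
End Function

' Escape forward slashes so the DN can be used inside an ADsPath.
Function EscapeDN(strDN)
    EscapeDN = Replace(strDN, "/", "\/")
End Function

' Resolve DOMAIN\group to a DN inside the group's own domain. The thread's
' script asked the GC about whatever domain the caller was logged on to; here
' NameTranslate is explicitly initialised against strDomain.
Function ResolveGroupDN(strDomain, strGroupName)
    Dim objTrans, strNetBIOS
    Set objTrans = CreateObject("NameTranslate")
    objTrans.Init ADS_NAME_INITTYPE_DOMAIN, strDomain
    objTrans.Set ADS_NAME_TYPE_1779, DomainDN(strDomain)
    strNetBIOS = objTrans.Get(ADS_NAME_TYPE_NT4)          ' e.g. "NBITQA\"
    strNetBIOS = Left(strNetBIOS, Len(strNetBIOS) - 1)    ' drop trailing backslash
    objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOS & "\" & strGroupName
    ResolveGroupDN = objTrans.Get(ADS_NAME_TYPE_1779)
End Function

' True if strDN is already listed in the group's member attribute.
' (Groups with more than 1500 members need ranged retrieval; not handled here.)
Function IsMemberDN(objGroup, strDN)
    Dim arrMembers, strMember
    IsMemberDN = False
    On Error Resume Next
    arrMembers = objGroup.GetEx("member")   ' raises an error when the group is empty
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0
    For Each strMember In arrMembers
        If LCase(strMember) = LCase(strDN) Then IsMemberDN = True
    Next
End Function

Dim strGroupDN, objGroup, objUser
On Error Resume Next

strGroupDN = ResolveGroupDN(strGroupDomain, strGroup)
If Err.Number <> 0 Then
    WScript.Echo "Group " & strGroup & " not found in " & strGroupDomain & " (0x" & Hex(Err.Number) & ")"
    WScript.Quit 1
End If

' LDAP://<domain>/<DN>: the DC locator chooses a writable DC in that domain.
' A GC:// path would bind read-only and the later Add would be refused.
Set objGroup = GetObject("LDAP://" & strGroupDomain & "/" & EscapeDN(strGroupDN))
If Err.Number <> 0 Then
    WScript.Echo "Cannot bind to group " & strGroupDN & " (0x" & Hex(Err.Number) & ")"
    WScript.Quit 1
End If

' Bind the user in its own domain to confirm it exists and read its real DN.
Set objUser = GetObject("LDAP://" & strUserDomain & "/" & EscapeDN(strUserDN))
If Err.Number <> 0 Then
    WScript.Echo "Cannot bind to user " & strUserDN & " (0x" & Hex(Err.Number) & ")"
    WScript.Quit 1
End If
On Error GoTo 0

strUserDN = objUser.Get("distinguishedName")
If IsMemberDN(objGroup, strUserDN) Then
    WScript.Echo strUserDN & " is already a member of " & strGroup
Else
    ' Add takes an ADsPath; the group's DC writes the DN into the member
    ' attribute and resolves it through the Global Catalog, which is how a
    ' member from another forest domain is accepted by Universal and Domain
    ' Local groups (Global groups only take members from their own domain).
    On Error Resume Next
    objGroup.Add "LDAP://" & EscapeDN(strUserDN)
    If Err.Number <> 0 Then
        WScript.Echo "Add failed (0x" & Hex(Err.Number) & "): " & Err.Description
        WScript.Quit 1
    End If
    On Error GoTo 0
    WScript.Echo "Added " & strUserDN & " to " & strGroup & " in " & strGroupDomain
End If
```

Run it with cscript from an account that has write access to the group's member attribute in nbitqa.ca and read access to the user in qahbank.emogc.net; errors are printed with their HRESULT in hex so that a refusal such as 0x80072035 can be matched against the ADSI error tables. To keep the thread's text-file driven loop, replace the single strUserDN with the ReadLine loop from the original script and call the same bind-and-add sequence for each DN.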