mawatson
How do I add users to Groups in AD when the users are in one domain and the group is in another domain in a VB script?
I am new to scripting LDAP in VB and I am currently spinning my wheels on a particular item. I've attached the VB script below for reference. So, here's the situation in a nutshell: I want to add Users from an OU in one domain (DN: qahbank.emogc.net) in our forest (adrootqa.emogc.net) into a Group in another domain (DN: nbitqa.ca) in our forest.
When I run the script while logged in to "qahbank.emogc.net", for example, the OU containing the users can be located via LDAP but it cannot locate the Group that exists in domain "nbitqa.ca". Conversely, when I run the script while logged in as an Enterprise Admin in "nbitqa.ca", the LDAP query locates the Group but cannot locate the Users in "qahbank.emogc.net". I'm fairly sure that the "general" LDAP:// or GC:// queries in the script aren't spanning across the domains.
So, my question is thus: how can I hard-code or force the two queries to use a specific domain or even Domain Controller so that neither of the queries fails, or should I specify the separate domains' GCs in the opening arguments / strings? What is the syntax for using specific GCs or domains in an LDAP query in a VB script?
Apologies for the long-winded message and I hope I managed to convey the gist of this.
Thanks!
' AddToGroup2.vbs
' VBScript program to add users in a text file to a group.
'
' This program reads user names (Distinguished Names) from a text file
' and adds the users to a group. The name of the text file and the group
' sAMAccountName are passed to the program as parameters. The program
' uses the LDAP provider to bind to the group and user objects.
Option Explicit
Dim objFile, objGroup, objFSO, strFile, strGroup, strUserPath, objUser
Dim intCount, objRootDSE, objTrans, strNetBIOSDomain, strGroupPath
Dim strDNSDomain
Const ForReading = 1
' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1
' Check for required arguments.
If (Wscript.Arguments.Count < 2) Then
Wscript.Echo "Required Argument Missing" & vbCrLf _
& "Syntax: cscript AddToGroup2.vbs UserList.txt GroupName"
Wscript.Quit(0)
End If
strFile = Wscript.Arguments(0)
strGroup = Wscript.Arguments(1)
' Open the text file of user names.
Set objFSO = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Set objFile = objFSO.OpenTextFile(strFile, ForReading)
If (Err.Number <> 0) Then
On Error GoTo 0
Wscript.Echo "Unable to open file " & strFile
Set objFSO = Nothing
Wscript.Quit(1)
End If
On Error GoTo 0
' Use the NameTranslate object to get the NetBIOS domain name
' and the Distinguished Name of the group.
Set objRootDSE = GetObject("LDAP://RootDSE")
Set objTrans = CreateObject("NameTranslate")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
' Initialize NameTranslate by locating the Global Catalog.
objTrans.Init ADS_NAME_INITTYPE_GC, ""
objTrans.Set ADS_NAME_TYPE_1779, strDNSDomain
strNetBIOSDomain = objTrans.Get(ADS_NAME_TYPE_NT4)
' Remove trailing backslash.
strNetBIOSDomain = Left(strNetBIOSDomain, Len(strNetBIOSDomain) - 1)
' Use the Set method to specify the NT format of group name.
On Error Resume Next
objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & strGroup
If (Err.Number <> 0) Then
On Error GoTo 0
Wscript.Echo "Unable to find group " & strGroup
objFile.Close
Set objFSO = Nothing
Set objFile= Nothing
Set objRootDSE = Nothing
Set objTrans = Nothing
Wscript.Quit(1)
End If
' Use Get method to retrieve group Distinguished Name.
strGroupPath = objTrans.Get(ADS_NAME_TYPE_1779)
' Escape any forward slash characters, "/", with the backslash
' escape character. All other characters that should be escaped are.
strGroupPath = Replace(strGroupPath, "/", "\/")
' Bind to group object.
Set objGroup = GetObject("LDAP://" & strGroupPath)
If (Err.Number <> 0) Then
On Error GoTo 0
Wscript.Echo "Unable to bind to group" & vbCrLf & strGroupPath
objFile.Close
Set objFSO = Nothing
Set objFile= Nothing
Set objRootDSE = Nothing
Set objTrans = Nothing
Wscript.Quit(1)
End If
On Error GoTo 0
' Read names from the text file, bind to the users, and add them to the
' group. intCount is the number of users added to the group.
intCount = 0
Do Until objFile.AtEndOfStream
strUserPath = Trim(objFile.ReadLine)
If (strUserPath <> "") Then
On Error Resume Next
Set objUser = GetObject("LDAP://" & strUserPath)
If (Err.Number <> 0) Then
On Error GoTo 0
Wscript.Echo "User " & strUserPath & " not found"
Else
objGroup.Add(objUser.AdsPath)
If (Err.Number <> 0) Then
On Error GoTo 0
Wscript.Echo "Error adding user " & objUser.sAMAccountName _
& " to group " & strGroup
Else
On Error GoTo 0
intCount = intCount + 1
End If
End If
End If
Loop
Wscript.Echo CStr(intCount) & " members added to group " & strGroup
' Clean up.
objFile.Close
Set objFile = Nothing
Set objFSO = Nothing
Set objGroup = Nothing
Set objUser = Nothing
Set objRootDSE = Nothing
Set objTrans = Nothing
RootDSE is not domain-specific, it will connect to whatever domain you are authenticated against.
Take a look at the VBScript in Recipe 4.9 at the following URL for an example of connecting to the Global Catalog: http://techtasks.com/code/viewbook/2
Hey Laura, I am having the same issue, and would like your opinion. Here's an example script I am trying to use to add a user from my current domain, to a Domain Local group on another domain. I can do this manually via the ADUC console, but cannot get it automated.
'==============
Set objGroup = GetObject("GC://CN=TestOld Dom_Local,OU=TestOU,DC=other,DC=domain,DC=com")
Set objNewUser = GetObject("GC://CN=Test User 8,OU=Users,OU=TestOU,DC=current,DC=domain,DC=com")
objGroup.Add objNewUser.ADsPath
'==============
but it's not working, I've also tried using the NewUser SID and
objGroup.Add "GC://<SID=" & strSidDec & ">"
but it gives me this error:
Error: The server is unwilling to process the request.
Code: 80072035
Source: (null)
Can you help?
Regards,
Rob.
Hi Laura, are you able to shed light on this issue?
Thanks,
Rob.
ASKER
As for the syntax, I've taken your advice and hardcoded the LDAP search query to say:
Line 64: Set objRootDSE = GetObject("GC://dc=nbitqa,
Is this syntax correct? When I next run the script, I receive a "The directory property could not be found in the cache" error.
I've taken a script written by an anonymous source and attempted to tailor it for myself so I'm not certain about the syntax nor am I certain about how well the syntax change will fit into the context of the entire script.
Also, I am attempting to place these Users in a Universal Security Group and not a GG so I'm pretty sure the failure won't be an AD constraint issue.
I hope I'm providing the right feedback!
Thanks,
Matt
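The following is an added example, not the asker's script and not code from any reply on this page. It pulls together the points raised in the thread: the original question of how to pin each bind to a specific domain or DC, the reply that a serverless RootDSE bind follows the logon domain, Rob's "unwilling to process the request" error when writing through GC://, and Matt's "directory property could not be found in the cache" error from binding RootDSE as GC://dc=nbitqa,.... The DC host names dc01.nbitqa.ca and dc02.qahbank.emogc.net and the group/user DNs are assumptions; only the domain names come from the question.

```vbscript
' Added example; not the script from the question or code from any answer here.
' The DC host names and the group/user DNs below are assumptions (placeholders);
' only the domain names nbitqa.ca and qahbank.emogc.net come from the question.
Option Explicit

Dim strGroupDC, strUserDC, strGroupDN, strUserDN
Dim objRootDSE, objGroup, objUser

strGroupDC = "dc01.nbitqa.ca"            ' assumed: a DC in the domain holding the group
strUserDC  = "dc02.qahbank.emogc.net"    ' assumed: a DC in the domain holding the user
strGroupDN = "CN=UniversalGroup,OU=Groups,DC=nbitqa,DC=ca"
strUserDN  = "CN=Some User,OU=Users,DC=qahbank,DC=emogc,DC=net"

' A serverless "LDAP://RootDSE" bind lands on a DC of the logon domain. Naming the
' server pins RootDSE to the domain you want. "GC://dc=nbitqa,dc=ca" instead binds
' to the domain object itself, which has no defaultNamingContext attribute, which is
' why Get("defaultNamingContext") fails with "property could not be found in the cache".
Set objRootDSE = BindOrQuit("LDAP://" & strGroupDC & "/RootDSE")
Wscript.Echo "Group domain naming context: " & objRootDSE.Get("defaultNamingContext")

' GC:// is read-only: it can locate objects forest-wide, but a group bound through
' the GC cannot be modified, so the group is bound via LDAP:// against its own DC.
Set objGroup = BindOrQuit("LDAP://" & strGroupDC & "/" & EscapeDN(strGroupDN))

' Binding the user against a DC of its own domain confirms the DN before the Add.
Set objUser = BindOrQuit("LDAP://" & strUserDC & "/" & EscapeDN(strUserDN))
Wscript.Echo "Resolved user: " & objUser.Get("sAMAccountName")

If IsMemberByDN(objGroup, strUserDN) Then
    Wscript.Echo strUserDN & " is already a member of " & strGroupDN
Else
    ' Universal and domain local groups accept members from other domains in the
    ' forest; global groups do not. The member is passed as a serverless LDAP path
    ' carrying the DN; the group's DC records the cross-domain reference itself.
    On Error Resume Next
    objGroup.Add "LDAP://" & EscapeDN(strUserDN)
    If Err.Number <> 0 Then
        ' Report the HRESULT (e.g. 80072035 = unwilling to perform) so the cause is visible.
        Wscript.Echo "Add failed (0x" & Hex(Err.Number) & "): " & Err.Description
        Wscript.Quit 1
    End If
    On Error GoTo 0
    Wscript.Echo "Added " & strUserDN & " to " & strGroupDN
End If

' Bind and stop with a clear message instead of continuing with a missing object.
Function BindOrQuit(strPath)
    On Error Resume Next
    Set BindOrQuit = GetObject(strPath)
    If Err.Number <> 0 Then
        Wscript.Echo "Bind failed for " & strPath & " (0x" & Hex(Err.Number) & "): " & Err.Description
        Wscript.Quit 1
    End If
    On Error GoTo 0
End Function

' Escape forward slashes, which the LDAP provider would otherwise read as a path separator.
Function EscapeDN(strDN)
    EscapeDN = Replace(strDN, "/", "\/")
End Function

' Compare against the raw "member" DNs rather than enumerating Members, so the check
' does not need to bind to each member object in the other domain.
Function IsMemberByDN(objGrp, strDN)
    Dim arrMembers, strMember
    IsMemberByDN = False
    On Error Resume Next
    arrMembers = objGrp.GetEx("member")   ' raises an error when the group is empty
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0
    For Each strMember In arrMembers
        If LCase(strMember) = LCase(strDN) Then IsMemberByDN = True
    Next
End Function
```

Run it with cscript from an account that has write access to the group's member attribute in the group's domain; the bind errors it prints tell you which of the two servers or DNs is wrong, which is the information the original serverless binds were hiding.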