Eric
asked on
script for SID cleaning
Hi,
The following script is used for cleaning SID history for users in a specific OU. How can I modify the script to do the same job for groups in a specific OU? (You can also find the script as the attached file sid.txt.)
Thanks
Option Explicit
Dim objRootDSE, strDNSDomain
Dim adoConnection, adoCommand, adoRecordset
Dim strOU, strBase, strFilter, strAttributes, strQuery
Dim strUserDN, objUser, arrSidHistory, strSid
Const ADS_PROPERTY_DELETE = 4

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection

' Search specified OU.
strOU = "ou=East"
strBase = "<LDAP://" & strOU & "," & strDNSDomain & ">"

' Filter on all user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sIDHistory"

' Construct the LDAP query.
' Set search scope to "oneLevel", which means child
' containers are not searched.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";oneLevel"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the recordset.
Do Until adoRecordset.EOF
    ' Check if sIDHistory attribute has values.
    If Not IsNull(adoRecordset.Fields("sIDHistory").Value) Then
        ' Bind to user object with Distinguished Name
        ' (forward slashes must be escaped in an ADsPath).
        strUserDN = adoRecordset.Fields("distinguishedName").Value
        strUserDN = Replace(strUserDN, "/", "\/")
        Set objUser = GetObject("LDAP://" & strUserDN)
        ' Retrieve sIDHistory attribute values.
        arrSidHistory = objUser.GetEx("sIDHistory")
        ' Delete sIDHistory, one value at a time.
        For Each strSid In arrSidHistory
            objUser.PutEx ADS_PROPERTY_DELETE, "sIDHistory", Array(strSid)
            objUser.SetInfo
        Next
    End If
    adoRecordset.MoveNext
Loop
adoRecordset.Close
adoConnection.Close
SID.txt
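An added example, not the thread's script or the accepted answer: the same ADO/ADSI approach generalized to users or groups in one OU, with a report-only default that decodes each sIDHistory value to S-1-... text so the removals can be logged before the irreversible delete. The strClass/strOU/blnDelete settings and the OctetToSddl helper are this example's own assumptions.

```vbscript
Option Explicit
Const ADS_PROPERTY_DELETE = 4
Dim strClass, strOU, blnDelete, strFilter, strDN, adoConnection, adoCommand, adoRecordset, objADObject, arrSidHistory, bytSid
strClass  = "group"     ' "user" or "group" (assumed setting)
strOU     = "ou=East"   ' OU searched one level deep (assumed setting)
blnDelete = False       ' set True only after reviewing the report output
' The only query change needed for groups is the filter; (sIDHistory=*) limits results to objects that carry the attribute.
If strClass = "group" Then strFilter = "(objectCategory=group)" Else strFilter = "(&(objectCategory=person)(objectClass=user))"
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection
adoCommand.CommandText = "<LDAP://" & strOU & "," & GetObject("LDAP://RootDSE").Get("defaultNamingContext") & ">;" & _
    "(&" & strFilter & "(sIDHistory=*));distinguishedName;oneLevel"
adoCommand.Properties("Page Size") = 100
Set adoRecordset = adoCommand.Execute
Do Until adoRecordset.EOF
    strDN = adoRecordset.Fields("distinguishedName").Value
    Set objADObject = GetObject("LDAP://" & Replace(strDN, "/", "\/"))
    arrSidHistory = objADObject.GetEx("sIDHistory")
    For Each bytSid In arrSidHistory
        WScript.Echo strDN & vbTab & OctetToSddl(bytSid)   ' audit line, written before any change
        If blnDelete Then
            objADObject.PutEx ADS_PROPERTY_DELETE, "sIDHistory", Array(bytSid)
            objADObject.SetInfo
        End If
    Next
    adoRecordset.MoveNext
Loop
adoRecordset.Close
adoConnection.Close
' Decode a binary SID (revision, sub-authority count, 48-bit big-endian authority, 32-bit little-endian sub-authorities) to S-1-5-... text.
Function OctetToSddl(bytSid)
    Dim i, k, dblValue, strOut
    strOut = "S-" & AscB(MidB(bytSid, 1, 1))
    dblValue = CDbl(0)
    For i = 3 To 8
        dblValue = dblValue * 256 + AscB(MidB(bytSid, i, 1))
    Next
    strOut = strOut & "-" & CStr(dblValue)
    For i = 0 To AscB(MidB(bytSid, 2, 1)) - 1
        dblValue = CDbl(0)
        For k = 3 To 0 Step -1
            dblValue = dblValue * 256 + AscB(MidB(bytSid, 9 + i * 4 + k, 1))
        Next
        strOut = strOut & "-" & CStr(dblValue)
    Next
    OctetToSddl = strOut
End Function
```

Run it with cscript so the audit lines go to the console (and can be redirected to a file) rather than to message boxes; sub-authorities are accumulated as Doubles because they are unsigned 32-bit values that can exceed a VBScript Long.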
ASKER
Thank you very much. The second one, as you said, worked. Here is the screen shot I copied from ADSI Edit. There is no sIDHistory value, which used to be there before running the script.
OU-Sid.doc
ASKER
I did accept this solution. Still seeing it here.
So that's it working? Good!
Feel free to try and accept the solution again, as it looks like it hasn't accepted for some reason.
-Matt
Hi
I've copied and run your script (the original one in the post) to delete the SID history of a specific user, but it's not deleting any SID history. I'm not an expert or familiar with VBScript, so please tell me the exact syntax.
user = TestStaff1 and it's under OU=Users,OU=Testing
CN=TestStaff1,OU=Users,OU=Testing
thanks
Does this script need to be run on a DC, or can it be done from a client?
Hi there,
See if the change I've made below does the trick.
-tigermatt