script for SID cleaning

Hi,

The following script is used for clearing the sIDHistory attribute of user accounts in a specific OU. How can I modify the script to do the same job for groups in a specific OU? (You can also find the script as the attached file sid.txt.)

Thanks

 Option Explicit

Dim objRootDSE, strDNSDomain
Dim adoConnection, adoCommand, adoRecordset
Dim strOU, strBase, strFilter, strAttributes, strQuery
Dim strUserDN, objUser, arrSidHistory, strSid

Const ADS_PROPERTY_DELETE = 4

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"

Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection

' Search specified OU.
strOU = "ou=East"
strBase = "<LDAP://" & strOU & "," & strDNSDomain & ">"

' Filter on all user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sIDHistory"

' Construct the LDAP query.
' Set search scope to "oneLevel", which means child
' containers are not searched.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";oneLevel"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the recordset.
Do Until adoRecordset.EOF
' Check if sIDHistory attribute has values.
If Not IsNull(adoRecordset.Fields("sIDHistory").Value) Then
' Bind to user object with Distinguished Name
strUserDN = adoRecordset.Fields("distinguishedName").Value
strUserDN = Replace(strUserDN, "/", "\/")
Set objUser = GetObject("LDAP://" & strUserDN)
' Retrieve sIDHistory attribute values.
arrSidHistory = objUser.GetEx("sIDHistory")
' Delete sIDHistory.
For Each strSid In arrSidHistory
objUser.PutEx ADS_PROPERTY_DELETE, "sIDHistory", array(strSid)
objUser.SetInfo
Next
End If
adoRecordset.MoveNext
Loop
adoRecordset.Close
adoConnection.Close

SID.txt
toronto2456Asked:
tigermatt Commented (accepted solution):

Sorry, please use the one below instead: the filter is just (objectClass=group), since group objects are not objectCategory=person and the earlier filter would match nothing.

-tigermatt
Option Explicit

' Strip all sIDHistory values from the group objects directly under one OU.
'
' Caution: sIDHistory is what keeps a migrated group matching ACLs that still
' name its old SID, and the values cannot be put back with ordinary LDAP
' writes. Make sure resources have been re-ACLed to the new SID before running
' this, and run it with an account that is allowed to write sIDHistory.
' Scope is oneLevel, so groups in child OUs are not touched.

Dim objRootDSE, strDNSDomain
Dim adoConnection, adoCommand, adoRecordset
Dim strOU, strBase, strFilter, strAttributes, strQuery
Dim strGroupDN, objGroup, arrHistory, varSid

Const ADS_PROPERTY_DELETE = 4

' Domain DN from RootDSE (e.g. DC=corp,DC=example).
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' ADO connection through the ADSI OLE DB provider.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"

Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection

' Match group objects; fetch only the DN and the attribute being cleared.
strFilter = "(objectClass=group)"
strAttributes = "distinguishedName,sIDHistory"

' Search base: the OU's relative DN prefixed to the domain DN.
strOU = "ou=East"
strBase = "<LDAP://" & strOU & "," & strDNSDomain & ">"

' LDAP-dialect command text: base;filter;attributes;scope.
' "oneLevel" excludes child containers from the search.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";oneLevel"
adoCommand.CommandText = strQuery

' Paged search so large OUs are returned in full.
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

Do While Not adoRecordset.EOF
    If IsNull(adoRecordset.Fields("sIDHistory").Value) Then
        ' Nothing to strip on this group.
    Else
        ' Bind by DN; a "/" in a DN has to be escaped in the ADsPath.
        strGroupDN = Replace(adoRecordset.Fields("distinguishedName").Value, "/", "\/")
        Set objGroup = GetObject("LDAP://" & strGroupDN)
        ' Read the multi-valued attribute and delete it value by value,
        ' committing after each removal.
        arrHistory = objGroup.GetEx("sIDHistory")
        For Each varSid In arrHistory
            objGroup.PutEx ADS_PROPERTY_DELETE, "sIDHistory", Array(varSid)
            objGroup.SetInfo
        Next
    End If
    adoRecordset.MoveNext
Loop

adoRecordset.Close
adoConnection.Close


 
tigermattCommented:

Hi there,

See if the change I've made below does the trick.

-tigermatt
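Option Explicit

' Remove every sIDHistory value from the group objects directly under one OU.
'
' Operator notes:
' * sIDHistory keeps a migrated group matching ACLs that still name its old
'   SID; deleting it is a permissions change and cannot be undone with plain
'   LDAP writes. Re-ACL resources to the new SID first.
' * Each group that is modified is echoed to standard output; run under
'   cscript.exe and redirect the output to keep a record.
' * Writing sIDHistory needs a highly privileged account; a permission
'   failure raises an error at SetInfo rather than being skipped.
' * Search scope is oneLevel: groups in child OUs are left untouched.

Dim objRootDSE, strDNSDomain
Dim adoConnection, adoCommand, adoRecordset
Dim strOU, strBase, strFilter, strAttributes, strQuery
Dim strGroupDN, objGroup, arrSidHistory, strSid

Const ADS_PROPERTY_DELETE = 4

' Determine the domain's default naming context (e.g. DC=corp,DC=example).
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO with the ADSI OLE DB provider to search Active Directory.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"

Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection

' OU to process; its relative DN is prefixed to the domain DN.
strOU = "ou=East"
strBase = "<LDAP://" & strOU & "," & strDNSDomain & ">"

' Filter on group objects. Groups are objectCategory=group, not person, so
' combining (objectCategory=person) with (objectClass=group) matches nothing
' and the script would silently do no work.
strFilter = "(&(objectCategory=group)(objectClass=group))"

' Comma-delimited list of attributes to retrieve.
strAttributes = "distinguishedName,sIDHistory"

' LDAP-dialect query: base;filter;attributes;scope.
' Scope "oneLevel" means child containers are not searched.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";oneLevel"

' Run the query. Paging keeps OUs with more than 1000 objects working.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the recordset.
Do Until adoRecordset.EOF
    ' Only touch groups that actually carry sIDHistory values.
    If Not IsNull(adoRecordset.Fields("sIDHistory").Value) Then
        ' Bind to the group object by distinguished name. A "/" inside a DN
        ' must be escaped in the ADsPath or the bind fails.
        strGroupDN = adoRecordset.Fields("distinguishedName").Value
        strGroupDN = Replace(strGroupDN, "/", "\/")
        Set objGroup = GetObject("LDAP://" & strGroupDN)
        ' Retrieve the current multi-valued sIDHistory.
        arrSidHistory = objGroup.GetEx("sIDHistory")
        WScript.Echo "Removing " & (UBound(arrSidHistory) + 1) & " sIDHistory value(s) from " & strGroupDN
        ' Delete one value at a time, committing after each removal.
        For Each strSid In arrSidHistory
            objGroup.PutEx ADS_PROPERTY_DELETE, "sIDHistory", Array(strSid)
            objGroup.SetInfo
        Next
    End If
    adoRecordset.MoveNext
Loop
adoRecordset.Close
adoConnection.Close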


 
toronto2456Author Commented:
Thank you very much. The second one worked, as you said. Here is the screenshot I copied from ADSI Edit: there is no sIDHistory value, which used to be there before running the script.
OU-Sid.doc
 
toronto2456Author Commented:
I did accept this solution, but it still shows as unaccepted here.
 
tigermattCommented:

So that's it working? Good!

Feel free to try and accept the solution again, as it looks like it hasn't accepted for some reason.

-Matt
 
talk23123Commented:
Hi

I've copied and run your script (the original one in the post) to delete the sIDHistory of a specific user, but it is not deleting any sIDHistory values. I'm not an expert or familiar with VBScript, so please tell me the exact syntax.

user = TestStaff1  and it's under OU=Users,OU=Testing

CN=TestStaff1,OU=Users,OU=Testing

thanks
 
quickslvrCommented:
Does this script need to be run on a DC, or can it be run from a client?