
script for SID cleaning

Hi,

The following script is used for cleaning SID history for users in a specific OU. How can I modify the script to do the same job for groups in a specific OU? (You can also find the script as the attached file sid.txt.)

Thanks

Option Explicit

Dim objRootDSE, strDNSDomain
Dim adoConnection, adoCommand, adoRecordset
Dim strOU, strBase, strFilter, strAttributes, strQuery
Dim strUserDN, objUser, arrSidHistory, strSid

Const ADS_PROPERTY_DELETE = 4

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"

Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection

' Search specified OU.
strOU = "ou=East"
strBase = "<LDAP://" & strOU & "," & strDNSDomain & ">"

' Filter on all user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sIDHistory"

' Construct the LDAP query.
' Set search scope to "oneLevel", which means child
' containers are not searched.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";oneLevel"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the recordset.
Do Until adoRecordset.EOF
    ' Check if sIDHistory attribute has values.
    If Not IsNull(adoRecordset.Fields("sIDHistory").Value) Then
        ' Bind to user object with Distinguished Name.
        strUserDN = adoRecordset.Fields("distinguishedName").Value
        ' Escape forward slashes, which are path separators in an ADsPath.
        strUserDN = Replace(strUserDN, "/", "\/")
        Set objUser = GetObject("LDAP://" & strUserDN)
        ' Retrieve sIDHistory attribute values.
        arrSidHistory = objUser.GetEx("sIDHistory")
        ' Delete each sIDHistory value individually.
        For Each strSid In arrSidHistory
            objUser.PutEx ADS_PROPERTY_DELETE, "sIDHistory", Array(strSid)
            objUser.SetInfo
        Next
    End If
    adoRecordset.MoveNext
Loop
adoRecordset.Close
adoConnection.Close

Attachment: SID.txt

Asked by toronto2456

1 Solution

tigermatt Commented:

Hi there,

See if the change I've made below does the trick.

-tigermatt
Option Explicit

Dim objRootDSE, strDNSDomain
Dim adoConnection, adoCommand, adoRecordset
Dim strOU, strBase, strFilter, strAttributes, strQuery
Dim strUserDN, objUser, arrSidHistory, strSid

Const ADS_PROPERTY_DELETE = 4

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"

Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection

' Search specified OU.
strOU = "ou=East"
strBase = "<LDAP://" & strOU & "," & strDNSDomain & ">"

' Filter intended for group objects. Note: groups have objectCategory=group,
' so combining objectCategory=person with objectClass=group matches nothing;
' this is corrected in the next post.
strFilter = "(&(objectCategory=person)(objectClass=group))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sIDHistory"

' Construct the LDAP query.
' Set search scope to "oneLevel", which means child
' containers are not searched.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";oneLevel"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the recordset.
Do Until adoRecordset.EOF
    ' Check if sIDHistory attribute has values.
    If Not IsNull(adoRecordset.Fields("sIDHistory").Value) Then
        ' Bind to the object with its Distinguished Name.
        strUserDN = adoRecordset.Fields("distinguishedName").Value
        ' Escape forward slashes, which are path separators in an ADsPath.
        strUserDN = Replace(strUserDN, "/", "\/")
        Set objUser = GetObject("LDAP://" & strUserDN)
        ' Retrieve sIDHistory attribute values.
        arrSidHistory = objUser.GetEx("sIDHistory")
        ' Delete each sIDHistory value individually.
        For Each strSid In arrSidHistory
            objUser.PutEx ADS_PROPERTY_DELETE, "sIDHistory", Array(strSid)
            objUser.SetInfo
        Next
    End If
    adoRecordset.MoveNext
Loop
adoRecordset.Close
adoConnection.Close

tigermatt Commented:

Sorry, please use the one below instead.

-tigermatt
Option Explicit

Dim objRootDSE, strDNSDomain
Dim adoConnection, adoCommand, adoRecordset
Dim strOU, strBase, strFilter, strAttributes, strQuery
Dim strUserDN, objUser, arrSidHistory, strSid

Const ADS_PROPERTY_DELETE = 4

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"

Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection

' Search specified OU.
strOU = "ou=East"
strBase = "<LDAP://" & strOU & "," & strDNSDomain & ">"

' Filter on all group objects.
strFilter = "(objectClass=group)"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sIDHistory"

' Construct the LDAP query.
' Set search scope to "oneLevel", which means child
' containers are not searched.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";oneLevel"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the recordset.
Do Until adoRecordset.EOF
    ' Check if sIDHistory attribute has values.
    If Not IsNull(adoRecordset.Fields("sIDHistory").Value) Then
        ' Bind to group object with Distinguished Name.
        strUserDN = adoRecordset.Fields("distinguishedName").Value
        ' Escape forward slashes, which are path separators in an ADsPath.
        strUserDN = Replace(strUserDN, "/", "\/")
        Set objUser = GetObject("LDAP://" & strUserDN)
        ' Retrieve sIDHistory attribute values.
        arrSidHistory = objUser.GetEx("sIDHistory")
        ' Delete each sIDHistory value individually.
        For Each strSid In arrSidHistory
            objUser.PutEx ADS_PROPERTY_DELETE, "sIDHistory", Array(strSid)
            objUser.SetInfo
        Next
    End If
    adoRecordset.MoveNext
Loop
adoRecordset.Close
adoConnection.Close
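
As an added example that is not part of this thread, the same one-level OU search and per-value sIDHistory delete written in PowerShell with the RSAT ActiveDirectory module, covering both the user filter from the question and the group filter from the accepted answer; it reports the values it finds and deletes only when -Remove is given. The OU path is a placeholder, and, as with the VBScript's oneLevel scope, the search base must be the OU that directly contains the objects.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module and an
# account allowed to write sIDHistory on the targets. The OU below is a placeholder.
param(
    [string]$SearchBase = "OU=East,DC=example,DC=com",      # placeholder, replace with your OU
    [ValidateSet("user", "group")][string]$ObjectClass = "group",
    [switch]$Remove                                         # omit to only report; nothing changes
)
Import-Module ActiveDirectory

# The two filters the thread arrives at: users need objectCategory=person, while
# groups have objectCategory=group, so objectClass=group alone is the right test.
$filter = if ($ObjectClass -eq "user") {
    "(&(objectCategory=person)(objectClass=user))"
} else {
    "(objectClass=group)"
}

# OneLevel matches the VBScript: only direct children of $SearchBase are examined.
$objects = Get-ADObject -SearchBase $SearchBase -SearchScope OneLevel `
    -LDAPFilter $filter -Properties sIDHistory |
    Where-Object { $_.sIDHistory.Count -gt 0 }

foreach ($obj in $objects) {
    foreach ($sid in $obj.sIDHistory) {
        # Record each value before deleting it: the old SID is the only link back to
        # the source-domain account and is needed to explain any access that breaks.
        "{0}`t{1}`t{2}" -f $obj.DistinguishedName, $obj.ObjectClass, $sid.Value
        if ($Remove) {
            # -Remove drops one value from the multi-valued attribute,
            # the equivalent of PutEx ADS_PROPERTY_DELETE in the VBScript.
            Set-ADObject -Identity $obj.DistinguishedName -Remove @{ sIDHistory = $sid }
        }
    }
}
```

Run it once without -Remove and keep the report, then rerun with -Remove and confirm in ADSI Edit that the attribute is empty, as the author did.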

toronto2456 (Author) Commented:
Thank you very much. The second one, as you said, worked. Here is the screen shot I copied from ADSI Edit. There is no sIDHistory value, which used to be there before running the script.
Attachment: OU-Sid.doc
toronto2456 (Author) Commented:
I did accept this solution. Still seeing it here.
tigermatt Commented:

So that's it working? Good!

Feel free to try and accept the solution again, as it looks like it hasn't accepted for some reason.

-Matt
talk23123 Commented:
Hi

I've copied and run your script (the original one in the post) to delete the SID history of a specific user, but it's not deleting any SID history. I'm not an expert or familiar with VB scripts, so please tell me the exact syntax.

user = TestStaff1, and it's under OU=Users,OU=Testing

CN=TestStaff1,OU=Users,OU=Testing

thanks
quickslvr Commented:
Does this script need to be run on a DC, or can it be done from a client?