script for SID cleaning

Eric (Canada) asked:

Hi,

The following script is used for cleaning SID history for users in a specific OU. How can I modify the script to do the same job for groups in a specific OU? (You can also find the script in the attached file sid.txt.)

Thanks

Option Explicit

Dim objRootDSE, strDNSDomain
Dim adoConnection, adoCommand, adoRecordset
Dim strOU, strBase, strFilter, strAttributes, strQuery
Dim strUserDN, objUser, arrSidHistory, strSid

Const ADS_PROPERTY_DELETE = 4

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"

Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection

' Search specified OU.
strOU = "ou=East"
strBase = "<LDAP://" & strOU & "," & strDNSDomain & ">"

' Filter on all user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sIDHistory"

' Construct the LDAP query.
' Set search scope to "oneLevel", which means child
' containers are not searched.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";oneLevel"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the recordset.
Do Until adoRecordset.EOF
    ' Check if sIDHistory attribute has values.
    If Not IsNull(adoRecordset.Fields("sIDHistory").Value) Then
        ' Bind to user object with Distinguished Name.
        strUserDN = adoRecordset.Fields("distinguishedName").Value
        strUserDN = Replace(strUserDN, "/", "\/")
        Set objUser = GetObject("LDAP://" & strUserDN)
        ' Retrieve sIDHistory attribute values.
        arrSidHistory = objUser.GetEx("sIDHistory")
        ' Delete each sIDHistory value.
        For Each strSid In arrSidHistory
            objUser.PutEx ADS_PROPERTY_DELETE, "sIDHistory", array(strSid)
            objUser.SetInfo
        Next
    End If
    adoRecordset.MoveNext
Loop
adoRecordset.Close
adoConnection.Close

Attachment: SID.txt

tigermatt (United Kingdom) replied:


Hi there,

See if the change I've made below does the trick.

-tigermatt
Option Explicit
 
Dim objRootDSE, strDNSDomain
Dim adoConnection, adoCommand, adoRecordset
Dim strOU, strBase, strFilter, strAttributes, strQuery
Dim strUserDN, objUser, arrSidHistory, strSid
 
Const ADS_PROPERTY_DELETE = 4
 
' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
 
' Use ADO to search Active Directory.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
 
Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection
 
' Search specified OU.
strOU = "ou=East"
strBase = "<LDAP://" & strOU & "," & strDNSDomain & ">"
 
' Filter on all group objects. Group objects do not have
' objectCategory=person, so the user filter must not be reused here.
strFilter = "(objectCategory=group)"
 
' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sIDHistory"
 
' Construct the LDAP query.
' Set search scope to "oneLevel", which means child
' containers are not searched.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";oneLevel"
 
' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute
 
' Enumerate the recordset.
Do Until adoRecordset.EOF
    ' Check if sIDHistory attribute has values.
    If Not IsNull(adoRecordset.Fields("sIDHistory").Value) Then
        ' Bind to group object with Distinguished Name.
        strUserDN = adoRecordset.Fields("distinguishedName").Value
        strUserDN = Replace(strUserDN, "/", "\/")
        Set objUser = GetObject("LDAP://" & strUserDN)
        ' Retrieve sIDHistory attribute values.
        arrSidHistory = objUser.GetEx("sIDHistory")
        ' Delete each sIDHistory value.
        For Each strSid In arrSidHistory
            objUser.PutEx ADS_PROPERTY_DELETE, "sIDHistory", array(strSid)
            objUser.SetInfo
        Next
    End If
    adoRecordset.MoveNext
Loop
adoRecordset.Close
adoConnection.Close


ASKER CERTIFIED SOLUTION by tigermatt (United Kingdom): available to Experts Exchange members only.
Eric (asker) replied:

Thank you very much. The second one, as you said, worked. Here is the screenshot I copied from ADSI Edit. There is no sIDHistory value, which used to be there before running the script.

Attachment: OU-Sid.doc
Eric (asker) replied:

I did accept this solution. Still seeing it here.

So that's it working? Good!

Feel free to try and accept the solution again, as it looks like it hasn't accepted for some reason.

-Matt
Hi

I've copied and run your script (the original one in the post) to delete the SID history of a specific user, but it's not deleting any SID history. I'm not an expert or familiar with VB Scripts, so please tell me the exact syntax.

user = TestStaff1  and it's under OU=Users,OU=Testing

CN=TestStaff1,OU=Users,OU=Testing

thanks
Does this script need to be run on a DC, or can it be done from a client?
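The same job in PowerShell, as an added example that is not tigermatt's script or the original VBScript in this thread. It covers both the group variant the question asks for (search one OU, one level deep, like the original) and the later follow-ups: one object by distinguished name, and running from a workstation rather than a DC. It assumes the ActiveDirectory module from RSAT, an account with write access to sIDHistory on the targets, and that the DC=example,DC=com suffix in the usage examples is a placeholder for your domain. Because removing sIDHistory drops any access that resources still grant to the old SID, run it with -WhatIf first and keep the CSV it writes so those ACLs can be found and repaired.

```powershell
<#
.SYNOPSIS
  Remove every sIDHistory value from users or groups under one OU, or from a
  single object. Added example for this thread; not the original VBScript.
  Needs the ActiveDirectory module (RSAT). It runs from any domain-joined
  machine that can reach a DC; it does not have to run on the DC itself.
.EXAMPLE
  .\Clear-SidHistory.ps1 -SearchBase 'OU=East,DC=example,DC=com' -ObjectClass group -WhatIf
.EXAMPLE
  .\Clear-SidHistory.ps1 -Identity 'CN=TestStaff1,OU=Users,OU=Testing,DC=example,DC=com'
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # OU to search. The DC=example,DC=com suffix in the examples is assumed.
    [string]$SearchBase,

    # Which object type to clean when searching an OU.
    [ValidateSet('user', 'group')]
    [string]$ObjectClass = 'group',

    # Alternative to -SearchBase: one object by distinguished name or GUID.
    [string]$Identity,

    # OneLevel matches the original script; Subtree descends into child OUs.
    [ValidateSet('Base', 'OneLevel', 'Subtree')]
    [string]$SearchScope = 'OneLevel',

    # CSV record of every SID removed, so ACLs that still reference an old SID
    # can be located and repaired afterwards.
    [string]$LogPath = (Join-Path $env:TEMP 'sidhistory-removed.csv')
)

Import-Module ActiveDirectory -ErrorAction Stop

if (-not $Identity -and -not $SearchBase) {
    throw 'Specify either -SearchBase (with -ObjectClass) or -Identity.'
}

# Find only objects that actually carry sIDHistory. objectCategory=person keeps
# computer accounts (which also have objectClass=user) out of the user case,
# and objectCategory=group is the correct filter for groups.
if ($Identity) {
    $targets = @(Get-ADObject -Identity $Identity -Properties sIDHistory)
} else {
    $ldapFilter = switch ($ObjectClass) {
        'user'  { '(&(objectCategory=person)(objectClass=user)(sIDHistory=*))' }
        'group' { '(&(objectCategory=group)(sIDHistory=*))' }
    }
    $targets = @(Get-ADObject -SearchBase $SearchBase -SearchScope $SearchScope `
                              -LDAPFilter $ldapFilter -Properties sIDHistory)
}

Write-Verbose ("{0} object(s) with sIDHistory found" -f $targets.Count)

$removed = foreach ($obj in $targets) {
    # sIDHistory is multi-valued; each entry is a SecurityIdentifier.
    foreach ($sid in @($obj.sIDHistory | Where-Object { $_ })) {
        if (-not $PSCmdlet.ShouldProcess($obj.DistinguishedName, "Remove sIDHistory $($sid.Value)")) {
            continue
        }
        try {
            # Remove one value at a time so a failure leaves the rest intact
            # and every successful removal is logged individually.
            Set-ADObject -Identity $obj -Remove @{ sIDHistory = $sid.Value } -ErrorAction Stop
            [pscustomobject]@{
                DistinguishedName = $obj.DistinguishedName
                ObjectClass       = $obj.ObjectClass
                RemovedSid        = $sid.Value
                RemovedAt         = (Get-Date).ToString('o')
            }
        } catch {
            Write-Warning ("{0}: could not remove {1}: {2}" -f $obj.DistinguishedName, $sid.Value, $_.Exception.Message)
        }
    }
}

if ($removed) {
    $removed | Export-Csv -Path $LogPath -NoTypeInformation -Append
    Write-Host ("Removed {0} sIDHistory value(s); log: {1}" -f @($removed).Count, $LogPath)
} else {
    Write-Host 'Nothing removed.'
}
```

Run it from any domain-joined client with RSAT installed; the ActiveDirectory cmdlets talk to a DC over the network, so nothing has to execute on the DC. Add -Verbose to see how many objects matched, and -WhatIf to list every SID that would be removed without touching the directory.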