script for SID cleaning

Hi,

The following script is used for cleaning SID history for users in a specific OU. How can I modify the script to do the same job for groups in a specific OU? (You can also find the script as the attached file sid.txt.)

Thanks

Option Explicit

Dim objRootDSE, strDNSDomain
Dim adoConnection, adoCommand, adoRecordset
Dim strOU, strBase, strFilter, strAttributes, strQuery
Dim strUserDN, objUser, arrSidHistory, strSid

Const ADS_PROPERTY_DELETE = 4

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"

Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection

' Search specified OU.
strOU = "ou=East"
strBase = "<LDAP://" & strOU & "," & strDNSDomain & ">"

' Filter on all user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sIDHistory"

' Construct the LDAP query.
' Set search scope to "oneLevel", which means child
' containers are not searched.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";oneLevel"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the recordset.
Do Until adoRecordset.EOF
    ' Check if sIDHistory attribute has values.
    If Not IsNull(adoRecordset.Fields("sIDHistory").Value) Then
        ' Bind to user object with Distinguished Name.
        strUserDN = adoRecordset.Fields("distinguishedName").Value
        strUserDN = Replace(strUserDN, "/", "\/")
        Set objUser = GetObject("LDAP://" & strUserDN)
        ' Retrieve sIDHistory attribute values.
        arrSidHistory = objUser.GetEx("sIDHistory")
        ' Delete sIDHistory values one at a time.
        For Each strSid In arrSidHistory
            objUser.PutEx ADS_PROPERTY_DELETE, "sIDHistory", array(strSid)
            objUser.SetInfo
        Next
    End If
    adoRecordset.MoveNext
Loop
adoRecordset.Close
adoConnection.Close

toronto2456Asked:
tigermattCommented:

Hi there,

See if the change I've made below does the trick.

-tigermatt

Option Explicit

Dim objRootDSE, strDNSDomain
Dim adoConnection, adoCommand, adoRecordset
Dim strOU, strBase, strFilter, strAttributes, strQuery
Dim strUserDN, objUser, arrSidHistory, strSid

Const ADS_PROPERTY_DELETE = 4

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"

Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection

' Search specified OU.
strOU = "ou=East"
strBase = "<LDAP://" & strOU & "," & strDNSDomain & ">"

' Filter on all user objects.
strFilter = "(&(objectCategory=person)(objectClass=group))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sIDHistory"

' Construct the LDAP query.
' Set search scope to "oneLevel", which means child
' containers are not searched.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";oneLevel"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the recordset.
Do Until adoRecordset.EOF
    ' Check if sIDHistory attribute has values.
    If Not IsNull(adoRecordset.Fields("sIDHistory").Value) Then
        ' Bind to user object with Distinguished Name.
        strUserDN = adoRecordset.Fields("distinguishedName").Value
        strUserDN = Replace(strUserDN, "/", "\/")
        Set objUser = GetObject("LDAP://" & strUserDN)
        ' Retrieve sIDHistory attribute values.
        arrSidHistory = objUser.GetEx("sIDHistory")
        ' Delete sIDHistory.
        For Each strSid In arrSidHistory
            objUser.PutEx ADS_PROPERTY_DELETE, "sIDHistory", array(strSid)
            objUser.SetInfo
        Next
    End If
    adoRecordset.MoveNext
Loop
adoRecordset.Close
adoConnection.Close

tigermattCommented:

Sorry, please use the one below instead.

-tigermatt

Option Explicit

Dim objRootDSE, strDNSDomain
Dim adoConnection, adoCommand, adoRecordset
Dim strOU, strBase, strFilter, strAttributes, strQuery
Dim strUserDN, objUser, arrSidHistory, strSid

Const ADS_PROPERTY_DELETE = 4

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"

Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection

' Search specified OU.
strOU = "ou=East"
strBase = "<LDAP://" & strOU & "," & strDNSDomain & ">"

' Filter on all group objects.
strFilter = "(objectClass=group)"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sIDHistory"

' Construct the LDAP query.
' Set search scope to "oneLevel", which means child
' containers are not searched.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";oneLevel"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the recordset.
Do Until adoRecordset.EOF
    ' Check if sIDHistory attribute has values.
    If Not IsNull(adoRecordset.Fields("sIDHistory").Value) Then
        ' Bind to group object with Distinguished Name.
        strUserDN = adoRecordset.Fields("distinguishedName").Value
        strUserDN = Replace(strUserDN, "/", "\/")
        Set objUser = GetObject("LDAP://" & strUserDN)
        ' Retrieve sIDHistory attribute values.
        arrSidHistory = objUser.GetEx("sIDHistory")
        ' Delete sIDHistory values one at a time.
        For Each strSid In arrSidHistory
            objUser.PutEx ADS_PROPERTY_DELETE, "sIDHistory", array(strSid)
            objUser.SetInfo
        Next
    End If
    adoRecordset.MoveNext
Loop
adoRecordset.Close
adoConnection.Close

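As an added example, not part of tigermatt's script or the original post: the same one-level OU walk over groups written in PowerShell with the ActiveDirectory RSAT module, which logs each sIDHistory value before removing it and honours -WhatIf so the run can be audited first. The OU name OU=East is taken from the post; the module and the Set-ADGroup -Remove call are assumptions about the environment, not something the thread confirms.

```powershell
# Added example (not from the original post): report and optionally clear
# sIDHistory on groups directly under one OU, mirroring the corrected VBScript.
# Assumes the ActiveDirectory RSAT module; "OU=East" is the OU used in the post.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OuRdn = 'OU=East'
)

Import-Module ActiveDirectory

# Same search base as the VBScript: the OU relative to the default naming context.
$domainDn   = (Get-ADRootDSE).defaultNamingContext
$searchBase = "$OuRdn,$domainDn"

# OneLevel scope, as in the script: child OUs are not searched.
$groups = Get-ADGroup -SearchBase $searchBase -SearchScope OneLevel `
                      -Filter * -Properties sIDHistory |
          Where-Object { $_.sIDHistory.Count -gt 0 }

foreach ($group in $groups) {
    foreach ($sid in $group.sIDHistory) {
        # Record what is about to be removed so the change leaves an audit trail.
        Write-Output ('{0} sIDHistory={1}' -f $group.DistinguishedName, $sid.Value)

        # -WhatIf reports here without writing; otherwise remove this single value,
        # matching the per-value PutEx/SetInfo loop in the VBScript.
        if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Remove sIDHistory $($sid.Value)")) {
            Set-ADGroup -Identity $group -Remove @{ sIDHistory = $sid.Value }
        }
    }
}
```

Run it once with -WhatIf to get the list of affected groups and values, then without it to perform the removal.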

toronto2456Author Commented:
Thank you very much. The second one, as you said, worked. Here is the screen shot I copied from ADSI Edit. There is no sIDHistory value, which used to be there before running the script.
toronto2456Author Commented:
I did accept this solution. Still seeing it here.
tigermattCommented:

So that's it working? Good!

Feel free to try and accept the solution again, as it looks like it hasn't accepted for some reason.

-Matt
talk23123Commented:
Hi

I've copied and run your script (the original one in the post) to delete the SID history of a specific user, but it's not deleting any SID history. I'm not an expert or familiar with VB Scripts, so please tell me the exact syntax.

user = TestStaff1, and it's under OU=Users,OU=Testing

CN=TestStaff1,OU=Users,OU=Testing

Thanks
quickslvrCommented:
Does this script need to be run on a DC, or can it be done from a client?