Solved

Adding a user to an AD group via VBScript using alternate credentials

Posted on 2009-04-03
5
4,114 Views
Last Modified: 2012-05-06
I'm trying to create a vbscript that receives a parameter of samaccountname then have alternate credentials within the vbscript add that user to a group in Active Directory.  We run the script like this:

scriptname.vbs samaccountname

and it pulls in the info correctly, but I can't figure out the code to do the "add user to group" part under the alternate credentials i specified in the script.   The current code adds the user to the group with the credentials of the person running the script.  i tried

objUser2.add (objGroup.Add("LDAP://"& strUserDN)) but that didn't work either :(  all the examples I have found online have things like

objUser2.setPassword

but nothing like I want to do

' Constants for the NameTranslate object. 
Const ADS_NAME_INITTYPE_GC = 3 
Const ADS_NAME_TYPE_NT4 = 3 
Const ADS_NAME_TYPE_1779 = 1 
Set args = WScript.Arguments 
arg1 = args.Item(0) 
 
' Specify the NetBIOS name of the domain and the NT name of the user. 
strNTName = "domain\" & arg1 
 
Set objTrans = CreateObject("NameTranslate") 
' Initialize NameTranslate by locating the Global Catalog. 
objTrans.Init ADS_NAME_INITTYPE_GC, "" 
' Use the Set method to specify the NT format of the object name. 
objTrans.Set ADS_NAME_TYPE_NT4, strNTName 
' Use the Get method to retrieve the RPC 1779 Distinguished Name. 
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779) 
 
' Escape any "/" characters with backslash escape character. 
' All other characters that need to be escaped will be escaped. 
strUserDN = Replace(strUserDN, "/", "\/") 
 
' Bind to the user object in Active Directory with the LDAP provider. 
Set objUser = GetObject("LDAP://" & strUserDN) 
strGroupDN = "CN=groupname,OU=ou1,OU=ou2,OU=ou3,OU=ou4,DC=domain,DC=net" 
Const ADS_SECURE_AUTHENTICATION = 1 
 
strUserDN2 = "domain\serviceaccount" 
strPassword2 = "serviceaccountpassword" 
 
Set objDSO = GetObject("LDAP:") 
Set objUser2 = objDSO.OpenDSObject("LDAP://DC=domain,DC=net", strUserDN2, strPassword2, ADS_SECURE_AUTHENTICATION) 
 
'in case user is already in group 
On Error Resume Next 
 
Set objGroup = GetObject("LDAP://"& strGroupDN) 
objGroup.Add("LDAP://"& strUserDN)

Open in new window

0
Comment
Question by:Joemonkey
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 27

Expert Comment

by:bluntTony
ID: 24059542
You need to connect to the group object using the credentials also. At the moment, you're using GetObject, which will use the current session credentials.
MemberOf (user attribute) and member (group attribute) are linked attributes. The primary attribute is member (the group attribute), meaning that you change this attribute, not memberof. memberof will follow suit. Therefore you need to connect to the group object using OpenDSObject, as this is the object you are editing.
Instead of
Set objGroup = GetObject("LDAP://" & strGroupDN)
Use...
Set objGroup =  objDSO.OpenDSObject("LDAP://DC=domain,DC=net", strUserDN2, strPassword2, ADS_SECURE_AUTHENTICATION)
From looking at your code, I don't think you even need to connect to the user object as you're not editing it.
Please let me know if I have misunderstood.
0
 
LVL 1

Author Comment

by:Joemonkey
ID: 24059895
That makes sense, but now when I attempt the

objGroup.Add("LDAP://"& strUserDN)

I get the error that Object does not support this property or method "objGroup.Add"
0
 
LVL 1

Author Comment

by:Joemonkey
ID: 24059944
I hit Submit too soon, is there no way to edit a comment?  anyway...

Using Set objGroup =  objDSO.OpenDSObject("LDAP://DC=domain,DC=net", strUserDN2, strPassword2, ADS_SECURE_AUTHENTICATION)

how do i get the script the user and group AD information after binding this way?
0
 
LVL 27

Accepted Solution

by:
bluntTony earned 500 total points
ID: 24060925
Looking closer, the DN of the object isn't complete in your command.
You need to use the full DN of the group you want to connect to in OpenDSObject, e.g.
Set objGroup =  objDSO.OpenDSObject("LDAP://CN=MyGroup,OU=Groups,DC=domain,DC=net", strUserDN2, strPassword2, ADS_SECURE_AUTHENTICATION)
Then use the add method for objGroup to add the user. If it's objUser you want to add, use:
objGroup.Add(objUser.ADsPath)
Remember that if you want to use alternate credentials throughout the script, use OpenDSObject instead of all the GetObject commands.
 
0
 
LVL 1

Author Closing Comment

by:Joemonkey
ID: 31566217
Thanks!  I usually only use VBScript for installing things via SMS, querying AD isn't usually something I script.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
With User Account Control (UAC) enabled in Windows 7, one needs to open an elevated Command Prompt in order to run scripts under administrative privileges. Although the elevated Command Prompt accomplishes the task, the question How to run as script…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question