
Script to add 1 user to all Distribution/Security groups that are mail-enabled in the Managed tab.

Hi,

Script to add 1 user to all Distribution/Security groups that are mail-enabled in the Managed tab.
I want one user to be able to change the group membership from Outlook, so I need to add that user and check the box labelled "Manager can update membership list".

Can anyone help with this addition.

Regards
Sharath

Meir RivkinFull stack Software Engineer

Commented:
to check/uncheck "Manager can update membership list" option for user/group or all groups under specific OU, use the following script:
http://www.codeproject.com/KB/vbscript/MngChkBox.aspx
Meir RivkinFull stack Software Engineer

Commented:
it seems that MailEnable property only works for Exchange 2003 because of CDOEXM. For 2007 it's generally better to use the PowerShell CmdLets provided with Exchange 2007, in part because they're much easier to work with and in part because they'll be properly supported for this kind of automation.
Meir RivkinFull stack Software Engineer

Commented:

Author

Commented:
Thanks
But for each group I want a different manager to be set...
I will have the input file as

Groupname;paul
Groupname2;Albert
Most Valuable Expert 2012
Top Expert 2014
Commented:
Sharath, try this. I think it's something I did for you a long time ago, reading from a file called Groups_For_Users_To_Manage.txt

Regards.

Rob.
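' Sets the manager ("managedBy") of Active Directory groups listed in a text file
' and, through AddACE, grants that manager write access to the group's member list.
'
' Input file: one entry per line, user first and then one or more groups:
'     samAccountName;GroupCN1;GroupCN2;...
' NOTE(review): the part before the first ";" is read as the user and everything
' after it as group names. A file written as "Groupname;Username" would be parsed
' with the two fields swapped, so check the file layout before running.
strInputFile = "Groups_For_Users_To_Manage.txt"

Const intForReading = 1
Const ADS_PROPERTY_CLEAR = 1
' ADSI error returned by Get() when the requested attribute (managedBy) is not set.
Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D

' When started under wscript.exe, relaunch under cscript in a console so that the
' WScript.Echo output appears in one window instead of a popup per line.
If Right(LCase(WScript.FullName), 11) = "wscript.exe" Then
	Set objShell = CreateObject("WScript.Shell")
	objShell.Run "cmd /k cscript """ & WScript.ScriptFullName & """", 1, False
	Set objShell = Nothing
	WScript.Quit
End If

Set objFSO = CreateObject("Scripting.FileSystemObject")

WScript.Echo ""

Set objInputFile = objFSO.OpenTextFile(strInputFile, intForReading, False)
While Not objInputFile.AtEndOfStream
	strLine = objInputFile.ReadLine
	If Trim(strLine) <> "" And InStr(strLine, ";") > 0 Then
		' Trim so that stray spaces around the separators do not break the lookups.
		strUserName = Trim(Left(strLine, InStr(strLine, ";") - 1))
		arrGroups = Split(Mid(strLine, InStr(strLine, ";") + 1), ";")
		' Account name without any "prefix\" part, used to compare against ACE trustees.
		strAccountOnly = LCase(Mid(strUserName, InStrRev(strUserName, "\") + 1))
		
		For Each strGroupName In arrGroups
			strGroupName = Trim(strGroupName)
			' A trailing ";" yields an empty entry; skip it rather than query for nothing.
			If strGroupName <> "" Then
				strGroupAdsPath = Get_LDAP_User_Properties("Group", "cn", strGroupName, "adsPath")
				If Trim(strGroupAdsPath) <> "" Then
					Set objGroup = GetObject(strGroupAdsPath)
					
					Set objSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
					Set objDACL = objSecurityDescriptor.DiscretionaryACL
					
					' Reading managedBy raises an error when the group has no manager yet.
					On Error Resume Next
					Set objUser = GetObject("LDAP://" & objGroup.Get("managedBy"))
					If Err.Number = 0 Then
						On Error GoTo 0
						' The group already has a manager. Treat the requested user as already
						' configured when the DACL holds an ACE whose trustee account name equals
						' the user name. The comparison is exact, so "paul" no longer matches a
						' trustee such as "DOMAIN\paulson".
						' NOTE(review): assumes trustees are reported as "DOMAIN\account"; confirm.
						boolSetACE = True
						For Each objACE In objDACL
							strTrustee = LCase(objACE.Trustee)
							If Mid(strTrustee, InStrRev(strTrustee, "\") + 1) = strAccountOnly Then
								boolSetACE = False
							End If
						Next
						If boolSetACE = False Then
							WScript.Echo "User " & strUserName & " is already the manager of group " & strGroupName
						Else
							' Resolve the new manager BEFORE clearing the current one, so that a
							' failed lookup does not leave the group without any manager.
							strUserAdsPath = Get_LDAP_User_Properties("User", "samAccountName", strUserName, "adsPath")
							If Trim(strUserAdsPath) <> "" Then
								' NOTE(review): only managedBy is cleared here. Any ACE that gave the
								' previous manager write access to the member list stays in the DACL,
								' so that account can still edit membership. Review the group's DACL
								' if the previous manager should lose that right.
								WScript.Echo "Clearing " & objUser.Get("sAMAccountName") & " from the ManagedBy list of " & objGroup.cn
								objGroup.PutEx ADS_PROPERTY_CLEAR, "managedBy", 0
								objGroup.SetInfo
								Set objUser = GetObject(strUserAdsPath)
								AddACE objGroup, objUser, objSecurityDescriptor, objDACL
							Else
								WScript.Echo "The path for the user " & strUserName & " could not be found. Can not add user to group " & strGroupName
							End If
						End If
					ElseIf Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
						' No manager is set on the group: assign the requested user directly.
						Err.Clear
						On Error GoTo 0
						strUserAdsPath = Get_LDAP_User_Properties("User", "samAccountName", strUserName, "adsPath")
						' Guard against an empty result; GetObject("") would abort the whole run.
						If Trim(strUserAdsPath) <> "" Then
							Set objUser = GetObject(strUserAdsPath)
							AddACE objGroup, objUser, objSecurityDescriptor, objDACL
						Else
							WScript.Echo "The path for the user " & strUserName & " could not be found. Can not add user to group " & strGroupName
						End If
					Else
						' Any other failure (for example a managedBy value that no longer resolves).
						WScript.Echo Err.Number & ": " & Err.Description
						Err.Clear
						On Error GoTo 0
					End If
				Else
					WScript.Echo "The path for the group " & strGroupName & " could not be found. User " & strUserName & " could not be added."
				End If
			End If
		Next
	End If
Wend
objInputFile.Close

WScript.Echo ""
WScript.Echo "Finished adding managers to groups."
MsgBox "Done"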

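Sub AddACE(objGroup, objUser, objSecurityDescriptor, objDACL)
	' Makes objUser the manager of objGroup and grants that user write access to
	' the group's member attribute (the "Manager can update membership list" box).
	'
	' objGroup              - ADSI group object to modify.
	' objUser               - ADSI user object that becomes the manager.
	' objSecurityDescriptor - security descriptor previously read from objGroup.
	' objDACL               - discretionary ACL taken from that descriptor.
	'
	' Reads the script-level variables strUserName and strGroupName for the final
	' status message only. Failures are reported with WScript.Echo, not raised.
	Dim strUserDN, intDCPos, strWinNTPath
	
	' ACE Types
	Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
	' schemaIDGUID of the "member" attribute: the ACE applies to that attribute only.
	Const ADS_OBJECT_WRITE_MEMBERS = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}"
	Const ADS_ACEFLAG_DONT_INHERIT_ACE = &H0
	' Access Masks
	Const ADS_RIGHT_DS_WRITE_PROP = &H20
	' ACE Flags
	Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H01
	
	' managedBy must hold a distinguished name. Stripping "LDAP://" from AdsPath
	' leaves a "server/" prefix behind when the path was bound through a specific
	' server, so read the distinguishedName attribute instead.
	strUserDN = objUser.Get("distinguishedName")
	
	' Build the DNS domain name from the DC= components of the DN. Search for ",DC="
	' so that a "DC" inside the user's own name (e.g. CN=DCAdmin) is not mistaken
	' for the start of the domain part.
	intDCPos = InStr(1, strUserDN, ",DC=", vbTextCompare)
	If intDCPos > 0 Then
		strDomainName = Replace(Replace(Mid(strUserDN, intDCPos + 1), "DC=", "", 1, -1, vbTextCompare), ",", ".")
	Else
		strDomainName = Replace(Replace(Mid(strUserDN, InStr(strUserDN, "DC")), "DC=", ""), ",", ".")
	End If
	strUserAccount = objUser.Get("sAMAccountName")
	
	boolUserAdded = False
	objGroup.ManagedBy = strUserDN
	On Error Resume Next
	objGroup.SetInfo
	If Err.Number = 0 Then
		boolUserAdded = True
	Else
		WScript.Echo Err.Number & ": " & Err.Description & " - cannot add " & strUserDN & " to " & objGroup.adspath
		Err.Clear
		' Best-effort fallback kept from the original script: retry with the WinNT path.
		' The bind is checked so a failed lookup is reported instead of ending the run.
		strWinNTPath = "WinNT://" & strDomainName & "/" & strUserAccount & ",user"
		Set objDomUser = GetObject(strWinNTPath)
		If Err.Number = 0 Then
			WScript.Echo "Trying: " & objDomUser.AdsPath
			objGroup.ManagedBy = objDomUser.AdsPath
			objGroup.SetInfo
		End If
		If Err.Number <> 0 Then
			WScript.Echo Err.Number & ": " & Err.Description & " - cannot add " & strWinNTPath & " to " & objGroup.adspath
			Err.Clear
		Else
			boolUserAdded = True
		End If
	End If
	On Error GoTo 0
	
	If boolUserAdded = True Then
		' Object-specific allow ACE: write-property on the member attribute only,
		' applied to this group object and not inherited.
		Set objACE = CreateObject("AccessControlEntry")
		
		objACE.Trustee = strDomainName & "\" & strUserAccount
		objACE.AccessMask = ADS_RIGHT_DS_WRITE_PROP
		objACE.AceFlags = ADS_ACEFLAG_DONT_INHERIT_ACE
		objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
		objACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
		objACE.objectType = ADS_OBJECT_WRITE_MEMBERS
		
		' Check the ACL write explicitly. Error trapping used to stay enabled from the
		' managedBy update above, so a failed permission write was silently ignored
		' and the script still reported success.
		On Error Resume Next
		objDACL.AddAce objACE
		objSecurityDescriptor.DiscretionaryACL = objDACL
		objGroup.Put "ntSecurityDescriptor", Array(objSecurityDescriptor)
		objGroup.SetInfo
		If Err.Number = 0 Then
			WScript.Echo "User " & strUserName & " added as a manager of group " & strGroupName
		Else
			WScript.Echo Err.Number & ": " & Err.Description & " - managedBy was set but the permission to update membership could not be written on " & objGroup.adspath
			Err.Clear
		End If
		On Error GoTo 0
	End If
End Sub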

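Function Get_LDAP_User_Properties(strObjectType, strSearchField, strObjectToGet, strCommaDelimProps)
	' Searches Active Directory through ADO and returns the requested attributes
	' of every object that matches.
	'
	' strObjectType      - objectClass to match (the callers pass "Group" or "User").
	' strSearchField     - attribute to compare, e.g. "cn" or "samAccountName".
	' strObjectToGet     - value to look for. A "prefix\name" value makes the search
	'                      bind to the prefix instead of the default naming context.
	'                      NOTE(review): the prefix looks like a server FQDN such as
	'                      dc1.example.com (first label dropped to form the DC= base); confirm.
	' strCommaDelimProps - comma-separated list of attributes to return.
	'
	' Returns the attribute values joined with VbCrLf, or Empty when nothing matches.
	' Values from several matching objects are joined into the same string, so
	' callers that pass the result to GetObject rely on exactly one match.
	Dim strName, strFilterValue
	
	' Work on a copy: arguments are ByRef by default, and assigning to the
	' parameter would silently rewrite the caller's variable.
	strName = strObjectToGet
	
	If InStr(strName, "\") > 0 Then
		arrGroupBits = Split(strName, "\")
		strDC = arrGroupBits(0)
		strDNSDomain = strDC & "/" & "DC=" & Replace(Mid(strDC, InStr(strDC, ".") + 1), ".", ",DC=")
		strName = arrGroupBits(1)
	Else
		Set objRootDSE = GetObject("LDAP://RootDSE")
		strDNSDomain = objRootDSE.Get("defaultNamingContext")
	End If

	strBase = "<LDAP://" & strDNSDomain & ">"
	' Setup ADO objects.
	Set adoCommand = CreateObject("ADODB.Command")
	Set adoConnection = CreateObject("ADODB.Connection")
	adoConnection.Provider = "ADsDSOObject"
	adoConnection.Open "Active Directory Provider"
	adoCommand.ActiveConnection = adoConnection

	' The value comes from the input file, so escape the LDAP filter special
	' characters (RFC 4515). Otherwise a name containing "(" or ")" breaks the
	' query, and a "*" widens it to objects that were never listed in the file.
	' The backslash is replaced first so the escapes added below are not re-escaped.
	strFilterValue = Replace(strName, "\", "\5c")
	strFilterValue = Replace(strFilterValue, "*", "\2a")
	strFilterValue = Replace(strFilterValue, "(", "\28")
	strFilterValue = Replace(strFilterValue, ")", "\29")
	strFilter = "(&(objectClass=" & strObjectType & ")(" & strSearchField & "=" & strFilterValue & "))"

	' Comma delimited list of attribute values to retrieve.
	strAttributes = strCommaDelimProps
	arrProperties = Split(strCommaDelimProps, ",")

	' Construct the LDAP syntax query: base;filter;attributes;scope.
	strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
	adoCommand.CommandText = strQuery
	adoCommand.Properties("Page Size") = 100
	adoCommand.Properties("Timeout") = 30
	adoCommand.Properties("Cache Results") = False

	WScript.Echo ""
	WScript.Echo "Executing " & strQuery
	' Run the query.
	Set adoRecordset = adoCommand.Execute
	' Collect the requested fields of every record, one value per line.
	Do Until adoRecordset.EOF
		For intCount = LBound(arrProperties) To UBound(arrProperties)
			If strDetails = "" Then
				strDetails = adoRecordset.Fields(intCount).Value
			Else
				strDetails = strDetails & VbCrLf & adoRecordset.Fields(intCount).Value
			End If
		Next
		' Move to the next record in the recordset.
		adoRecordset.MoveNext
	Loop

	' Clean up.
	adoRecordset.Close
	adoConnection.Close
	Get_LDAP_User_Properties = strDetails

End Function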


Author

Commented:
Thanks Rob
Where should I list the user names and groups? Is it like:
Groupname;Username
Most Valuable Expert 2012
Top Expert 2014

Commented:
Yes, that should work fine.  It will add the "username" to the ManageBy tab of the "GroupName".

Rob.