Omitting members of an AD group from script that populates "jpegPhoto" attribute for Outlook photos

Posted on 2011-03-08
Medium Priority
Last Modified: 2012-05-11
Greetings all,

I have a VB Script that takes images in a folder, converts them, and populates the jpegPhoto, thumbnailPhoto, and thumbnailLogo properties of our Active Directory users. We have a few users that have opted out of having their photos populated and visible in Outlook and I have put them in a security group in AD named Picture Opt Out. I have attempted to ignore these users based on the membership of this group by editing the script but it isn't working. I would greatly appreciate any of you taking a look at my script and trying to find where I'm going wrong.

Const ForReading = 1
Dim objGroupList, strGroup,objUser,strOptOutGroup

strOptOutGroup = "Picture Opt Out"
InDir = "C:\temp\Staff Photos"
Set fso = CreateObject("Scripting.FileSystemObject")
set oIADS = GetObject("LDAP://RootDSE")
strDefaultNC = oIADS.Get("defaultnamingcontext")
Set theConn = CreateObject("ADODB.Connection")
theConn.Provider = "ADsDSOObject"
theConn.Open "ADs Provider"
Set theCmd  = CreateObject("ADODB.Command")
theCmd.ActiveConnection = theConn
Set objRecordSet = CreateObject("ADODB.Recordset")

FlowCount = 1
For Each tFile In fso.GetFolder(InDir).Files
'If FlowCount > 1 then exit For 'Comment out this line if you want to run on all records
    'If not tName = "5000092182.jpg" then

    tName = tFile.Name
    'Gets the person's name from the file by stripping the extension.
    tName = Left(tName, InStrRev(tName,".")-1)
    'You may need to tweak this bit depending on your naming conventions.
    strQuery = "<LDAP://" & strDefaultNC & ">;" & _
                              "(&(objectClass=user)(extensionAttribute2=" & tName & "));name,adspath;subtree"
    theCmd.CommandText = strQuery
    Set objRS = theCmd.Execute
    If objRS.RecordCount = 0 Then
      MsgBox "Can't find account for " & tName
    Else
	Set objUser = GetObject(objRS("adspath"))
	'msgbox objrs("adspath")
	If not IsMember(strOptOutGroup) Then
	      ObjUser.Put "jpegPhoto", ReadByteArray(tFile.Path)
	      ObjUser.Put "thumbnailPhoto", ReadByteArray(tFile.Path)
	      ObjUser.Put "thumbnailLogo", ReadByteArray(tFile.Path)
              'msgbox "I Ran"
	End If
    End If
    'End If

FlowCount = FlowCount + 1
Next

Function ReadByteArray(strFileName)
    Const adTypeBinary = 1
    Dim bin
    Set bin = CreateObject("ADODB.Stream")
    bin.Type = adTypeBinary
    bin.LoadFromFile strFileName
    ReadByteArray = bin.Read
End Function

Function IsMember(strGroup)
' Function to test for user group membership.
' strGroup is the NT name (sAMAccountName) of the group to test.
' objGroupList is a dictionary object, with global scope.
' Returns True if the user is a member of the group.

  Call LoadGroups
  IsMember = objGroupList.Exists(strGroup)
End Function

Sub LoadGroups
' Subroutine to populate dictionary object with group memberships.
' objUser is the user object, with global scope.
' objGroupList is a dictionary object, with global scope.

  Dim objGroup
  Set objGroupList = Nothing
  Set objGroupList = CreateObject("Scripting.Dictionary")
  objGroupList.CompareMode = vbTextCompare
  For Each objGroup In objUser.Groups
    objGroupList(objGroup.name) = True
  Next
  Set objGroup = Nothing
End Sub


Question by:robbie_woodley

Expert Comment

by:Ron Malmstead
ID: 35074660
The way to do this would be to exempt them from the group policy object that applies this script.

Put the script in a GPO by itself, then use group policy management console to filter out that group from applying the object.

Author Comment

ID: 35074758
Never done that before...any tips on putting the script on a GPO?

Expert Comment

by:Ron Malmstead
ID: 35074931


First...install GPMC (group policy management console)

Download it from Microsoft.

Open it...

Look here > http://www.youtube.com/watch?v=KgxhrNjx2QI
That video will show you how to create a policy...add the script and assign it to an OU in AD.

Next... add "authenticated Users"...to the security filtering section in GPMC console
Then add your "group to exclude" ...to the security filtering section in GPMC console

Click on the Delegation tab....at the bottom there is an "advanced" button.  click it.
Select the group that you want to filter out, ....where it says "apply group policy" select DENY...

Accepted Solution

RobSampson earned 2000 total points
ID: 35075355
Hi, change this bit in your LoadGroups function:
  For Each objGroup In objUser.Groups
    objGroupList(objGroup.name) = True

to this
  For Each objGroup In objUser.Groups
    objGroupList(Mid(objGroup.name, 4)) = True

That's all.  The original line was loading the group names as
CN=Opt Out Group
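
An added example, not code from any poster in this thread: the opt-out check done by comparing each group's sAMAccountName instead of stripping the "CN=" prefix, with the file-derived ID escaped before it goes into the LDAP filter and ambiguous matches skipped. It assumes "Picture Opt Out" is also the group's sAMAccountName, covers direct membership only (objUser.Groups does not expand nested groups), and FindUserByStaffId is a hypothetical helper name.

```vbscript
Option Explicit
Const OPT_OUT_GROUP = "Picture Opt Out"   ' assumption: also the group's sAMAccountName

' Escape a value for use inside an LDAP search filter (RFC 4515).
' Parentheses are legal in Windows file names, so a name taken from
' the photo folder must not be concatenated into the filter raw.
Function EscapeLdapFilter(strValue)
    Dim s
    s = Replace(strValue, "\", "\5c")     ' backslash first, so later escapes survive
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    EscapeLdapFilter = Replace(s, Chr(0), "\00")
End Function

' True when objUser is a direct member of the group with this sAMAccountName.
' Comparing sAMAccountName avoids depending on the "CN=" form of objGroup.Name.
Function IsDirectMember(objUser, strGroup)
    Dim objGroup
    IsDirectMember = False
    For Each objGroup In objUser.Groups
        If StrComp(objGroup.Get("sAMAccountName"), strGroup, vbTextCompare) = 0 Then
            IsDirectMember = True
            Exit Function
        End If
    Next
End Function

' Hypothetical helper: returns the one matching user object, or Nothing when
' the ID matches zero or several accounts, so a photo is never written to
' an account picked arbitrarily from multiple hits.
Function FindUserByStaffId(theCmd, strDefaultNC, strStaffId)
    Dim objRS
    Set FindUserByStaffId = Nothing
    theCmd.CommandText = "<LDAP://" & strDefaultNC & ">;" & _
        "(&(objectCategory=person)(objectClass=user)(extensionAttribute2=" & _
        EscapeLdapFilter(strStaffId) & "));adspath;subtree"
    Set objRS = theCmd.Execute
    If objRS.RecordCount = 1 Then
        Set FindUserByStaffId = GetObject(objRS.Fields("adspath").Value)
    End If
End Function

' Offline check of the escaping with a constructed file-name stem.
WScript.Echo EscapeLdapFilter("5000(1)*")
```

In the photo loop, write the attributes only when FindUserByStaffId returns an object and IsDirectMember(objUser, OPT_OUT_GROUP) is False, then commit with objUser.SetInfo.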



Author Closing Comment

ID: 35087696
Perfect solution, simple implementation. Thanks!
