Solved

Active Directory:  Group Security Mapping

Posted on 2012-04-04
12
370 Views
Last Modified: 2012-08-14
I've got a great .HTA application that was written by Rob Sampson here on EE.  This little application has truly turned into gem for me. The code attached basically queries AD and then provides a list of members who belong to each group.  This is great, however business needs have changed since first using this, and with sOX being so privalant, I realized just how much more powerful this utility could be if it could also provide the "Managed by" person for each Group and his or her email address.  This would be a HUGE HELP!  It already has an Export function to .txt which is fine because I can copy the results into a spreadsheet.

Right now the application is static, meaning you can only search ONE group at a time, so it's time consuming.

In a "perfect world", if I were to be able to just click a button and have it cycle through every group in AD, providing member names that belong to each group as well as the managed by name and their email address, and then when finished if it allow me to just export the whole thing to a spreadsheet (.CSV) that would be AWESOME!

Any help with this is GREATLY APPRECIATED!
HTA-APPLICATION.TXT
0
Comment
Question by:itsmevic
  • 6
  • 6
12 Comments
 
LVL 42

Expert Comment

by:sedgwick
ID: 37811823
basically is doing something like:

Set objGroup = GetObject _
  ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
 
strManagedBy = objGroup.Get("managedBy")
 

check http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/groups/#ReturnManaged.htm
0
 
LVL 42

Expert Comment

by:sedgwick
ID: 37811870
to cover groups with no managedby attribute do something like that:

Set objGroup = GetObject("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
			On Error Resume Next
			strManagedBy = objGroup.Get("managedBy")
			Err.Clear
			On Error GoTo 0
			
			
			If IsEmpty(strManagedBy) = TRUE Then
			  WScript.Echo "No user account is assigned to manage " & _
				"this group."
			else
			WScript.Echo strManagedBy
			end if

Open in new window

0
 

Author Comment

by:itsmevic
ID: 37813775
Does the suggestion you provided below generate the results within the HTA applicatoni or will it just echo out onto the screen?  Where would I need to place this within the existing code?

Set objGroup = GetObject("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
                  On Error Resume Next
                  strManagedBy = objGroup.Get("managedBy")
                  Err.Clear
                  On Error GoTo 0
                  
                  
                  If IsEmpty(strManagedBy) = TRUE Then
                    WScript.Echo "No user account is assigned to manage " & _
                        "this group."
                  else
                  WScript.Echo strManagedBy
                  end if
0
 
LVL 42

Expert Comment

by:sedgwick
ID: 37813988
do u use the HTA as is? or did u modify it?
where do you wanna put this information (managed by and email)?
0
 

Author Comment

by:itsmevic
ID: 37814399
Hi SeD!

     Right now I'm using the .HTA as is but would like to add the "Managed by" attribute and the Managed by "Email Address."  We could put it anywhere in the .HTA, it doesn't matter.  Hope that helps.

Thanks.
0
 
LVL 42

Expert Comment

by:sedgwick
ID: 37820718
the script uses the group name and value in the option list so where/how do u wish to display the managedBy and email attribute of the group?
i've added the code to retrieve the managedBy user of the group and its email address (lines 59-70).


<Html>
<Head>
<Title>List Group Members</Title>
 
<HTA:Application
Caption = Yes
Border = Thick
ShowInTaskBar = Yes
SingleInstance = Yes
MaximizeButton = Yes
MinimizeButton = Yes>
 
<script Language = VBScript>
 
	Sub Window_OnLoad
		intWidth = 800
		intHeight = 600
		Me.ResizeTo intWidth, intHeight
		Me.MoveTo ((Screen.Width / 2) - (intWidth / 2)),((Screen.Height / 2) - (intHeight / 2))
		lst_members.Style.Width = 500
    	Set objRootDSE = GetObject("LDAP://RootDSE")
    	strBaseConnString = objRootDSE.Get("defaultNamingContext")
		Set objOULevel = GetObject("LDAP://" & strBaseConnString)
		EnumerateGroups strBaseConnString
		Show_Group_Selection
	End Sub
 
	Sub Clear_Members
		For intListProgress = 1 To lst_members.Length
	   		lst_members.Remove 0
	   	Next
	End Sub
 
	Sub EnumerateGroups(strDNSDomain)
		Const ADS_SCOPE_SUBTREE = 2
		Const adVarChar = 200
		Const MaxCharacters = 255
		
		Set objConnection = CreateObject("ADODB.Connection")
		Set objCommand =   CreateObject("ADODB.Command")
		objConnection.Provider = "ADsDSOObject"
		objConnection.Open "Active Directory Provider"
		Set objCommand.ActiveConnection = objConnection
		
		objCommand.Properties("Page Size") = 1000
		objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
		
		objCommand.CommandText = "SELECT Name, distinguishedName FROM 'LDAP://" & strDNSDomain & "' WHERE objectClass='group'"
		Set objRecordSet = objCommand.Execute
		
		Set objDataList = CreateObject("ADOR.Recordset")
		objDataList.Fields.Append "name", adVarChar, MaxCharacters
		objDataList.Fields.Append "distinguishedName", adVarChar, MaxCharacters
		objDataList.Open
		
		While Not objRecordSet.EOF
		    objDataList.AddNew
			
			''get managedBy user
			If IsNull(objRecordSet.Fields("managedBy")) then
				WScript.Echo "No user account is assigned to manage group " & objRecordSet.Fields("name").Value
			else
				objDataList("managedBy") = objRecordSet.Fields("managedBy").Value
			end if 

			''get email of managedBy user
			On Error Resume Next
			Set objUser = GetObject("LDAP://" & objRecordSet.Fields("name").Value)
			objUser.GetInfo
			objDataList("email") = objUser.Get("mail")
			
			
		    objDataList("name") = objRecordSet.Fields("name").Value
		    objDataList("distinguishedName") = objRecordSet.Fields("distinguishedName").Value
		    objDataList.Update
			objRecordSet.MoveNext
		Wend
		objRecordSet.Close
		objDataList.Sort = "name"
		objDataList.MoveFirst
		While Not objDataList.EOF
			Set objActiveOption = Document.CreateElement("OPTION")
    		objActiveOption.Text = objDataList.Fields("name").Value
	    	objActiveOption.Value = objDataList.Fields("distinguishedName").Value
	    	lst_GroupFilter.Add objActiveOption
	    	objDataList.MoveNext
		Wend
		objDataList.Close
	End Sub
 
	Sub Show_Group_Selection
		span_GroupFilter.InnerHTML = lst_GroupFilter.Value
	End Sub
 
	Sub Default_Buttons
		If Window.Event.KeyCode = 13 Then
			btn_run.Click
		End If
	End Sub
 
	Sub Exit_HTA
		Window.Close
	End Sub
 
	Sub Get_Members
		Const adVarChar = 200
		Const MaxCharacters = 255

		Clear_Members

		Set objGroup = GetObject("LDAP://" & lst_groupfilter.Value)
		Set objDataList = CreateObject("ADOR.Recordset")
		objDataList.Fields.Append "name", adVarChar, MaxCharacters
		objDataList.Fields.Append "distinguishedName", adVarChar, MaxCharacters
		objDataList.Open
		
		For Each objObject In objGroup.Members
		    objDataList.AddNew
		    objDataList("name") = objObject.cn
		    objDataList("distinguishedName") = objObject.distinguishedName
		    objDataList.Update
		Next
		objDataList.Sort = "name"
		If Not objDataList.BOF Then objDataList.MoveFirst
		While Not objDataList.EOF
			Set objMember = Document.CreateElement("OPTION")
    		objMember.Text = objDataList.Fields("name").Value
	    	objMember.Value = objDataList.Fields("distinguishedName").Value
	    	lst_members.Add objMember
	    	objDataList.MoveNext
		Wend
		objDataList.Close
	End Sub
	
	Sub ExporT_To_TXT
	    If Mid(document.location, 6, 3) = "///" Then
	    	strHTAPath = Mid(Replace(Replace(document.location, "%20", " "), "/", "\"), 9)
	    Else
	    	strHTAPath = Mid(Replace(Replace(document.location, "%20", " "), "/", "\"), 6)
	    End If
		strFileName = Left(strHTAPath, InStrRev(strHTAPath, "\")) & lst_GroupFilter.Item(lst_GroupFilter.SelectedIndex).Text & ".txt"
		strFileName = InputBox("Enter file name to save as:", "Save As", strFileName)
		If strFileName <> "" Then
			Set objFSO = CreateObject("Scripting.FileSystemObject")
			Set objFile = objFSO.CreateTextFile(strFileName, True)
			objFile.WriteLine "Group Distinguished Name: " & lst_groupfilter.Value
			For Each objOption In lst_members
				objFile.WriteLine objOption.Text
			Next
			objFile.Close
			MsgBox "File saved."
		End If
	End Sub
</script>
<body style="background-color:#B0C4DE;" onkeypress='vbs:Default_Buttons'>
	<table height="90%" width= "90%" border="0" align="center">
		<tr>
			<td align="center" colspan="2">
				<h2>List Group Members</h2>
			</td>
		</tr>
		<tr>
			<td>
				<b>Group Filter:</b>
			</td>
			<td>
			    <select size='1' name='lst_GroupFilter'  onChange='vbs:Show_Group_Selection'>
				</select>
			</td>
		</tr>
		<tr>
			<td colspan=2>
				<b>Group Selected:</b>&nbsp&nbsp&nbsp<span id='span_GroupFilter'></span>
			</td>
		</tr>		<tr>
			<td>
				<b>Members:</b>
			</td>
			<td>
			    <select size='8' name='lst_members'>
				</select>
			</td>
		</tr>
	</table>
	<table width= "90%" border="0" align="center">
		<tr align="center">
			<td>
				<button name="btn_run" id="btn_run" accessKey="G" onclick="vbs:Get_Members"><u>G</u>et Members</button>
			</td>
			<td>
				<button name="btn_export" id="btn_export" accessKey="E" onclick="vbs:Export_To_TXT"><u>E</u>xport to TXT</button>
			</td>
			<td>
				<button name="btn_exit" id="btn_exit" accessKey="x" onclick="vbs:Exit_HTA">E<u>x</u>it</button>
			</td>
		</tr>
	</table>
</body>
</head>
</html>

Open in new window

0
 

Author Comment

by:itsmevic
ID: 37825932
Hi SedWick,

    Where you have the fields are perfect.  The "Group Filter" field is a little skinny and may need more width.  Also, when executing the .HTA file I'm getting the following error:

Line: 60
Character: 4
Error:  "Item cannot be found in the Collection of corresponding to the requested name or ordinal."
Code:  0
0
 
LVL 42

Expert Comment

by:sedgwick
ID: 37826448
i forgot to add managedBy to the select query, so change line 48 to this one:
objCommand.CommandText = "SELECT Name, distinguishedName,ManagedBy FROM 'LDAP://" & strDNSDomain & "' WHERE objectClass='group'"
0
 

Author Comment

by:itsmevic
ID: 37828682
Hi Sedgwick,

    Thanks for the revision.  Looks like I'm getting this error now when launching:

Line:  61
Char:  5
Error:  Object required: 'WScript'
Code:  0

Thanks for your help!
0
 
LVL 42

Accepted Solution

by:
sedgwick earned 500 total points
ID: 37831223
VBS in IE or as an HTA does not support WScript object, i used it in my vbs just for testing so u don't really need that.
so instead of the lines below:
If IsNull(objRecordSet.Fields("managedBy")) then
				WScript.Echo "No user account is assigned to manage group " & objRecordSet.Fields("name").Value
			else
				objDataList("managedBy") = objRecordSet.Fields("managedBy").Value
			end if 

Open in new window


use this:
If Not IsNull(objRecordSet.Fields("managedBy")) then
				objDataList("managedBy") = objRecordSet.Fields("managedBy").Value
			end if 

Open in new window

0
 

Author Comment

by:itsmevic
ID: 37835616
Hi Sedgwick,

     No errors upon executing the script this time, however it doesn't appear to be launching into the GUI.  It will eventually hang and I'll get a "Not Responding" on the top of it's dialog box.  I went into the Task Manager and the Memory usage isn't increasing like it does in the original .HTA.   Interesting.
0
 

Author Closing Comment

by:itsmevic
ID: 37857089
Thank you.
0

Join & Write a Comment

This is a PowerShell web interface I use to manage some task as a network administrator. Clicking an action button on the left frame will display a form in the middle frame to input some data in textboxes, process this data in PowerShell and display…
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
In this tutorial viewers will learn how to code links for mobile sites that, once clicked, send a call or text to a specified number. For a telephone link (once clicked, calls a number), begin with a normal "<a href=" link tag. For the href, specify…
HTML5 has deprecated a few of the older ways of showing media as well as offering up a new way to create games and animations. Audio, video, and canvas are just a few of the adjustments made between XHTML and HTML5. As we learned in our last micr…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now