Solved

Active Directory:  Group Security Mapping

Posted on 2012-04-04
12
374 Views
Last Modified: 2012-08-14
I've got a great .HTA application that was written by Rob Sampson here on EE.  This little application has truly turned into gem for me. The code attached basically queries AD and then provides a list of members who belong to each group.  This is great, however business needs have changed since first using this, and with sOX being so privalant, I realized just how much more powerful this utility could be if it could also provide the "Managed by" person for each Group and his or her email address.  This would be a HUGE HELP!  It already has an Export function to .txt which is fine because I can copy the results into a spreadsheet.

Right now the application is static, meaning you can only search ONE group at a time, so it's time consuming.

In a "perfect world", if I were to be able to just click a button and have it cycle through every group in AD, providing member names that belong to each group as well as the managed by name and their email address, and then when finished if it allow me to just export the whole thing to a spreadsheet (.CSV) that would be AWESOME!

Any help with this is GREATLY APPRECIATED!
HTA-APPLICATION.TXT
0
Comment
Question by:itsmevic
  • 6
  • 6
12 Comments
 
LVL 42

Expert Comment

by:sedgwick
ID: 37811823
basically is doing something like:

Set objGroup = GetObject _
  ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
 
strManagedBy = objGroup.Get("managedBy")
 

check http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/groups/#ReturnManaged.htm
0
 
LVL 42

Expert Comment

by:sedgwick
ID: 37811870
to cover groups with no managedby attribute do something like that:

Set objGroup = GetObject("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
			On Error Resume Next
			strManagedBy = objGroup.Get("managedBy")
			Err.Clear
			On Error GoTo 0
			
			
			If IsEmpty(strManagedBy) = TRUE Then
			  WScript.Echo "No user account is assigned to manage " & _
				"this group."
			else
			WScript.Echo strManagedBy
			end if

Open in new window

0
 

Author Comment

by:itsmevic
ID: 37813775
Does the suggestion you provided below generate the results within the HTA applicatoni or will it just echo out onto the screen?  Where would I need to place this within the existing code?

Set objGroup = GetObject("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
                  On Error Resume Next
                  strManagedBy = objGroup.Get("managedBy")
                  Err.Clear
                  On Error GoTo 0
                  
                  
                  If IsEmpty(strManagedBy) = TRUE Then
                    WScript.Echo "No user account is assigned to manage " & _
                        "this group."
                  else
                  WScript.Echo strManagedBy
                  end if
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 42

Expert Comment

by:sedgwick
ID: 37813988
do u use the HTA as is? or did u modify it?
where do you wanna put this information (managed by and email)?
0
 

Author Comment

by:itsmevic
ID: 37814399
Hi SeD!

     Right now I'm using the .HTA as is but would like to add the "Managed by" attribute and the Managed by "Email Address."  We could put it anywhere in the .HTA, it doesn't matter.  Hope that helps.

Thanks.
0
 
LVL 42

Expert Comment

by:sedgwick
ID: 37820718
the script uses the group name and value in the option list so where/how do u wish to display the managedBy and email attribute of the group?
i've added the code to retrieve the managedBy user of the group and its email address (lines 59-70).


<Html>
<Head>
<Title>List Group Members</Title>
 
<HTA:Application
Caption = Yes
Border = Thick
ShowInTaskBar = Yes
SingleInstance = Yes
MaximizeButton = Yes
MinimizeButton = Yes>
 
<script Language = VBScript>
 
	Sub Window_OnLoad
		intWidth = 800
		intHeight = 600
		Me.ResizeTo intWidth, intHeight
		Me.MoveTo ((Screen.Width / 2) - (intWidth / 2)),((Screen.Height / 2) - (intHeight / 2))
		lst_members.Style.Width = 500
    	Set objRootDSE = GetObject("LDAP://RootDSE")
    	strBaseConnString = objRootDSE.Get("defaultNamingContext")
		Set objOULevel = GetObject("LDAP://" & strBaseConnString)
		EnumerateGroups strBaseConnString
		Show_Group_Selection
	End Sub
 
	Sub Clear_Members
		For intListProgress = 1 To lst_members.Length
	   		lst_members.Remove 0
	   	Next
	End Sub
 
	Sub EnumerateGroups(strDNSDomain)
		Const ADS_SCOPE_SUBTREE = 2
		Const adVarChar = 200
		Const MaxCharacters = 255
		
		Set objConnection = CreateObject("ADODB.Connection")
		Set objCommand =   CreateObject("ADODB.Command")
		objConnection.Provider = "ADsDSOObject"
		objConnection.Open "Active Directory Provider"
		Set objCommand.ActiveConnection = objConnection
		
		objCommand.Properties("Page Size") = 1000
		objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
		
		objCommand.CommandText = "SELECT Name, distinguishedName FROM 'LDAP://" & strDNSDomain & "' WHERE objectClass='group'"
		Set objRecordSet = objCommand.Execute
		
		Set objDataList = CreateObject("ADOR.Recordset")
		objDataList.Fields.Append "name", adVarChar, MaxCharacters
		objDataList.Fields.Append "distinguishedName", adVarChar, MaxCharacters
		objDataList.Open
		
		While Not objRecordSet.EOF
		    objDataList.AddNew
			
			''get managedBy user
			If IsNull(objRecordSet.Fields("managedBy")) then
				WScript.Echo "No user account is assigned to manage group " & objRecordSet.Fields("name").Value
			else
				objDataList("managedBy") = objRecordSet.Fields("managedBy").Value
			end if 

			''get email of managedBy user
			On Error Resume Next
			Set objUser = GetObject("LDAP://" & objRecordSet.Fields("name").Value)
			objUser.GetInfo
			objDataList("email") = objUser.Get("mail")
			
			
		    objDataList("name") = objRecordSet.Fields("name").Value
		    objDataList("distinguishedName") = objRecordSet.Fields("distinguishedName").Value
		    objDataList.Update
			objRecordSet.MoveNext
		Wend
		objRecordSet.Close
		objDataList.Sort = "name"
		objDataList.MoveFirst
		While Not objDataList.EOF
			Set objActiveOption = Document.CreateElement("OPTION")
    		objActiveOption.Text = objDataList.Fields("name").Value
	    	objActiveOption.Value = objDataList.Fields("distinguishedName").Value
	    	lst_GroupFilter.Add objActiveOption
	    	objDataList.MoveNext
		Wend
		objDataList.Close
	End Sub
 
	Sub Show_Group_Selection
		span_GroupFilter.InnerHTML = lst_GroupFilter.Value
	End Sub
 
	Sub Default_Buttons
		If Window.Event.KeyCode = 13 Then
			btn_run.Click
		End If
	End Sub
 
	Sub Exit_HTA
		Window.Close
	End Sub
 
	Sub Get_Members
		Const adVarChar = 200
		Const MaxCharacters = 255

		Clear_Members

		Set objGroup = GetObject("LDAP://" & lst_groupfilter.Value)
		Set objDataList = CreateObject("ADOR.Recordset")
		objDataList.Fields.Append "name", adVarChar, MaxCharacters
		objDataList.Fields.Append "distinguishedName", adVarChar, MaxCharacters
		objDataList.Open
		
		For Each objObject In objGroup.Members
		    objDataList.AddNew
		    objDataList("name") = objObject.cn
		    objDataList("distinguishedName") = objObject.distinguishedName
		    objDataList.Update
		Next
		objDataList.Sort = "name"
		If Not objDataList.BOF Then objDataList.MoveFirst
		While Not objDataList.EOF
			Set objMember = Document.CreateElement("OPTION")
    		objMember.Text = objDataList.Fields("name").Value
	    	objMember.Value = objDataList.Fields("distinguishedName").Value
	    	lst_members.Add objMember
	    	objDataList.MoveNext
		Wend
		objDataList.Close
	End Sub
	
	Sub ExporT_To_TXT
	    If Mid(document.location, 6, 3) = "///" Then
	    	strHTAPath = Mid(Replace(Replace(document.location, "%20", " "), "/", "\"), 9)
	    Else
	    	strHTAPath = Mid(Replace(Replace(document.location, "%20", " "), "/", "\"), 6)
	    End If
		strFileName = Left(strHTAPath, InStrRev(strHTAPath, "\")) & lst_GroupFilter.Item(lst_GroupFilter.SelectedIndex).Text & ".txt"
		strFileName = InputBox("Enter file name to save as:", "Save As", strFileName)
		If strFileName <> "" Then
			Set objFSO = CreateObject("Scripting.FileSystemObject")
			Set objFile = objFSO.CreateTextFile(strFileName, True)
			objFile.WriteLine "Group Distinguished Name: " & lst_groupfilter.Value
			For Each objOption In lst_members
				objFile.WriteLine objOption.Text
			Next
			objFile.Close
			MsgBox "File saved."
		End If
	End Sub
</script>
<body style="background-color:#B0C4DE;" onkeypress='vbs:Default_Buttons'>
	<table height="90%" width= "90%" border="0" align="center">
		<tr>
			<td align="center" colspan="2">
				<h2>List Group Members</h2>
			</td>
		</tr>
		<tr>
			<td>
				<b>Group Filter:</b>
			</td>
			<td>
			    <select size='1' name='lst_GroupFilter'  onChange='vbs:Show_Group_Selection'>
				</select>
			</td>
		</tr>
		<tr>
			<td colspan=2>
				<b>Group Selected:</b>&nbsp&nbsp&nbsp<span id='span_GroupFilter'></span>
			</td>
		</tr>		<tr>
			<td>
				<b>Members:</b>
			</td>
			<td>
			    <select size='8' name='lst_members'>
				</select>
			</td>
		</tr>
	</table>
	<table width= "90%" border="0" align="center">
		<tr align="center">
			<td>
				<button name="btn_run" id="btn_run" accessKey="G" onclick="vbs:Get_Members"><u>G</u>et Members</button>
			</td>
			<td>
				<button name="btn_export" id="btn_export" accessKey="E" onclick="vbs:Export_To_TXT"><u>E</u>xport to TXT</button>
			</td>
			<td>
				<button name="btn_exit" id="btn_exit" accessKey="x" onclick="vbs:Exit_HTA">E<u>x</u>it</button>
			</td>
		</tr>
	</table>
</body>
</head>
</html>

Open in new window

0
 

Author Comment

by:itsmevic
ID: 37825932
Hi SedWick,

    Where you have the fields are perfect.  The "Group Filter" field is a little skinny and may need more width.  Also, when executing the .HTA file I'm getting the following error:

Line: 60
Character: 4
Error:  "Item cannot be found in the Collection of corresponding to the requested name or ordinal."
Code:  0
0
 
LVL 42

Expert Comment

by:sedgwick
ID: 37826448
i forgot to add managedBy to the select query, so change line 48 to this one:
objCommand.CommandText = "SELECT Name, distinguishedName,ManagedBy FROM 'LDAP://" & strDNSDomain & "' WHERE objectClass='group'"
0
 

Author Comment

by:itsmevic
ID: 37828682
Hi Sedgwick,

    Thanks for the revision.  Looks like I'm getting this error now when launching:

Line:  61
Char:  5
Error:  Object required: 'WScript'
Code:  0

Thanks for your help!
0
 
LVL 42

Accepted Solution

by:
sedgwick earned 500 total points
ID: 37831223
VBS in IE or as an HTA does not support WScript object, i used it in my vbs just for testing so u don't really need that.
so instead of the lines below:
If IsNull(objRecordSet.Fields("managedBy")) then
				WScript.Echo "No user account is assigned to manage group " & objRecordSet.Fields("name").Value
			else
				objDataList("managedBy") = objRecordSet.Fields("managedBy").Value
			end if 

Open in new window


use this:
If Not IsNull(objRecordSet.Fields("managedBy")) then
				objDataList("managedBy") = objRecordSet.Fields("managedBy").Value
			end if 

Open in new window

0
 

Author Comment

by:itsmevic
ID: 37835616
Hi Sedgwick,

     No errors upon executing the script this time, however it doesn't appear to be launching into the GUI.  It will eventually hang and I'll get a "Not Responding" on the top of it's dialog box.  I went into the Task Manager and the Memory usage isn't increasing like it does in the original .HTA.   Interesting.
0
 

Author Closing Comment

by:itsmevic
ID: 37857089
Thank you.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Finding original email is quite difficult due to their duplicates. From this article, you will come to know why multiple duplicates of same emails appear and how to delete duplicate emails from Outlook securely and instantly while vital emails remai…
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question