Tags: active directory, script, user accounts, vb script

#1
Add User to group through comparison to other user's memberships

I have a "New User" script which is very complex and handles adding most AD properties upon creation, address tab, phones, profile tab, organisation tab, etc. It also will use any existing user as a template for group membership addition. I was using the WinNT method in this script, and am now changing that to the LDAP method since the WinNT method doesn't pick up distribution groups. However, I am now getting a "bad path" error when I try to add the groups to the new user. Can someone assist me here please. I will paste the pertinent section in here, as the original script is nearly 1000 lines of code

I have added a comment where the error is occurring

Here is the section of script that I am struggling with:

    Function DuplicateUser()

        strUsr2Duplicate = inputbox("What is the username you wish to duplicate the membership of? " & vbCrLf & vbCrLf & "Enter the LOGIN ID of the required user, using the First Initial + Lastname format as in the below example:" & vbCrLf & vbCrLf & "Joe User would be" & vbCrLf & vbCrLf & "juser" & vbCrLf, "Group Membership Duplication process")
        strDomain = "MyDomain"

        if strUsr2Duplicate = "" then
            msgbox "No user requested - No group memberships will be duplicated"
        else
            call LocateUser
        End if
    End Function

    Function LocateUser()
        'On Error Resume Next
        Set ObjUser1 = Getobject("WinNT://" & strDomain & "/" & strUsr2Duplicate & ",user")
        if err.number<>0 then
            Call BadUserName
        Else
            Call DuplicateUserFinish
        End if
    End Function

    Function BadUserName()
        MsgBox "You've chosen a username which does not exist"
        intAnswer = _
            Msgbox("Do you wish to choose another username for Group Membership duplication?", _
            vbYesNo, "Copy User Membership?")
        If intAnswer = vbYes Then
            Call DuplicateUser
        Else
            Msgbox "No user requested - No group memberships will be duplicated"
        End if
    End Function

    Function DuplicateUserFinish()
        ' Use the NameTranslate object to convert the NT user name to the
        ' Distinguished Name required for the LDAP provider.
        Set objTrans = CreateObject("NameTranslate")
        ' Initialize NameTranslate by locating the Global Catalog.
        objTrans.Init ADS_NAME_INITTYPE_GC, ""
        ' Use the Set method to specify the NT format of the object name.
        ' Trap the error if the user does not exist.
        'On Error Resume Next
        objTrans.Set ADS_NAME_TYPE_NT4, strNTName
        If (Err.Number <> 0) Then
            Wscript.Echo "User " & strUsrName & " not found."
            Wscript.Quit
        End If
        On Error GoTo 0
        strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)

        ' Bind to the user object in Active Directory with the LDAP provider.
        Set objUser2 = GetObject("LDAP://" & strUserDN)
        ' Enumerate groups that first user belongs to.
        For Each objGroup In objUser1.Groups
            ' Check if second user belongs.
            If (objGroup.IsMember(objUser2.AdsPath) = False) Then
                ' Add the second user to the group.

                ' HERE IS WHERE I GET THE ERROR
                objGroup.Add(objUser2.AdsPath)
            End if
        Next

        Wscript.Echo "Success " & strUsr2Duplicate & "'s Group Memberships have been duplicated for " & strSAm
    End function

#2
Re: Add User to group through comparison to other user's memberships

SecurityGuy wrote:
> I have a "New User" script which is very complex and handles adding most
> AD properties upon creation, address tab, phones, profile tab,
> organisation tab, etc. It also will use any existing user as a template
> for group membership addition. I was using the WinNT method in this
> script, and am now changing that to the LDAP method since the WinNT
> method doesn't pick up distribution groups. However, I am now getting a
> "bad path" error when I try to add the groups to the new user. Can
> someone assist me here please. I will paste the pertinent section in
> here, as the original script is nearly 1000 lines of code
>
> I have added a comment where the error is occurring
>
> Here is the section of script that I am struggling with:
>
> Function DuplicateUser()
>
> strUsr2Duplicate = inputbox("What is the username you wish to duplicate
> the membership of? " & vbCrLf & vbCrLf & "Enter the LOGIN ID of the
> required user, using the First Initial + Lastname format as in the below
> example:" & vbCrLf & vbCrLf & "Joe User would be" & vbCrLf & vbCrLf &
> "juser" & vbCrLf, "Group Membership Duplication process")
> strDomain = "MyDomain"
>
> if strUsr2Duplicate = "" then
> msgbox "No user requested - No group memberships will be duplicated"
> else
> call LocateUser
> End if
> End Function
>
> Function LocateUser()
> 'On Error Resume Next
> Set ObjUser1 = Getobject("WinNT://" & strDomain & "/" &
> strUsr2Duplicate & ",user")
> if err.number<>0 then
> Call BadUserName
> Else
> Call DuplicateUserFinish
> End if
> End Function
>
> Function BadUserName()
> MsgBox "You've chosen a username which does not exist"
> intAnswer = _
> Msgbox("Do you wish to choose another username for Group
> Membership duplication?", _
> vbYesNo, "Copy User Membership?")
> If intAnswer = vbYes Then
> Call DuplicateUser
> Else
> Msgbox "No user requested - No group memberships will be
> duplicated"
> End if
> End Function
>
> Function DuplicateUserFinish()
> ' Use the NameTranslate object to convert the NT user name to the
> ' Distinguished Name required for the LDAP provider.
> Set objTrans = CreateObject("NameTranslate")
> ' Initialize NameTranslate by locating the Global Catalog.
> objTrans.Init ADS_NAME_INITTYPE_GC, ""
> ' Use the Set method to specify the NT format of the object name.
> ' Trap the error if the user does not exist.
> 'On Error Resume Next
> objTrans.Set ADS_NAME_TYPE_NT4, strNTName
> If (Err.Number <> 0) Then
> Wscript.Echo "User " & strUsrName & " not found."
> Wscript.Quit
> End If
> On Error GoTo 0
> strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
>
> ' Bind to the user object in Active Directory with the LDAP provider.
> Set objUser2 = GetObject("LDAP://" & strUserDN)
> ' Enumerate groups that first user belongs to.
> For Each objGroup In objUser1.Groups
> ' Check if second user belongs.
> If (objGroup.IsMember(objUser2.AdsPath) = False) Then
> ' Add the second user to the group.
>
> ' HERE IS WHERE I GET THE ERROR
> objGroup.Add(objUser2.AdsPath)
> End if
> Next
>
> Wscript.Echo "Success " & strUsr2Duplicate & "'s Group Memberships have
> been duplicated for " & strSAm
> End function
>

The variable strNTName is never assigned a value. It is used when you invoke the Set method of the NameTranslate object to assign the NT format of the name. I think you want to use:

    objTrans.Set ADS_NAME_TYPE_NT4, strDomain & "\" & strUsr2Duplicate

But now I'm getting objUser1 and objUser2 confused. objUser1, from what we see, is this user bound with the WinNT provider, while objUser2 is the same user bound with the LDAP provider. I think objUser1 should be the newly created user and objUser2 the "template" user whose group memberships will be copied over to objUser1. If so, do not use "Set objUser1" in the code to bind with the WinNT provider (maybe use objUser3).

If I assume that objUser1 was previously assigned as the object reference for the new user, then the last part of Function DuplicateUserFinish should be:

==================
    ' Bind to the user object in Active Directory with the LDAP provider.
    Set objUser2 = GetObject("LDAP://" & strUserDN)
    ' Enumerate groups the template user belongs to.
    For Each objGroup In objUser2.Groups
        ' Check if new user belongs.
        If (objGroup.IsMember(objUser1.AdsPath) = False) Then
            ' Add the new user to the group.
            objGroup.Add(objUser1.AdsPath)
        End if
    Next
=============

Note in the "For Each" loop I switched objUser1 and objUser2, so the newly created user is now added to the groups. I assume that objUser1 was bound using the LDAP provider somewhere else in the program.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

#3
Re: Add User to group through comparison to other user's memberships

Yes, you are correct in that objUser1 IS the newly created user and objUser2 is the "template" user I wish to copy the memberships of

I've changed my code as you suggested, and now I am getting the following Windows Scripting Host error

    Script: CreateUser.vbs
    Line: 1009
    Char: 1
    Error: 0x80005008
    Code: 80005008
    Source: (null)

Here is the code as it stands now

    Function DuplicateUser()

        strUsr2Duplicate = inputbox("What is the username you wish to duplicate the membership of? " & vbCrLf & vbCrLf & "Enter the LOGIN ID of the required user, using the First Initial + Lastname format as in the below example:" & vbCrLf & vbCrLf & "Joe User would be" & vbCrLf & vbCrLf & "juser" & vbCrLf, "Group Membership Duplication process")
        strDomain = "chgfe"

        if strUsr2Duplicate = "" then
            msgbox "No user requested - No group memberships will be duplicated"
        else
            call LocateUser
        End if
    End Function

    Function LocateUser()
        'On Error Resume Next
        Set ObjUser1 = Getobject("WinNT://" & strDomain & "/" & strUsr2Duplicate & ",user")
        if err.number<0 then
            Call BadUserName
        Else
            Call DuplicateUserFinish
        End if
    End Function

    Function BadUserName()
        MsgBox "You've chosen a username which does not exist"
        intAnswer = _
            Msgbox("Do you wish to choose another username for Group Membership duplication?", _
            vbYesNo, "Copy User Membership?")
        If intAnswer = vbYes Then
            Call DuplicateUser
        Else
            Msgbox "No user requested - No group memberships will be duplicated"
        End if
    End Function

    Function DuplicateUserFinish()
        ' Use the NameTranslate object to convert the NT user name to the
        ' Distinguished Name required for the LDAP provider.
        Set objTrans = CreateObject("NameTranslate")
        ' Initialize NameTranslate by locating the Global Catalog.
        objTrans.Init ADS_NAME_INITTYPE_GC, ""
        ' Use the Set method to specify the NT format of the object name.
        ' Trap the error if the user does not exist.
        On Error Resume Next
        objTrans.Set ADS_NAME_TYPE_NT4, strDomain & "\" & strUsr2Duplicate
        If (Err.Number <0) Then
            Wscript.Echo "User " & strUsrName & " not found."
            Wscript.Quit
        End If
        On Error GoTo 0
        strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)

        ' Bind to the user object in Active Directory with the LDAP provider.
        Set objUser2 = GetObject("LDAP://" & strUserDN)
        ' Enumerate groups the template user belongs to.
        For Each objGroup In objUser2.Groups
            ' Check if new user belongs.
            If (objGroup.IsMember(objUser1.AdsPath) = False) Then
                ' Add the new user to the group.
                objGroup.Add(objUser1.AdsPath)
            End if
        Next

        Wscript.Echo "Success " & strUsr2Duplicate & "'s Group Memberships have been duplicated for " & strSAm
    End function

#4
Re: Add User to group through comparison to other user's memberships

"SecurityGuy" <SecurityGuy.3poknc@DoNotSpam.com> wrote in message news:SecurityGuy.3poknc@DoNotSpam.com...
>
> Yes, you are correct in that objUser1 IS the newly created user and
> objUser2 is the "template" user I wish to copy the memberships of
>
> I've changed my code as you suggested, and now I am getting the
> following Windows Scripting Host error
>
> Script: CreateUser.vbs
> Line: 1009
> Char: 1
> Error: 0x80005008
> Code: 80005008
> Source: (null)
>
> Here is the code as it stands now
>
> Function DuplicateUser()
>
> strUsr2Duplicate = inputbox("What is the username you wish to duplicate
> the membership of? " & vbCrLf & vbCrLf & "Enter the LOGIN ID of the
> required user, using the First Initial + Lastname format as in the below
> example:" & vbCrLf & vbCrLf & "Joe User would be" & vbCrLf & vbCrLf &
> "juser" & vbCrLf, "Group Membership Duplication process")
> strDomain = "chgfe"
>
> if strUsr2Duplicate = "" then
> msgbox "No user requested - No group memberships will be duplicated"
> else
> call LocateUser
> End if
> End Function
>
> Function LocateUser()
> 'On Error Resume Next
> Set ObjUser1 = Getobject("WinNT://" & strDomain & "/" &
> strUsr2Duplicate & ",user")
> if err.number<0 then
> Call BadUserName
> Else
> Call DuplicateUserFinish
> End if
> End Function
>
> Function BadUserName()
> MsgBox "You've chosen a username which does not exist"
> intAnswer = _
> Msgbox("Do you wish to choose another username for Group Membership
> duplication?", _
> vbYesNo, "Copy User Membership?")
> If intAnswer = vbYes Then
> Call DuplicateUser
> Else
> Msgbox "No user requested - No group memberships will be duplicated"
> End if
> End Function
>
> Function DuplicateUserFinish()
> ' Use the NameTranslate object to convert the NT user name to the
> ' Distinguished Name required for the LDAP provider.
> Set objTrans = CreateObject("NameTranslate")
> ' Initialize NameTranslate by locating the Global Catalog.
> objTrans.Init ADS_NAME_INITTYPE_GC, ""
> ' Use the Set method to specify the NT format of the object name.
> ' Trap the error if the user does not exist.
> On Error Resume Next
> objTrans.Set ADS_NAME_TYPE_NT4, strDomain & "\" & strUsr2Duplicate
> If (Err.Number <0) Then
> Wscript.Echo "User " & strUsrName & " not found."
> Wscript.Quit
> End If
> On Error GoTo 0
> strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
>
> ' Bind to the user object in Active Directory with the LDAP provider.
> Set objUser2 = GetObject("LDAP://" & strUserDN)
> ' Enumerate groups the template user belongs to.
> For Each objGroup In objUser2.Groups
> ' Check if new user belongs.
> If (objGroup.IsMember(objUser1.AdsPath) = False) Then
> ' Add the new user to the group.
> objGroup.Add(objUser1.AdsPath)
> End if
> Next
>
> Wscript.Echo "Success " & strUsr2Duplicate & "'s Group Memberships have
> been duplicated for " & strSAm
> End function
>
> --
> SecurityGuy
> ------------------------------------------------------------------------
> SecurityGuy's Profile: http://forums.techarena.in/members/85156.htm
> View this thread: Add User to group through comparison to other user's memberships
>
> http://forums.techarena.in
>

We don't know which is line 1009, but the object reference objUser1 still refers to the template user bound with the WinNT provider. Because objUser1 probably has global scope, the statement

    Set ObjUser1 = Getobject("WinNT://" & strDomain & "/" & strUsr2Duplicate & ",user")

replaces the reference for the newly created user. This causes an error when you attempt to add the user to a group by passing objUser1.AdsPath to the Add method of the group. Perhaps use objUser3 in the statement above.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
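
The fix from replies #2 and #4, consolidated as an added example (not code from SecurityGuy's script or from Richard Mueller): the template user is bound with the LDAP provider through a local variable, so the caller's new-user reference is never overwritten, and every group is reported as added, skipped or failed. The function names and the `arrNeverCopy` skip list are assumptions of this example; the constants carry the standard ADSI values, which the posted excerpt does not show.

```vbscript
Option Explicit

' Standard ADSI NameTranslate values (not shown in the posted excerpt).
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_1779 = 1
Const ADS_NAME_TYPE_NT4 = 3

' Hypothetical skip list: groups that are never inherited from a template.
Dim arrNeverCopy
arrNeverCopy = Array("Domain Admins", "Enterprise Admins", "Schema Admins")

' Translate DOMAIN\name to a distinguished name; returns "" when not found.
Function GetUserDN(strDomain, strSam)
    Dim objTrans
    GetUserDN = ""
    Set objTrans = CreateObject("NameTranslate")
    objTrans.Init ADS_NAME_INITTYPE_GC, ""
    On Error Resume Next
    objTrans.Set ADS_NAME_TYPE_NT4, strDomain & "\" & strSam
    If Err.Number = 0 Then GetUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
    Err.Clear
    On Error GoTo 0
End Function

' True when the group's cn is on the skip list (case-insensitive).
Function IsSkipped(strCN)
    Dim strName
    IsSkipped = False
    For Each strName In arrNeverCopy
        If StrComp(strName, strCN, vbTextCompare) = 0 Then IsSkipped = True
    Next
End Function

' objNewUser must already be bound with the LDAP provider.
' Returns one report line per group: ADDED, SKIPPED or FAILED.
Function CopyGroups(objNewUser, strDomain, strTemplateSam)
    Dim strDN, objTemplate, objGroup, strCN, lngErr, strReport
    strDN = GetUserDN(strDomain, strTemplateSam)
    If strDN = "" Then
        CopyGroups = "Template user not found: " & strTemplateSam
        Exit Function
    End If
    ' Local reference: the caller's new-user object is never overwritten.
    ' A "/" in a DN has to be escaped before it goes into an ADsPath.
    Set objTemplate = GetObject("LDAP://" & Replace(strDN, "/", "\/"))
    strReport = ""
    For Each objGroup In objTemplate.Groups
        strCN = objGroup.Get("cn")
        If IsSkipped(strCN) Then
            strReport = strReport & "SKIPPED " & strCN & vbCrLf
        ElseIf Not objGroup.IsMember(objNewUser.ADsPath) Then
            On Error Resume Next
            objGroup.Add objNewUser.ADsPath
            lngErr = Err.Number
            Err.Clear
            On Error GoTo 0
            If lngErr = 0 Then
                strReport = strReport & "ADDED   " & strCN & vbCrLf
            Else
                strReport = strReport & "FAILED  " & strCN & " (0x" & Hex(lngErr) & ")" & vbCrLf
            End If
        End If
    Next
    CopyGroups = strReport
End Function

' Usage inside the new-user script, where objUser is the new account:
'   WScript.Echo CopyGroups(objUser, "MyDomain", "juser")
```

Keeping the report with the account-creation record shows exactly which memberships a template handed to the new user.
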
#5
Re: Add User to group through comparison to other user's memberships

Thanks once again Richard. You are an eggggggsellent resource to say the least.

Everything is working great now, and I have cleaned up a bunch of extraneous stuff from the script in the process. I realised that we already have declared and defined the initial user, and we're only dealing with a total of two user objects, so the end result is I use objUser and objUser2 to accomplish the comparison. Works like a charm.

One last piece I'd like to add to the script if you haven't had enough of me yet, is to determine who is the logged on user that is running the script. I currently have an input box that allows opportunity to add a "Description" of your own choosing at the time of creation, and append to that the date and time it is created. I would like to add the creator as we have a large complement of people who deal with the new user requests.

Also, if you feel it would be useful to the general populace reading this forum, I can publish the completed script with some sanitization

Once again, you have been invaluable

Thanks

#6
Re: Add User to group through comparison to other user's memberships

Glad the script works. You can retrieve the DN of the current user from the ADSystemInfo object. For example:

    Set objSysInfo = CreateObject("ADSystemInfo")
    strUserDN = objSysInfo.UserName

To get the UserID (pre-Windows 2000 logon name) you can either bind to the current user object (with the DN from above) and retrieve the sAMAccountName attribute, or you can retrieve the UserName property of the wshNetwork object. For example:

    Set objNetwork = CreateObject("Wscript.Network")
    strUserName = objNetwork.UserName

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"SecurityGuy" <SecurityGuy.3ppvvb@DoNotSpam.com> wrote in message news:SecurityGuy.3ppvvb@DoNotSpam.com...
>
> Thanks once again Richard. You are an eggggggsellent resource to say
> the least.
>
> Everything is working great now, and I have cleaned up a bunch of
> extraneous stuff from the script in the process. I realised that we
> already have declared and defined the initial user, and we're only
> dealing with a total of two user objects, so the end result is I use
> objUser and objUser2 to accomplish the comparison. Works like a charm.
>
> One last piece I'd like to add to the script if you haven't had enough
> of me yet, is to determine who is the logged on user that is running the
> script. I currently have an input box that allows opportunity to add a
> "Description" of your own choosing at the time of creation, and append
> to that the date and time it is created. I would like to add the creator
> as we have a large complement of people who deal with the new user
> requests.
>
> Also, if you feel it would be useful to the general populace reading
> this forum, I can publish the completed script with some sanitization
>
> Once again, you have been invaluable
>
> Thanks
>
> --
> SecurityGuy

#7
Re: Add User to group through comparison to other user's memberships

In news:SecurityGuy.3ppvvb@DoNotSpam.com, SecurityGuy <SecurityGuy.3ppvvb@DoNotSpam.com>, posted the following:
> Thanks once again Richard. You are an eggggggsellent resource to say
> the least.
>
> Everything is working great now, and I have cleaned up a bunch of
> extraneous stuff from the script in the process. I realised that we
> already have declared and defined the initial user, and we're only
> dealing with a total of two user objects, so the end result is I use
> objUser and objUser2 to accomplish the comparison. Works like a
> charm.
>
> One last piece I'd like to add to the script if you haven't had enough
> of me yet, is to determine who is the logged on user that is running
> the script. I currently have an input box that allows opportunity to
> add a "Description" of your own choosing at the time of creation, and
> append to that the date and time it is created. I would like to add
> the creator as we have a large complement of people who deal with the
> new user requests.
>
> Also, if you feel it would be useful to the general populace reading
> this forum, I can publish the completed script with some sanitization
>
> Once again, you have been invaluable
>
> Thanks

Hello SecurityGuy,

I've been following your threads and you and Richard's postings. I would actually be interested in the script, because it sounds like a very comprehensive, and resourceful script. However, I realize how much time and effort you've put into it, and I can quite understand if you may be reluctant to post it.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

#8
Re: Add User to group through comparison to other user's memberships

Ace

I will be posting the sanitized and polished version shortly. Stay tuned. However, there are two outstanding issues I want to resolve first before posting

1.) Just esthetics really, I want to add the creator's name to the description field of the new user

2.) Minor annoyance, in that if you choose to NOT create a mailbox for the new user, you still get prompted to choose the mailstore. Doesn't affect the outcome, just annoying

#9
Re: Add User to group through comparison to other user's memberships

In news:SecurityGuy.3pq6zc@DoNotSpam.com, SecurityGuy <SecurityGuy.3pq6zc@DoNotSpam.com>, posted the following:
> Ace
>
> I will be posting the sanitized and polished version shortly. Stay
> tuned. However, there are two outstanding issues I want to resolve
> first before posting
>
> 1.) Just esthetics really, I want to add the creator's name to the
> description field of the new user
>
> 2.) Minor annoyance, in that if you choose to NOT create a mailbox for
> the new user, you still get prompted to choose the mailstore. Doesn't
> affect the outcome, just annoying

Ok, sounds good. I appreciate your efforts.

As for mailbox, is this for Exchange 2003 or 2007? I know 2007 you can use the monad (power shell) scripts, but I have no idea how to incorporate that into a VB script, or even if you can mix it for both 2003 and 2007, since this is not my forte.

Ace

#10
Re: Add User to group through comparison to other user's memberships

Richard

Your function for finding the logged in user works fine for me, but I'm having an issue truncating it down to just the username. Not sure how I would accomplish that. I've looked at the VB Functions Left, Trim, Right, Mid, etc, but none of those will suffice. Your function results in the full adsi path for the user, and not all the users running the script will be in the same container, so I can't be sure of the number of characters to remove from the right, and the user names aren't the same length from the left.

Is there a way I can do a string compare and just pull out the characters between the cn= and the comma trailing the username?

Other than this last bit of polish, the script is looking good and should prove useful to the larger audience

Thanks in advance for all the help you've been thus far
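
For the question in post #10, an added example (not part of the thread's script): reply #6 already names the sturdier route, binding with the DN and reading sAMAccountName, which avoids slicing the DN at all. A string-only fallback is included that stops at the first unescaped comma. `CurrentUserLogon`, `FirstRdnValue` and `DescriptionStamp` are hypothetical names.

```vbscript
Option Explicit

' Preferred: bind with the DN from ADSystemInfo and read the attribute,
' so container depth and name length never matter.
Function CurrentUserLogon()
    Dim objSysInfo, objMe
    Set objSysInfo = CreateObject("ADSystemInfo")
    ' A "/" in a DN has to be escaped before it goes into an ADsPath.
    Set objMe = GetObject("LDAP://" & Replace(objSysInfo.UserName, "/", "\/"))
    CurrentUserLogon = objMe.Get("sAMAccountName")
End Function

' String-only fallback: value of the first RDN of a DN, for example
' "Smith, John" from "CN=Smith\, John,OU=Staff,DC=example,DC=com"
' (constructed sample). Handles single-character escapes such as "\,";
' hex escapes such as "\0A" are not decoded.
Function FirstRdnValue(strDN)
    Dim i, ch, strOut
    strOut = ""
    i = InStr(strDN, "=") + 1
    Do While i <= Len(strDN)
        ch = Mid(strDN, i, 1)
        If ch = "\" And i < Len(strDN) Then
            ' Escaped character: keep it and step over the backslash.
            strOut = strOut & Mid(strDN, i + 1, 1)
            i = i + 2
        ElseIf ch = "," Then
            ' First unescaped comma ends the RDN.
            Exit Do
        Else
            strOut = strOut & ch
            i = i + 1
        End If
    Loop
    FirstRdnValue = strOut
End Function

' Description text followed by the creation time and the creator's logon name.
Function DescriptionStamp(strText)
    DescriptionStamp = strText & " - created " & Now & " by " & CurrentUserLogon()
End Function
```
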
#11
Re: Add User to group through comparison to other user's memberships

Looks like I have the script completed.

I am posting the script in a new thread entitled

"Useful CreateUser script for Any and All"

#12
Re: Add User to group through comparison to other user's memberships

In news:SecurityGuy.3pvtrb@DoNotSpam.com, SecurityGuy <SecurityGuy.3pvtrb@DoNotSpam.com>, posted the following:
> Looks like I have the script completed.
>
> I am posting the script in a new thread entitled
>
> "Useful CreateUser script for Any and All"

Thanks!