Hi, I'd like to know if anyone can help me figure out how to write a script that checks a username to see whether it is in a specific Active Directory group. However, the group lives in the parent domain, so we have a domain named Midwest.Contoso.com and a user "John Doe", and I need to be able to run the query against the group top_level_admin, which resides in Contoso.com.
All the scripts I've found only seem to run the query against the Midwest domain and never see the group in the parent domain. I know too little about the ADO functionality in VBScript to make use of it. Does anyone have a script they would be kind enough to share, so I can save a bit of time until I learn more about VBScripting?
I'd like to be able to run the query by just typing the group name and the user name on the machine, but I've been messing with this for three days now and just want to get somewhere, so I thought I'd ask for some help.
This is the code I was trying to get to work for me, since it reaches the parent domain the way I need and collects information about groups and users from the whole forest.
' Enumerate every domain in the forest from the Partitions container of the
' configuration naming context and add each one to arrDomainNames
Set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "<LDAP://cn=Partitions," & objRootDSE.Get("ConfigurationNamingContext") & ">;"
strFilter = "(&(objectcategory=crossRef)(systemFlags=3));"
strAttrs = "name,trustParent,nCName,dnsRoot,distinguishedName;"
strScope = "onelevel"
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
objRS.MoveFirst
Set arrDomainNames = CreateObject("Scripting.Dictionary")     ' domain name -> 1 for the forest root, 0 for a child domain
Set dicDomainHierarchy = CreateObject("Scripting.Dictionary") ' child domain name -> parent domain name
Set dicDomainRoot = CreateObject("Scripting.Dictionary")      ' domain name -> its naming context (DC=...)
While Not objRS.EOF
    dicDomainRoot.Add objRS.Fields("name").Value, objRS.Fields("nCName").Value
    If objRS.Fields("trustParent").Value <> "" Then
        ' trustParent is set only on child domains; it points at the parent's crossRef
        arrDomainNames.Add objRS.Fields("name").Value, 0
        Set objDomainParent = GetObject("LDAP://" & objRS.Fields("trustParent").Value)
        dicDomainHierarchy.Add objRS.Fields("name").Value, objDomainParent.Get("name")
    Else
        arrDomainNames.Add objRS.Fields("name").Value, 1
    End If
    objRS.MoveNext
Wend
' Attach to Active Directory for the per-domain group searches
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection
' Search every domain found above (parent and children alike) for its groups
For Each strDomain In arrDomainNames
    strBase = "<LDAP://" & strDomain & ">"
    strFilter = "(&(objectCategory=group)(objectClass=group))"
    strAttributes = "name,cn,member"
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False
    adoCommand.Properties("Sort On") = "cn"
    Set adoRecordset = adoCommand.Execute
    inNumGroups = 0
    WScript.Echo "Pre-Processing " & strFilter & " Data..."
    '===Write information to Export File===
    While Not adoRecordset.EOF
        ' member is multi-valued, so it comes back as an array of member DNs
        arrMember = adoRecordset.Fields("member")
        If IsArray(arrMember) Then
            For Each strMember In arrMember
                MsgBox adoRecordset.Fields("cn") & vbCRLF & strMember
            Next
        Else
            MsgBox adoRecordset.Fields("cn") & vbCRLF & "This group has no members"
        End If
        adoRecordset.MoveNext
    Wend
Next
Answer 0 (score: 0)
Here is where you can start from:
Set objNetwork = CreateObject("WScript.Network")
strDomain = objNetwork.UserDomain
strUser = objNetwork.UserName
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser)
Dim groups
For Each objGroup In objUser.Groups
    groups = groups & objGroup.Name & vbCRLF
Next
MsgBox groups
If the groups you expect are not shown, make sure to look at them with ADSI Edit or an LDAP browser.
Answer 1 (score: 0)
Here is the answer I ended up with, but thanks for your help!
strGroupDN = "CN=UserGroup,OU=MainOU,OU=SecondaryGroup,OU=MainGroups,DC=Primary,DC=FQDN,DC=com"
Set objGroup = GetObject("LDAP://" & strGroupDN)
'wscript.echo strGroupDN
' Uncomment the following three lines to have the system check the current user's directory information rather than specifying the user explicitly like it currently is below.
'Set objADSysInfo = CreateObject("ADSystemInfo")
' strUserDN will look like CN=TestUser1,OU=End Users,CN=UserGroup,OU=MainOU,OU=SecondaryGroup,OU=MainGroups,DC=Primary,DC=FQDN,DC=com
'strUserDN = objADSysInfo.UserName
strUserDN = "CN=TestUser1,OU=End Users,CN=UserGroup,OU=MainOU,OU=SecondaryGroup,OU=MainGroups,DC=Primary,DC=FQDN,DC=com"
'wscript.echo strUserDN
' IADsGroup.IsMember checks direct membership of this group by the user's ADsPath
If objGroup.IsMember("LDAP://" & strUserDN) Then
    WScript.Echo "The User is in the group"
    ' The user is in the group so run the following actions
Else
    WScript.Echo "The user is not in the group"
End If
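The script the question asked for, as an added example that is not code from the question or from either answer: it takes the group name and the user name as command-line arguments, resolves both to distinguished names by searching the Global Catalog (which holds a partial replica of every domain in the forest, so a group in Contoso.com is found from a machine in Midwest.Contoso.com), and then uses the same IADsGroup.IsMember check as Answer 1. The file name IsInGroup.vbs, the argument values, and the requirement that the machine can reach a Global Catalog are assumptions, not details from the page.

```vbscript
' Added example, not code from the question or either answer above.
' Usage: cscript //nologo IsInGroup.vbs <groupName> <userName>
' Assumptions (placeholders, not values from the page): the machine is joined
' to a domain of the forest and can reach a Global Catalog; <groupName> and
' <userName> are sAMAccountName values, e.g. top_level_admin and jdoe.
Option Explicit

' Escape characters that are special in an LDAP filter (RFC 4515), so that a
' name typed on the command line cannot change the shape of the search filter.
Function EscapeLdapFilter(strValue)
    Dim strOut
    strOut = Replace(strValue, "\", "\5c")
    strOut = Replace(strOut, "*", "\2a")
    strOut = Replace(strOut, "(", "\28")
    strOut = Replace(strOut, ")", "\29")
    strOut = Replace(strOut, Chr(0), "\00")
    EscapeLdapFilter = strOut
End Function

' Look an object up by sAMAccountName in the Global Catalog and return its
' distinguishedName, or "" if nothing matched. The GC covers every domain in
' the forest, which is what lets a script run in the child domain find a group
' that lives in the parent domain.
Function FindDistinguishedName(strObjectCategory, strSamAccountName)
    Dim objRootDSE, objConn, objCmd, objRS
    Set objRootDSE = GetObject("LDAP://RootDSE")
    Set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Open "Active Directory Provider"
    Set objCmd = CreateObject("ADODB.Command")
    objCmd.ActiveConnection = objConn
    objCmd.CommandText = "<GC://" & objRootDSE.Get("rootDomainNamingContext") & ">;" & _
        "(&(objectCategory=" & strObjectCategory & ")(sAMAccountName=" & _
        EscapeLdapFilter(strSamAccountName) & "));distinguishedName;subtree"
    objCmd.Properties("Page Size") = 100
    Set objRS = objCmd.Execute
    If objRS.EOF Then
        FindDistinguishedName = ""
    Else
        FindDistinguishedName = objRS.Fields("distinguishedName").Value
    End If
    objRS.Close
    objConn.Close
End Function

' Bind to the group by its DN (ADSI locates a DC of whichever domain the DN
' belongs to) and ask whether the user's ADsPath is a direct member.
' IADsGroup.IsMember does not expand nested groups.
Function IsDirectMember(strGroupDN, strUserDN)
    Dim objGroup
    Set objGroup = GetObject("LDAP://" & strGroupDN)
    IsDirectMember = objGroup.IsMember("LDAP://" & strUserDN)
End Function

Dim strGroupName, strUserName, strGroupDN, strUserDN
If WScript.Arguments.Count <> 2 Then
    WScript.Echo "Usage: cscript //nologo IsInGroup.vbs <groupName> <userName>"
    WScript.Quit 1
End If
strGroupName = WScript.Arguments(0)
strUserName = WScript.Arguments(1)

strGroupDN = FindDistinguishedName("group", strGroupName)
If strGroupDN = "" Then
    WScript.Echo "No group named " & strGroupName & " was found in the forest."
    WScript.Quit 2
End If

strUserDN = FindDistinguishedName("person", strUserName)
If strUserDN = "" Then
    WScript.Echo "No user named " & strUserName & " was found in the forest."
    WScript.Quit 2
End If

If IsDirectMember(strGroupDN, strUserDN) Then
    WScript.Echo strUserName & " is a member of " & strGroupName & " (" & strGroupDN & ")"
Else
    WScript.Echo strUserName & " is not a direct member of " & strGroupName
End If
```

Two points worth knowing when using this: the GC search is what makes the cross-domain lookup work, because an LDAP:// search against the local domain's naming context, as in the scripts the question mentions, only ever sees that one domain; and IsMember reports direct membership only, so a user who is in top_level_admin through a nested group is reported as not a member.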