VBScript for AD - Working, but not as intended


  • VBScript for AD - Working, but not as intended

    I put this script together with help from previous threads. I have a few printers that are secure, and I wanted to create a script to allow only those with permissions in AD to connect to it. It works, but if there are multiple groups for the user it causes them to run through a series of rejections before it connects. Any ideas?

    Dim objDomain, DomainString, UserName, UserObj, strComputer

    Set WSHShell = CreateObject("WScript.Shell")
    Set WSHNetwork = CreateObject("WScript.Network")

    'Automatically find the domain name
    Set objDomain = getObject("LDAP://rootDse")
    DomainString = objDomain.Get("dnsHostName")

    'Find the Windows Directory
    WinDir = WSHShell.ExpandEnvironmentStrings("%WinDir%")

    'Grab the user name
    UserName = WSHNetwork.UserName

    'Bind to the user object to get user name and check for group memberships
    Set UserObj = GetObject("WinNT://" & DomainString & "/" & UserName)



    For Each GroupObj In UserObj.Groups
    If GroupObj.Name = "EASMAN-BSOP COLOR PRT" Then

    strPrinter="\\PrintServer\MANPO-COLORBSOP3"
    Set WshNetwork = CreateObject("WScript.Network")
    Set WshShell = CreateObject("WScript.Shell")
    WshNetwork.AddWindowsPrinterConnection strPrinter
    WshNetwork.SetDefaultPrinter strPrinter
    MsgBox strPrinter & " Printer connected and set as the default printer"
    Set WshNetwork = WScript.CreateObject("WScript.Network")
    err.Clear



    Else


    WScript.Echo "You are not authorized to connect to this printer. For help contact your local IT Dept"


    End If
    Next

    set UserObj = Nothing
    set GroupObj = Nothing
    set WSHNetwork = Nothing
    set DomainString = Nothing
    set WSHSHell = Nothing
    Set WSHPrinters = Nothing

    wscript.quit
    Last edited by Spiritnblk; 9th October 2007, 16:25.

  • #2
    Re: VBScript for AD - Working, but not as intended

    The message
    "You are not authorized to connect to this printer." & vbNewLine &
    "For help contact your local IT Dept"

    shows at every mismatch before the script has really checked every group membership.

    Try this
    Code:
    Option Explicit
    Dim WSHShell, WshNetwork
    Dim objUserPath, UserObj, GroupObj
    Dim secPrinter, strPrinter
    
    Set WSHShell = CreateObject("WScript.Shell")
    Set WshNetwork = CreateObject("WScript.Network")
    
    objUserPath = CreateObject("adsysteminfo").UserName
    Set UserObj = GetObject("LDAP://" & objUserPath)
    
    For Each GroupObj In UserObj.Groups
        If UCase(GroupObj.Name) = UCase("CN=EASMAN-BSOP COLOR PRT") Then
            strPrinter = "\\PrintServer\MANPO-COLORBSOP3"
            WshNetwork.AddWindowsPrinterConnection strPrinter
            WshNetwork.SetDefaultPrinter strPrinter
            secPrinter = True
            Exit For
        Else
            secPrinter = False
        End If
    Next
    
    If secPrinter = True Then
        MsgBox strPrinter & " Printer connected and set as the default printer"
    Else
        WScript.Echo "You are not authorized to connect to this printer.", vbNewLine, "For help contact your local IT Dept"
    End If
    
    Wscript.Quit
    \Rems

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts



    • #3
      Re: VBScript for AD - Working, but not as intended

      Originally posted by Rems
      The message
      "You are not authorized to connect to this printer." & vbNewLine &
      "For help contact your local IT Dept"

      shows at every mismatch before the script has really checked every group membership.

      Try this


      \Rems
      It stops the rejection loop, but because the group is not the first in the membership list it fails before it checks the entire group list.



      • #4
        Re: VBScript for AD - Working, but not as intended

        It stops the rejection loop, but because the group is not the first in the membership list it fails before it checks the entire group list.
        The line: Exit For stops the loop directly after a match. If you don't use Exit For, the loop continues even after the first hit; it stops after the last group.
        So in your previous script, you must have been getting the message at every mismatch before, and also after, a match if there were any more groups to process.
        To avoid that, don't generate messages within the loop.

        In my example I use a boolean variable -> for every mismatch it is set to False and False and... ... ... so on.
        After the first hit it is set to True, and the For-Next loop is terminated at that point because of the Exit For.

        After the line: Next, the messages are generated depending on the value of that variable 'secPrinter' (boolean).


        Additional:
        In my example I used the LDAP:// provider,
        and you used the WinNT:// provider in your script.
        It is better to use the LDAP provider if possible, because of the Windows NT limitations of the WinNT provider (for example, not all group scopes are recognized by the WinNT provider). However, in your case the WinNT provider seems to do the job fine, but as you can see, when using the LDAP provider in this case you don't have to use extra function or object calls in your script.
        more: http://www.rlmueller.net/WinNT_LDAP.htm


        \Rems



        • #5
          Re: VBScript for AD - Working, but not as intended

          Do you think it would make more sense to check for the user's name in the group instead of looking for the group in the user's properties?



          • #6
            Re: VBScript for AD - Working, but not as intended

            Originally posted by Spiritnblk
            Do you think it would make more sense to check for the user's name in the group instead of looking for the group in the user's properties?
            I don't know,

            The method you are using should work fine;
            Except... it can only check for a direct membership to that group.
            Code:
            < Cut... >
            
            Dim colGroups : Set colGroups = UserObj.Groups
            For Each GroupObj In colGroups
               If UCase(GroupObj.Name) = Ucase("CN=EASMAN-BSOP COLOR PRT") Then
                   strPrinter="\\PrintServer\MANPO-COLORBSOP3"
                   WshNetwork.AddWindowsPrinterConnection strPrinter
                   WshNetwork.SetDefaultPrinter strPrinter
                  secPrinter = True
                  Exit For
              Else
                  secPrinter = False
              End If
            Next
            Another variant of the same approach:
            Code:
            'http://www.microsoft.com/communities...9-35c1a049e850
            ' by Richard Mueller [MVP]
            ' remark:
            '  "For Each strGroup In objUser.memberOf" will raise an error unless the user
            '  is a direct member of **at least! two groups**, the primary group is
            '  not included in that counting (usually the group "Domain Users").
            '  I would suggest: 
            
            Option Explicit
            
            Dim objSysInfo, objNetwork, strUserPath
            Dim objUser, arrGroups, strGroup
            Dim WSHShell, WshNetwork
            Dim strPrinter, blnConnected
            
            Set WSHShell = CreateObject("WScript.Shell")
            Set WshNetwork = CreateObject("WScript.Network")
            
            Set objSysInfo = CreateObject("ADSystemInfo")
            Set objNetwork = CreateObject("Wscript.Network")
            strUserPath = "LDAP://" & objSysInfo.UserName
            Set objUser = GetObject(strUserPath)
            
            ' Check the direct groups first; report a rejection only once, after the check.
            blnConnected = False
            arrGroups = objUser.MemberOf
            If IsEmpty(arrGroups) Then
                Wscript.Quit
            ElseIf (TypeName(arrGroups) = "String") Then
                Call ChkGroup(arrGroups)
            Else
                For Each strGroup In arrGroups
                    Call ChkGroup(strGroup)
                    If blnConnected Then Exit For
                Next
            End If
            
            If Not blnConnected Then
                WScript.Echo "You are not authorized to connect to this printer.", vbNewLine
            End If
            
            Wscript.quit
            
            
            Sub ChkGroup(ByVal strGroup)
                ' Connects the printer and sets blnConnected when strGroup is the printer group.
                Dim objGroup
            
                Set objGroup = GetObject("LDAP://" & strGroup)
                Select Case UCase(objGroup.cn)
                    Case UCase("EASMAN-BSOP COLOR PRT")
                         strPrinter="\\PrintServer\MANPO-COLORBSOP3"
                         WshNetwork.AddWindowsPrinterConnection strPrinter
                         WshNetwork.SetDefaultPrinter strPrinter
                         MsgBox strPrinter & " Printer connected and set as the default printer"
                         blnConnected = True
                End Select
            End Sub

            -=OR=-

            You can check for yourself whether searching the group object is faster or better.
            Using Function IsMember() and Sub LoadGroups() (see the links below) is a much smarter way to check the user's membership.
            The function performs a recursive search on members from nested groups also, and it can handle arrays that are not multivalued.

            - forums.petri.com/showpost.php?p=74419&highlight=objUser
            - forums.petri.com/showpost.php?p=64867&highlight=objComputer
            Code:
            'Option Explicit
            Dim objSysInfo, objUser, objComputer
            Dim WSHShell, WshNetwork
            Dim strGroup, strPrinter
            
            Set objSysInfo = CreateObject("ADSystemInfo")
                Set objUser = GetObject("LDAP://" & objSysInfo.userName)
                Set objComputer = GetObject("LDAP://" & objSysInfo.computerName)
            Private objGroupList
            Set objSysInfo = Nothing
            
            Set WSHShell = CreateObject("WScript.Shell")
            Set WshNetwork = CreateObject("WScript.Network")
            
            strGroup = "EASMAN-BSOP COLOR PRT"
            If IsMember(objUser, strGroup)  Then
                  strPrinter="\\PrintServer\MANPO-COLORBSOP3"
                  WshNetwork.AddWindowsPrinterConnection strPrinter
                  WshNetwork.SetDefaultPrinter strPrinter
                  MsgBox strPrinter & " Printer connected and set as the default printer"
            Else 
                  WScript.Echo "You are not authorized to connect to this printer.", vbNewLine
            End If
            
            wscript.quit
            
            '------------------------------------------
            Function IsMember(ByVal objADObject, ByVal strGroup)
                '(from: http://www.rlmueller.net/freecode2.htm : Logon Script 3)
                ' Function to test for group membership.
                ' objGroupList is a dictionary object with global scope.
                If (IsEmpty(objGroupList) = True) Then 
                     Set objGroupList = CreateObject("Scripting.Dictionary")
                End If
                If (objGroupList.Exists(objADObject.sAMAccountName & "\") _
                     = False) Then
                    Call LoadGroups(objADObject, objADObject)
                    objGroupList.Add objADObject.sAMAccountName & "\", True
                End If
                IsMember = objGroupList.Exists(objADObject.sAMAccountName & "\" _
                    & strGroup)
            End Function
            
            Sub LoadGroups(ByVal objPriObject, ByVal objADSubObject)
                ' Recursive subroutine to populate dictionary object objGroupList.
                Dim colstrGroups, objGroup, j
            
                objGroupList.CompareMode = vbTextCompare
                colstrGroups = objADSubObject.memberOf
                If (IsEmpty(colstrGroups) = True) Then
                    Exit Sub
                End If
                If (TypeName(colstrGroups) = "String") Then
                    Set objGroup = GetObject("LDAP://" & colstrGroups)
                    If (objGroupList.Exists(objPriObject.sAMAccountName & "\" _
                            & objGroup.sAMAccountName) = False) Then
                        objGroupList.Add objPriObject.sAMAccountName & "\" _
                            & objGroup.sAMAccountName, True
                        Call LoadGroups(objPriObject, objGroup)
                    End If
                    Set objGroup = Nothing
                    Exit Sub
                End If
                For j = 0 To UBound(colstrGroups)
                    Set objGroup = GetObject("LDAP://" & colstrGroups(j))
                    If (objGroupList.Exists(objPriObject.sAMAccountName & "\" _
                            & objGroup.sAMAccountName) = False) Then
                        objGroupList.Add objPriObject.sAMAccountName & "\" _
                            & objGroup.sAMAccountName, True
                        Call LoadGroups(objPriObject, objGroup)
                    End If
                Next
                Set objGroup = Nothing
            End Sub
            '------------------------------------------


            \Rems
            Last edited by Rems; 10th October 2007, 23:10.
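
Post #6 points out that looping over the user's groups only sees direct membership. As an added example (not code from the thread or from the linked sites), this VBScript asks the domain controller to resolve nested groups with the LDAP_MATCHING_RULE_IN_CHAIN filter and shows one message after the check. It assumes the group name equals the group's sAMAccountName and that the domain controllers support the rule; like memberOf, it does not see the user's primary group.

```vbscript
Option Explicit
' Added example, not from the thread. Group and printer names are the thread's;
' the group name is assumed to equal the group's sAMAccountName.
Const GROUP_NAME = "EASMAN-BSOP COLOR PRT"
Const PRINTER = "\\PrintServer\MANPO-COLORBSOP3"
Const IN_CHAIN = "1.2.840.113556.1.4.1941"   ' LDAP_MATCHING_RULE_IN_CHAIN

Dim objConn, objNet, strDomainDN, strUserDN
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
strDomainDN = GetObject("LDAP://RootDSE").Get("defaultNamingContext")
strUserDN = CreateObject("ADSystemInfo").UserName
' Decide once, then show exactly one message.
If IsNestedMember(strUserDN, GROUP_NAME) Then
    Set objNet = CreateObject("WScript.Network")
    objNet.AddWindowsPrinterConnection PRINTER
    objNet.SetDefaultPrinter PRINTER
    MsgBox PRINTER & " Printer connected and set as the default printer"
Else
    WScript.Echo "You are not authorized to connect to this printer." & _
        vbNewLine & "For help contact your local IT Dept"
End If

Function IsNestedMember(ByVal strUser, ByVal strGroupName)
    Dim strGroupDN
    IsNestedMember = False
    ' Resolve the group name to a DN; an unknown group means "deny".
    strGroupDN = FirstDN("<LDAP://" & strDomainDN & ">", "(&(objectCategory=group)" & _
        "(sAMAccountName=" & EscapeFilter(strGroupName) & "))", "subtree")
    If strGroupDN = "" Then Exit Function
    ' Base-scope search on the user: the DC follows nested memberOf links.
    IsNestedMember = (FirstDN("<LDAP://" & strUser & ">", "(memberOf:" & _
        IN_CHAIN & ":=" & EscapeFilter(strGroupDN) & ")", "base") <> "")
End Function

Function FirstDN(ByVal strBase, ByVal strFilter, ByVal strScope)
    Dim objRS
    FirstDN = ""
    Set objRS = objConn.Execute(strBase & ";" & strFilter & ";distinguishedName;" & strScope)
    If Not objRS.EOF Then FirstDN = objRS.Fields("distinguishedName").Value
    objRS.Close
End Function

Function EscapeFilter(ByVal s)
    ' Escape LDAP filter metacharacters (backslash first) per RFC 4515.
    s = Replace(s, "\", "\5c") : s = Replace(s, "*", "\2a")
    EscapeFilter = Replace(Replace(s, "(", "\28"), ")", "\29")
End Function
```

A logon script like this only decides whether the client attempts the mapping; the permissions set on the shared printer are what restrict who can print.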



            • #7
              Re: VBScript for AD - Working, but not as intended

              Thanks.

              I'm still picking at it. For whatever reason the code from yesterday gives me permission errors where j is defined. Do you recommend any sites or books that explain AD object properties (names and such) for scripting?
