Thursday, November 13, 2008

License and Registration, please

As promised, the next post is here... this time about checking group membership in a logon script using VBS.

First of all, I have to say this is not the most flexible way of doing it, especially if you have a few different domains to check for, but it should give you a lead on 'how-to'.

  Option Explicit
  On Error Resume Next

  Dim oWS : Set oWS = WScript.CreateObject("WScript.Shell")
  Dim oFS : Set oFS = CreateObject("Scripting.FileSystemObject")
  Dim oWN : Set oWN = CreateObject("Wscript.Network")

  ' Option Explicit refuses undeclared names, so declare the ADO/ADSI objects too
  Dim objConnection, objCommand, objRecordSet, objGroup, objUser, strUser

  Const ADS_SCOPE_SUBTREE = 2
  Set objConnection = CreateObject("ADODB.Connection")
  Set objCommand = CreateObject("ADODB.Command")
  objConnection.Provider = "ADsDSOObject"
  objConnection.Open "Active Directory Provider"

  Set objCommand.ActiveConnection = objConnection
  objCommand.Properties("Page Size") = 1000
  objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

  ' Find the group by name and bind to it via its ADsPath
  objCommand.CommandText = "Select ADsPath, Name From 'LDAP://dc=my,dc=domain,dc=com' Where objectCategory = 'Group' AND Name='AD-Migration'"
  Set objRecordSet = objCommand.Execute
  objRecordSet.MoveFirst
  Set objGroup = GetObject(objRecordSet.Fields("ADsPath").Value)

  ' Defaults to False: if the query or bind fails under On Error Resume Next,
  ' the loop is skipped and the script simply quits (fails closed)
  Dim UserInGroup
  UserInGroup = False

  ' GetEx always returns an array, even when the group has only one member
  For Each strUser In objGroup.GetEx("member")
    Set objUser = GetObject("LDAP://" & strUser)
    If LCase(objUser.sAMAccountName) = LCase(oWN.UserName) Then
      UserInGroup = True
    End If
  Next

  If UserInGroup = True Then
    oWS.Run("wscript.exe .\AD_UserProfileMigration\migrate_station.vbs")
  Else
    WScript.Quit(0)
  End If
Actually pretty straightforward. The only thing that cost me quite some time is the fact that the contents of the 'UserObject' are referenced with a '.' while the 'RecordSet' uses 'Fields()'. That threw me off track and was one of the main points of cursing :)

I'll just assume you know your programming bits and go on from top to bottom:
Create the default objects for the file system, the script shell and the network. I do not need all of them in this one, but the main logon script uses all of them, so I just included them here too.

Next we set up an LDAP query against our domain that looks for the specific group 'AD-Migration'. All members of that group have to be migrated to the new domain.
The beauty of this is that you can stuff a new member in there on the on-site DC and the change is immediately live... no relog... no gpupdate... just restart the script.

The next step is to iterate through all members and see if the current logon name matches the logon name of one of them. Next gotcha... MS calls this 'sAMAccountName' in the AD schema. And... great praise to whoever dreamed that up... the description in the schema is... *drumroll* 'SamAccountName' DUH...

So... we set a boolean to 'true' if we found the name and start the script(s) accordingly... no magic there...
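As an added illustration (not code from this post or from our logon script), here is a Python model of the membership check over a constructed, in-memory stand-in for the directory. It shows two limits of matching direct members by sAMAccountName alone: the same logon name can exist in several domains of a forest (exactly the multi-domain situation above), and members of nested groups are never seen. The hardened function matches on the user's distinguished name and walks nested groups with a cycle guard.

```python
from __future__ import annotations

# Constructed stand-in for the directory (not real AD data): DN -> attributes.
# 'member' is the multi-valued attribute the logon script iterates over.
DIRECTORY = {
    "CN=AD-Migration,OU=Groups,DC=my,DC=domain,DC=com": {
        "objectClass": "group",
        "member": ["CN=Alice,OU=Users,DC=my,DC=domain,DC=com",
                   "CN=Branch-Staff,OU=Groups,DC=my,DC=domain,DC=com"],  # nested group
    },
    "CN=Branch-Staff,OU=Groups,DC=my,DC=domain,DC=com": {
        "objectClass": "group",
        "member": ["CN=Bob,OU=Users,DC=my,DC=domain,DC=com",
                   "CN=AD-Migration,OU=Groups,DC=my,DC=domain,DC=com"],  # cycle back
    },
    "CN=Alice,OU=Users,DC=my,DC=domain,DC=com": {"objectClass": "user", "sAMAccountName": "alice"},
    "CN=Bob,OU=Users,DC=my,DC=domain,DC=com": {"objectClass": "user", "sAMAccountName": "bob"},
    # Same logon name in a second domain: sAMAccountName is unique per domain, not per forest.
    "CN=Alice,OU=Users,DC=old,DC=domain,DC=com": {"objectClass": "user", "sAMAccountName": "alice"},
}
GROUP_DN = "CN=AD-Migration,OU=Groups,DC=my,DC=domain,DC=com"


def sam_name_match(group_dn: str, logon_name: str) -> bool:
    """The post's check: compare each direct member's sAMAccountName (case-insensitive)
    with the logon name reported by WScript.Network.UserName."""
    for member_dn in DIRECTORY[group_dn].get("member", []):
        entry = DIRECTORY[member_dn]
        if entry["objectClass"] == "user" and entry["sAMAccountName"].lower() == logon_name.lower():
            return True
    return False


def is_transitive_member(group_dn: str, user_dn: str, seen: set[str] | None = None) -> bool:
    """Hardened check: match on the user's distinguished name (which carries the domain)
    and descend into nested groups; 'seen' stops recursion on membership cycles."""
    seen = set() if seen is None else seen
    if group_dn in seen:
        return False
    seen.add(group_dn)
    for member_dn in DIRECTORY[group_dn].get("member", []):
        if member_dn.lower() == user_dn.lower():      # DNs compare case-insensitively in AD
            return True
        if DIRECTORY.get(member_dn, {}).get("objectClass") == "group" \
                and is_transitive_member(member_dn, user_dn, seen):
            return True
    return False
```

With the sample data, `sam_name_match` says yes to any "alice" regardless of domain and never sees Bob in the nested group, while `is_transitive_member` accepts only the my.domain.com Alice and Bob.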

I hope this helped you a bit on your way... I have some recommended reading though:
  • The Windows Script Help (v5.6 at the moment). Won't link it here, because its URL is likely to change. Just search on MS.com.
  • Windows Server Support Tools. These bring the 'Active Directory Schema' add-in for the Management Console.
With these two things and a bit of fiddling I am sure you'll handle some of the more advanced thingies that will cross your way. I am still on my quest for less fuss for the user and will surely try to blog my cur... thoughts here :)

Questions welcome :)

See you soon,
Dirk

P.S.:
Yes, actual working code directly from our logon script. It works, honestly!

Thursday, November 6, 2008

Long time no C[++,#]

Busy, busy, busy... and still am :)

Recently we were merging our domain(s) into one big domain... which is not easy when the impact on the users should be zero (best case, that is).

So, what did I learn?
First and foremost VBS *shiver* for the logon scripts and other neato thingies that need to be done while the user cannot do much about them... which is most important, as these pesky people tend to stop whatever is running just to get to their 'Lotus Notes'.

Second... I did not find a way to make a simple, standalone program to set various (temporary) rights for the users in C#. And I *tried*... HARD... which brought me back to my trusty (and rusty) C++ Builder (I *hate* that registration process thing, Borland! And I *hate* the new help, get the old one back... much niiiicer)

Third... don't trust MS with their docs either... I found a few very *wrong* things they put into the Active Directory Schema docs... well... the Domain will recover :)

What is to expect next from me?
Weeeeeeell... a few posts with tips on what to do and what THE HECK NOT to do in domain migration, some neato things I got hopping in VBS (in your *face* Central Team! I *did* get it working, noobs), a neato thing discovered in C# (Yes, Kurt, still fiddling with it and not abandoned) and general riffraff I need to get out :)

There were some questions about me abandoning the blog... yeah... riiiight.

So... I'll try to post more regularly and keep you updated :)