Thursday, November 13, 2008

License and Registration, please

As promised, the next post is here... this time about checking group membership in a logon script using VBS.

First of all I have to say this is not the most flexible way of doing it, especially if you have a few different domains to check against, but it should give you a lead on the 'how-to'.

  Option Explicit
  ' Keeps the logon script going if a line fails, but it also hides every error.
  ' Comment it out while testing.
  On Error Resume Next

  Dim oWS : Set oWS = WScript.CreateObject("WScript.Shell")
  Dim oFS : Set oFS = CreateObject("Scripting.FileSystemObject")
  Dim oWN : Set oWN = CreateObject("WScript.Network")

  ' Option Explicit requires every variable to be declared before use
  Dim objConnection, objCommand, objRecordSet, objGroup, objUser, strUser

  Const ADS_SCOPE_SUBTREE = 2
  Set objConnection = CreateObject("ADODB.Connection")
  Set objCommand = CreateObject("ADODB.Command")
  objConnection.Provider = "ADsDSOObject"
  objConnection.Open "Active Directory Provider"

  Set objCommand.ActiveConnection = objConnection
  objCommand.Properties("Page Size") = 1000
  objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

  ' Look for the group by its CN anywhere below the domain root
  objCommand.CommandText = "Select ADsPath, Name From 'LDAP://dc=my,dc=domain,dc=com' Where objectCategory = 'Group' AND Name='AD-Migration'"
  Set objRecordSet = objCommand.Execute
  If objRecordSet.EOF Then WScript.Quit(0)   ' group not found: nothing to do
  objRecordSet.MoveFirst
  Set objGroup = GetObject(objRecordSet.Fields("ADsPath").Value)

  Dim UserInGroup
  UserInGroup = False

  ' GetEx always returns an array; the plain 'member' property comes back as a
  ' single string when the group has exactly one member, which breaks For Each
  For Each strUser In objGroup.GetEx("member")
      Set objUser = GetObject("LDAP://" & strUser)
      ' sAMAccountName is the pre-Windows-2000 logon name, the one WScript.Network reports
      If LCase(objUser.sAMAccountName) = LCase(oWN.UserName) Then
          UserInGroup = True
      End If
  Next

  If UserInGroup = True Then
      oWS.Run "wscript.exe .\AD_UserProfileMigration\migrate_station.vbs"
  Else
      WScript.Quit(0)
  End If

Actually pretty straightforward. The only thing that cost me quite some time is the fact that the properties of the user object are referenced with a '.' while the RecordSet uses 'Fields()'. That threw me off track and was one of the main points of cursing :)

I'll just assume you know your programming bits and go on from top to bottom:
Create the default objects for the file system, the script shell and the network. Though I do not need all of them in this one, the main logon script has all of those in use, so I just included them here too.

Next thing we do is set up an LDAP query against our domain, looking for the specific group 'AD-Migration'. All members of that group have to be migrated to the new domain.
The beauty of this is that you can stuff a new member in there on the on-site DC and the change is effective immediately... no relog... no gpupdate... just restart the script.

Next step is to iterate through all members and see if the current logon name matches the logon name stored in the member's user object. Next gotcha... MS calls this 'SamAccountName' in the AD schema. And... great praise to whoever dreamed that up... the description in the schema is... *drumroll* 'SamAccountName'. DUH...

So... we set a boolean to 'true' if we found the name and start the script(s) accordingly... no magic there...
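As an added example (not code from Dirk's logon script), here is the same membership check done from the other direction: bind the logged-on user's own object via ADSystemInfo and read its tokenGroups, which lists every security group the user belongs to, nested groups included, and bind the target group by its full DN instead of searching for any group whose CN is 'AD-Migration'. The group DN is a constructed placeholder; adjust it to your domain.

```vbscript
Option Explicit

' Constructed placeholder: the full DN of the migration group (adjust to your domain)
Const GROUP_DN = "CN=AD-Migration,OU=Groups,DC=my,DC=domain,DC=com"

Dim oSysInfo, oUser, oGroup, strGroupSid, arrTokenSids

' ADSystemInfo hands back the DN of the interactively logged-on user,
' so no directory search by name is needed to find the user object
Set oSysInfo = CreateObject("ADSystemInfo")
Set oUser = GetObject("LDAP://" & oSysInfo.UserName)

' Bind the group by its exact DN, not by a CN search that could match
' any group of that name anywhere in the domain
Set oGroup = GetObject("LDAP://" & GROUP_DN)
strGroupSid = OctetToHexStr(oGroup.Get("objectSid"))

' tokenGroups is a constructed attribute holding the SIDs of every security
' group the user is in, nested groups included; GetInfoEx loads it on demand
oUser.GetInfoEx Array("tokenGroups"), 0
arrTokenSids = oUser.GetEx("tokenGroups")

If IsMember(arrTokenSids, strGroupSid) Then
    WScript.Echo oSysInfo.UserName & " is a member of " & GROUP_DN
Else
    WScript.Echo oSysInfo.UserName & " is NOT a member of " & GROUP_DN
End If

' True if the wanted SID (as hex) is among the SIDs in arrSids
Function IsMember(arrSids, strWantedSidHex)
    Dim bytSid
    IsMember = False
    For Each bytSid In arrSids
        If OctetToHexStr(bytSid) = strWantedSidHex Then
            IsMember = True
            Exit Function
        End If
    Next
End Function

' Turns an ADSI octet string (byte array) into a hex string so two SIDs
' can be compared as plain strings
Function OctetToHexStr(bytOctet)
    Dim k
    OctetToHexStr = ""
    For k = 1 To LenB(bytOctet)
        OctetToHexStr = OctetToHexStr & Right("0" & Hex(AscB(MidB(bytOctet, k, 1))), 2)
    Next
End Function
```

It is meant to run as the logged-on user, the way a logon script does, and avoids fetching every member object of the group.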

I hope this helped you a bit on your way... I have some recommended reading, though:
  • The Windows Script Help (v5.6 at the moment). Won't link it here, because its URL is likely to change. Just search on MS.com.
  • Windows Server Support Tools. These bring the 'Active Directory Schema' Add-In for the Management Console.
With these two things and a bit of fiddling I am sure you'll handle some of the more advanced thingies that will cross your way. I am still on my quest for less fuss for the user and will surely try to blog my cur... thoughts here :)

Questions welcome :)

See you soon,
Dirk

P.S.:
Yes, actual working code directly from our logon script. It works, honestly!
