
    VBScript to check for LDAP group membership

      I have been working on this problem for days, and I am struggling to find a solution that works.


      Basically, I want a function in the following form:


      in_group(username, groupname)


      That returns 1 if the username is in the group, and 0 otherwise.  Does anyone have any sources or solutions for this problem?  I am trying to work with the following code:

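      Function GetMembers(gDN)
          ' Display the direct members of the group whose distinguishedName is gDN,
          ' one message box per member, showing the member's name and object class.
          ' gDN is bound verbatim into an LDAP:// path (it is a DN, not a search
          ' filter), so the caller must pass a valid, properly escaped DN.
          ' NOTE(review): for very large groups the directory may return the
          ' "member" attribute range-limited; this function does not page through it.
          Dim objGroup, arrMemberOf, strMember, objMember, ObjDisp, ObjCatArray, oType, pad
          Set objGroup = GetObject("LDAP://" & gDN)
          ' GetEx raises when the attribute is not set (an empty group); treat
          ' that as "no members" instead of aborting the script.
          On Error Resume Next
          arrMemberOf = objGroup.GetEx("member")
          If Err.Number <> 0 Then
              Err.Clear
              On Error GoTo 0
              Set objGroup = Nothing
              Exit Function
          End If
          On Error GoTo 0
          For Each strMember In arrMemberOf
              Set objMember = GetObject("LDAP://" & strMember)
              ' Name is an RDN such as "CN=Jane Doe"; drop the three-character "CN=" prefix.
              ObjDisp = Mid(objMember.Name, 4)
              ' objectCategory is a DN such as "CN=Person,CN=Schema,..."; keep only
              ' the first component, again without its "CN=" prefix.
              ObjCatArray = Split(objMember.objectCategory, ",")
              oType = Mid(ObjCatArray(0), 4)
              ' Space() raises on a negative count, so clamp the padding for names
              ' longer than 20 characters instead of failing mid-loop.
              pad = 20 - Len(ObjDisp)
              If pad < 0 Then pad = 0
              msgbox "Member:" & ObjDisp & Space(pad) & " Type:" & oType
              ' Nested groups (oType = "Group") are listed but not expanded here.
              Set objMember = Nothing
          Next
          Set objGroup = Nothing
      End Function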
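      ' Escape a value for use inside an LDAP search filter (RFC 4515) so that
      ' characters with filter syntax in the input cannot change the query.
      ' The backslash is replaced first so the escapes it introduces are not
      ' themselves re-escaped.
      Private Function LdapFilterEscape(ByVal sValue)
          Dim sOut
          sOut = Replace(sValue, "\", "\5c")
          sOut = Replace(sOut, "*", "\2a")
          sOut = Replace(sOut, "(", "\28")
          sOut = Replace(sOut, ")", "\29")
          sOut = Replace(sOut, Chr(0), "\00")
          LdapFilterEscape = sOut
      End Function
      Public Function SearchGroup(ByVal vSAN)
          ' Look up the group whose sAMAccountName is vSAN anywhere under the
          ' domain's default naming context and return its distinguishedName.
          ' Returns Empty when no such group exists (test with IsEmpty); if more
          ' than one object matches, the first record is returned.
          ' vSAN is escaped before being placed in the filter: unescaped, a value
          ' containing "*" or ")" would alter the search instead of matching a
          ' group name literally.
          Dim oRootDSE, oConnection, oCommand, oRecordSet
          Set oRootDSE = GetObject("LDAP://rootDSE")
          Set oConnection = CreateObject("ADODB.Connection")
          oConnection.Open "Provider=ADsDSOObject;"
          Set oCommand = CreateObject("ADODB.Command")
          oCommand.ActiveConnection = oConnection
          oCommand.CommandText = "<LDAP://" & oRootDSE.Get("defaultNamingContext") & _
              ">;(&(objectCategory=Group)(samAccountName=" & LdapFilterEscape(vSAN) & "));distinguishedName;subtree"
          Set oRecordSet = oCommand.Execute
          ' An empty result set is a normal outcome, not an error to be swallowed
          ' with On Error Resume Next.
          If oRecordSet.EOF Then
              SearchGroup = Empty
          Else
              SearchGroup = oRecordSet.Fields("distinguishedName").Value
          End If
          oRecordSet.Close
          oConnection.Close
          Set oRecordSet = Nothing
          Set oCommand = Nothing
          Set oConnection = Nothing
          Set oRootDSE = Nothing
      End Function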


      and, alternatively:

      Function IsMember(ByVal objADObject, ByVal strGroupNTName)
        ' Test whether objADObject (a user or computer object) belongs to the
        ' group whose sAMAccountName is strGroupNTName.  Returns True or False.
        ' Membership is looked up in the script-level dictionary objGroupList,
        ' which LoadGroups (defined elsewhere) fills with keys of the form
        ' "<sAMAccountName>\<group>"; a bare "<sAMAccountName>\" key marks an
        ' object whose groups have already been loaded.
        ' The script-level objects adoCommand, adoConnection, strBase and
        ' strAttributes are initialised here on the first call and are
        ' presumably used by LoadGroups.
          Dim oRootDSE, sDomainDN, sObjectKey
          If IsEmpty(objGroupList) Then
              ' First call: build the dictionary and the ADO search objects.
              Set objGroupList = CreateObject("Scripting.Dictionary")
              objGroupList.CompareMode = vbTextCompare   ' NT names compare case-insensitively
              Set adoConnection = CreateObject("ADODB.Connection")
              adoConnection.Provider = "ADsDSOObject"
              adoConnection.Open "Active Directory Provider"
              Set adoCommand = CreateObject("ADODB.Command")
              adoCommand.ActiveConnection = adoConnection
              adoCommand.Properties("Page Size") = 100
              adoCommand.Properties("Timeout") = 30
              adoCommand.Properties("Cache Results") = False
              Set oRootDSE = GetObject("LDAP://RootDSE")
              sDomainDN = oRootDSE.Get("defaultNamingContext")
              Set oRootDSE = Nothing
              strBase = "<LDAP://" & sDomainDN & ">"   ' search the whole domain
              strAttributes = "sAMAccountName"         ' only each group's NT name is needed
              Call LoadGroups(objADObject)
          End If
          sObjectKey = objADObject.sAMAccountName & "\"
          If Not objGroupList.Exists(sObjectKey) Then
              ' Dictionary exists, but this object's groups are not cached yet.
              Call LoadGroups(objADObject)
          End If
          IsMember = objGroupList.Exists(sObjectKey & strGroupNTName)
      End Function


      Thoughts?  Bonus points if the solution uses "Safe Mode" instead of "System Access."  Thanks for your help.