ActiveXperts Network Monitor
Monitor servers, workstations, devices and applications in your network


Active Directory Group Scripts

Add 1000 Sample Users to a Security Group
Add a User to Two Security Groups
Add New Members to a Security Group
Assign a Group Manager
Change the Scope of a Security Group
Create a Universal Distribution Group
Create a Universal Security Group
Create a Domain Local Distribution Group
Create a Domain Local Security Group
Create a Global Distribution Group
Create a Global Security Group
Delete a Group from Active Directory
List the Active Directory Groups a User Belongs To
List All the Members of a Group
List the Attributes of the Group Class
List the General Properties of a Group
List Group Memberships for All the Users in an OU
List Group Object Information
List the Managed By Information for a Group
List Other Groups a Group Belongs To
List the Owner of a Group
List the Primary Group for a User Account
List the Security Descriptor for a Group
List the System Access Control List for a Group
Modify Group Attributes
Modify Group Type
Move a Group Within a Domain
Remove All Group Memberships for a User Account
Remove All the Members of a Group
Remove the Manager of a Group
Remove a User from a Group
Replace Group Membership with All-New Members


You can use any of the VBScript programs below as checks in ActiveXperts Network Monitor; the product documentation explains how to include scripts in ActiveXperts Network Monitor.



Add 1000 Sample Users to a Security Group


Demonstration script that creates a security group named Group1 and adds one thousand users (UserNo1 through UserNo1000) to that group. This script is not intended for use in a production environment.
Const ADS_PROPERTY_APPEND = 3 

Set objRootDSE = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://cn=Users," & _
    objRootDSE.Get("defaultNamingContext"))
Set objGroup = objContainer.Create("Group", "cn=Group1")
objGroup.Put "sAMAccountName","Group1"
objGroup.SetInfo 

For i = 1 To 1000
    strDN = ",cn=Users," & objRootDSE.defaultNamingContext
    objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
        Array("cn=UserNo" & i & strDN)
    objGroup.SetInfo
Next
WScript.Echo "Group1 created and 1000 Users added to the group."
	

Add a User to Two Security Groups


Adds a user (MyerKen) to two different Active Directory security groups: Atl-Users and NA-Employees.
Const ADS_PROPERTY_APPEND = 3
 
Set objGroup = GetObject _
    ("LDAP://cn=Atl-Users,cn=Users,dc=NA,dc=fabrikam,dc=com")
objGroup.PutEx ADS_PROPERTY_APPEND, _
    "member", Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
objGroup.SetInfo
 
Set objGroup = GetObject _
    ("LDAP://cn=NA-Employees,cn=Users,dc=NA,dc=fabrikam,dc=com")  
objGroup.PutEx ADS_PROPERTY_APPEND, _
    "member", Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
objGroup.SetInfo
	

Add New Members to a Security Group


Adds two groups (Executives and Scientists) and one user account (MyerKen) to the Sea-Users group in Active Directory.
Const ADS_PROPERTY_APPEND = 3 
 
Set objGroup = GetObject _
  ("LDAP://cn=Sea-Users,cn=Users,dc=NA,dc=fabrikam,dc=com") 
 
objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
    Array("cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com", _
          "cn=Executives,ou=Management,dc=NA,dc=fabrikam,dc=com", _
          "cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
 
objGroup.SetInfo
	

Assign a Group Manager


Adds a user (MyerKen) to two different Active Directory security groups: Atl-Users and NA-Employees.
Const ADS_PROPERTY_APPEND = 3
 
Set objGroup = GetObject _
    ("LDAP://cn=Atl-Users,cn=Users,dc=NA,dc=fabrikam,dc=com")
objGroup.PutEx ADS_PROPERTY_APPEND, _
    "member", Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
objGroup.SetInfo
 
Set objGroup = GetObject _
    ("LDAP://cn=NA-Employees,cn=Users,dc=NA,dc=fabrikam,dc=com")  
objGroup.PutEx ADS_PROPERTY_APPEND, _
    "member", Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
objGroup.SetInfo
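The sample reproduced under this heading repeats the two-groups script above. As an added example that is not part of the original page, the following assigns MyerKen as manager of the Scientists group and also grants the "Manager can update membership list" right, which is exactly the ACE that the "List the Managed By Information for a Group" script below checks for. The group and user DNs are the page's; NA is assumed to be the domain's NetBIOS name.

```vbscript
Const ADS_RIGHT_DS_WRITE_PROP           = &H20
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_FLAG_OBJECT_TYPE_PRESENT      = &H1
' schemaIDGUID of the member attribute: naming it as the ACE's object type
' limits the write right to that one attribute.
Const MEMBER_SCHEMA_ID_GUID = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}"

strGroupPath   = "LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com"
strManagerDN   = "cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com"
strManagerAcct = "NA\MyerKen"   ' NetBIOS domain\sAMAccountName (NA assumed)

Set objGroup = GetObject(strGroupPath)

' 1. The Managed By tab. managedBy is informational only: setting it grants
'    the manager no rights on the group.
objGroup.Put "managedBy", strManagerDN
objGroup.SetInfo

' 2. "Manager can update membership list": an allow ACE for the manager with
'    WriteProperty scoped to the member attribute, added to the group's DACL.
Set objSD   = objGroup.Get("ntSecurityDescriptor")
Set objDacl = objSD.DiscretionaryAcl

' Skip the change if an equivalent ACE is already present.
blnPresent = False
For Each objAce In objDacl
    If LCase(objAce.Trustee) = LCase(strManagerAcct) And _
       LCase(objAce.ObjectType & "") = LCase(MEMBER_SCHEMA_ID_GUID) And _
       objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT And _
       (objAce.AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then
        blnPresent = True
    End If
Next

If blnPresent Then
    WScript.Echo strManagerAcct & " already has write access to member; DACL unchanged."
Else
    Set objAce = CreateObject("AccessControlEntry")
    objAce.Trustee    = strManagerAcct
    objAce.AccessMask = ADS_RIGHT_DS_WRITE_PROP
    objAce.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    objAce.AceFlags   = 0                          ' explicit ACE, not inheritable
    objAce.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
    objAce.ObjectType = MEMBER_SCHEMA_ID_GUID
    objDacl.AddAce objAce
    objSD.DiscretionaryAcl = objDacl
    objGroup.Put "ntSecurityDescriptor", objSD
    objGroup.SetInfo
    WScript.Echo strManagerAcct & " set as manager and granted write access to member."
End If
```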
	

Change the Scope of a Security Group


Changes a global distribution group named Scientists to a universal security group.
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000
 
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") 
 
' Universal scope plus the security-enabled bit, as the description states.
objGroup.Put "groupType", _
    ADS_GROUP_TYPE_UNIVERSAL_GROUP + ADS_GROUP_TYPE_SECURITY_ENABLED
 
objGroup.SetInfo
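The scripts in this section hard-code the whole groupType value. The added example below (not part of the original page) reads the current value, decodes it, and changes only the scope bits so the security-enabled bit is preserved whatever it was; it also refuses the one conversion Active Directory rejects outright, global to domain local or back without an intermediate universal step. The group DN is the page's Scientists group; the constant name GROUP_SCOPE_MASK is chosen here.

```vbscript
Const ADS_GROUP_TYPE_GLOBAL_GROUP     = &h2
Const ADS_GROUP_TYPE_LOCAL_GROUP      = &h4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP  = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000
Const GROUP_SCOPE_MASK                = &hE   ' the three scope bits together (name chosen here)

' Describe a groupType value. AD stores it as a signed 32-bit integer, so a
' universal security group reads back as -2147483640 (&h80000008); the
' bitwise tests below work on the negative value as well.
Function DescribeGroupType(lngGroupType)
    Dim strScope
    If lngGroupType And ADS_GROUP_TYPE_LOCAL_GROUP Then
        strScope = "Domain local"
    ElseIf lngGroupType And ADS_GROUP_TYPE_GLOBAL_GROUP Then
        strScope = "Global"
    ElseIf lngGroupType And ADS_GROUP_TYPE_UNIVERSAL_GROUP Then
        strScope = "Universal"
    Else
        strScope = "Unknown-scope"
    End If
    If lngGroupType And ADS_GROUP_TYPE_SECURITY_ENABLED Then
        DescribeGroupType = strScope & " security group"
    Else
        DescribeGroupType = strScope & " distribution group"
    End If
End Function

' Compute the groupType for a new scope: clear the old scope bit, set the new
' one, leave the security-enabled bit exactly as it was. AD refuses a direct
' global <-> domain local conversion, so that case raises an error instead of
' producing a value SetInfo would reject.
Function GroupTypeWithScope(lngGroupType, lngNewScope)
    Dim lngOldScope
    lngOldScope = lngGroupType And GROUP_SCOPE_MASK
    If (lngOldScope = ADS_GROUP_TYPE_GLOBAL_GROUP And lngNewScope = ADS_GROUP_TYPE_LOCAL_GROUP) Or _
       (lngOldScope = ADS_GROUP_TYPE_LOCAL_GROUP And lngNewScope = ADS_GROUP_TYPE_GLOBAL_GROUP) Then
        Err.Raise vbObjectError + 1, "GroupTypeWithScope", _
            "Global and domain local cannot be converted directly; change to universal first."
    End If
    GroupTypeWithScope = (lngGroupType And (Not GROUP_SCOPE_MASK)) Or lngNewScope
End Function

' Offline check on a constructed value: a global security group as AD stores it.
WScript.Echo "Constructed value -2147483646 is a " & DescribeGroupType(-2147483646)

' Live change: Scientists (created as a global distribution group on this page)
' becomes universal, with its type left untouched.
Set objGroup = GetObject("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
lngCurrent = objGroup.Get("groupType")
WScript.Echo "Before: " & DescribeGroupType(lngCurrent)
lngNew = GroupTypeWithScope(lngCurrent, ADS_GROUP_TYPE_UNIVERSAL_GROUP)
objGroup.Put "groupType", lngNew
objGroup.SetInfo
WScript.Echo "After:  " & DescribeGroupType(lngNew)
```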
	

Create a Universal Distribution Group


Creates a universal Active Directory distribution group named Customers.
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8

Set objOU = GetObject("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=Customers")

objGroup.Put "sAMAccountName", "customers"
objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP
objGroup.SetInfo
	

Create a Universal Security Group


Creates a universal Active Directory security group named All-Employees.
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000

Set objOU = GetObject("LDAP://cn=Users,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=All-Employees")

objGroup.Put "sAMAccountName", "AllEmployees"
objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP Or _
    ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo
	

Create a Domain Local Distribution Group


Creates a domain local Active Directory distribution group named Vendors.
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4

Set objOU = GetObject("LDAP://ou=HR,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=Vendors")

objGroup.Put "sAMAccountName", "vendors"
objGroup.Put "groupType", ADS_GROUP_TYPE_LOCAL_GROUP
objGroup.SetInfo
	

Create a Domain Local Security Group


Creates a domain local Active Directory security group named DB-Servers.
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000

Set objOU = GetObject("LDAP://cn=Computers,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=DB-Servers")

objGroup.Put "sAMAccountName", "DBServers"
objGroup.Put "groupType", ADS_GROUP_TYPE_LOCAL_GROUP Or _
    ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo
	

Create a Global Distribution Group


Creates a global Active Directory distribution group named Scientists.
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2

Set objOU = GetObject("LDAP://ou=R&D,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=Scientists")

objGroup.Put "sAMAccountName", "scientists"
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP
objGroup.SetInfo
	

Create a Global Security Group


Creates a global Active Directory security group named HR-Employees.
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000

Set objOU = GetObject("LDAP://ou=HR,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=HR-Employees")

objGroup.Put "sAMAccountName", "HRStaff"
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP Or _
    ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo
	

Delete a Group from Active Directory


Deletes a group named atl-users from the HR organizational unit in the domain fabrikam.com.
Set objOU = GetObject("LDAP://ou=hr,dc=fabrikam,dc=com")

objOU.Delete "group", "cn=atl-users"
	

List the Active Directory Groups a User Belongs To


Returns a list of all the Active Directory security groups (including the primary group) that include the MyerKen user account as a member.
On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
 
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
 
intPrimaryGroupID = objUser.Get("primaryGroupID")
arrMemberOf = objUser.GetEx("memberOf")
 
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "The memberOf attribute is not set."
Else
    WScript.Echo "Member of: "
    For Each Group in arrMemberOf
        WScript.Echo Group
    Next
End If
 
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
' ADO directory search syntax: <base>;(filter);attributes;scope. The search
' base is assumed to be the domain root used by the other scripts on this page.
objCommand.CommandText = _
    "<LDAP://dc=NA,dc=fabrikam,dc=com>;(objectCategory=Group);" & _
        "distinguishedName,primaryGroupToken;subtree"
Set objRecordSet = objCommand.Execute
  
Do Until objRecordset.EOF
    If objRecordset.Fields("primaryGroupToken") = intPrimaryGroupID Then
        WScript.Echo "Primary group:"
        WScript.Echo objRecordset.Fields("distinguishedName") & _
            " (primaryGroupID: " & intPrimaryGroupID & ")"
    End If
    objRecordset.MoveNext
Loop
 
objConnection.Close
	

List All the Members of a Group


Returns the members of an Active Directory group named Scientists.
On Error Resume Next
 
Set objGroup = GetObject _
  ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.GetInfo
 
' GetEx returns the values cached by GetInfo. The server hands out member in
' ranges (1500 values by default), so a group larger than that needs ranged
' retrieval (member;range=...) or IADsGroup.Members to list everyone.
arrMemberOf = objGroup.GetEx("member")
 
WScript.Echo "Members:"
For Each strMember in arrMemberOf
    WScript.echo strMember
Next
	

List the Attributes of the Group Class


Returns a list of mandatory and optional attributes of the group class (as stored in the Active Directory schema).
Set objGroupClass = GetObject("LDAP://schema/group")
Set objSchemaClass = GetObject(objGroupClass.Parent)
 
i = 0
WScript.Echo "Mandatory attributes:"
For Each strAttribute in objGroupClass.MandatoryProperties
    i= i + 1
    WScript.Echo i & vbTab & strAttribute
    Set objAttribute = objSchemaClass.GetObject("Property",  strAttribute)
    WScript.Echo " (Syntax: " & objAttribute.Syntax & ")"
    If objAttribute.MultiValued Then
        WScript.Echo " Multivalued"
    Else
        WScript.Echo " Single-valued"
    End If
Next
 
WScript.Echo VbCrLf & "Optional attributes:"
For Each strAttribute in objGroupClass.OptionalProperties
    i= i + 1
    Wscript.Echo i & vbTab & strAttribute
    Set objAttribute = objSchemaClass.GetObject("Property",  strAttribute)
    Wscript.Echo " [Syntax: " & objAttribute.Syntax & "]"
    If objAttribute.MultiValued Then
        WScript.Echo " Multivalued"
    Else
        WScript.Echo " Single-valued"
    End If
Next
	

List the General Properties of a Group


Reads the values found on the General Properties page in Active Directory Users and Computers for a group named Scientists.
On Error Resume Next

Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000
 
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")

WScript.Echo "Name: " & objGroup.Name
WScript.Echo "SAM Account Name: " & objGroup.SAMAccountName
WScript.Echo "Mail: " & objGroup.Mail
WScript.Echo "Info: " & objGroup.Info
 
' groupType is a bit field: one scope bit plus, for security groups, the
' security-enabled bit. It has to be read before the bits are tested.
intGroupType = objGroup.Get("groupType")

If intGroupType AND ADS_GROUP_TYPE_LOCAL_GROUP Then
    WScript.Echo "Group scope: Domain local"
ElseIf intGroupType AND ADS_GROUP_TYPE_GLOBAL_GROUP Then
    WScript.Echo "Group scope: Global"
ElseIf intGroupType AND ADS_GROUP_TYPE_UNIVERSAL_GROUP Then
    WScript.Echo "Group scope: Universal"
Else
    WScript.Echo "Group scope: Unknown"
End If
 
If intGroupType AND ADS_GROUP_TYPE_SECURITY_ENABLED Then
    WScript.Echo "Group type: Security group"
Else
    WScript.Echo "Group type: Distribution group"
End If
 
' description is multi-valued in the schema; GetEx always returns an array,
' whereas the property-style objGroup.Description may return a single string.
For Each strValue in objGroup.GetEx("description")
    WScript.Echo "Description: " & strValue
Next
	

List Group Memberships for All the Users in an OU


Retrieves the memberOf and primaryGroupID attributes of every user account in the Users container to display group membership. Note that the primaryGroupID attribute contains an integer that maps to the name of the primary group; the memberOf attribute does not contain the primary group of which the user is a member.
On Error Resume Next

Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D

Set objOU = GetObject _
    ("LDAP://cn=Users,dc=NA,dc=fabrikam,dc=com")
  
' Note: the "user" class filter also matches computer objects, because
' computer is a subclass of user in the schema.
objOU.Filter = Array("user")
 
For Each objUser in objOU
    WScript.Echo objUser.cn & " is a member of: " 
    WScript.Echo vbTab & "Primary Group ID: " & _
        objUser.Get("primaryGroupID")
  
    arrMemberOf = objUser.GetEx("memberOf")
  
    If Err.Number <>  E_ADS_PROPERTY_NOT_FOUND Then
        For Each Group in arrMemberOf
            WScript.Echo vbTab & Group
        Next
    Else
        WScript.Echo vbTab & "memberOf attribute is not set"
        Err.Clear
    End If
    Wscript.Echo 
Next
	

List Group Object Information


Retrieves the information found on the Object page in Active Directory Users and Computers for a security group named Scientists.
Set objGroup = GetObject _
  ("GC://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
 
strWhenCreated = objGroup.Get("whenCreated")
strWhenChanged = objGroup.Get("whenChanged")
 
' uSNChanged and uSNCreated are 64-bit values exposed as IADsLargeInteger.
' LowPart is a signed 32-bit value, so add 2^32 back when it is negative
' rather than taking Abs() of the whole expression.
Set objUSNChanged = objGroup.Get("uSNChanged")
dblUSNChanged = objUSNChanged.HighPart * 2^32 + objUSNChanged.LowPart
If objUSNChanged.LowPart < 0 Then dblUSNChanged = dblUSNChanged + 2^32
 
Set objUSNCreated = objGroup.Get("uSNCreated")
dblUSNCreated = objUSNCreated.HighPart * 2^32 + objUSNCreated.LowPart
If objUSNCreated.LowPart < 0 Then dblUSNCreated = dblUSNCreated + 2^32
 
objGroup.GetInfoEx Array("canonicalName"), 0
arrCanonicalName = objGroup.GetEx("canonicalName")
 
WScript.echo "CanonicalName of object:"
For Each strValue in arrCanonicalName
    WScript.Echo vbTab & strValue
Next
WScript.Echo 
 
WScript.Echo "Object class: " & objGroup.Class 
WScript.Echo "When Created: " & strWhenCreated & " (Created - GMT)"
WScript.Echo "When Changed: " & strWhenChanged & " (Modified - GMT)"
WScript.Echo 
WScript.Echo "USN Changed: " & dblUSNChanged & " (USN Current)"
WScript.Echo "USN Created: " & dblUSNCreated & " (USN Original)"
	

List the Managed By Information for a Group


Returns information about the manager assigned to an Active Directory security group named Scientists.
On Error Resume Next
 
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
 
strManagedBy = objGroup.Get("managedBy")
 
' With On Error Resume Next, Get fails silently when managedBy is not set
' and strManagedBy stays Empty.
If IsEmpty(strManagedBy) Then
    WScript.Echo "No user account is assigned to manage " & _
        "this group."
Else
    Set objUser = GetObject("LDAP://" & strManagedBy)

    Call GetUpdateMemberList
 
    WScript.Echo "Office: " & _
        objUser.physicalDeliveryOfficeName  
    WScript.Echo "Street Address: " & objUser.streetAddress
    WScript.Echo "Locality: " & objUser.l
    WScript.Echo "State/Province: " & objUser.st
    WScript.Echo "Country: " & objUser.c
    WScript.Echo "Telephone Number: " & objUser.telephoneNumber
    WScript.Echo "Fax Number: " & _
        objUser.facsimileTelephoneNumber
End If
 
Sub GetUpdateMemberList
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5 
    Const Member_SchemaIDGuid = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}"
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    objUser.GetInfoEx Array("canonicalName"),0
    strCanonicalName = objUser.Get("canonicalName")
    ' The first label of the canonical name (NA in NA.fabrikam.com/...) is
    ' taken as the NetBIOS domain name; this holds only when the two match.
    strDomain = Mid(strCanonicalName,1,InStr(1,strCanonicalName,".")-1)
    strSAMAccountName = objUser.Get("sAMAccountName")
 
    Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
    Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl
 
    ' Look for an allow ACE for DOMAIN\manager granting WriteProperty on the
    ' member attribute. GUID strings returned by ADSI may differ in case from
    ' the constant, so both sides are compared case-insensitively.
    blnMatch = False
    For Each objAce In objDiscretionaryAcl
        If LCase(objAce.Trustee) = LCase(strDomain & "\" & strSAMAccountName) AND _
           LCase(objAce.ObjectType & "") = LCase(Member_SchemaIDGuid) AND _
           objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT AND _
           (objAce.AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then
            blnMatch = True
        End If
    Next
    If blnMatch Then 
        WScript.Echo "Manager can update the member list"
    Else
        WScript.Echo "Manager cannot update the member list."
    End If
End Sub
	

List Other Groups a Group Belongs To


Returns a list of all the groups that the Active Directory security group Scientists is a member of.
On Error Resume Next
 
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.GetInfo
 
arrMembersOf = objGroup.GetEx("memberOf")
 
WScript.Echo "MembersOf:"
For Each strMemberOf in arrMembersOf
    WScript.Echo strMemberOf
Next
	

List the Owner of a Group


Returns the owner of an Active Directory security group named Scientists.
Set objGroup = GetObject _
  ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
 
Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
 
WScript.Echo "Owner Tab"
WScript.Echo "Current owner of this item: " & objNtSecurityDescriptor.Owner
	

List the Primary Group for a User Account


Reports the primary group for the MyerKen Active Directory user account.
On Error Resume Next

Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
 
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
intPrimaryGroupID = objUser.Get("primaryGroupID")
 
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
' ADO directory search syntax: <base>;(filter);attributes;scope. The search
' base is assumed to be the domain root used by the other scripts on this page.
objCommand.CommandText = _
    "<LDAP://dc=NA,dc=fabrikam,dc=com>;(objectCategory=Group);" & _
        "distinguishedName,primaryGroupToken;subtree"
Set objRecordSet = objCommand.Execute
  
Do Until objRecordset.EOF
    If objRecordset.Fields("primaryGroupToken") = intPrimaryGroupID Then
        WScript.Echo "Primary group:"
        WScript.Echo objRecordset.Fields("distinguishedName") & _
            " (primaryGroupID: " & intPrimaryGroupID & ")"
    End If
    objRecordset.MoveNext
Loop
 
objConnection.Close
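Both this script and "List the Active Directory Groups a User Belongs To" find the primary group by querying every group in the domain and comparing primaryGroupToken. The added example below (not part of the original page) uses the fact those scripts rely on, that primaryGroupID is the RID of the group and primaryGroupToken is that same RID: it decodes the user's binary objectSid, swaps in the primary group RID, and binds to the group by SID with a single lookup. The user DN is the page's MyerKen account; OctetToHexStr, SidToString and PrimaryGroupDN are helper names chosen here.

```vbscript
' Convert an ADSI octet string (Variant byte array) to a hex string.
Function OctetToHexStr(arrOctet)
    Dim k
    OctetToHexStr = ""
    For k = 1 To LenB(arrOctet)
        OctetToHexStr = OctetToHexStr & Right("0" & Hex(AscB(MidB(arrOctet, k, 1))), 2)
    Next
End Function

' Decode a binary SID into S-R-I-S1-S2-... form. Layout: revision (1 byte),
' sub-authority count (1 byte), identifier authority (6 bytes, big-endian),
' then count sub-authorities of 4 bytes each, little-endian.
Function SidToString(arrSid)
    Dim strHex, intCount, i, j, dblSub, strSid
    strHex = OctetToHexStr(arrSid)
    intCount = CInt("&H" & Mid(strHex, 3, 2))
    ' Only the low 4 bytes of the authority are used; the high 2 are zero for
    ' every authority AD issues.
    strSid = "S-" & CInt("&H" & Mid(strHex, 1, 2)) & "-" & CLng("&H" & Mid(strHex, 9, 8))
    For i = 0 To intCount - 1
        dblSub = CDbl(0)                 ' Double: sub-authorities can exceed 2^31
        For j = 3 To 0 Step -1           ' most significant byte first
            dblSub = dblSub * 256 + CLng("&H" & Mid(strHex, 17 + 8 * i + 2 * j, 2))
        Next
        strSid = strSid & "-" & CStr(dblSub)
    Next
    SidToString = strSid
End Function

' The primary group never appears in memberOf. primaryGroupID is the RID of a
' group in the user's own domain, so the group's SID is the user's domain SID
' with that RID appended, and LDAP://<SID=...> binds to it directly.
Function PrimaryGroupDN(strUserADsPath)
    Dim objUser, strUserSid, strDomainSid, objGroup
    Set objUser = GetObject(strUserADsPath)
    strUserSid = SidToString(objUser.Get("objectSid"))
    strDomainSid = Left(strUserSid, InStrRev(strUserSid, "-") - 1)   ' strip the user's RID
    Set objGroup = GetObject("LDAP://<SID=" & strDomainSid & "-" & _
        objUser.Get("primaryGroupID") & ">")
    PrimaryGroupDN = objGroup.Get("distinguishedName")
End Function

WScript.Echo "Primary group: " & _
    PrimaryGroupDN("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
```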
	

List the Security Descriptor for a Group


Returns information found on the security descriptor for the Active Directory group named Scientists.
Const SE_DACL_PROTECTED = &H1000 
 
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
 
Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
 
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
 
WScript.Echo "Permissions Tab"
strMessage = "Allow inheritable permissions from the parent to " & _
     "propagate to this object and all child objects "
If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
    Wscript.Echo strMessage & "is disabled."
Else
    WScript.Echo strMessage & "is enabled."
End If
WScript.Echo 
 
Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl
DisplayAceInformation objDiscretionaryAcl, "DACL"
 
Sub DisplayAceInformation(SecurityStructure, strType)
    Const ADS_ACETYPE_ACCESS_ALLOWED = &H0 
    Const ADS_ACETYPE_ACCESS_DENIED = &H1 
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5 
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6 
    intAceCount = 0
    For Each objAce In SecurityStructure
        strTrustee = Mid(objAce.Trustee,1,12)
        If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
            intAceCount = intAceCount + 1
            WScript.Echo strType & " permission entry: " & intAceCount
            WScript.Echo "Name: " & objAce.Trustee
 
            intAceType = objAce.AceType
            If (intAceType = ADS_ACETYPE_ACCESS_ALLOWED Or _
                intAceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
                WScript.Echo "Type: Allow Access"
            ElseIf (intAceType = ADS_ACETYPE_ACCESS_DENIED Or _
                intAceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then
                WScript.Echo "Type: Deny Access"
            Else
                WScript.Echo "Access Type Unknown."
            End If
            ReadBitsInAccessMask(objAce.AccessMask)
            WScript.Echo VbCr
        End If
    Next
End Sub
 
Sub ReadBitsInAccessMask(AccessMask)
    Const ADS_RIGHT_DELETE = &H10000
    Const ADS_RIGHT_READ_CONTROL = &H20000
    Const ADS_RIGHT_WRITE_DAC = &H40000
    Const ADS_RIGHT_WRITE_OWNER = &H80000
    Const ADS_RIGHT_DS_CREATE_CHILD = &H1
    Const ADS_RIGHT_DS_DELETE_CHILD = &H2
    Const ADS_RIGHT_ACTRL_DS_LIST = &H4
    Const ADS_RIGHT_DS_SELF = &H8
    Const ADS_RIGHT_DS_READ_PROP = &H10
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    Const ADS_RIGHT_DS_DELETE_TREE = &H40
    Const ADS_RIGHT_DS_LIST_OBJECT = &H80
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
 
    WScript.Echo VbCrLf & "Standard Access Rights"
    If (AccessMask And ADS_RIGHT_DELETE) Then _
        WScript.Echo vbTab & "-Delete an object."
    If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
        WScript.Echo vbTab & "-Read permissions."
    If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
        WScript.Echo vbTab & "-Write permissions."
    If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
        WScript.Echo vbTab & "-Modify owner."
  
    WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
       WScript.Echo vbTab & "-Create child objects."
    If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
        WScript.Echo vbTab & "-Delete child objects."
    If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
        WScript.Echo vbTab & "-Enumerate an object."
    If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
        WScript.Echo vbTab & "-Read the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
        WScript.Echo vbTab & "-Write the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
        WScript.Echo vbTab & "-Delete a tree of objects"
    If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
        WScript.Echo vbTab & "-List a tree of objects."
 
    WScript.Echo VbCrLf & "Control Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _
        (AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
        WScript.Echo "-None"
    Else 
        If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
            WScript.Echo vbTab & "-Extended access rights."
        If (AccessMask And ADS_RIGHT_DS_SELF) Then
            WScript.Echo vbTab & "-Active Directory must validate a property "
            WScript.Echo vbTab & " write operation beyond the schema " & _
                "definition "
            WScript.Echo vbTab & " for the attribute."
        End If
    End If
End Sub
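The script above decodes every ACE bit by bit, and GetUpdateMemberList in "List the Managed By Information for a Group" checks one trustee for one right. The added example below (not part of the original page) combines the two from a defender's angle: it walks the group's DACL and reports every trustee whose allow ACE lets it change the membership, whether through GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty on member, or the Self-Membership validated write, so the output can be compared with the intended administrators and manager. Deny ACEs are not evaluated and nested group membership of trustees is not expanded; the group DN is the page's Scientists group, and MembershipRightGranted and AuditMembershipControl are names chosen here.

```vbscript
Const ADS_ACETYPE_ACCESS_ALLOWED        = &H0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACEFLAG_INHERITED_ACE         = &H10
Const ADS_RIGHT_GENERIC_ALL    = &H10000000
Const ADS_RIGHT_GENERIC_WRITE  = &H40000000
Const ADS_RIGHT_WRITE_DAC      = &H40000
Const ADS_RIGHT_WRITE_OWNER    = &H80000
Const ADS_RIGHT_DS_SELF        = &H8
Const ADS_RIGHT_DS_WRITE_PROP  = &H20
' schemaIDGUID of the member attribute; the Self-Membership validated write
' (ADS_RIGHT_DS_SELF) is identified by the same GUID.
Const MEMBER_GUID = "{bf9679c0-0de6-11d0-a285-00aa003049e2}"

' Returns why this allow ACE lets its trustee change the group's membership,
' or "" when it does not. An ACE with no ObjectType covers every attribute,
' member included.
Function MembershipRightGranted(objAce)
    Dim lngMask, strObjType, blnCoversMember
    MembershipRightGranted = ""
    If objAce.AceType <> ADS_ACETYPE_ACCESS_ALLOWED And _
       objAce.AceType <> ADS_ACETYPE_ACCESS_ALLOWED_OBJECT Then Exit Function
    lngMask = objAce.AccessMask
    strObjType = LCase(objAce.ObjectType & "")     ' & "" turns Null into ""
    blnCoversMember = (strObjType = "" Or strObjType = MEMBER_GUID)
    If lngMask And ADS_RIGHT_GENERIC_ALL Then
        MembershipRightGranted = "GenericAll (full control)"
    ElseIf lngMask And ADS_RIGHT_GENERIC_WRITE Then
        MembershipRightGranted = "GenericWrite (write to every attribute)"
    ElseIf lngMask And ADS_RIGHT_WRITE_DAC Then
        MembershipRightGranted = "WriteDacl (can rewrite these permissions)"
    ElseIf lngMask And ADS_RIGHT_WRITE_OWNER Then
        MembershipRightGranted = "WriteOwner (an owner implicitly holds WriteDacl)"
    ElseIf (lngMask And ADS_RIGHT_DS_WRITE_PROP) And blnCoversMember Then
        MembershipRightGranted = "WriteProperty on member"
    ElseIf (lngMask And ADS_RIGHT_DS_SELF) And blnCoversMember Then
        MembershipRightGranted = "Self-Membership (may add or remove itself)"
    End If
End Function

' Print every trustee that can alter membership of the group.
Sub AuditMembershipControl(strGroupADsPath)
    Dim objGroup, objSD, objAce, strWhy, strInherited
    Set objGroup = GetObject(strGroupADsPath)
    Set objSD = objGroup.Get("ntSecurityDescriptor")
    WScript.Echo "Can change membership of " & objGroup.Get("distinguishedName") & ":"
    WScript.Echo vbTab & objSD.Owner & ": object owner (implicit ReadControl and WriteDacl)"
    For Each objAce In objSD.DiscretionaryAcl
        strWhy = MembershipRightGranted(objAce)
        If strWhy <> "" Then
            strInherited = ""
            If objAce.AceFlags And ADS_ACEFLAG_INHERITED_ACE Then strInherited = " [inherited]"
            WScript.Echo vbTab & objAce.Trustee & ": " & strWhy & strInherited
        End If
    Next
End Sub

AuditMembershipControl "LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com"
```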
	

List the System Access Control List for a Group


Returns information found on the System Access Control List (SACL) for an Active Directory security group named Scientists.
Const SE_SACL_PROTECTED = &H2000 
Const ADS_SECURITY_INFO_OWNER = &H1 
Const ADS_SECURITY_INFO_GROUP = &H2
Const ADS_OPTION_SECURITY_MASK =&H3
Const ADS_SECURITY_INFO_DACL = &H4 
Const ADS_SECURITY_INFO_SACL = &H8
 
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
 
' Ask the provider to return the SACL as well (it is not fetched by default).
' Reading the SACL requires SeSecurityPrivilege (Manage auditing and security log).
objGroup.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER _
    Or ADS_SECURITY_INFO_GROUP Or ADS_SECURITY_INFO_DACL _
    Or ADS_SECURITY_INFO_SACL
  
Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
 
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
 
WScript.Echo "Auditing Tab"
strMessage = "Allow inheritable auditing entries from the parent to " & _
    "propagate to this object and all child objects "

If (intNtSecurityDescriptorControl And SE_SACL_PROTECTED) Then
    Wscript.Echo strMessage & "is disabled."
Else
    WScript.Echo strMessage & "is enabled."
End If
WScript.Echo 
 
Set objSacl = objNtSecurityDescriptor.SystemAcl
DisplayAceInformation objSacl, "SACL"
 
Sub DisplayAceInformation(SecurityStructure, strType)
    Const ADS_ACETYPE_SYSTEM_AUDIT = &H2 
    Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7 
  
    intAceCount = 0
    For Each objAce In SecurityStructure
        strTrustee = Mid(objAce.Trustee,1,12)
        If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
            intAceCount = intAceCount + 1
            WScript.Echo strType & " permission entry: " & intAceCount
            WScript.Echo "Name: " & objAce.Trustee
 
            intAceType = objAce.AceType
            WScript.Echo "ACETYPE IS: " & intAceType
            If (intAceType = ADS_ACETYPE_SYSTEM_AUDIT or _
                intAceType = ADS_ACETYPE_SYSTEM_AUDIT_OBJECT) Then
                WScript.Echo "Type: Success or Failure Audit"
            Else
                WScript.Echo "Audit Type Unknown."
            End If
            ReadBitsInAccessMask(objAce.AccessMask)
            WScript.Echo 
        End If
    Next
End Sub
 
Sub ReadBitsInAccessMask(AccessMask)
    Const ADS_RIGHT_DELETE = &H10000
    Const ADS_RIGHT_READ_CONTROL = &H20000
    Const ADS_RIGHT_WRITE_DAC = &H40000
    Const ADS_RIGHT_WRITE_OWNER = &H80000
    Const ADS_RIGHT_DS_CREATE_CHILD = &H1
    Const ADS_RIGHT_DS_DELETE_CHILD = &H2
    Const ADS_RIGHT_ACTRL_DS_LIST = &H4
    Const ADS_RIGHT_DS_SELF = &H8
    Const ADS_RIGHT_DS_READ_PROP = &H10
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    Const ADS_RIGHT_DS_DELETE_TREE = &H40
    Const ADS_RIGHT_DS_LIST_OBJECT = &H80
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
 
    WScript.Echo VbCrLf & "Standard Access Rights"
    If (AccessMask And ADS_RIGHT_DELETE) Then _
        WScript.Echo vbTab & "-Delete an object."
    If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
        WScript.Echo vbTab & "-Read permissions."
    If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
        WScript.Echo vbTab & "-Write permissions."
    If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
        WScript.Echo vbTab & "-Modify owner."
  
    WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
        WScript.Echo vbTab & "-Create child objects."
    If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
        WScript.Echo vbTab & "-Delete child objects."
    If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
        WScript.Echo vbTab & "-Enumerate an object."
    If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
        WScript.Echo vbTab & "-Read the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
        WScript.Echo vbTab & "-Write the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
        WScript.Echo vbTab & "-Delete a tree of objects"
    If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
        WScript.Echo vbTab & "-List a tree of objects."
 
    WScript.Echo VbCrLf & "Control Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _
        (AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
            WScript.Echo "-None"
    Else 
        If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
            WScript.Echo vbTab & "-Extended access rights."
        If (AccessMask And ADS_RIGHT_DS_SELF) Then
            WScript.Echo vbTab & "-Active Directory must validate a property "
            WScript.Echo vbTab & " write operation beyond the schema " & _
                "definition "
            WScript.Echo vbTab & " for the attribute."
        End If
    End If
End Sub
	

Modify Group Attributes


Modifies both single-value (samAccountName, mail, info) and multi-value (description) attributes for a group named Scientists.
Const ADS_PROPERTY_UPDATE = 2 

Set objGroup = GetObject _
   ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") 
 
objGroup.Put "sAMAccountName", "Scientist01"
objGroup.Put "mail", "YoungRob@fabrikam.com"
objGroup.Put "info", "Use this group for official communications " & _
  "with scientists who are contracted to work with Contoso.com."
objGroup.PutEx ADS_PROPERTY_UPDATE, _
    "description", Array("Scientist Mailing List")
objGroup.SetInfo
	

Modify Group Type


Changes a local group named Scientists to a global security group.
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000
 
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") 
 
objGroup.Put "groupType", _
    ADS_GROUP_TYPE_UNIVERSAL_GROUP + ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo
	

Move a Group Within a Domain


Moves a group account from the HR OU to the Users container.
Set objOU = GetObject("LDAP://cn=Users,dc=NA,dc=fabrikam,dc=com")

objOU.MoveHere "LDAP://cn=atl-users,ou=HR,dc=NA,dc=fabrikam,dc=com", _
    vbNullString
	

Remove All Group Memberships for a User Account


Removes the MyerKen user account from all Active Directory security groups.
On Error Resume Next

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
 
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") 
' memberOf lists the groups whose member attribute names this user; the
' primary group is not among them and is left unchanged by this script.
arrMemberOf = objUser.GetEx("memberOf")
 
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "This account is not a member of any security groups."
    WScript.Quit
End If
 
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group) 
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
    objGroup.SetInfo
Next
	

Remove All the Members of a Group


Removes all the members of an Active Directory group named Sea-Users.
Const ADS_PROPERTY_CLEAR = 1 
 
Set objGroup = GetObject _
    ("LDAP://cn=Sea-Users,cn=Users,dc=NA,dc=fabrikam,dc=com") 
 
objGroup.PutEx ADS_PROPERTY_CLEAR, "member", 0
objGroup.SetInfo
	

Remove the Manager of a Group


Removes the manager entry for the Active Directory security group named Scientists. When this script is run, the group will no longer have an assigned manager.
Const ADS_PROPERTY_CLEAR = 1 
 
Set objGroup = GetObject _
   ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")

objGroup.PutEx ADS_PROPERTY_CLEAR, "managedBy", 0
objGroup.SetInfo
	

Remove a User from a Group


Removes user MyerKen from the group Sea-Users.
Const ADS_PROPERTY_DELETE = 4 
 
Set objGroup = GetObject _
   ("LDAP://cn=Sea-Users,cn=Users,dc=NA,dc=fabrikam,dc=com") 
 
objGroup.PutEx ADS_PROPERTY_DELETE, _
    "member",Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
objGroup.SetInfo
	

Replace Group Membership with All-New Members


Replaces the existing membership of a group named Scientists with two new group members: YoungRob and ShenAlan.
Const ADS_PROPERTY_UPDATE = 2 
 
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") 
 
objGroup.PutEx ADS_PROPERTY_UPDATE, "member", _
      Array("cn=YoungRob,ou=R&D,dc=NA,dc=fabrikam,dc=com", _
          "cn=ShenAlan,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.SetInfo