Scripts to manage Active Directory Groups
Adding 1,000 Users to a Security Group
Adding New Members to a Group
Assigning a Group Manager
Changing the Scope of a Group
Creating a Domain Local Distribution Group
Creating a Global Security Group
Creating a Universal Distribution Group
Creating a Universal Security Group
Deleting a Group from Active Directory
Determining Other Groups a Group Belongs To
Determining the Primary Group for a User Account
Enumerating Group Members
Identifying the Owner of a Group
Modifying Group Properties
Modifying Group Type
Moving a Group Within a Domain
Reading the General Properties for a Group
Reading the Security Descriptor for a Group
Reading the System Access Control List for a Group
Removing All the Members of a Group
Removing a Group Manager
Removing a User from All Active Directory Security Groups
Removing a User from a Group
Replacing Group Membership
Retrieving the Active Directory Groups a User Belongs To
Returning the Attributes of the Group Class
Returning Group Object Information
Returning a List of Group Members
Returning Managed By Information for a Group
Adding 1,000 Users to a Security Group
Demonstration script that creates a security group named Group1, and adds one thousand users (UserNo1 through UserNo1000) to that group. This script is not intended for use in a production environment.

```vbscript
Const ADS_PROPERTY_APPEND = 3

Set objRootDSE = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://cn=Users," & _
    objRootDSE.Get("defaultNamingContext"))

' Create the group; when groupType is not set, the directory defaults it
' to a global security group
Set objGroup = objContainer.Create("Group", "cn=Group1")
objGroup.Put "sAMAccountName", "Group1"
objGroup.SetInfo

' Append each user DN to the multi-valued member attribute, one write per user
For i = 1 To 1000
    strDN = ",cn=Users," & objRootDSE.Get("defaultNamingContext")
    objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
        Array("cn=UserNo" & i & strDN)
    objGroup.SetInfo
Next

WScript.Echo "Group1 created and 1000 Users added to the group."
```
Adding New Members to a Group
Adds two groups (Executives and Scientists) and one user account (MyerKen) to the Sea-Users group in Active Directory.
```vbscript
Const ADS_PROPERTY_APPEND = 3

Set objGroup = GetObject _
    ("LDAP://cn=Sea-Users,cn=Users,dc=NA,dc=fabrikam,dc=com")

' Append the DNs of two groups and one user to the member attribute;
' existing members are left in place
objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
    Array("cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com", _
          "cn=Executives,ou=Management,dc=NA,dc=fabrikam,dc=com", _
          "cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
objGroup.SetInfo
```
Assigning a Group Manager
Assigns user MyerKen as the manager of the Active Directory security group named Scientists.
```vbscript
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")

' managedBy holds the manager's DN. On its own it is informational and grants
' the manager no rights over the group's membership.
objGroup.Put "managedBy", "cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com"
objGroup.SetInfo
```
Changing the Scope of a Group
Changes a global distribution group named Scientists to a universal security group.
```vbscript
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000

Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")

' groupType is a bit field: exactly one scope bit, plus the security-enabled
' bit for security groups. Put replaces the whole value, so both bits of the
' target type must be supplied.
objGroup.Put "groupType", _
    ADS_GROUP_TYPE_UNIVERSAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo
```
Creating a Domain Local Distribution Group
Creates a domain local Active Directory distribution group named Vendors.
```vbscript
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4

Set objOU = GetObject("LDAP://ou=HR,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=Vendors")
objGroup.Put "sAMAccountName", "vendors"
' No security-enabled bit: this is a distribution group
objGroup.Put "groupType", ADS_GROUP_TYPE_LOCAL_GROUP
objGroup.SetInfo
```
Creating a Global Security Group
Creates a global Active Directory security group named HR-Employees.
```vbscript
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000

Set objOU = GetObject("LDAP://ou=HR,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=HR-Employees")
objGroup.Put "sAMAccountName", "HRStaff"
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP Or _
    ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo
```
Creating a Universal Distribution Group
Creates a universal Active Directory distribution group named Customers.
```vbscript
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8

Set objOU = GetObject("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=Customers")
objGroup.Put "sAMAccountName", "customers"
objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP
objGroup.SetInfo
```
Creating a Universal Security Group
Creates a universal Active Directory security group named All-Employees.
```vbscript
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000

Set objOU = GetObject("LDAP://cn=Users,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=All-Employees")
objGroup.Put "sAMAccountName", "AllEmployees"
objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP Or _
    ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo
```
Deleting a Group from Active Directory
Deletes a group named atl-users from the HR organizational unit in the hypothetical domain fabrikam.com.
```vbscript
Set objOU = GetObject("LDAP://ou=hr,dc=fabrikam,dc=com")
' Delete takes the object class and the relative distinguished name
objOU.Delete "group", "cn=atl-users"
```
Determining Other Groups a Group Belongs To
Returns a list of all the groups that the Active Directory security group Scientists is a member of.
```vbscript
On Error Resume Next

Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.GetInfo

' memberOf is a back link the directory derives from other groups' member
' attributes; it shows direct membership only, not nested membership
arrMembersOf = objGroup.GetEx("memberOf")
WScript.Echo "MembersOf:"
For Each strMemberOf In arrMembersOf
    WScript.Echo strMemberOf
Next
```
Determining the Primary Group for a User Account
Reports the primary group for the MyerKen Active Directory user account.
```vbscript
On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
' primaryGroupID holds the RID of the primary group, not its DN
intPrimaryGroupID = objUser.Get("primaryGroupID")

' Search every group in the domain for the one whose primaryGroupToken
' (its RID) matches the user's primaryGroupID
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "<LDAP://dc=NA,dc=fabrikam,dc=com>;(objectCategory=Group);" & _
    "distinguishedName,primaryGroupToken;subtree"
Set objRecordSet = objCommand.Execute

While Not objRecordSet.EOF
    If objRecordSet.Fields("primaryGroupToken") = intPrimaryGroupID Then
        WScript.Echo "Primary group:"
        WScript.Echo objRecordSet.Fields("distinguishedName") & _
            " (primaryGroupID: " & intPrimaryGroupID & ")"
    End If
    objRecordSet.MoveNext
Wend
objConnection.Close
```
Enumerating Group Members
Retrieves the memberOf and primaryGroupID attributes of a user account to display group membership. Note that the primaryGroupID attribute contains an integer that maps to the name of the primary group. The memberOf attribute does not contain the name of the primary group of which the user is a member.
```vbscript
On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

Set objOU = GetObject _
    ("LDAP://cn=Users,dc=NA,dc=fabrikam,dc=com")
objOU.Filter = Array("user")

For Each objUser In objOU
    WScript.Echo objUser.cn & " is a member of: "
    WScript.Echo vbTab & "Primary Group ID: " & _
        objUser.Get("primaryGroupID")
    ' memberOf is absent when the user belongs to no group other than the
    ' primary group, and GetEx then raises E_ADS_PROPERTY_NOT_FOUND
    arrMemberOf = objUser.GetEx("memberOf")
    If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
        For Each Group In arrMemberOf
            WScript.Echo vbTab & Group
        Next
    Else
        WScript.Echo vbTab & "memberOf attribute is not set"
        Err.Clear
    End If
    WScript.Echo vbCrLf
Next
```
Identifying the Owner of a Group
Returns the owner of an Active Directory security group named Scientists.
```vbscript
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
' ntSecurityDescriptor is returned as an IADsSecurityDescriptor object
Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
WScript.Echo "Owner Tab"
WScript.Echo "Current owner of this item: " & objNtSecurityDescriptor.Owner
```
Modifying Group Properties
Modifies both single-value (samAccountName, mail, info) and multi-value (description) attributes for a group named Scientists.
```vbscript
Const ADS_PROPERTY_UPDATE = 2

Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.Put "sAMAccountName", "Scientist01"
objGroup.Put "mail", "YoungRob@fabrikam.com"
objGroup.Put "info", "Use this group for official communications " & _
    "with scientists who are contracted to work with Contoso.com."
' PutEx with ADS_PROPERTY_UPDATE replaces every existing value of the attribute
objGroup.PutEx ADS_PROPERTY_UPDATE, _
    "description", Array("Scientist Mailing List")
objGroup.SetInfo
```
Modifying Group Type
Changes a local group named Scientists to a global security group.
```vbscript
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000

Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")

' Domain local and global scopes cannot be converted into each other in one
' step; the directory requires an intermediate hop through universal scope.
objGroup.Put "groupType", _
    ADS_GROUP_TYPE_UNIVERSAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo

objGroup.Put "groupType", _
    ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo
```
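The "Changing the Scope of a Group" and "Modifying Group Type" scripts both overwrite the whole groupType value. The following PowerShell is an added example, not code from the original page: it uses the [ADSI] accelerator (the same ADSI interfaces the VBScript binds to) to decode a groupType value into scope and group type, and to change only the scope bits while keeping the security-enabled bit and any other flags the directory has set, with the hop through universal scope applied automatically when converting between global and domain local. The function names and the fabrikam.com DN in the usage line are assumptions for illustration.

```powershell
# Added example (PowerShell, not from the original page).
# Assumes the caller supplies a valid group DN and may write groupType.

$ADS_GROUP_TYPE_GLOBAL_GROUP     = 0x2
$ADS_GROUP_TYPE_LOCAL_GROUP      = 0x4
$ADS_GROUP_TYPE_UNIVERSAL_GROUP  = 0x8
$ADS_GROUP_TYPE_SECURITY_ENABLED = -2147483648   # 0x80000000 as the signed Int32 AD stores
$ScopeMask = $ADS_GROUP_TYPE_GLOBAL_GROUP -bor $ADS_GROUP_TYPE_LOCAL_GROUP -bor $ADS_GROUP_TYPE_UNIVERSAL_GROUP

function ConvertFrom-GroupType {
    # Splits a raw groupType value into its scope and security/distribution flag
    param([Parameter(Mandatory)][int32]$GroupType)
    $scope = switch ($GroupType -band $ScopeMask) {
        0x2     { 'Global' }
        0x4     { 'DomainLocal' }
        0x8     { 'Universal' }
        default { 'Unknown' }
    }
    [pscustomobject]@{
        Scope      = $scope
        IsSecurity = (($GroupType -band $ADS_GROUP_TYPE_SECURITY_ENABLED) -ne 0)
        RawValue   = $GroupType
    }
}

function Set-GroupScope {
    # Rewrites only the scope bits; every other bit in groupType is preserved
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [Parameter(Mandatory)][ValidateSet('Global','DomainLocal','Universal')][string]$Scope
    )
    $scopeBit = @{ Global = 0x2; DomainLocal = 0x4; Universal = 0x8 }[$Scope]
    $group    = [ADSI]"LDAP://$GroupDN"
    $current  = [int32]$group.Properties['groupType'].Value
    $before   = ConvertFrom-GroupType $current
    if ($before.Scope -eq $Scope) { return $before }

    # Global <-> DomainLocal is not allowed in one write; go through Universal first
    if ($before.Scope -ne 'Universal' -and $Scope -ne 'Universal') {
        $hop = ($current -band -bnot $ScopeMask) -bor $ADS_GROUP_TYPE_UNIVERSAL_GROUP
        if ($PSCmdlet.ShouldProcess($GroupDN, "groupType $current -> $hop (Universal)")) {
            $group.Put('groupType', $hop)
            $group.SetInfo()
        }
    }
    $new = ($current -band -bnot $ScopeMask) -bor $scopeBit
    if ($PSCmdlet.ShouldProcess($GroupDN, "groupType $current -> $new ($Scope)")) {
        $group.Put('groupType', $new)
        $group.SetInfo()
    }
    $group.RefreshCache()
    ConvertFrom-GroupType ([int32]$group.Properties['groupType'].Value)
}

# Usage (DN taken from the page's fabrikam.com examples; -WhatIf previews the writes):
# Set-GroupScope -GroupDN 'cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com' -Scope Universal -WhatIf
```

Because the function masks out only the three scope bits, flags such as the system-created bit (0x1) on built-in groups survive the change, which a plain `Put "groupType", <constant>` would silently drop. `-WhatIf` shows the exact before/after values without touching the directory, which is worth using before changing the scope of a group that other groups nest.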
Moving a Group Within a Domain
Moves a group account from the HR OU to the Users container.
```vbscript
Set objOU = GetObject("LDAP://cn=Users,dc=NA,dc=fabrikam,dc=com")
' MoveHere takes the source ADsPath and the new relative name;
' vbNullString keeps the existing name
objOU.MoveHere "LDAP://cn=atl-users,ou=HR,dc=NA,dc=fabrikam,dc=com", _
    vbNullString
```
Reading the General Properties for a Group
Reads the values found on the General Properties page in Active Directory Users and Computers for a group named Scientists.
```vbscript
On Error Resume Next
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000

Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.GetInfo
strName = objGroup.Get("name")
strSAMAccountName = objGroup.Get("sAMAccountName")
strMail = objGroup.Get("mail")
intGroupType = objGroup.Get("groupType")
strInfo = objGroup.Get("info")
arrDescription = objGroup.GetEx("description")

WScript.Echo "name: " & strName
WScript.Echo "sAMAccountName: " & strSAMAccountName
WScript.Echo "mail: " & strMail
WScript.Echo "info: " & strInfo

' Exactly one scope bit is set in groupType
WScript.StdOut.Write "Group scope: "
If intGroupType And ADS_GROUP_TYPE_LOCAL_GROUP Then
    WScript.Echo "Domain local"
ElseIf intGroupType And ADS_GROUP_TYPE_GLOBAL_GROUP Then
    WScript.Echo "Global"
ElseIf intGroupType And ADS_GROUP_TYPE_UNIVERSAL_GROUP Then
    WScript.Echo "Universal"
Else
    WScript.Echo "Unknown"
End If

' The high bit distinguishes security groups from distribution groups
WScript.StdOut.Write "Group type: "
If intGroupType And ADS_GROUP_TYPE_SECURITY_ENABLED Then
    WScript.Echo "Security group"
Else
    WScript.Echo "Distribution group"
End If

For Each strValue In arrDescription
    WScript.Echo "description: " & strValue
Next
```
Reading the Security Descriptor for a Group
Returns information found on the security descriptor for the Active Directory group named Scientists. This script must be run under CScript because it writes to WScript.StdOut.
```vbscript
Const SE_DACL_PROTECTED = &H1000

Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

WScript.Echo "Permissions Tab"
WScript.StdOut.WriteLine "Allow inheritable permissions from the parent to"
WScript.StdOut.Write "propagate to this object and all child objects "
' SE_DACL_PROTECTED set means inheritance from the parent is blocked
If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
    WScript.Echo "is disabled."
Else
    WScript.Echo "is enabled."
End If
WScript.Echo vbCr

Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl
DisplayAceInformation objDiscretionaryAcl, "DACL"

Sub DisplayAceInformation(SecurityStructure, strType)
    Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
    Const ADS_ACETYPE_ACCESS_DENIED = &H1
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6

    intAceCount = 0
    For Each objAce In SecurityStructure
        ' Skip the NT AUTHORITY trustees (SYSTEM, SELF, Authenticated Users, ...)
        strTrustee = Mid(objAce.Trustee, 1, 12)
        If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
            intAceCount = intAceCount + 1
            WScript.Echo strType & " permission entry: " & intAceCount
            WScript.Echo "Name: " & objAce.Trustee
            intAceType = objAce.AceType
            ' The _OBJECT ACE types carry an ObjectType GUID that limits the
            ' entry to one attribute, property set or extended right
            If (intAceType = ADS_ACETYPE_ACCESS_ALLOWED Or _
                intAceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
                WScript.Echo "Type: Allow Access"
            ElseIf (intAceType = ADS_ACETYPE_ACCESS_DENIED Or _
                intAceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then
                WScript.Echo "Type: Deny Access"
            Else
                WScript.Echo "Access Type Unknown."
            End If
            ReadBitsInAccessMask objAce.AccessMask
            WScript.Echo vbCr
        End If
    Next
End Sub

Sub ReadBitsInAccessMask(AccessMask)
    ' Standard rights (shared by all securable objects)
    Const ADS_RIGHT_DELETE = &H10000
    Const ADS_RIGHT_READ_CONTROL = &H20000
    Const ADS_RIGHT_WRITE_DAC = &H40000
    Const ADS_RIGHT_WRITE_OWNER = &H80000
    ' Directory-service-specific rights
    Const ADS_RIGHT_DS_CREATE_CHILD = &H1
    Const ADS_RIGHT_DS_DELETE_CHILD = &H2
    Const ADS_RIGHT_ACTRL_DS_LIST = &H4
    Const ADS_RIGHT_DS_SELF = &H8
    Const ADS_RIGHT_DS_READ_PROP = &H10
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    Const ADS_RIGHT_DS_DELETE_TREE = &H40
    Const ADS_RIGHT_DS_LIST_OBJECT = &H80
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

    WScript.Echo vbCrLf & "Standard Access Rights"
    If (AccessMask And ADS_RIGHT_DELETE) Then _
        WScript.Echo vbTab & "-Delete an object."
    If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
        WScript.Echo vbTab & "-Read permissions."
    If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
        WScript.Echo vbTab & "-Write permissions."
    If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
        WScript.Echo vbTab & "-Modify owner."

    WScript.Echo vbCrLf & "Directory Service Specific Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
        WScript.Echo vbTab & "-Create child objects."
    If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
        WScript.Echo vbTab & "-Delete child objects."
    If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
        WScript.Echo vbTab & "-Enumerate an object."
    If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
        WScript.Echo vbTab & "-Read the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
        WScript.Echo vbTab & "-Write the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
        WScript.Echo vbTab & "-Delete a tree of objects."
    If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
        WScript.Echo vbTab & "-List a tree of objects."

    WScript.Echo vbCrLf & "Control Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _
       (AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
        WScript.Echo "-None"
    Else
        If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
            WScript.Echo vbTab & "-Extended access rights."
        If (AccessMask And ADS_RIGHT_DS_SELF) Then
            WScript.Echo vbTab & "-Active Directory must validate a property "
            WScript.Echo vbTab & " write operation beyond the schema definition "
            WScript.Echo vbTab & " for the attribute."
        End If
    End If
End Sub
```
Reading the System Access Control List for a Group
Returns information found on the System Access Control List (SACL) for an Active Directory security group named Scientists.
```vbscript
Const SE_SACL_PROTECTED = &H2000
Const ADS_SECURITY_INFO_OWNER = &H1
Const ADS_SECURITY_INFO_GROUP = &H2
Const ADS_OPTION_SECURITY_MASK = &H3
Const ADS_SECURITY_INFO_DACL = &H4
Const ADS_SECURITY_INFO_SACL = &H8

Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
' By default ADSI fetches only owner, group and DACL. Ask for the SACL too;
' this requires the "Manage auditing and security log" privilege
' (SeSecurityPrivilege), otherwise the SACL comes back empty.
objGroup.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER _
    Or ADS_SECURITY_INFO_GROUP Or ADS_SECURITY_INFO_DACL _
    Or ADS_SECURITY_INFO_SACL
Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

WScript.Echo "Auditing Tab"
WScript.StdOut.WriteLine "Allow inheritable auditing entries from " & _
    "the parent to"
WScript.StdOut.Write "propagate to this object and all child objects "
If (intNtSecurityDescriptorControl And SE_SACL_PROTECTED) Then
    WScript.Echo "is disabled."
Else
    WScript.Echo "is enabled."
End If
WScript.Echo vbCr

Set objSacl = objNtSecurityDescriptor.SystemAcl
DisplayAceInformation objSacl, "SACL"

Sub DisplayAceInformation(SecurityStructure, strType)
    Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
    Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7
    Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
    Const ADS_ACEFLAG_FAILED_ACCESS = &H80

    intAceCount = 0
    For Each objAce In SecurityStructure
        strTrustee = Mid(objAce.Trustee, 1, 12)
        If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
            intAceCount = intAceCount + 1
            WScript.Echo strType & " permission entry: " & intAceCount
            WScript.Echo "Name: " & objAce.Trustee
            intAceType = objAce.AceType
            WScript.Echo "ACETYPE IS: " & intAceType
            If (intAceType = ADS_ACETYPE_SYSTEM_AUDIT Or _
                intAceType = ADS_ACETYPE_SYSTEM_AUDIT_OBJECT) Then
                ' AceFlags records whether successful and/or failed access is audited
                If (objAce.AceFlags And ADS_ACEFLAG_SUCCESSFUL_ACCESS) Then _
                    WScript.Echo "Type: Success Audit"
                If (objAce.AceFlags And ADS_ACEFLAG_FAILED_ACCESS) Then _
                    WScript.Echo "Type: Failure Audit"
            Else
                WScript.Echo "Audit Type Unknown."
            End If
            ReadBitsInAccessMask objAce.AccessMask
            WScript.Echo vbCr
        End If
    Next
End Sub

Sub ReadBitsInAccessMask(AccessMask)
    Const ADS_RIGHT_DELETE = &H10000
    Const ADS_RIGHT_READ_CONTROL = &H20000
    Const ADS_RIGHT_WRITE_DAC = &H40000
    Const ADS_RIGHT_WRITE_OWNER = &H80000
    Const ADS_RIGHT_DS_CREATE_CHILD = &H1
    Const ADS_RIGHT_DS_DELETE_CHILD = &H2
    Const ADS_RIGHT_ACTRL_DS_LIST = &H4
    Const ADS_RIGHT_DS_SELF = &H8
    Const ADS_RIGHT_DS_READ_PROP = &H10
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    Const ADS_RIGHT_DS_DELETE_TREE = &H40
    Const ADS_RIGHT_DS_LIST_OBJECT = &H80
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

    WScript.Echo vbCrLf & "Standard Access Rights"
    If (AccessMask And ADS_RIGHT_DELETE) Then _
        WScript.Echo vbTab & "-Delete an object."
    If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
        WScript.Echo vbTab & "-Read permissions."
    If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
        WScript.Echo vbTab & "-Write permissions."
    If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
        WScript.Echo vbTab & "-Modify owner."

    WScript.Echo vbCrLf & "Directory Service Specific Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
        WScript.Echo vbTab & "-Create child objects."
    If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
        WScript.Echo vbTab & "-Delete child objects."
    If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
        WScript.Echo vbTab & "-Enumerate an object."
    If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
        WScript.Echo vbTab & "-Read the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
        WScript.Echo vbTab & "-Write the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
        WScript.Echo vbTab & "-Delete a tree of objects."
    If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
        WScript.Echo vbTab & "-List a tree of objects."

    WScript.Echo vbCrLf & "Control Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _
       (AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
        WScript.Echo "-None"
    Else
        If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
            WScript.Echo vbTab & "-Extended access rights."
        If (AccessMask And ADS_RIGHT_DS_SELF) Then
            WScript.Echo vbTab & "-Active Directory must validate a property "
            WScript.Echo vbTab & " write operation beyond the schema definition "
            WScript.Echo vbTab & " for the attribute."
        End If
    End If
End Sub
```
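The DACL and SACL scripts above print every entry and leave the reader to judge which ones matter. The following PowerShell is an added example, not code from the original page: it reads the same ntSecurityDescriptor through the .NET ActiveDirectorySecurity wrapper that [ADSI] exposes, and answers the question a reviewer of a group actually asks, which trustees can change the group's membership (WriteProperty on the member attribute, whose schema GUID appears on this page, or an unscoped WriteProperty/GenericAll) or rewrite its security descriptor (WriteDacl, WriteOwner), and which audit entries would record such changes. The function names are assumptions; reading the SACL requires the same SeSecurityPrivilege the VBScript needs.

```powershell
# Added example (PowerShell, not from the original page).
# Assumes the caller supplies the group DN and can read the object.

# Schema GUID of the member attribute, as used on the page
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

function Get-GroupMembershipWriters {
    # Lists Allow ACEs that let a trustee add/remove members or take over the ACL
    param([Parameter(Mandatory)][string]$GroupDN)
    $group = [ADSI]"LDAP://$GroupDN"
    $rules = $group.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $rights = $rule.ActiveDirectoryRights
        # WriteProperty counts when it is unscoped (ObjectType empty, so every
        # attribute) or scoped to the member attribute itself
        $writesMember = $rights.HasFlag($ADR::WriteProperty) -and
            ($rule.ObjectType -eq [guid]::Empty -or $rule.ObjectType -eq $MemberAttributeGuid)
        $controlsAcl = $rights.HasFlag($ADR::GenericAll) -or
            $rights.HasFlag($ADR::WriteDacl) -or $rights.HasFlag($ADR::WriteOwner)
        if ($writesMember -or $controlsAcl) {
            [pscustomobject]@{
                Trustee      = $rule.IdentityReference.Value
                Rights       = $rights
                ObjectType   = $rule.ObjectType
                Inherited    = $rule.IsInherited
                WritesMember = [bool]$writesMember
                ControlsAcl  = [bool]$controlsAcl
            }
        }
    }
}

function Get-GroupAuditRules {
    # Lists SACL entries; Success/Failure is reported per entry via AuditFlags
    param([Parameter(Mandatory)][string]$GroupDN)
    $group = [ADSI]"LDAP://$GroupDN"
    # Equivalent of the VBScript SetOption call: ask for the SACL as well.
    # Without SeSecurityPrivilege the SACL comes back empty.
    $group.Options.SecurityMasks = 'Owner, Group, Dacl, Sacl'
    $group.RefreshCache()
    foreach ($rule in $group.ObjectSecurity.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])) {
        [pscustomobject]@{
            Trustee    = $rule.IdentityReference.Value
            Rights     = $rule.ActiveDirectoryRights
            AuditFlags = $rule.AuditFlags
            ObjectType = $rule.ObjectType
            Inherited  = $rule.IsInherited
        }
    }
}

# Usage (DN taken from the page's fabrikam.com examples):
# Get-GroupMembershipWriters -GroupDN 'cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com' | Format-Table
# Get-GroupAuditRules        -GroupDN 'cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com' | Format-Table
```

The Inherited column separates entries that came down from the OU or domain head from entries set directly on the group; an explicit, non-inherited membership writer on a sensitive group is the one worth explaining. Comparing the writer list with the SACL output shows whether membership changes by those trustees would actually produce an audit event.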
Removing All the Members of a Group
Removes all the members of an Active Directory group named Sea-Users.
```vbscript
Const ADS_PROPERTY_CLEAR = 1

Set objGroup = GetObject _
    ("LDAP://cn=Sea-Users,cn=Users,dc=NA,dc=fabrikam,dc=com")
' ADS_PROPERTY_CLEAR removes every value; the value argument is ignored
objGroup.PutEx ADS_PROPERTY_CLEAR, "member", 0
objGroup.SetInfo
```
Removing a Group Manager
Removes the manager entry for the Active Directory security group named Scientists. When this script is run, the group will no longer have an assigned manager.
```vbscript
Const ADS_PROPERTY_CLEAR = 1

Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.PutEx ADS_PROPERTY_CLEAR, "managedBy", 0
objGroup.SetInfo
```
Removing a User from All Active Directory Security Groups
Removes the MyerKen user account from all Active Directory security groups.
```vbscript
On Error Resume Next
Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
' memberOf lists every group whose member attribute names this user, security
' and distribution groups alike; the primary group is not included and is
' therefore not touched by this script
arrMemberOf = objUser.GetEx("memberOf")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "This account is not a member of any security groups."
    WScript.Quit
End If

For Each Group In arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
    objGroup.SetInfo
Next
```
Removing a User from a Group
Removes user MyerKen from the group Sea-Users.
```vbscript
Const ADS_PROPERTY_DELETE = 4

Set objGroup = GetObject _
    ("LDAP://cn=Sea-Users,cn=Users,dc=NA,dc=fabrikam,dc=com")
objGroup.PutEx ADS_PROPERTY_DELETE, _
    "member", _
    Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
objGroup.SetInfo
```
Replacing Group Membership
Replaces the existing membership of a group named Scientists with two new group members: YoungRob and ShenAlan.
```vbscript
Const ADS_PROPERTY_UPDATE = 2

Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
' ADS_PROPERTY_UPDATE discards all current members and writes only these two
objGroup.PutEx ADS_PROPERTY_UPDATE, "member", _
    Array("cn=YoungRob,ou=R&D,dc=NA,dc=fabrikam,dc=com", _
          "cn=ShenAlan,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.SetInfo
```
Retrieving the Active Directory Groups a User Belongs To
Returns a list of all the Active Directory security groups (including the primary group) that include the MyerKen user account as a member.
```vbscript
On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
intPrimaryGroupID = objUser.Get("primaryGroupID")

' Direct membership: memberOf never includes the primary group
arrMemberOf = objUser.GetEx("memberOf")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "The memberOf attribute is not set."
Else
    WScript.Echo "Member of: "
    For Each Group In arrMemberOf
        WScript.Echo Group
    Next
End If

' Primary group: find the group whose primaryGroupToken (RID) matches
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "<LDAP://dc=NA,dc=fabrikam,dc=com>;(objectCategory=Group);" & _
    "distinguishedName,primaryGroupToken;subtree"
Set objRecordSet = objCommand.Execute

While Not objRecordSet.EOF
    If objRecordSet.Fields("primaryGroupToken") = intPrimaryGroupID Then
        WScript.Echo "Primary group:"
        WScript.Echo objRecordSet.Fields("distinguishedName") & _
            " (primaryGroupID: " & intPrimaryGroupID & ")"
    End If
    objRecordSet.MoveNext
Wend
objConnection.Close
```
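Both "Determining the Primary Group for a User Account" and the script above locate the primary group by scanning every group in the domain for a matching primaryGroupToken, and both report only direct membership from memberOf. The following PowerShell is an added example, not code from the original page: it builds the primary group's SID from the user's domain SID plus primaryGroupID and binds to it directly, then reads tokenGroups, which the domain controller computes as the user's complete transitive security-group membership, so nested groups that memberOf hides are listed too. The function name is an assumption; the user DN in the usage line is taken from the page.

```powershell
# Added example (PowerShell, not from the original page).
# Assumes the caller supplies the user's DN and can read the user object.

function Get-UserSecurityGroups {
    param([Parameter(Mandatory)][string]$UserDN)
    $user = [ADSI]"LDAP://$UserDN"

    # primaryGroupID is a RID; the primary group's SID is <domain SID>-<RID>
    $userSid = New-Object System.Security.Principal.SecurityIdentifier(
        [byte[]]$user.Properties['objectSid'].Value, 0)
    $rid = [int]$user.Properties['primaryGroupID'].Value
    $primarySid = "$($userSid.AccountDomainSid.Value)-$rid"
    # ADSI can bind to an object by SID, so no search over all groups is needed
    $primary = [ADSI]"LDAP://<SID=$primarySid>"

    # tokenGroups is constructed by the DC on request and contains the SIDs of
    # every security group the user is in, directly or through nesting
    $user.RefreshCache([string[]]@('tokenGroups'))
    $transitive = foreach ($bytes in $user.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$bytes, 0)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # e.g. a SID from a trusted domain that cannot be resolved
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }

    [pscustomobject]@{
        User             = $UserDN
        PrimaryGroup     = [string]$primary.Properties['distinguishedName'].Value
        DirectMemberOf   = @($user.Properties['memberOf'] | ForEach-Object { [string]$_ })
        TransitiveGroups = @($transitive)
    }
}

# Usage (DN taken from the page's fabrikam.com examples):
# $r = Get-UserSecurityGroups -UserDN 'cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com'
# $r.PrimaryGroup; $r.TransitiveGroups | Format-Table
```

tokenGroups is the set a domain controller puts into the user's access token, which makes it the right attribute for answering "what can this account reach"; memberOf remains the right attribute when the question is which groups to edit, since only direct entries can be removed with ADS_PROPERTY_DELETE.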
Returning the Attributes of the Group Class
Returns a list of mandatory and optional attributes of the group class (as stored in the Active Directory schema).
```vbscript
' Bind to the abstract schema entry for the group class and to its container
Set objGroupClass = GetObject("LDAP://schema/group")
Set objSchemaClass = GetObject(objGroupClass.Parent)

i = 0
WScript.Echo "Mandatory attributes:"
For Each strAttribute In objGroupClass.MandatoryProperties
    i = i + 1
    WScript.StdOut.Write i & vbTab & strAttribute
    Set objAttribute = objSchemaClass.GetObject("Property", strAttribute)
    WScript.StdOut.Write " (Syntax: " & objAttribute.Syntax & ")"
    If objAttribute.MultiValued Then
        WScript.Echo " Multivalued"
    Else
        WScript.Echo " Single-valued"
    End If
Next

WScript.Echo vbCrLf & "Optional attributes:"
For Each strAttribute In objGroupClass.OptionalProperties
    i = i + 1
    WScript.StdOut.Write i & vbTab & strAttribute
    Set objAttribute = objSchemaClass.GetObject("Property", strAttribute)
    WScript.StdOut.Write " (Syntax: " & objAttribute.Syntax & ")"
    If objAttribute.MultiValued Then
        WScript.Echo " Multivalued"
    Else
        WScript.Echo " Single-valued"
    End If
Next
```
Returning Group Object Information
Retrieves the information found on the Object page in Active Directory Users and Computers for a security group named Scientists.
```vbscript
Set objGroup = GetObject _
    ("GC://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
strWhenCreated = objGroup.Get("whenCreated")
strWhenChanged = objGroup.Get("whenChanged")

' uSNChanged and uSNCreated are 64-bit values returned as IADsLargeInteger
Set objUSNChanged = objGroup.Get("uSNChanged")
dblUSNChanged = LargeIntegerToDouble(objUSNChanged)
Set objUSNCreated = objGroup.Get("uSNCreated")
dblUSNCreated = LargeIntegerToDouble(objUSNCreated)

' canonicalName is a constructed attribute and must be requested explicitly
objGroup.GetInfoEx Array("canonicalName"), 0
arrCanonicalName = objGroup.GetEx("canonicalName")
WScript.Echo "CanonicalName of object:"
For Each strValue In arrCanonicalName
    WScript.Echo vbTab & strValue
Next
WScript.Echo vbCr
WScript.Echo "Object class: " & objGroup.Class & vbCrLf
WScript.Echo "whenCreated: " & strWhenCreated & " (Created - GMT)"
WScript.Echo "whenChanged: " & strWhenChanged & " (Modified - GMT)"
WScript.Echo vbCrLf
WScript.Echo "uSNChanged: " & dblUSNChanged & " (USN Current)"
WScript.Echo "uSNCreated: " & dblUSNCreated & " (USN Original)"

Function LargeIntegerToDouble(objLargeInteger)
    ' LowPart is a signed 32-bit value: when its top bit is set it reads as
    ' negative, so add 2^32 back before combining it with HighPart
    dblLow = objLargeInteger.LowPart
    If dblLow < 0 Then dblLow = dblLow + 2^32
    LargeIntegerToDouble = objLargeInteger.HighPart * 2^32 + dblLow
End Function
```
Returning a List of Group Members
Returns the members of an Active Directory group named Scientists.
```vbscript
On Error Resume Next

Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.GetInfo
' member holds the DNs of direct members only; a nested group appears as a
' single DN and is not expanded
arrMembers = objGroup.GetEx("member")
WScript.Echo "Members:"
For Each strMember In arrMembers
    WScript.Echo strMember
Next
```
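Reading the member attribute in one call, as the script above does, returns at most the domain controller's MaxValRange (1500 values by default), so a group like the 1,000-user Group1 from the first script is fine but a larger one is silently truncated. The following PowerShell is an added example, not code from the original page: it retrieves the member attribute with LDAP range retrieval, asking for successive slices until the server marks the last one. The function name is an assumption.

```powershell
# Added example (PowerShell, not from the original page).
# Assumes the caller supplies the group DN and can read its member attribute.

function Get-GroupMemberDN {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [int]$PageSize = 1500   # default MaxValRange on a domain controller
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$GroupDN"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=group)'
    $members = New-Object 'System.Collections.Generic.List[string]'
    $start = 0
    $done  = $false
    do {
        $end = $start + $PageSize - 1
        # Ask for one slice of the multi-valued attribute: member;range=<start>-<end>
        $searcher.PropertiesToLoad.Clear()
        [void]$searcher.PropertiesToLoad.Add("member;range=$start-$end")
        $result = $searcher.FindOne()
        if (-not $result) { throw "Group not found: $GroupDN" }
        # The server names the returned attribute after the range it actually
        # delivered; the final slice is 'member;range=<start>-*'. An empty group
        # returns no member attribute at all.
        $key = @($result.Properties.PropertyNames | Where-Object { $_ -like 'member;range=*' })[0]
        if (-not $key) { break }
        foreach ($dn in $result.Properties[$key]) { $members.Add([string]$dn) }
        $done  = $key.EndsWith('*')
        $start = $end + 1
    } until ($done)
    return $members.ToArray()
}

# Usage (DN taken from the page's fabrikam.com examples):
# $all = Get-GroupMemberDN -GroupDN 'cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com'
# "$($all.Count) direct members"
```

Because the loop stops only when the server returns the `*` marker, the count it reports is the true number of direct members, which is the figure to compare against a baseline when watching a privileged group for unexpected additions.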
Returning Managed By Information for a Group
Returns information about the manager assigned to an Active Directory security group named Scientists.
```vbscript
On Error Resume Next

Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
strManagedBy = objGroup.Get("managedBy")

If IsEmpty(strManagedBy) Then
    WScript.Echo "No user account is assigned to manage " & _
        "this group."
Else
    Set objUser = GetObject("LDAP://" & strManagedBy)
    strPhysicalDeliveryOfficeName = _
        objUser.Get("physicalDeliveryOfficeName")
    strStreetAddress = objUser.Get("streetAddress")
    strLocalityName = objUser.Get("l")
    strStateProvince = objUser.Get("st")
    strCountryName = objUser.Get("c")
    strTelephoneNumber = objUser.Get("telephoneNumber")
    strFacsimileTelephoneNumber = _
        objUser.Get("facsimileTelephoneNumber")
    Call GetUpdateMemberList
    WScript.Echo "physicalDeliveryOfficeName: " & _
        strPhysicalDeliveryOfficeName
    WScript.Echo "streetAddress: " & strStreetAddress
    WScript.Echo "l: " & strLocalityName
    WScript.Echo "state/province: " & strStateProvince
    WScript.Echo "c: " & strCountryName
    WScript.Echo "telephoneNumber: " & strTelephoneNumber
    WScript.Echo "facsimileTelephoneNumber: " & _
        strFacsimileTelephoneNumber
End If

' managedBy alone grants no rights. The "Manager can update membership list"
' check box in Active Directory Users and Computers adds an object-specific
' ACE on the group that gives the manager write access to the member
' attribute; this routine looks for that ACE in the group's DACL.
Sub GetUpdateMemberList
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
    Const Member_SchemaIDGuid = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}"
    Const ADS_RIGHT_DS_WRITE_PROP = &H20

    ' Build the DOMAIN\sAMAccountName form that the ACE trustee field uses
    ' (the first label of the canonical name is taken as the domain name)
    objUser.GetInfoEx Array("canonicalName"), 0
    strCanonicalName = objUser.Get("canonicalName")
    strDomain = Mid(strCanonicalName, 1, InStr(1, strCanonicalName, ".") - 1)
    strSAMAccountName = objUser.Get("sAMAccountName")

    Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
    Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl
    blnMatch = False
    For Each objAce In objDiscretionaryAcl
        If LCase(objAce.Trustee) = LCase(strDomain & "\" & strSAMAccountName) And _
           StrComp(objAce.ObjectType, Member_SchemaIDGuid, vbTextCompare) = 0 And _
           objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT And _
           (objAce.AccessMask And ADS_RIGHT_DS_WRITE_PROP) <> 0 Then
            blnMatch = True
        End If
    Next
    If blnMatch Then
        WScript.Echo "Manager can update the member list"
    Else
        WScript.Echo "Manager cannot update the member list."
    End If
End Sub
```