AD Member of Group in Group

rudi

Hello,

 

from this posting of @Jos https://www.autoitscript.com/forum/topic/162005-getting-windows-users-account-type/?do=findComment&comment=1176831

I can smoothly check if a user is a *DIRECT* group member. Has anybody some code to check also if a user is an *INDIRECT* member of a cascaded group construct? Maybe with @Melba23 's AD UDF?

 

  • The required rights are granted to group "Dept_B"
  • User John is member of group "Dept_A"
  • Group "Dept_A" is member of the group "Dept_B"
  • So in the AD / NTFS FS environment John finally has the rights of both groups
  • But when checking his "membership to group Dept_B" the result is "no member".

The approach I can think of would be to check all group members of group "Dept_B" for whether they are of type group, then check again if "John" is a member of that "2nd level group".

Func UserInGroup($InGroup, $ThisUser = @LogonDomain & "/" & @UserName)
    ; Bind to the user via the WinNT provider; fail cleanly if the bind did not return an object
    Local $objUser = ObjGet("WinNT://" & $ThisUser)
    If Not IsObj($objUser) Then Return SetError(1, 0, 0)
    ; .Groups enumerates only the groups the user is a DIRECT member of (no nesting)
    For $oGroup In $objUser.Groups
        If $oGroup.Name = $InGroup Then ; AutoIt "=" compares strings case-insensitively
            Return 1
        EndIf
    Next
    Return 0
EndFunc

Any suggestions appreciated, regards, Rudi.


Earth is flat, pigs can fly, and Nuclear Power is SAFE!

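Added example (not code from the thread or from the AD UDF), written in Python rather than AutoIt so it runs offline against a constructed snapshot of group data: it implements the recursive descent Rudi sketches (look at each member of the target group, descend into members that are themselves groups), uses the group-first, user-second parameter order of _AD_IsMemberOf, and keeps a visited set so a membership loop between two groups cannot recurse forever. The dict-of-direct-members data model is an assumption standing in for what WinNT://.../Groups or memberOf returns one level at a time.

```python
"""Nested (transitive) group membership over a constructed directory snapshot.

Added example, not the AD UDF's code. GROUPS maps a group name to the list of
its DIRECT members (users or groups), which is all a one-level query returns.
"""

# Constructed sample mirroring the post: rights are granted to Dept_B, John is
# a direct member of Dept_A only, and Dept_A is nested inside Dept_B.
# Ops / Ops_Parent contain each other to exercise the cycle guard.
GROUPS = {
    "Dept_B": ["Dept_A", "Mary"],
    "Dept_A": ["John"],
    "Ops_Parent": ["Ops"],
    "Ops": ["Ops_Parent", "Jane"],
}


def is_member_of(group, principal, groups=GROUPS, recursive=True):
    """True if principal is a direct member of group or, when recursive is
    True, a member of any group nested at any depth inside group.
    Same argument order as _AD_IsMemberOf(group, user) in the thread."""
    seen = set()        # groups already expanded: stops A -> B -> A loops
    stack = [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, []):
            # Directory names are case-insensitive, so compare folded
            if member.lower() == principal.lower():
                return True
            # A member that is itself a group gets expanded (the "2nd level")
            if recursive and member in groups:
                stack.append(member)
    return False


def effective_groups(principal, groups=GROUPS):
    """All groups whose rights principal effectively holds: what an audit of
    over-privilege through nesting needs, rather than direct membership."""
    return {g for g in groups if is_member_of(g, principal, groups)}
```

Against a live directory the same transitive walk can be pushed to the server with the LDAP_MATCHING_RULE_IN_CHAIN filter `(member:1.2.840.113556.1.4.1941:=<user DN>)`, which avoids one query per nesting level.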
Jos

Doesn't _AD_IsMemberOf() do what you want, which is part of the ad.au3 include made by Water?


; Description ...: Returns 1 if the object (user, group, computer) is a member of the specified group or any contained group.

Jos


SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource        Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

water

Correct ;)
Set parameter $bRecursive to True to check all nested groups as well.


My UDFs and Tutorials:


UDFs:
Active Directory (2018-06-01 - Version 1.4.9.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2018-09-01 - Version 1.3.4.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
PowerPoint (2017-06-06 - Version 0.0.5.0) - Download - General Help & Support
Excel - Example Scripts - Wiki
Word - Wiki
 
Tutorials:

ADO - Wiki

 

rudi

Hello,

thanks for your reply.

 

Using _AD_IsMemberOf() with these lines ...

#include <AD.au3> ; v1.4.8.0, this line is added --> #include <WinAPIConv.au3> ; Needed for AutoIt >= 3.3.14.3


$result=_AD_IsMemberOf("AD\USERXY","data-something_read","",True)
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $result = ' & $result & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console

... I'm getting these error lines in SciTE:

 

>Running:(3.3.14.5):C:\Program Files (x86)\AutoIt3\autoit3.exe "H:\DATEN\PRIVATE\SYSOP\NETZ\Batch\autoit3\Bäurer\test-ad-group-membership.au3"    
--> Press Ctrl+Alt+Break to Restart or Ctrl+Break to Stop
"C:\Program Files (x86)\AutoIt3\Include\AD.au3" (591) : ==> Variable must be of type "Object".:
$__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(" & $sProperty & "=" & $sObject & ");ADsPath;subtree"
$__oAD_Command^ ERROR
->15:44:02 AutoIt3.exe ended.rc:1
+>15:44:02 AutoIt3Wrapper Finished.
>Exit code: 1    Time: 0.7651

That's why I tried the lines posted by @Jos.

As this was a number of days ago, I forgot to mention that I've already tried AD.AU3; well, basically, I forgot it ... :'(

Regards, Rudi.

Jos

Have you done the _Ad_Open() command?
See the example provided in the ZIP file: _AD_IsMemberOf.au3

; Example 1
; Get a list of group names the current user is a member of.
; Check the group membership of the current user for the first group.
; This will always return 1.
; *****************************************************************************
#include <AD.au3>

Global $aUser, $sFQDN_Group, $sFQDN_User, $iResult

; Open Connection to the Active Directory
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

; Get the Fully Qualified Domain Name (FQDN) for the current user
$sFQDN_User = _AD_SamAccountNameToFQDN()

; Get an array of group names (FQDN) that the current user is immediately a member of
$aUser = _AD_GetUserGroups(@UserName)
$sFQDN_Group = $aUser[1]

; Check the group membership of the specified user for the specified group
$iResult = _AD_IsMemberOf($sFQDN_Group, $sFQDN_User)
Select
    Case $iResult = 1
        MsgBox(64, "Active Directory Functions", _
                "User: " & $sFQDN_User & @CRLF & _
                "Group: " & $sFQDN_Group & @CRLF & _
                "User is a member of the specified group!")
    Case ($iResult = 0 And @error = 1)
        MsgBox(64, "Active Directory Functions", _
                "User: " & $sFQDN_User & @CRLF & _
                "Group: " & $sFQDN_Group & @CRLF & _
                "Group does not exist!")
    Case ($iResult = 0 And @error = 2)
        MsgBox(64, "Active Directory Functions", _
                "User: " & $sFQDN_User & @CRLF & _
                "Group: " & $sFQDN_Group & @CRLF & _
                "User does not exist!")
    Case ($iResult = 0)
        MsgBox(64, "Active Directory Functions", _
                "User: " & $sFQDN_User & @CRLF & _
                "Group: " & $sFQDN_Group & @CRLF & _
                "User is not a member of the specified group!")
EndSelect

; Close Connection to the Active Directory
_AD_Close()

Jos

rudi

Hello Jos.

 

You are absolutely right, I forgot to use _AD_Open() first.

 

Still not getting the results I'm expecting. I always receive "0", even when the user is a direct member of the specified group:

 

#include <AD.au3>

_AD_Open()
$user=_AD_SamAccountNameToFQDN("ASP")
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $user = ' & $user & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console

$group=_AD_SamAccountNameToFQDN("daten-Bestellung-QS_lesen")
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $group = ' & $group & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console

$result=_AD_IsMemberOf($user,$group,false,True)
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $result = ' & $result & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console

_AD_Close()

 

>Running:(3.3.14.5):C:\Program Files (x86)\AutoIt3\autoit3.exe "H:\DATEN\P...[snip]
--> Press Ctrl+Alt+Break to Restart or Ctrl+Break to Stop
@@ Debug(7) : $user = CN=Sper...[snip]
>Error code: 0
@@ Debug(10) : $group = CN=daten-Bestellung-QS_lesen,OU=F...[snip]
>Error code: 0
@@ Debug(13) : $result = 0
>Error code: 0
+>16:15:57 AutoIt3.exe ended.rc:0
+>16:15:57 AutoIt3Wrapper Finished.
>Exit code: 0    Time: 0.9412

 

PowerShell:

[PS] C:\>$(get-qaduser asp).memberof | get-qadgroup | ? {$_.name -like "*qs*"} | ft name

Name
----
daten-Bestellung-QS_lesen
daten-Bestellung-QS_schreiben

 

Regards, Rudi.

AdamUL

You are calling _AD_IsMemberOf incorrectly. The group name is the first parameter, and the user name is the second.

 

Adam

 

rudi

Oops..

I overlooked the order of user and group, you're right!

 

Thanks, Rudi.
