
How to find out a user's primary group?


Snow Wang

Apr 11, 2001, 7:18:25 PM
Hi,

I need to find out a user's primary group. You can get the
"primaryGroupID" attribute value from the IADsUser interface. But how do you get
hold of this group by the given id?

Thanks a lot!

Snow


Karen Worth

Apr 13, 2001, 4:23:00 PM
Hi Snow,

Kevin is right. This is the algorithm using ADSI:

Basic Algorithm:
1. Bind to the user.
2. Enumerate the Groups collection.
3. Bind to the group object in the collection.
4. Maintain a list of groups already visited.
5. Enumerate the MemberOf attribute.
6. Check to see if the group is in the list.
7. Not in the list, bind to it and recurse its MemberOf attribute.
8. In the list, skip it, go to the next member.
9. Determine the Primary Group by taking the PrimaryGroupID (the RID of the
group) and combine it with the domain RID to build the group's SID bind
string.
10. Bind to the Group using the SID bind string.

Here is a rough sample:
Const ADSI_PROVIDER = "ADSDSOObject"
Const ADSI_PROV_NAME = "Active Directory Provider"
Const AD_SERVER = "maxvdc2"
Const AD_DN_DOMAIN = "DC=br549,dc=nttest,dc=microsoft,dc=com"
'
' Define IADsSID constants
'enum ADS_SID_FORMAT
' { ADS_SID_RAW = 0,
' ADS_SID_HEXSTRING = ADS_SID_RAW + 1,
' ADS_SID_SAM = ADS_SID_HEXSTRING + 1,
' ADS_SID_UPN = ADS_SID_SAM + 1,
' ADS_SID_SDDL = ADS_SID_UPN + 1,
' ADS_SID_WINNT_PATH = ADS_SID_SDDL + 1,
' ADS_SID_ACTIVE_DIRECTORY_PATH = ADS_SID_WINNT_PATH + 1,
' ADS_SID_SID_BINDING = ADS_SID_ACTIVE_DIRECTORY_PATH + 1
' };

Const ADS_SID_RAW = 0
Const ADS_SID_HEXSTRING = 1
Const ADS_SID_SAM = 2
Const ADS_SID_UPN = 3
Const ADS_SID_SDDL = 4
Const ADS_SID_WINNT_PATH = 5
Const ADS_SID_ACTIVE_DIRECTORY_PATH = 6
Const ADS_SID_SID_BINDING = 7
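'
' WalkGroups -> Expects a group object, enumerates all the nested groups.
' Returns False if the memberOf attribute could not be read, True otherwise.
' Note: this sample does not keep the list of visited groups from
' steps 4-8, so circular group nesting is not detected.
'
Function WalkGroups( oGrp )
    Dim oMems, Item, lPath, obj
    On Error Resume Next
    oMems = oGrp.GetEx("memberof")
    If Err.Number <> 0 Then
        ' No memberOf values (or the read failed): nothing to recurse into
        Err.Clear
        WalkGroups = False
    Else
        For Each Item In oMems
            lPath = "LDAP://" & Item
            Set obj = GetObject(lPath)
            If obj.Class = "group" Then
                WScript.Echo obj.Name
                Call WalkGroups( obj )
            End If
        Next
        WalkGroups = True
    End If
End Function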
'
' GetPrimaryGroup -> Builds the primary group's SID from the domain SID and
' the PrimaryGroupID (RID) passed in grpId, binds to the group by SID and
' returns its common name. dfPath is the ADsPath of the domain.
'
Function GetPrimaryGroup(grpId, dfPath)
    Dim oADsSID, strDomSDDL, strDomHex, BindSid, objGrp
    '
    ' Create an instance of IADsSID
    ' Initialize it to the AD path of
    ' the domain passed to the function
    '
    Set oADsSID = CreateObject("ADsSID")
    oADsSID.SetAs ADS_SID_ACTIVE_DIRECTORY_PATH, CStr(dfPath)
    '
    ' Retrieve SDDL form of the Domain SID
    '
    strDomSDDL = oADsSID.GetAs(ADS_SID_SDDL)
    '
    ' Append the Primary Group RID
    '
    strDomSDDL = strDomSDDL & "-" & grpId
    '
    ' Let IADsSID convert it from SDDL to
    ' HEX String format
    '
    oADsSID.SetAs ADS_SID_SDDL, CStr(strDomSDDL)
    strDomHex = oADsSID.GetAs(ADS_SID_HEXSTRING)
    '
    ' Build the SID bind string for the group
    ' Bind to the group and retrieve the group's
    ' Common Name, return it to the calling
    ' process
    '
    BindSid = "LDAP://<SID=" & strDomHex & ">"
    Set objGrp = GetObject(BindSid)
    GetPrimaryGroup = objGrp.Get("CN")
End Function
'
'==============================================================================
' Main function
'
' Assumes that the user ADsPath passed as the first argument
' is in the default naming context for the client's login
' domain
'
Dim args
Dim DomainPath
Dim UserPath
Dim oRootDSE
'
' Determine the domain's DN
'
Set oRootDSE = GetObject("LDAP://RootDSE")
DomainPath = "LDAP://" & oRootDSE.Get("defaultNamingContext")
Set args = WScript.Arguments
UserPath = args(0)
WScript.Echo UserPath & vbCrLf & "Is a member of the following groups: "
Set oUsr = GetObject(UserPath)
Set grps = oUsr.Groups
For Each item In grps
    WScript.Echo item.Name
    Call WalkGroups( item )
Next
pGroup = GetPrimaryGroup( oUsr.PrimaryGroupID, DomainPath )
WScript.Echo "Primary Group: " & pGroup & vbCrLf & "Done"
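
Steps 9 and 10 of the algorithm above, worked offline as an added example (not code from the original post): the primary group's SID is the domain SID with primaryGroupID appended as the last RID, then encoded to the hex form used in the <SID=...> bind string. The function names and the sample SID are constructed for illustration, and the example goes slightly beyond the post by deriving the domain SID from a user's binary objectSid instead of from the IADsSID helper.

```python
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Encode a string SID (S-1-5-21-...) into the binary objectSid layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a string SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    # 1 byte revision, 1 byte sub-authority count, 6 byte big-endian authority,
    # then every sub-authority as a 32-bit little-endian integer.
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)

def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary objectSid value, rejecting truncated or padded input."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    fields = [raw[0], int.from_bytes(raw[2:8], "big"), *subs]
    return "S-" + "-".join(str(f) for f in fields)

def primary_group_sid(domain_sid: str, primary_group_id: int) -> str:
    """Step 9: the primary group's SID is the domain SID plus the RID."""
    if not 0 <= primary_group_id <= 0xFFFFFFFF:
        raise ValueError("primaryGroupID must fit in 32 bits")
    return f"{domain_sid}-{primary_group_id}"

def domain_sid_from_user(user_sid_raw: bytes) -> str:
    """Drop the user's own RID from its objectSid to get the domain SID."""
    return bytes_to_sid(user_sid_raw).rsplit("-", 1)[0]

def sid_bind_string(sid: str) -> str:
    """Step 10: the ADsPath that binds to an object by its hex-encoded SID."""
    return "LDAP://<SID=" + sid_to_bytes(sid).hex().upper() + ">"

# Constructed sample values, not taken from the thread.
SAMPLE_USER_SID = sid_to_bytes("S-1-5-21-1004336348-1177238915-682003330-1105")
SAMPLE_PRIMARY_GROUP_ID = 513

if __name__ == "__main__":
    domain = domain_sid_from_user(SAMPLE_USER_SID)
    group = primary_group_sid(domain, SAMPLE_PRIMARY_GROUP_ID)
    print(group)
    print(sid_bind_string(group))
```

The primary group is not listed in the user's memberOf attribute, which is why a membership report has to resolve it separately in this way.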
