
Get security groups in VB6 (Access VBA)


Cory J. Laidlaw, Beyond01.com

Apr 30, 2008, 5:57:01 PM
Howdy!

I'm new to Active Directory and LDAP. I am trying to get a list of security
groups for a single user in active directory.

I understand I can use ADO to get this information by sending a select
command and referencing LDAP (Select * from LDAP://MyServer) but can't seem
to isolate the user or identify which groups the user is in. My code snippet
is as follows:
---
Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset
Set conn = New ADODB.Connection
conn.Provider = "ADSDSOObject"
conn.Open "ADs Provider"
' The ADsPath in the FROM clause must be enclosed in matching single quotes.
Set rs = conn.Execute("Select * from 'LDAP://ServerName'")
While Not rs.EOF
    Debug.Print rs.Fields(0).Value
    rs.MoveNext
Wend
rs.Close
conn.Close
---

In this query I get a response. I tried adding my user name, Set rs =
conn.Execute("Select * from 'LDAP://ServerName/cn=Cory Laidlaw'"), but get an
error message that the table does not exist. Every variation I try seems to
fail.

I am baffled! If anyone can shed some light, I would be very grateful!
Thanks!

Cory

HPK

May 1, 2008, 4:48:56 AM
On 30 Apr., 23:57, Cory J. Laidlaw, Beyond01.com <CoryJLaidlawBeyond01...@discussions.microsoft.com> wrote:
> Howdy!
>
> I'm new to Active Directory and LDAP. I am trying to get a list of security
> groups for a single user in active directory.
>
> I understand I can use ADO to get this information by sending a select
> command and referencing LDAP (Select * from LDAP://MyServer) but can't seem
> to isolate the user or identify which groups the user is in. My code snippet
> is as follows:
> ---
> Dim conn As ADODB.Connection
> Dim rs As ADODB.Recordset
> Set conn = New ADODB.Connection
Dim oCommand As ADODB.Command
Dim oRecordset As ADODB.Recordset
Dim oRootDSE As Object
Dim strDefaultNC As String, strBase As String, strFilter As String
Dim strAttributes As String, strQuery As String
' ServerName must hold the name of a domain controller
Set oCommand = New ADODB.Command

> conn.Provider = "ADSDSOObject"
> conn.Open "ADs Provider"

Set oCommand.ActiveConnection = conn

' ask RootDSE for the domain naming context instead of hard-coding it
Set oRootDSE = GetObject("LDAP://RootDSE")
strDefaultNC = oRootDSE.Get("defaultNamingContext")

' ADSI query syntax: <base>;filter;attributes;scope
strBase = "<LDAP://" & ServerName & "/" & strDefaultNC & ">"
strFilter = "(objectClass=group)"
strAttributes = "distinguishedName,cn,description,member,memberOf,groupType"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
oCommand.CommandText = strQuery
oCommand.Properties("Page Size") = 1000
oCommand.Properties("Timeout") = 30
oCommand.Properties("Cache Results") = False
Set oRecordset = oCommand.Execute


> Set rs = conn.Execute("Select * from 'LDAP://ServerName")
> While Not rs.EOF
> Debug.Print rs.Fields(0).Value
> rs.MoveNext
> Wend
> conn.Close

I assume you have an Access table with fields for the attributes you'll
want to get:

Dim myDB As DAO.Database
Dim myRS As DAO.Recordset

Set myDB = CurrentDb
Set myRS = myDB.OpenRecordset("ADGroups")

Do Until oRecordset.EOF
    myRS.AddNew
    myRS!cn = oRecordset.Fields("cn").Value
    ...
    myRS.Update
    oRecordset.MoveNext
Loop
...


Peter
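Cory's actual sticking point was isolating one user with the ADO provider; Peter's query above returns every group instead. As an added example (my code, not Cory's or Peter's), the module below searches for a single user by sAMAccountName and reads the distinguishedName and memberOf attributes. It assumes a reference to the Microsoft ActiveX Data Objects library; strServer and strSamAccountName are placeholders the caller fills in. Because the account name is typically typed by a user, the example escapes the characters that are special in an LDAP filter (RFC 4515) before splicing it into the query, so the filter cannot be altered by the input.

```vba
Option Explicit

' Added example: not code from the thread. Assumes a reference to
' "Microsoft ActiveX Data Objects 2.x Library". strServer and
' strSamAccountName are placeholders supplied by the caller.

' Escape the characters that are special in an LDAP filter (RFC 4515),
' so an account name taken from user input cannot change the query.
Public Function EscapeLdapFilter(ByVal strValue As String) As String
    Dim strOut As String
    Dim strCh As String
    Dim i As Long
    For i = 1 To Len(strValue)
        strCh = Mid$(strValue, i, 1)
        Select Case strCh
            Case "\": strOut = strOut & "\5c"
            Case "*": strOut = strOut & "\2a"
            Case "(": strOut = strOut & "\28"
            Case ")": strOut = strOut & "\29"
            Case vbNullChar: strOut = strOut & "\00"
            Case Else: strOut = strOut & strCh
        End Select
    Next i
    EscapeLdapFilter = strOut
End Function

' Returns the distinguishedName of the matching user, or "" if there is
' none. The user's direct group DNs (memberOf) go to the Immediate window.
Public Function FindUserDN(ByVal strServer As String, ByVal strSamAccountName As String) As String
    Dim conn As ADODB.Connection
    Dim cmd As ADODB.Command
    Dim rs As ADODB.Recordset
    Dim oRootDSE As Object
    Dim strBase As String, strFilter As String, strAttrs As String
    Dim varGroups As Variant, varDN As Variant

    ' RootDSE supplies the domain naming context, so nothing is hard-coded.
    Set oRootDSE = GetObject("LDAP://" & strServer & "/RootDSE")
    strBase = "<LDAP://" & strServer & "/" & oRootDSE.Get("defaultNamingContext") & ">"

    ' Match exactly one user object by its (escaped) logon name.
    strFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
                EscapeLdapFilter(strSamAccountName) & "))"
    strAttrs = "distinguishedName,memberOf"

    Set conn = New ADODB.Connection
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"

    Set cmd = New ADODB.Command
    Set cmd.ActiveConnection = conn
    cmd.CommandText = strBase & ";" & strFilter & ";" & strAttrs & ";subtree"
    cmd.Properties("Page Size") = 1000
    cmd.Properties("Timeout") = 30
    cmd.Properties("Cache Results") = False

    Set rs = cmd.Execute
    If Not rs.EOF Then
        FindUserDN = rs.Fields("distinguishedName").Value
        varGroups = rs.Fields("memberOf").Value
        ' Through ADO a multi-valued attribute arrives as a Variant array,
        ' or as Null when the user is in no groups; a plain String is
        ' handled too, in case a provider ever returns one.
        If IsArray(varGroups) Then
            For Each varDN In varGroups
                Debug.Print "Direct member of: " & varDN
            Next varDN
        ElseIf Not IsNull(varGroups) Then
            Debug.Print "Direct member of: " & varGroups
        End If
    End If
    rs.Close
    conn.Close
End Function

' Usage (placeholder server and account):
'   Debug.Print FindUserDN("dc01.example.com", "claidlaw")
```

The filter combines objectCategory=person with objectClass=user because objectClass=user alone also matches computer accounts. Only the direct groups are listed here; nested membership needs a second pass over each group's own memberOf.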

HPK

May 1, 2008, 5:08:57 AM

I forgot:

First Sub/Function: code above
...


Do Until oRecordset.EOF
    myRS.AddNew
    myRS!cn = oRecordset.Fields("cn")

    strGroupDN = oRecordset.Fields("distinguishedName").Value
    ' you have to mask the slash with backslash
    strGroupDN = Replace(strGroupDN, "/", "\/")
    ' you should have referenced ActiveDS.tlb
    Set objGroup = GetObject("LDAP://" & ServerName & "/" & strGroupDN)
    myRS!groupType = GetType(objGroup.groupType)

    ...
    myRS.Update
    oRecordset.MoveNext
Loop
...

Second Function:

Function GetType(ByVal intType As Long) As String
    ' scope bits of groupType; &H1 marks a built-in (system) group
    If (intType And &H1) <> 0 Then
        GetType = "Built-in"
    ElseIf (intType And &H2) <> 0 Then
        GetType = "Global"
    ElseIf (intType And &H4) <> 0 Then
        GetType = "Local"
    ElseIf (intType And &H8) <> 0 Then
        GetType = "Universal"
    End If
    ' high bit set = security-enabled group, otherwise distribution group
    If (intType And &H80000000) <> 0 Then
        GetType = GetType & "/Security"
    Else
        GetType = GetType & "/Distribution"
    End If
End Function

HPK

May 1, 2008, 5:42:44 AM

I'm a little bit sleepy!

If you want memberOf for users:

Dim oUser As IADsUser
Dim oGroup As IADsGroup
Dim aMemberOf As Variant
Dim strGroupDN As Variant
...
Set oUser = GetObject("LDAP://" & ServerName & "/" & strUserDN)

' memberOf is a multivalued attribute (holding group DNs) and is not
' in your property cache -> get each group object and its groupType
aMemberOf = oUser.GetEx("memberOf")
For Each strGroupDN In aMemberOf
    ...
    Set oGroup = GetObject("LDAP://" & ServerName & "/" & strGroupDN)
    ...
Next
...


Peter

Richard Mueller [MVP]

May 1, 2008, 10:15:19 AM
There should be no need to use ADO to search all of AD for this. I assume
you are only concerned with direct group membership. In other words, you can
ignore membership due to group nesting. You use the Groups method of the
user object to get a collection of group object references. For example
(assuming the user object is bound with the LDAP provider):
========
For Each objGroup in objUser.Groups
    Wscript.Echo objGroup.sAMAccountName
Next
========
You can also enumerate the memberOf attribute of the user object, which is a
collection of group DN's. However, many methods can raise errors. To avoid
possible errors, I use code similar to:
============
arrGroups = objUser.memberOf
If IsEmpty(arrGroups) Then
    Wscript.Echo "Member of no groups"
ElseIf (TypeName(arrGroups) = "String") Then
    Wscript.Echo "Member of group " & arrGroups
Else
    For Each strGroup In arrGroups
        Wscript.Echo "Member of group " & strGroup
    Next
End If
============

For the reasons, see this link:

http://www.rlmueller.net/MemberOf.htm

Enumerating memberOf results in a collection of string values, the DN of
each group the user is a member of. If you need a reference to the group
object (perhaps to get other attribute values), use the Groups method above.
Finally, if the intent is to check group membership, it often is better to
use the IsMember method of the group object. For example, you might use code
similar to this in a logon script:

============
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)
Set objGroup = GetObject("LDAP://cn=Test Group,ou=Sales,ou=West,dc=MyDomain,dc=com")
If (objGroup.IsMember(objUser.AdsPath) = True) Then
    ' User is a member of the group.
Else
    ' User is NOT a member of the group.
End If
============
To use ADO to search AD, see this link:

http://www.rlmueller.net/ADOSearchTips.htm

For a VBScript example that enumerates all the groups a user is a member of,
including due to group nesting:

http://www.rlmueller.net/List%20User%20Groups.htm

All of these examples are VBScript, but are easily converted to VB. You can
use early binding for the IADs interfaces and ADO objects.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
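Richard's reply covers direct membership (Groups, memberOf, IsMember) and points to a separate script for nesting. As an added example (my code, not Richard's, Peter's or the linked scripts), the Access VBA module below walks memberOf recursively with a Dictionary as the visited set, then labels every group found with the same groupType decoding Peter used, so the caller can keep only the security groups Cory asked for. It assumes a reference to the Active DS Type Library (activeds.tlb); strServer and strUserDN are placeholders. One caveat a practitioner should know: a user's primary group (primaryGroupID, normally Domain Users) is never listed in memberOf, so it does not appear in this result either.

```vba
Option Explicit

' Added example: not code from the thread. Assumes a reference to the
' Active DS Type Library (activeds.tlb); strServer and strUserDN are
' placeholders the caller fills in.

' groupType flag bits (constructed names; ActiveDS exposes the same
' values in ADS_GROUP_TYPE_ENUM).
Private Const GT_GLOBAL As Long = &H2
Private Const GT_DOMAIN_LOCAL As Long = &H4
Private Const GT_UNIVERSAL As Long = &H8
Private Const GT_SECURITY_ENABLED As Long = &H80000000

' Turn a raw groupType into a label, e.g. -2147483646 -> "Global/Security".
' groupType arrives as a signed 32-bit Long, so the security flag makes
' the number negative; the bit tests below are unaffected by that.
Public Function DescribeGroupType(ByVal lngType As Long) As String
    Dim strScope As String
    If (lngType And GT_GLOBAL) <> 0 Then
        strScope = "Global"
    ElseIf (lngType And GT_DOMAIN_LOCAL) <> 0 Then
        strScope = "Domain local"
    ElseIf (lngType And GT_UNIVERSAL) <> 0 Then
        strScope = "Universal"
    Else
        strScope = "Unknown"
    End If
    If (lngType And GT_SECURITY_ENABLED) <> 0 Then
        DescribeGroupType = strScope & "/Security"
    Else
        DescribeGroupType = strScope & "/Distribution"
    End If
End Function

' Add to dict the DN of every group strObjectDN belongs to, directly or
' through nesting. dict doubles as the visited set, so circular nesting
' (A contains B, B contains A) cannot recurse forever.
Private Sub CollectGroups(ByVal strServer As String, ByVal strObjectDN As String, ByVal dict As Object)
    Dim oObj As IADs
    Dim varMemberOf As Variant
    Dim varDN As Variant

    ' A "/" inside a DN must be written as "\/" in an ADsPath.
    Set oObj = GetObject("LDAP://" & strServer & "/" & Replace(strObjectDN, "/", "\/"))

    ' GetEx always returns an array, but raises an error when the attribute
    ' is absent (the object is in no groups): treat that as "no groups".
    On Error Resume Next
    varMemberOf = oObj.GetEx("memberOf")
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        Exit Sub
    End If
    On Error GoTo 0

    For Each varDN In varMemberOf
        If Not dict.Exists(CStr(varDN)) Then
            dict.Add CStr(varDN), ""
            CollectGroups strServer, CStr(varDN), dict
        End If
    Next varDN
End Sub

' Returns a Scripting.Dictionary keyed by group DN; each value is the
' DescribeGroupType label, so callers can filter on "/Security".
Public Function GetUserGroups(ByVal strServer As String, ByVal strUserDN As String) As Object
    Dim dict As Object
    Dim oGroup As IADsGroup
    Dim varKey As Variant

    Set dict = CreateObject("Scripting.Dictionary")
    CollectGroups strServer, strUserDN, dict

    ' dict.Keys is a snapshot array, so updating values while looping is safe.
    For Each varKey In dict.Keys
        Set oGroup = GetObject("LDAP://" & strServer & "/" & Replace(CStr(varKey), "/", "\/"))
        dict(varKey) = DescribeGroupType(CLng(oGroup.Get("groupType")))
    Next varKey
    Set GetUserGroups = dict
End Function

' Usage (placeholder server and DN):
'   Dim g As Object, k As Variant
'   Set g = GetUserGroups("dc01.example.com", "CN=Cory Laidlaw,CN=Users,DC=example,DC=com")
'   For Each k In g.Keys
'       If Right$(g(k), 9) = "/Security" Then Debug.Print k & "  (" & g(k) & ")"
'   Next k
```

Using GetEx rather than the bare memberOf property sidesteps the Empty/String/Array ambiguity Richard describes: the only special case left is the missing attribute, which surfaces as an error and is handled once in CollectGroups.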

Cory J. Laidlaw, Beyond01.com

May 1, 2008, 4:37:00 PM
Thanks to both you and Peter for your help. With all of the feedback, I
think I can make this work in my application.

You guys ROCK! Thank you!!!

Cory
