I'm new to Active Directory and LDAP. I am trying to get a list of security
groups for a single user in Active Directory.
I understand I can use ADO to get this information by sending a select
command and referencing LDAP (Select * from LDAP://MyServer) but can't seem
to isolate the user or identify which groups the user is in. My code snippet
is as follows:
---
Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset
Set conn = New ADODB.Connection
conn.Provider = "ADSDSOObject"
conn.Open "ADs Provider"
' The LDAP path is the "table" and must be enclosed in single quotes
Set rs = conn.Execute("Select * from 'LDAP://ServerName'")
While Not rs.EOF
    Debug.Print rs.Fields(0).Value
    rs.MoveNext
Wend
conn.Close
---
In this query I get a response. I tried adding my user name, Set rs =
conn.Execute("Select * from 'LDAP://ServerName/cn=Cory Laidlaw'"), but get an
error message that the table does not exist. Every variation I try seems to
fail.
I am baffled! If anyone can shed some light, I would be very grateful!
Thanks!
Cory
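An added example, not code from anyone in this thread, that does what the question asks: it returns the DNs of the groups one account is a direct member of. It uses the LDAP dialect of the ADSI provider (base;filter;attributes;scope), so the account name can be escaped per RFC 4515 before it goes into the filter; serverless binding with the caller's credentials is assumed.

```vba
' Added example (not the thread's code); binds serverless with the caller's credentials.
Public Function EscapeLdapFilterValue(ByVal s As String) As String
    ' Backslash first, then the other filter metacharacters (RFC 4515).
    s = Replace(s, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, Chr(0), "\00")
    EscapeLdapFilterValue = s
End Function

Public Function GetUserGroupDNs(ByVal strSamAccountName As String) As Collection
    Dim conn As ADODB.Connection, cmd As ADODB.Command, rs As ADODB.Recordset
    Dim oRootDSE As Object, colGroups As Collection
    Dim strBase As String, strFilter As String
    Dim vMemberOf As Variant, vDN As Variant
    Set colGroups = New Collection
    ' Take the naming context from RootDSE instead of hard-coding the domain.
    Set oRootDSE = GetObject("LDAP://RootDSE")
    strBase = "<LDAP://" & oRootDSE.Get("defaultNamingContext") & ">"
    ' The user is picked out by the filter; a DN does not belong in the base path
    ' (that is what produces "table does not exist" in the SQL dialect).
    strFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
                EscapeLdapFilterValue(strSamAccountName) & "))"
    Set conn = New ADODB.Connection
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"
    Set cmd = New ADODB.Command
    Set cmd.ActiveConnection = conn
    cmd.CommandText = strBase & ";" & strFilter & ";distinguishedName,memberOf;subtree"
    cmd.Properties("Page Size") = 1000
    Set rs = cmd.Execute
    If Not rs.EOF Then
        ' memberOf is multivalued: ADO returns a Variant array, or Null when the
        ' account is in no group other than its primary group (usually Domain
        ' Users), which never appears in memberOf.
        vMemberOf = rs.Fields("memberOf").Value
        If IsArray(vMemberOf) Then
            For Each vDN In vMemberOf
                colGroups.Add CStr(vDN)
            Next
        ElseIf Not IsNull(vMemberOf) Then
            colGroups.Add CStr(vMemberOf)
        End If
    End If
    rs.Close: conn.Close
    Set GetUserGroupDNs = colGroups
End Function
```

Call it as GetUserGroupDNs("jdoe") with a real sAMAccountName; the project needs a reference to Microsoft ActiveX Data Objects.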
> conn.Provider = "ADSDSOObject"
> conn.Open "ADs Provider"
Dim oCommand As ADODB.Command
Dim oRecordset As ADODB.Recordset
Dim oRootDSE As Object
Dim strDefaultNC As String, strBase As String, strFilter As String
Dim strAttributes As String, strQuery As String
Set oCommand = New ADODB.Command
Set oCommand.ActiveConnection = conn
Set oRootDSE = GetObject("LDAP://RootDSE")
strDefaultNC = oRootDSE.Get("defaultNamingContext")
' the naming context read from RootDSE is the search base
strBase = "<LDAP://" & ServerName & "/" & strDefaultNC & ">"
strFilter = "(objectClass=group)"
strAttributes = "distinguishedName,cn,description,member,memberOf,groupType"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
oCommand.CommandText = strQuery
oCommand.Properties("Page Size") = 1000
oCommand.Properties("Timeout") = 30
oCommand.Properties("Cache Results") = False
Set oRecordset = oCommand.Execute
> Set rs = conn.Execute("Select * from 'LDAP://ServerName")
> While Not rs.EOF
> Debug.Print rs.Fields(0).Value
> rs.MoveNext
> Wend
> conn.Close
I assume you have an Access table with fields for the attributes you
want to get:
Dim myDB As DAO.Database
Dim myRS As DAO.Recordset
Set myDB = CurrentDb
Set myRS = myDB.OpenRecordset("ADGroups")
Do Until oRecordset.EOF
    myRS.AddNew
    myRS!cn = oRecordset.Fields("cn").Value
    ...
    myRS.Update
    oRecordset.MoveNext
Loop
...
Peter
I forgot:
First Sub/Function: code above
...
Do Until oRecordset.EOF
    myRS.AddNew
    myRS!cn = oRecordset.Fields("cn").Value
    strGroupDN = oRecordset.Fields("distinguishedName").Value
    ' you have to mask the slash with backslash
    strGroupDN = Replace(strGroupDN, "/", "\/")
    ' you should have referenced ActiveDS.tlb
    Set objGroup = GetObject("LDAP://" & ServerName & "/" & strGroupDN)
    myRS!groupType = GetType(objGroup.groupType)
    ...
    myRS.Update
    oRecordset.MoveNext
Loop
...
Second Function:
Function GetType(intType As Long) As String
    ' low bits give the scope: 1 = system-created (built-in), 2 = global,
    ' 4 = domain local, 8 = universal
    If (intType And &H1) <> 0 Then
        GetType = "Built-in"
    ElseIf (intType And &H2) <> 0 Then
        GetType = "Global"
    ElseIf (intType And &H4) <> 0 Then
        GetType = "Local"
    ElseIf (intType And &H8) <> 0 Then
        GetType = "Universal"
    End If
    ' the high bit marks a security-enabled group
    If (intType And &H80000000) <> 0 Then
        GetType = GetType & "/Security"
    Else
        GetType = GetType & "/Distribution"
    End If
End Function
I'm a little bit sleepy!
If you want memberOf for users:
Dim oUser As IADsUser
Dim oGroup As IADsGroup
Dim aMemberOf As Variant
Dim strGroupDN As Variant
...
Set oUser = GetObject("LDAP://" & ServerName & "/" & strUserDN)
' memberOf attribute is a multivalued field (with group DNs) and not
' in your property cache -> get each group object and its groupType
aMemberOf = oUser.GetEx("memberOf")
For Each strGroupDN In aMemberOf
    ...
    Set oGroup = GetObject("LDAP://" & ServerName & "/" & strGroupDN)
    ...
Next
...
Peter
If IsEmpty(arrGroups) Then
Wscript.Echo "Member of no groups"
ElseIf (TypeName(arrGroups) = "String") Then
Wscript.Echo "Member of group " & arrGroups
Else
For Each strGroup In arrGroups
Wscript.Echo "Member of group " & strGroup
Next
End If
=========
For the reasons, see this link:
http://www.rlmueller.net/MemberOf.htm
Enumerating memberOf results in a collection of string values, the DN of
each group the user is a member of. If you need a reference to the group
object (perhaps to get other attribute values), use the Groups method above.
Finally, if the intent is to check group membership, it often is better to
use the IsMember method of the group object. For example, you might use code
similar to this in a logon script:
============
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)
Set objGroup = GetObject("LDAP://cn=Test Group,ou=Sales,ou=West," & _
    "dc=MyDomain,dc=com")
If (objGroup.IsMember(objUser.AdsPath) = True) Then
    ' User is a member of the group.
Else
    ' User is NOT a member of the group.
End If
============
To use ADO to search AD, see this link:
http://www.rlmueller.net/ADOSearchTips.htm
For a VBScript example that enumerates all the groups a user is a member of,
including due to group nesting:
http://www.rlmueller.net/List%20User%20Groups.htm
All of these examples are VBScript, but are easily converted to VB. You can
use early binding for the IADs interfaces and ADO objects.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
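An added example, not code from Richard or Peter, for the nesting case the last link covers: memberOf and IADsGroup.IsMember both report direct membership only, so this walks the memberOf chain recursively, uses a Dictionary to stop on circular nesting, and records for each group whether it is security-enabled (the bit Peter's GetType tests). It assumes serverless binding with the caller's credentials and a reference to Microsoft Scripting Runtime.

```vba
' Added example (not the thread's code). Serverless binding with the caller's
' credentials is assumed; the thread's code prefixes a server name instead.
Public Function GetEffectiveGroups(ByVal strUserDN As String) As Scripting.Dictionary
    ' Key: group DN. Value: True for a security group, False for distribution.
    Dim dictSeen As Scripting.Dictionary
    Set dictSeen = New Scripting.Dictionary
    dictSeen.CompareMode = vbTextCompare        ' DNs are not case-sensitive
    WalkMemberOf GetObject("LDAP://" & Replace(strUserDN, "/", "\/")), dictSeen
    Set GetEffectiveGroups = dictSeen
End Function

Private Sub WalkMemberOf(ByVal objEntry As Object, ByRef dictSeen As Scripting.Dictionary)
    Dim vMemberOf As Variant, vGroupDN As Variant, objGroup As Object
    ' GetEx always returns an array (Get returns a String for a single value),
    ' but it raises an error when the attribute is absent; trap only that.
    On Error Resume Next
    vMemberOf = objEntry.GetEx("memberOf")
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        Exit Sub
    End If
    On Error GoTo 0
    For Each vGroupDN In vMemberOf
        ' A group already seen is skipped, which also ends A -> B -> A cycles.
        If Not dictSeen.Exists(CStr(vGroupDN)) Then
            ' A forward slash inside a DN must be escaped in an ADsPath.
            Set objGroup = GetObject("LDAP://" & Replace(CStr(vGroupDN), "/", "\/"))
            ' Bit &H80000000 of groupType marks a security-enabled group.
            dictSeen.Add CStr(vGroupDN), ((objGroup.groupType And &H80000000) <> 0)
            WalkMemberOf objGroup, dictSeen
        End If
    Next
    ' The primary group (primaryGroupID, usually Domain Users) is not in
    ' memberOf and is therefore not listed here.
End Sub
```

Iterate the returned Dictionary's Keys and test the value to keep only security groups, which is what the original question asked for.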
--
"Cory J. Laidlaw, Beyond01.com"
<CoryJLaidla...@discussions.microsoft.com> wrote in message
news:C7526FE4-C43B-4FD9...@microsoft.com...
You guys ROCK! Thank you!!!
Cory