Jump to content

AD Member of Group in Group


Recommended Posts

Hello,

 

from this posting of @Jos https://www.autoitscript.com/forum/topic/162005-getting-windows-users-account-type/?do=findComment&comment=1176831

I can smoothly check, if a user is a *DIRECT* group member. Has anybody some code to check also, if a user is a *INDIRECT* member of a cascaded group construct?  Maybe with @Melba23 's AD UDF?

 

  • The required rights are granted to group "Dept_B"
  • User John is member of group "Dept_A"
  • Group "Dept_A" is member of the group "Dept_B"
  • So in the AD / NTFS FS environment John finally has the rights of both groups
  • But when checking his "membership to group Dept_B" the result is "no member".

The approach I can think of would be, to check all Group Members of group "Dept_B" whether they are of type group, then check again if "John" is member of than " 2nd level group"

Func UserInGroup($InGroup,$ThisUser=@LogonDomain & "/" & @UserName)
    Local $objUser = ObjGet("WinNT://" & $ThisUser )
    For $oGroup in $objUser.Groups
        If $oGroup.Name = $InGroup Then
            Return 1
        EndIf
    Next
    Return 0
EndFunc

Any suggestions appreciated, regards, Rudi.

Earth is flat, pigs can fly, and Nuclear Power is SAFE!

Link to comment
Share on other sites

  • Developers

Doesn't _AD_IsMemberOf() do what you want, which is part of the ad.au3 include made by Water?

Quote

; Description ...: Returns 1 if the object (user, group, computer) is a member of the specified group or any contained group.

Jos

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Link to comment
Share on other sites

Correct ;)
Set parameter $bRecursive to True to check all nested groups as well.

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Hello,

thanks for your reply.

 

Using _AD_IsMemberOf()  with these lines ...

#include <AD.au3> ; v1.4.8.0, this line is added --> #include <WinAPIConv.au3> ; Needed for AutoIt >= 3.3.14.3


$result=_AD_IsMemberOf("AD\USERXY","data-something_read","",True)
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $result = ' & $result & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console

... I'm getting this error lines in SciTE:

 

>Running:(3.3.14.5):C:\Program Files (x86)\AutoIt3\autoit3.exe "H:\DATEN\PRIVATE\SYSOP\NETZ\Batch\autoit3\Bäurer\test-ad-group-membership.au3"    
--> Press Ctrl+Alt+Break to Restart or Ctrl+Break to Stop
"C:\Program Files (x86)\AutoIt3\Include\AD.au3" (591) : ==> Variable must be of type "Object".:
$__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(" & $sProperty & "=" & $sObject & ");ADsPath;subtree"
$__oAD_Command^ ERROR
->15:44:02 AutoIt3.exe ended.rc:1
+>15:44:02 AutoIt3Wrapper Finished.
>Exit code: 1    Time: 0.7651

That's why I tried the lines posted by @Jos

As this was a row of days ago, I forgot to mention that I've already tried AD.AU3, well, basically, I forgot it ... :'(

Regards, Rudi.

Edited by rudi

Earth is flat, pigs can fly, and Nuclear Power is SAFE!

Link to comment
Share on other sites

  • Developers

Have you done the _Ad_Open() command?
see the example provided in the ZIP file: _AD_IsMemberOf.au3

; Example 1
; Get a list of group names the current user is a member of.
; Check the group membership of the current user for the first group.
; This will always return 1.
; *****************************************************************************
#include <AD.au3>

Global $aUser, $sFQDN_Group, $sFQDN_User, $iResult

; Open Connection to the Active Directory
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

; Get the Fully Qualified Domain Name (FQDN) for the current user
$sFQDN_User = _AD_SamAccountNameToFQDN()

; Get an array of group names (FQDN) that the current user is immediately a member of
$aUser = _AD_GetUserGroups(@UserName)
$sFQDN_Group = $aUser[1]

; Check the group membership of the specified user for the specified group
$iResult = _AD_IsMemberOf($sFQDN_Group, $sFQDN_User)
Select
    Case $iResult = 1
        MsgBox(64, "Active Directory Functions", _
                "User: " & $sFQDN_User & @CRLF & _
                "Group: " & $sFQDN_Group & @CRLF & _
                "User is a member of the specified group!")
    Case ($iResult = 0 And @error = 1)
        MsgBox(64, "Active Directory Functions", _
                "User: " & $sFQDN_User & @CRLF & _
                "Group: " & $sFQDN_Group & @CRLF & _
                "Group does not exist!")
    Case ($iResult = 0 And @error = 2)
        MsgBox(64, "Active Directory Functions", _
                "User: " & $sFQDN_User & @CRLF & _
                "Group: " & $sFQDN_Group & @CRLF & _
                "User does not exist!")
    Case ($iResult = 0)
        MsgBox(64, "Active Directory Functions", _
                "User: " & $sFQDN_User & @CRLF & _
                "Group: " & $sFQDN_Group & @CRLF & _
                "User is a not member of the specified group!")
EndSelect

; Close Connection to the Active Directory
_AD_Close()

Jos

Edited by Jos

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Link to comment
Share on other sites

Hello Jos.

 

You are absolutely right, I missed to use _AD_Open() first.

 

Still not getting the results, I'm expecting. I always receive "0", even when the user is directly member of the specified group:

 

#include <AD.au3>

_AD_Open()
$user=_AD_SamAccountNameToFQDN("ASP")
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $user = ' & $user & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console

$group=_AD_SamAccountNameToFQDN("daten-Bestellung-QS_lesen")
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $group = ' & $group & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console

$result=_AD_IsMemberOf($user,$group,false,True)
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $result = ' & $result & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console

_AD_Close()

 

>Running:(3.3.14.5):C:\Program Files (x86)\AutoIt3\autoit3.exe "H:\DATEN\P...[snip]
--> Press Ctrl+Alt+Break to Restart or Ctrl+Break to Stop
@@ Debug(7) : $user = CN=Sper...[snip]
>Error code: 0
@@ Debug(10) : $group = CN=daten-Bestellung-QS_lesen,OU=F...[snip]
>Error code: 0
@@ Debug(13) : $result = 0
>Error code: 0
+>16:15:57 AutoIt3.exe ended.rc:0
+>16:15:57 AutoIt3Wrapper Finished.
>Exit code: 0    Time: 0.9412

 

powershell:

[PS] C:\>$(get-qaduser asp).memberof | get-qadgroup | ? {$_.name -like "*qs*"} | ft name

Name
----
daten-Bestellung-QS_lesen
daten-Bestellung-QS_schreiben

 

Regards, Rudi.

Earth is flat, pigs can fly, and Nuclear Power is SAFE!

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...