AD Member of Group in Group

[rudi]

Hello,

 

from this posting of @Jos https://www.autoitscript.com/forum/topic/162005-getting-windows-users-account-type/?do=findComment&comment=1176831

I can smoothly check, if a user is a *DIRECT* group member. Has anybody some code to check also, if a user is a *INDIRECT* member of a cascaded group construct?  Maybe with @Melba23 's AD UDF?

 

• The required rights are granted to group "Dept_B"
• User John is member of group "Dept_A"
• Group "Dept_A" is member of the group "Dept_B"
• So in the AD / NTFS FS environment John finally has the rights of both groups
• But when checking his "membership to group Dept_B" the result is "no member".

The approach I can think of would be, to check all Group Members of group "Dept_B" whether they are of type group, then check again if "John" is member of than " 2^nd level group"

Func UserInGroup($InGroup,$ThisUser=@LogonDomain & "/" & @UserName)
    Local $objUser = ObjGet("WinNT://" & $ThisUser )
    For $oGroup in $objUser.Groups
        If $oGroup.Name = $InGroup Then
            Return 1
        EndIf
    Next
    Return 0
EndFunc

Any suggestions appreciated, regards, Rudi.

[Jos]

Doesn't _AD_IsMemberOf() do what you want, which is part of the ad.au3 include made by Water?

Quote

; Description ...: Returns 1 if the object (user, group, computer) is a member of the specified group or any contained group.

Jos

[water]

Correct
Set parameter $bRecursive to True to check all nested groups as well.

[rudi]

Hello,

thanks for your reply.

 

Using _AD_IsMemberOf()  with these lines ...

#include <AD.au3> ; v1.4.8.0, this line is added --> #include <WinAPIConv.au3> ; Needed for AutoIt >= 3.3.14.3


$result=_AD_IsMemberOf("AD\USERXY","data-something_read","",True)
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $result = ' & $result & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console

... I'm getting this error lines in SciTE:

 

>Running:(3.3.14.5):C:\Program Files (x86)\AutoIt3\autoit3.exe "H:\DATEN\PRIVATE\SYSOP\NETZ\Batch\autoit3\Bäurer\test-ad-group-membership.au3"    
--> Press Ctrl+Alt+Break to Restart or Ctrl+Break to Stop
"C:\Program Files (x86)\AutoIt3\Include\AD.au3" (591) : ==> Variable must be of type "Object".:
$__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(" & $sProperty & "=" & $sObject & ");ADsPath;subtree"
$__oAD_Command^ ERROR
->15:44:02 AutoIt3.exe ended.rc:1
+>15:44:02 AutoIt3Wrapper Finished.
>Exit code: 1    Time: 0.7651

That's why I tried the lines posted by @Jos

As this was a row of days ago, I forgot to mention that I've already tried AD.AU3, well, basically, I forgot it ...

Regards, Rudi.

Edited May 14, 2018 by rudi

[Jos]

Have you done the _Ad_Open() command?
see the example provided in the ZIP file: _AD_IsMemberOf.au3

expandcollapse popup

; Example 1
; Get a list of group names the current user is a member of.
; Check the group membership of the current user for the first group.
; This will always return 1.
; *****************************************************************************
#include <AD.au3>

Global $aUser, $sFQDN_Group, $sFQDN_User, $iResult

; Open Connection to the Active Directory
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

; Get the Fully Qualified Domain Name (FQDN) for the current user
$sFQDN_User = _AD_SamAccountNameToFQDN()

; Get an array of group names (FQDN) that the current user is immediately a member of
$aUser = _AD_GetUserGroups(@UserName)
$sFQDN_Group = $aUser[1]

; Check the group membership of the specified user for the specified group
$iResult = _AD_IsMemberOf($sFQDN_Group, $sFQDN_User)
Select
    Case $iResult = 1
        MsgBox(64, "Active Directory Functions", _
                "User: " & $sFQDN_User & @CRLF & _
                "Group: " & $sFQDN_Group & @CRLF & _
                "User is a member of the specified group!")
    Case ($iResult = 0 And @error = 1)
        MsgBox(64, "Active Directory Functions", _
                "User: " & $sFQDN_User & @CRLF & _
                "Group: " & $sFQDN_Group & @CRLF & _
                "Group does not exist!")
    Case ($iResult = 0 And @error = 2)
        MsgBox(64, "Active Directory Functions", _
                "User: " & $sFQDN_User & @CRLF & _
                "Group: " & $sFQDN_Group & @CRLF & _
                "User does not exist!")
    Case ($iResult = 0)
        MsgBox(64, "Active Directory Functions", _
                "User: " & $sFQDN_User & @CRLF & _
                "Group: " & $sFQDN_Group & @CRLF & _
                "User is a not member of the specified group!")
EndSelect

; Close Connection to the Active Directory
_AD_Close()

Jos

Edited May 14, 2018 by Jos

[rudi]

Hello Jos.

 

You are absolutely right, I missed to use _AD_Open() first.

 

Still not getting the results, I'm expecting. I always receive "0", even when the user is directly member of the specified group:

 

#include <AD.au3>

_AD_Open()
$user=_AD_SamAccountNameToFQDN("ASP")
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $user = ' & $user & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console

$group=_AD_SamAccountNameToFQDN("daten-Bestellung-QS_lesen")
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $group = ' & $group & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console

$result=_AD_IsMemberOf($user,$group,false,True)
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $result = ' & $result & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console

_AD_Close()

 

>Running:(3.3.14.5):C:\Program Files (x86)\AutoIt3\autoit3.exe "H:\DATEN\P...[snip]
--> Press Ctrl+Alt+Break to Restart or Ctrl+Break to Stop
@@ Debug(7) : $user = CN=Sper...[snip]
>Error code: 0
@@ Debug(10) : $group = CN=daten-Bestellung-QS_lesen,OU=F...[snip]
>Error code: 0
@@ Debug(13) : $result = 0
>Error code: 0
+>16:15:57 AutoIt3.exe ended.rc:0
+>16:15:57 AutoIt3Wrapper Finished.
>Exit code: 0    Time: 0.9412

 

powershell:

[PS] C:\>$(get-qaduser asp).memberof | get-qadgroup | ? {$_.name -like "*qs*"} | ft name

Name
----
daten-Bestellung-QS_lesen
daten-Bestellung-QS_schreiben

 

Regards, Rudi.

[AdamUL]

You are calling _AD_IsMemberOf incorrectly.  The group name is the first parameter, and the user name is the second.  

 

Adam

 

[rudi]

Ups..

I overlooked the order of user and group, you're right!

 

Thanks, Rudi.