rudi Posted May 14, 2018

Hello,

from this posting of @Jos https://www.autoitscript.com/forum/topic/162005-getting-windows-users-account-type/?do=findComment&comment=1176831 I can smoothly check if a user is a *DIRECT* group member.

Has anybody some code to check also if a user is an *INDIRECT* member of a cascaded group construct? Maybe with @Melba23's AD UDF?

The required rights are granted to group "Dept_B".
User John is member of group "Dept_A".
Group "Dept_A" is member of the group "Dept_B".

So in the AD / NTFS FS environment John finally has the rights of both groups. But when checking his "membership to group Dept_B" the result is "no member".

The approach I can think of would be to check all group members of group "Dept_B" whether they are of type group, then check again if "John" is member of that "2nd level group".

```autoit
; Returns 1 if $ThisUser is a DIRECT member of $InGroup, 0 otherwise
; (nested groups are not followed)
Func UserInGroup($InGroup, $ThisUser = @LogonDomain & "/" & @UserName)
    Local $objUser = ObjGet("WinNT://" & $ThisUser)
    For $oGroup In $objUser.Groups
        If $oGroup.Name = $InGroup Then
            Return 1
        EndIf
    Next
    Return 0
EndFunc
```

Any suggestions appreciated, regards, Rudi.

Earth is flat, pigs can fly, and Nuclear Power is SAFE!
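The recursive walk described in the post (check the group's members, descend into those that are themselves groups), as an added example that is not part of the original thread or of the AD UDF. It works over a constructed in-memory snapshot of group memberships instead of live LDAP queries; the DNs, the `GROUP_MEMBERS` dictionary and the function names are assumptions made for the example. It goes slightly beyond the post by also computing a user's effective groups and a group's effective user members, and by tolerating membership cycles (AD allows group A to contain group B while B contains A), which a naive recursion would loop on forever.

```python
"""Transitive (nested) group membership over a constructed directory snapshot.
Added example; not the AD UDF's code. Replace GROUP_MEMBERS lookups with
real LDAP queries of the group's 'member' attribute to use it against AD."""
from collections import deque

# Constructed sample data (assumed DNs). Mirrors the thread's scenario:
# John is in Dept_A, Dept_A is nested in Dept_B, rights are granted to Dept_B.
# Dept_C <-> Dept_D is a deliberate cycle to show the visited-set guard.
JOHN = "CN=John,OU=Users,DC=example,DC=test"
ALICE = "CN=Alice,OU=Users,DC=example,DC=test"
BOB = "CN=Bob,OU=Users,DC=example,DC=test"
DEPT_A = "CN=Dept_A,OU=Groups,DC=example,DC=test"
DEPT_B = "CN=Dept_B,OU=Groups,DC=example,DC=test"
DEPT_C = "CN=Dept_C,OU=Groups,DC=example,DC=test"
DEPT_D = "CN=Dept_D,OU=Groups,DC=example,DC=test"

# group DN -> direct members (users or other groups), i.e. the 'member' attribute
GROUP_MEMBERS = {
    DEPT_A: [JOHN],
    DEPT_B: [DEPT_A, ALICE],
    DEPT_C: [DEPT_D],
    DEPT_D: [DEPT_C, BOB],
}


def is_group(dn):
    """A DN is a group if the snapshot has a member list for it."""
    return dn in GROUP_MEMBERS


def is_member_of(group_dn, object_dn, recursive=True):
    """Return True if object_dn is a direct member of group_dn, or, when
    recursive is True, a member of any group nested inside it at any depth.
    The 'seen' set stops the walk on membership cycles."""
    seen = set()
    queue = deque([group_dn])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        members = GROUP_MEMBERS.get(current, [])
        if object_dn in members:
            return True
        if recursive:
            queue.extend(m for m in members if is_group(m))
    return False


def effective_groups(object_dn):
    """All groups whose rights object_dn inherits: direct memberships plus
    every group that (transitively) contains one of them. Built from a
    reverse index, the equivalent of following 'memberOf' upward."""
    member_of = {}
    for group, members in GROUP_MEMBERS.items():
        for member in members:
            member_of.setdefault(member, set()).add(group)
    result, queue = set(), deque([object_dn])
    while queue:
        current = queue.popleft()
        for group in member_of.get(current, ()):
            if group not in result:
                result.add(group)
                queue.append(group)
    return sorted(result)


def effective_members(group_dn):
    """All non-group objects that end up with group_dn's rights through
    direct or nested membership. This is the list an access review needs."""
    users, seen, queue = set(), set(), deque([group_dn])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        for member in GROUP_MEMBERS.get(current, []):
            if is_group(member):
                queue.append(member)
            else:
                users.add(member)
    return sorted(users)


if __name__ == "__main__":
    print("John direct in Dept_B:", is_member_of(DEPT_B, JOHN, recursive=False))
    print("John nested in Dept_B:", is_member_of(DEPT_B, JOHN))
    print("John's effective groups:", effective_groups(JOHN))
    print("Dept_B effective members:", effective_members(DEPT_B))
```

The direct check answers "no member" for John and Dept_B, exactly as the thread observed, while the recursive check and the effective-members listing both show that John holds Dept_B's rights. When reviewing who can reach a resource, it is the effective-members view, not the direct member list, that has to be audited.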
Jos (Developers) Posted May 14, 2018

Doesn't _AD_IsMemberOf() do what you want, which is part of the ad.au3 include made by Water?

Quote
; Description ...: Returns 1 if the object (user, group, computer) is a member of the specified group or any contained group.

Jos

SciTE4AutoIt3 Full installer Download page - Beta files Read before posting How to post scriptsource Forum etiquette Forum Rules Live for the present, Dream of the future, Learn from the past.
water Posted May 14, 2018

Correct. Set parameter $bRecursive to True to check all nested groups as well.

My UDFs and Tutorials:
UDFs: Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki
Standard UDFs: Excel - Example Scripts - Wiki; Word - Wiki
Tutorials: ADO - Wiki; WebDriver - Wiki
rudi (Author) Posted May 14, 2018 (edited)

Hello,

thanks for your reply. Using _AD_IsMemberOf() with these lines ...

```autoit
#include <AD.au3> ; v1.4.8.0
#include <WinAPIConv.au3> ; this line is added, needed for AutoIt >= 3.3.14.3
$result=_AD_IsMemberOf("AD\USERXY","data-something_read","",True)
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $result = ' & $result & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console
```

... I'm getting these error lines in SciTE:

```
>Running:(3.3.14.5):C:\Program Files (x86)\AutoIt3\autoit3.exe "H:\DATEN\PRIVATE\SYSOP\NETZ\Batch\autoit3\Bäurer\test-ad-group-membership.au3"
--> Press Ctrl+Alt+Break to Restart or Ctrl+Break to Stop
"C:\Program Files (x86)\AutoIt3\Include\AD.au3" (591) : ==> Variable must be of type "Object".:
$__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(" & $sProperty & "=" & $sObject & ");ADsPath;subtree"
$__oAD_Command^ ERROR
->15:44:02 AutoIt3.exe ended.rc:1
+>15:44:02 AutoIt3Wrapper Finished.
>Exit code: 1    Time: 0.7651
```

That's why I tried the lines posted by @Jos. As this was several days ago, I forgot to mention that I've already tried AD.AU3, well, basically, I forgot it ...

Regards, Rudi.

Edited May 14, 2018 by rudi

Earth is flat, pigs can fly, and Nuclear Power is SAFE!
Jos (Developers) Posted May 14, 2018 (edited)

Have you done the _AD_Open() command? See the example provided in the ZIP file: _AD_IsMemberOf.au3

```autoit
; Example 1
; Get a list of group names the current user is a member of.
; Check the group membership of the current user for the first group.
; This will always return 1.
; *****************************************************************************
#include <AD.au3>

Global $aUser, $sFQDN_Group, $sFQDN_User, $iResult

; Open Connection to the Active Directory
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

; Get the Fully Qualified Domain Name (FQDN) for the current user
$sFQDN_User = _AD_SamAccountNameToFQDN()

; Get an array of group names (FQDN) that the current user is immediately a member of
$aUser = _AD_GetUserGroups(@UserName)
$sFQDN_Group = $aUser[1]

; Check the group membership of the specified user for the specified group
; (note the parameter order: group first, then user)
$iResult = _AD_IsMemberOf($sFQDN_Group, $sFQDN_User)
Select
    Case $iResult = 1
        MsgBox(64, "Active Directory Functions", _
                "User: " & $sFQDN_User & @CRLF & _
                "Group: " & $sFQDN_Group & @CRLF & _
                "User is a member of the specified group!")
    Case ($iResult = 0 And @error = 1)
        MsgBox(64, "Active Directory Functions", _
                "User: " & $sFQDN_User & @CRLF & _
                "Group: " & $sFQDN_Group & @CRLF & _
                "Group does not exist!")
    Case ($iResult = 0 And @error = 2)
        MsgBox(64, "Active Directory Functions", _
                "User: " & $sFQDN_User & @CRLF & _
                "Group: " & $sFQDN_Group & @CRLF & _
                "User does not exist!")
    Case ($iResult = 0)
        MsgBox(64, "Active Directory Functions", _
                "User: " & $sFQDN_User & @CRLF & _
                "Group: " & $sFQDN_Group & @CRLF & _
                "User is not a member of the specified group!")
EndSelect

; Close Connection to the Active Directory
_AD_Close()
```

Jos

Edited May 14, 2018 by Jos

SciTE4AutoIt3 Full installer Download page - Beta files Read before posting How to post scriptsource Forum etiquette Forum Rules Live for the present, Dream of the future, Learn from the past.
rudi (Author) Posted May 14, 2018

Hello Jos.

You are absolutely right, I forgot to use _AD_Open() first. Still not getting the results I'm expecting. I always receive "0", even when the user is directly a member of the specified group:

```autoit
#include <AD.au3>
_AD_Open()
$user=_AD_SamAccountNameToFQDN("ASP")
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $user = ' & $user & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console
$group=_AD_SamAccountNameToFQDN("daten-Bestellung-QS_lesen")
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $group = ' & $group & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console
$result=_AD_IsMemberOf($user,$group,false,True)
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $result = ' & $result & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console
_AD_Close()
```

```
>Running:(3.3.14.5):C:\Program Files (x86)\AutoIt3\autoit3.exe "H:\DATEN\P...[snip]
--> Press Ctrl+Alt+Break to Restart or Ctrl+Break to Stop
@@ Debug(7) : $user = CN=Sper...[snip]
>Error code: 0
@@ Debug(10) : $group = CN=daten-Bestellung-QS_lesen,OU=F...[snip]
>Error code: 0
@@ Debug(13) : $result = 0
>Error code: 0
+>16:15:57 AutoIt3.exe ended.rc:0
+>16:15:57 AutoIt3Wrapper Finished.
>Exit code: 0    Time: 0.9412
```

powershell:

```
[PS] C:\>$(get-qaduser asp).memberof | get-qadgroup | ? {$_.name -like "*qs*"} | ft name

Name
----
daten-Bestellung-QS_lesen
daten-Bestellung-QS_schreiben
```

Regards, Rudi.

Earth is flat, pigs can fly, and Nuclear Power is SAFE!
AdamUL Posted May 14, 2018

You are calling _AD_IsMemberOf incorrectly. The group name is the first parameter, and the user name is the second.

Adam
rudi (Author) Posted May 16, 2018

Oops... I overlooked the order of user and group, you're right!

Thanks, Rudi.

Earth is flat, pigs can fly, and Nuclear Power is SAFE!