Run script based on AD group membership

Started by fightinggeek, September 09, 2013, 07:26:12 AM


fightinggeek

 I'm trying to create a logon script that checks whether the current user is a member of an AD group. The script runs without error but never returns true. Any suggestions?

UserName=(wntUserInfo(0))
grouppath = "LDAP://cn=INFO-Test,ou=INFO-Groups, ou=INFO, ou=test, dc=new, dc=wow, dc=com"
userpath = "LDAP://cn=UserName, ou=INFO-Users,ou=INFO,ou=test,dc=new,dc=wow,dc=com"

if dsIsMemberGrp(grouppath, userpath) Then
   ;Do something
Else
   ;Do Something Else
Endif

Deana

The documentation for dsIsMemberGrp states:

Quote
Important: This function sometimes erroneously returns @false (0) when an object is actually a member of the specified group. This occurs when the group is in Active Directory and is the primary group of the object whose membership you are checking. As a workaround, you can get a list of all the members of a group, including members with the target group as the primary group, by using the dsGetMemGrp function with the WinNT provider version of the group path instead of the LDAP version of the path.

For example, if you want to get all the members of the Active Directory group "LDAP://mydomain/cn= domain users, dc=mydomain,dc=mycompany,dc= com", use "WinNT://mydomain/domain users,group" instead. You can then examine the returned list for the path of the possible member object.




Deana F.
Technical Support
Wilson WindowWare Inc.

td

You can also use the dsGetPrimGrp ADSI extender function to check if the user has the group of interest as their primary group. This along with the dsIsMemberGrp will allow you to check all the groups that the user has direct membership in.

"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

fightinggeek

I figured it out. The UserName variable was not being passed properly, as it was between quotes and thus part of the string. I used StrCat() to separate the variable from the string and it worked perfectly.

Deana

Quote from: fightinggeek on September 10, 2013, 06:03:01 AM
I figured it out. The UserName variable was not being passed properly, as it was between quotes and thus part of the string. I used StrCat() to separate the variable from the string and it worked perfectly.

Ok yes, now I see your UserName variable wasn't being passed properly. The code should look something like this:


; Assumes the ADSI extender has already been loaded with AddExtender()
UserName = wntUserInfo(0)
grouppath = "LDAP://cn=INFO-Test,ou=INFO-Groups, ou=INFO, ou=test, dc=new, dc=wow, dc=com"
userpath = StrCat("LDAP://cn=", UserName, ", ou=INFO-Users,ou=INFO,ou=test,dc=new,dc=wow,dc=com") ; Uses StrCat
;or
;userpath = "LDAP://cn=":UserName:", ou=INFO-Users,ou=INFO,ou=test,dc=new,dc=wow,dc=com" ; Uses the colon concatenation operator
if dsIsMemberGrp(grouppath, userpath) Then
   ;Do something
Else
   ;Do Something Else
Endif
Deana F.
Technical Support
Wilson WindowWare Inc.
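To show why the two fixes in this thread matter, here is an added example in Python (not WinBatch, and not code from the thread or from the ADSI extender). It models, on a constructed in-memory directory that reuses the OU layout from the posts, how Active Directory records group membership: the group's member attribute holds direct members, while a user's primary group is recorded only as the user's primaryGroupID, the RID at the end of the group's objectSid, and is never listed in member. That is the case dsIsMemberGrp misses when given an LDAP path and that the WinNT provider enumerates. The domain SID, the user and group objects and the DNs are constructed sample data; user_path() substitutes the user name into the path string, which is the correction fightinggeek arrived at, and additionally escapes RFC 4514 special characters, which the thread does not discuss.

```python
import re

LDAP_PREFIX = "LDAP://"
DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed, hypothetical domain SID
USER_OU = "ou=INFO-Users,ou=INFO,ou=test,dc=new,dc=wow,dc=com"
GROUP_PATH = "LDAP://cn=INFO-Test,ou=INFO-Groups,ou=INFO,ou=test,dc=new,dc=wow,dc=com"

# RFC 4514 characters that must be backslash-escaped inside an RDN value.
_RDN_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value):
    """Escape a value for use in an RDN (cn=...), per RFC 4514."""
    out = "".join("\\" + ch if ch in _RDN_SPECIAL else ch for ch in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def user_path(username):
    """Build the ADSI path with the name substituted into the string (the thread's fix)."""
    return f"{LDAP_PREFIX}cn={escape_rdn_value(username)},{USER_OU}"


def normalize_dn(path):
    """Strip the ADSI prefix, drop whitespace around RDN separators, lower-case."""
    if path.upper().startswith(LDAP_PREFIX):
        path = path[len(LDAP_PREFIX):]
    rdns = re.split(r"(?<!\\),", path)  # split on commas not escaped by a backslash
    return ",".join(r.strip().lower() for r in rdns)


def _user_dn(cn):
    return f"cn={cn},{USER_OU}"


# Constructed sample directory. INFO-Test lists only alice in `member`;
# bob has INFO-Test as his primary group, so AD records that only via
# primaryGroupID (1105 == the RID of the group's objectSid).
DIRECTORY = {
    "cn=INFO-Test,ou=INFO-Groups,ou=INFO,ou=test,dc=new,dc=wow,dc=com": {
        "objectClass": "group", "objectSid": DOMAIN_SID + "-1105",
        "member": [_user_dn("alice")],
    },
    "cn=Domain Users,cn=Users,dc=new,dc=wow,dc=com": {
        "objectClass": "group", "objectSid": DOMAIN_SID + "-513",
        "member": [],  # AD never lists primary-group members here
    },
    _user_dn("alice"): {"objectClass": "user", "primaryGroupID": 513},
    _user_dn("bob"): {"objectClass": "user", "primaryGroupID": 1105},
    _user_dn("carol"): {"objectClass": "user", "primaryGroupID": 513},
}
_INDEX = {normalize_dn(dn): attrs for dn, attrs in DIRECTORY.items()}


def _rid(sid):
    return int(sid.rsplit("-", 1)[1])


def object_exists(path):
    """Check the path resolves; a mistyped path otherwise just yields False below."""
    return normalize_dn(path) in _INDEX


def is_direct_member(group_path, member_path):
    """What a member-attribute check on the LDAP path sees: direct members only."""
    group = _INDEX.get(normalize_dn(group_path))
    if group is None or group.get("objectClass") != "group":
        return False
    target = normalize_dn(member_path)
    return any(normalize_dn(m) == target for m in group["member"])


def is_primary_group(group_path, member_path):
    """True when the group's RID equals the user's primaryGroupID."""
    group = _INDEX.get(normalize_dn(group_path))
    user = _INDEX.get(normalize_dn(member_path))
    if group is None or user is None or "primaryGroupID" not in user:
        return False
    return user["primaryGroupID"] == _rid(group["objectSid"])


def is_member(group_path, member_path):
    """Direct membership or primary group: the two checks td's reply combines."""
    return is_direct_member(group_path, member_path) or is_primary_group(group_path, member_path)


def group_members(group_path):
    """All members as the WinNT provider enumerates them: direct plus primary-group users."""
    group = _INDEX.get(normalize_dn(group_path))
    if group is None:
        return []
    rid = _rid(group["objectSid"])
    found = {normalize_dn(m) for m in group["member"]}
    for dn, attrs in _INDEX.items():
        if attrs.get("objectClass") == "user" and attrs.get("primaryGroupID") == rid:
            found.add(dn)
    return sorted(found)


if __name__ == "__main__":
    literal = "LDAP://cn=UserName,ou=INFO-Users,ou=INFO,ou=test,dc=new,dc=wow,dc=com"
    print("literal 'UserName' path exists:", object_exists(literal))
    for name in ("alice", "bob", "carol"):
        p = user_path(name)
        print(name, "direct:", is_direct_member(GROUP_PATH, p), "member:", is_member(GROUP_PATH, p))
    print("WinNT-style enumeration:", group_members(GROUP_PATH))
```

Two points the demo makes explicit: the literal "UserName" path from the first post does not resolve, so every check on it silently comes back False, which is why checking object_exists() (or in WinBatch, dsGetProperty() on the path) before trusting a negative answer is worth the extra call; and bob only shows up once the primaryGroupID comparison or the full enumeration is used, exactly the gap the documentation quoted by Deana describes.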