
Author Topic: Run script based on AD group membership  (Read 4195 times)

fightinggeek
Run script based on AD group membership
« on: September 09, 2013, 07:26:12 am »
 I'm trying to create a logon script that checks whether the current user is a member of an AD group. The script runs without error but never returns true. Any suggestions?

Code: Winbatch
UserName=(wntUserInfo(0))
grouppath = "LDAP://cn=INFO-Test,ou=INFO-Groups, ou=INFO, ou=test, dc=new, dc=wow, dc=com"
userpath = "LDAP://cn=UserName, ou=INFO-Users,ou=INFO,ou=test,dc=new,dc=wow,dc=com"

if dsIsMemberGrp(grouppath, userpath) Then
   ;Do something
Else
   ;Do Something Else
Endif

Deana (Wilson WindowWare Tech Support)
Re: Run script based on AD group membership
« Reply #1 on: September 09, 2013, 07:37:27 am »
The documentation for dsIsMemberGrp states:

Quote
Important: This function sometimes erroneously returns @false (0) when an object is actually a member of the specified group. This occurs when the group is in Active Directory and is the primary group of the object whose membership you are checking. As a workaround, you can get a list of all the members of a group, including members with the target group as the primary group, by using the dsGetMemGrp function with the WinNT provider version of the group path instead of the LDAP version of the path.

For example, if you want to get all the members of the Active Directory group "LDAP://mydomain/cn= domain users, dc=mydomain,dc=mycompany,dc= com", use "WinNT://mydomain/domain users,group" instead. You can then examine the returned list for the path of the possible member object.

Deana F.
Technical Support
Wilson WindowWare Inc.

td (Tech Support)
Re: Run script based on AD group membership
« Reply #2 on: September 09, 2013, 08:37:51 am »
You can also use the dsGetPrimGrp ADSI extender function to check if the user has the group of interest as their primary group. This, along with dsIsMemberGrp, will allow you to check all the groups that the user has direct membership in.

"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade
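The two replies above describe the same gap from two sides: a user's primary group is not listed in the group's member attribute (or the user's memberOf), it is linked only by the group's RID stored in the user's primaryGroupID, so a plain member-list check misses it. The following is an added example, not code from this thread and not WinBatch; it works on a constructed in-memory snapshot of the attributes an LDAP query would return (objectClass, member, primaryGroupID, objectSid), so it runs offline, and it also follows nested groups, which goes beyond the direct-membership check discussed above. All DNs and SIDs in it are made up.

```python
"""Group membership check that also catches the user's primary group.

Added example, not code from the thread and not WinBatch: it works on a
constructed in-memory snapshot of the AD attributes an LDAP query would
return (objectClass, member, primaryGroupID, objectSid), so it runs offline.
"""
import struct


def build_sid(*subauths: int, revision: int = 1, authority: int = 5) -> bytes:
    """Build a binary SID as AD stores it in objectSid (constructed test data)."""
    head = bytes([revision, len(subauths)]) + authority.to_bytes(6, "big")
    return head + b"".join(s.to_bytes(4, "little") for s in subauths)


def sid_to_string(sid: bytes) -> str:
    """Decode a binary SID to the familiar S-1-5-21-... form."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subauths = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subauths))


def rid_of(sid: bytes) -> int:
    """The RID is the last sub-authority; primaryGroupID stores exactly this value."""
    return int(sid_to_string(sid).rsplit("-", 1)[1])


def is_member(directory: dict, group_dn: str, user_dn: str, nested: bool = True) -> bool:
    """True if user_dn is in group_dn directly, through nested groups, or as its primary group.

    directory maps lower-cased DNs to attribute dicts (the constructed snapshot).
    """
    group_dn, user_dn = group_dn.lower(), user_dn.lower()
    group, user = directory[group_dn], directory[user_dn]

    # The primary group is not listed in the group's member attribute (nor in the
    # user's memberOf); the only link is the group RID in the user's primaryGroupID.
    if user.get("primaryGroupID") == rid_of(group["objectSid"]):
        return True

    # Walk the member attribute; follow member groups when nested is set.
    seen, todo = set(), [group_dn]
    while todo:
        dn = todo.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for member_dn in directory[dn].get("member", ()):
            member_dn = member_dn.lower()
            if member_dn == user_dn:
                return True
            if nested and directory.get(member_dn, {}).get("objectClass") == "group":
                todo.append(member_dn)
    return False


# Constructed snapshot; DNs and SIDs are made up for the example.
DOMAIN = (21, 1111, 2222, 3333)
BASE = "ou=info,ou=test,dc=new,dc=wow,dc=com"
DOMAIN_USERS = "cn=domain users,cn=users,dc=new,dc=wow,dc=com"
INFO_TEST = "cn=info-test,ou=info-groups," + BASE
INFO_NESTED = "cn=info-nested,ou=info-groups," + BASE
ALICE = "cn=alice,ou=info-users," + BASE
BOB = "cn=bob,ou=info-users," + BASE

DIRECTORY = {
    # Domain Users has no explicit members: everyone belongs via primaryGroupID 513
    DOMAIN_USERS: {"objectClass": "group", "objectSid": build_sid(*DOMAIN, 513), "member": []},
    INFO_TEST: {"objectClass": "group", "objectSid": build_sid(*DOMAIN, 1105), "member": [INFO_NESTED]},
    INFO_NESTED: {"objectClass": "group", "objectSid": build_sid(*DOMAIN, 1106), "member": [ALICE]},
    # alice: member of INFO-Test only through the nested group; primary group Domain Users
    ALICE: {"objectClass": "user", "primaryGroupID": 513},
    # bob: INFO-Test is his primary group, so he appears in no member list at all
    BOB: {"objectClass": "user", "primaryGroupID": 1105},
}

if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user, "in INFO-Test:", is_member(DIRECTORY, INFO_TEST, user))
```

Against a live domain you would read objectSid and member from the group and primaryGroupID from the user first; the comparison logic is the same. Note that bob is only found through the primaryGroupID path, which is exactly the case the documentation quoted above says dsIsMemberGrp gets wrong.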

fightinggeek
Re: Run script based on AD group membership
« Reply #3 on: September 10, 2013, 06:03:01 am »
I figured it out. The Username variable was not being passed properly as it was between quotes and thus part of the string. I used strcat() to separate the variable from the string and it worked perfectly.

Deana (Wilson WindowWare Tech Support)
Re: Run script based on AD group membership
« Reply #4 on: September 10, 2013, 07:36:10 am »
Quote
I figured it out. The Username variable was not being passed properly as it was between quotes and thus part of the string. I used strcat() to separate the variable from the string and it worked perfectly.

Ok yes, now I see your username variable wasn't being passed properly. The code should look something like this:

Code: Winbatch
; Extender file names are assumed here; match them to your installed WinBatch version
AddExtender("wwwnt34i.dll") ; WinNT extender, provides wntUserInfo
AddExtender("wwads34i.dll") ; ADSI extender, provides dsIsMemberGrp

UserName = wntUserInfo(0)
grouppath = "LDAP://cn=INFO-Test,ou=INFO-Groups, ou=INFO, ou=test, dc=new, dc=wow, dc=com"
; The value of UserName must be concatenated into the path; inside the quotes it is just the literal text "UserName"
userpath = StrCat("LDAP://cn=", UserName, ", ou=INFO-Users,ou=INFO,ou=test,dc=new,dc=wow,dc=com") ; Uses StrCat
; or, using the colon concatenation operator:
;userpath = "LDAP://cn=":UserName:", ou=INFO-Users,ou=INFO,ou=test,dc=new,dc=wow,dc=com"

If dsIsMemberGrp(grouppath, userpath) Then
   ;Do something
Else
   ;Do Something Else
EndIf

Deana F.
Technical Support
Wilson WindowWare Inc.
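One thing the corrected script still does not handle: the user name is spliced into a distinguished name by plain concatenation. A cn value containing a comma, plus sign, quote or other RFC 4514 special character ("Smith, John" is a common display-name form) silently changes the DN structure, so the membership check points at a non-existent object and returns false with no error. In a logon script the name comes from the user's own session, so this is a correctness problem rather than an injection vector, but the fix is the same: escape the value before building the RDN. A related caveat, stated here as a practitioner's note and not something the thread discusses: in AD the cn of a user object is usually the full or display name, while wntUserInfo(0) returns the logon name, so the two can differ and a lookup by sAMAccountName is the more robust way to find the user object. The following is an added example, not code from the thread and not WinBatch; it uses the base DN from the thread and constructed user names.

```python
"""Build the user's LDAP path from a logon name without corrupting the DN.

Added example, not from the thread and not WinBatch. The base DN is the one
used in the thread; the user names passed in below are constructed test data.
"""

BASE_DN = "ou=INFO-Users,ou=INFO,ou=test,dc=new,dc=wow,dc=com"
SPECIALS = set('\\,+"<>;=')  # characters RFC 4514 requires to be escaped inside a value


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514 string form)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")            # NUL is written as a hex pair
        elif ch in SPECIALS:
            out.append("\\" + ch)         # comma, plus, quote, angle brackets, semicolon, equals, backslash
        elif ch == "#" and i == 0:
            out.append("\\#")             # a leading '#' would otherwise mean a hex-encoded value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")             # leading/trailing spaces are significant only when escaped
        else:
            out.append(ch)
    return "".join(out)


def naive_user_path(username: str) -> str:
    """The thread's approach: plain concatenation, no escaping."""
    return "LDAP://cn=" + username + "," + BASE_DN


def safe_user_path(username: str) -> str:
    """Same path, with the cn value escaped so the DN keeps its structure."""
    return "LDAP://cn=" + escape_rdn_value(username) + "," + BASE_DN


def split_dn(path: str) -> list:
    """Split an LDAP path into its RDNs, honouring backslash escapes."""
    dn = path.split("://", 1)[1] if "://" in path else path
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])       # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


if __name__ == "__main__":
    for name in ("plain", "Smith, John"):
        print(naive_user_path(name), "->", len(split_dn(naive_user_path(name))), "RDNs")
        print(safe_user_path(name), "->", len(split_dn(safe_user_path(name))), "RDNs")
```

The base DN has six RDNs, so a correct user path has seven; the naive path for "Smith, John" parses as eight, with " John" as a bogus RDN between the cn and the OU. In the WinBatch script the same escaping can be done with StrReplace on UserName for each special character before the StrCat call.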