Here is some code I wrote to determine if a user is in a group or not in active directory (somewhat recursively).
** Based off some examples from users like lsavell and others.... **
Code:
FindDistinguishedName(_Item)
{
;This finds a full DN name from a short name or a samaccount name.
MembersOfGroup := Object()
objRootDSE := ComObjGet("LDAP://rootDSE")
strDomain := objRootDSE.Get("defaultNamingContext")
strADPath := "LDAP://" . strDomain
objDomain := ComObjGet(strADPath)
objConnection := ComObjCreate("ADODB.Connection")
objConnection.Open("Provider=ADsDSOObject")
objCommand := ComObjCreate("ADODB.Command")
objCommand.ActiveConnection := objConnection
objCommand.CommandText := "<" . strADPath . ">;(|(name=" . _Item . ")(sAMAccountName=" . _Item . "));distinguishedName;subtree"
objRecordSet := objCommand.Execute
objRecordCount := objRecordSet.RecordCount
objOutputVar :=
While !objRecordSet.EOF
{
_Item := objRecordSet.Fields.Item("distinguishedName").value
objRecordSet.MoveNext
}
objRelease(objRootDSE)
objRelease(objDomain)
objRelease(objConnection)
objRelease(objCommand)
return _Item
}
GetMembersOfADGroup(_Group, _Type = "both") ; _Type can be user (return only users of the group), group (return only groups in this group) or both.
{
MembersOfGroup := Object()
objRootDSE := ComObjGet("LDAP://rootDSE")
strDomain := objRootDSE.Get("defaultNamingContext")
strADPath := "LDAP://" . strDomain
objDomain := ComObjGet(strADPath)
objConnection := ComObjCreate("ADODB.Connection")
objConnection.Open("Provider=ADsDSOObject")
objCommand := ComObjCreate("ADODB.Command")
objCommand.ActiveConnection := objConnection
StringLeft, GroupNameStart, _Group, 3
StringUpper, GroupNameStart, GroupNameStart
If GroupNameStart != "CN=" ; We were given a simple name for the group so we find the distinguished name.
{
_Group := FindDistinguishedName(_Group)
}
LDAPSearchString := "<" . strADPath . ">;"
IfEqual, _Type,user
{
LDAPSearchString .= "(&(&(&(memberOf=" . _Group . ")(objectCategory=user)(objectClass=user))))"
}
IfEqual, _Type,group
{
LDAPSearchString .= "(&(objectCategory=group)(memberOf=" . _Group . "))"
}
IfEqual, _Type,both
{
LDAPSearchString .= "(memberOf=" . _Group . ")"
}
LDAPSearchString .= ";sAMAccountName;subtree"
objCommand.CommandText := LDAPSearchString
objRecordSet := objCommand.Execute
objRecordCount := objRecordSet.RecordCount
objOutputVar :=
x = 0
MemberGroups =
While !objRecordSet.EOF
{
sAMAccountName := objRecordSet.Fields.Item("sAMAccountName").value
;sAMAccountType := objRecordSet.Fields.Item("sAMAccountType").value
If MemberGroups
{
MemberGroups := MemberGroups . "`n"
}
MemberGroups := MemberGroups . sAMAccountName
objRecordSet.MoveNext
}
objRelease(objRootDSE)
objRelease(objDomain)
objRelease(objConnection)
objRelease(objCommand)
return MemberGroups
}
IsUserOfGroup(_User,_Group, _Recurse=0)
{
; First we check the obvious first level of the group.
Users := GetMembersOfADGroup(_Group, "user")
StringSplit, Users, Users,`n
Loop, %Users0%
{
If Users%a_index% = %_User%
{
return true
}
}
If _Recurse
{
; User was not in first level of group and since the recursive flag is set, we have to go deeper.
; This is limited to only one recursion for now. It will check all the groups in this group for the user.
GroupIndex = 0
Groups := GetMembersOfADGroup(_Group, "group")
StringSplit, GroupsArray, Groups,`n
If GroupsArray0
{
Loop
{
GroupIndex++
If GroupIndex > %GroupsArray0%
{
return false
}
;Look for the user in the current group in the list.
CurGroup := GroupsArray%GroupIndex%
Users := GetMembersOfADGroup(CurGroup, "user")
StringSplit, Users, Users,`n
Loop, %Users0%
{
If Users%a_index% = %_User%
{
return true
}
}
}
}
return false
}
; We couldn't find the user.
return false
}
Login
Register
FAQ
Search
