'============================================================================================================
'
' Feel free to use, comment, or visit me at http://www.Menkaura.com/Forum/index.php
'
' General Comments:
'
' Generic Domain / AD based user login script.
' This script is an initiating script that can be applied via GPO to the root of an "All Users" OU structure.
'
' It executes as follows:
'  1. Enumerate each group in the AD domain, starting from a root OU.
'  2. Enumerate the group membership of each enumerated group in turn (nested groups included).
'  3. Execute a login script if the logging-in user is a member of the enumerated group AND there is a
'     VBScript with the same name as the enumerated group in the comScriptLoc directory.
'
' Scenario 1:
'   AD User               : Fred
'   AD Group              : Group 1
'   User Group Membership : Fred is a member of Group 1
'   VBScript Executed     : Group 1.vbs
'   Note: Group 1.vbs is executed through Fred's direct membership of this group.
'
' Scenario 2:
'   AD User               : Fred
'   AD Groups             : Group 1 & Group 2
'   AD Group Membership   : Group 1 has Group 2 as its member
'   User Group Membership : Fred is a member of Group 2
'   VBScript Executed     : Group 1.vbs
'   Note: Group 1.vbs is executed even though Fred is NOT directly a member of this group.
'         His membership is gained indirectly through his membership of Group 2.
'
' Security note: the script that runs is chosen purely by group name, and it runs in the session of every
' user who logs in. Anyone able to create or rename a group under the root OU, or to write into the
' comScriptLoc folder, can therefore run code as every user. Keep both under administrative control and
' do not place the (user-writable) log file in the same folder as the scripts.
'
' Execution logging and error checking are also features of this script.
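'
' Change Log:
'   - Review: groups are matched on their own distinguishedName instead of re-looking the name up as a
'     sAMAccountName (which silently skipped every group whose two names differ); the member attribute is
'     no longer fetched for every group; LDAP filter values are escaped; scripts are launched without
'     "cmd /c" and group names are validated before being used as a file name; cscript exit codes are
'     logged; Err is cleared before each checked call; Set ... = Nothing on strings removed.
'
'===========================================================================================================
Option Explicit

' A login script must not abort half-way because one group or one script misbehaves, so run-time errors
' are tolerated globally. Every step that matters therefore clears Err beforehand and inspects it
' afterwards instead of trusting a possibly stale Err.Number.
On Error Resume Next

' ---- Variables shared between the main body and the membership helpers ----
Dim sUserDN              ' distinguishedName of the logging-in user
Dim oGroupList           ' Scripting.Dictionary of every group DN the user belongs to (filled once by IsMember)
Dim sGroupDN             ' distinguishedName of the group currently being enumerated
Dim sGroupName           ' name (RDN value) of the group currently being enumerated
Dim oRootDSE
Dim sDNSDomain           ' defaultNamingContext, search base for LoadGroups
Dim sBase                ' "<GC://...>" search base used by LoadGroups
Dim sAttributes          ' attribute list requested by LoadGroups
Dim oNet
Dim sSAMAccountName
Dim oFSO
Dim sScript
Dim oShell
Dim oLogFile
Dim oConnection          ' ADO connection/command shared by IsMember and LoadGroups
Dim oCommand
Dim oEnumConnection      ' separate ADO objects for the group enumeration in the main loop, so that IsMember
Dim oEnumCommand         ' re-creating oConnection/oCommand on its first call cannot disturb the open recordset
Dim oEnumRecordSet

' ---- Constants ----
' comScriptLoc is executed by every user who logs in: it must be writable by administrators only.
' LogFilePath is appended to by every user, so that folder must be writable by users and the log can be
' tampered with by them; keep it on a different share from the scripts.
Const comScriptLoc  = "\\ADomainControllerName\AShareName\AFolderName\"              ' Script location
Const comRootOU     = "ou=A Root OU,dc=YourDomain,dc=com"                             ' Root of the OU tree whose groups are enumerated
Const comPreProc    = "SomePreProc.vbs"                                               ' All Users Pre-Process
Const comPostProc   = "SomePostProc.vbs"                                              ' All Users Post-Process
Const ForAppending  = 8                                                               ' Value for Appending to file
Const LogFilePath   = "\\ADomainControllerName\AShareName\AFolderName\Logfile.txt"   ' Log File Name and Path
Const LogLine       = "=================================================="            ' Log File Delimiter
Const sErrText1     = "Error details whilst executing VBScript: "                     ' General Error pre-text

' ---- Main body ----
Set oNet   = CreateObject("Wscript.Network")
Set oFSO   = CreateObject("Scripting.FileSystemObject")
Set oShell = CreateObject("WScript.Shell")

' Create Log File if it doesn't already exist
If Not oFSO.FileExists(LogFilePath) Then
    Err.Clear
    Set oLogFile = oFSO.CreateTextFile(LogFilePath, True)
    If Err.Number = 0 Then
        oLogFile.WriteLine LogLine
        oLogFile.WriteLine "Log File Initially Created : " & Date & " - " & Time
        oLogFile.WriteLine LogLine
        oLogFile.Close
    End If
    Err.Clear
End If

' Run Generic Pre-process script
' Uncomment if functionality required
' sScript = comScriptLoc & comPreProc
' oShell.Run "cscript //nologo " & Chr(34) & sScript & Chr(34), 0, True

' Resolve the logging-in user to a distinguished name; without it no group can be matched, so say so
' in the log rather than silently running nothing.
sSAMAccountName = oNet.UserName
sUserDN = "" & SearchDistinguishedName(sSAMAccountName)

If Len(sUserDN) = 0 Then
    WriteLog "Could not resolve the distinguished name of " & sSAMAccountName & " at " & Time & " on the " & Date & " - no group scripts run"
Else
    RunGroupScripts
End If

' Run Generic Post-process script
' Uncomment if functionality required
' sScript = comScriptLoc & comPostProc
' oShell.Run "cscript //nologo " & Chr(34) & sScript & Chr(34), 0, True

' Nullify Object Handles (objects only: "Set x = Nothing" on a string is a run-time error)
Set oGroupList      = Nothing
Set oRootDSE        = Nothing
Set oNet            = Nothing
Set oFSO            = Nothing
Set oShell          = Nothing
Set oLogFile        = Nothing
Set oConnection     = Nothing
Set oCommand        = Nothing
Set oEnumRecordSet  = Nothing
Set oEnumCommand    = Nothing
Set oEnumConnection = Nothing

' ---- Procedures ----

Sub RunGroupScripts()
    ' Enumerate every group below comRootOU and run "<group name>.vbs" from comScriptLoc for each one
    ' the logging-in user belongs to, directly or through nested groups.
    On Error Resume Next
    Err.Clear
    Set oEnumConnection = CreateObject("ADODB.Connection")
    oEnumConnection.Open "Provider=ADsDSOObject;"
    Set oEnumCommand = CreateObject("ADODB.Command")
    oEnumCommand.ActiveConnection = oEnumConnection
    ' Paged, so that more than 1000 groups (the default server-side result limit) are still seen.
    oEnumCommand.Properties("Page Size") = 100
    ' Only the two attributes actually needed; fetching "member" for every group was wasted bandwidth.
    oEnumCommand.CommandText = "<GC://" & comRootOU & ">;(objectCategory=Group);name,distinguishedName;subtree"
    Set oEnumRecordSet = oEnumCommand.Execute
    If Err.Number <> 0 Then
        WriteLog "Group enumeration below " & comRootOU & " failed. Error No: " & Err.Number & " (" & Err.Description & ") Time:" & Time & " Date:" & Date
        Err.Clear
        Exit Sub
    End If

    Do Until oEnumRecordSet.EOF
        sGroupName = "" & oEnumRecordSet.Fields("name").Value
        sGroupDN   = "" & oEnumRecordSet.Fields("distinguishedName").Value
        ' Match on the group's own DN. Looking the DN up again by treating "name" as a sAMAccountName
        ' silently skipped every group whose two names differ.
        If IsMember(sGroupDN) Then
            RunGroupScript sGroupName
        End If
        oEnumRecordSet.MoveNext
    Loop
    oEnumRecordSet.Close
    oEnumConnection.Close
    Err.Clear
End Sub

Sub RunGroupScript(sName)
    ' Run comScriptLoc & sName & ".vbs" (if it exists) and log the outcome.
    ' sName comes from Active Directory. Anyone who can create or rename a group under comRootOU controls
    ' it, so it is validated before it becomes part of a file name, and the script is started directly
    ' with cscript rather than through "cmd /c", where characters such as & | ^ % would be interpreted.
    Dim sPath, lRC
    On Error Resume Next
    If Not IsSafeScriptName(sName) Then
        WriteLog "Refused to run a script for group name with unsafe characters: " & sName & " Time:" & Time & " Date:" & Date
        Exit Sub
    End If
    sPath = comScriptLoc & sName & ".vbs"
    If Not oFSO.FileExists(sPath) Then Exit Sub

    Err.Clear
    lRC = oShell.Run("cscript //nologo " & Chr(34) & sPath & Chr(34), 0, True)
    If Err.Number <> 0 Then
        ' Run itself failed (e.g. cscript could not be started).
        WriteLog sErrText1 & sPath & " Error No: " & Err.Number & " (" & Err.Description & ") Time:" & Time & " Date:" & Date
        Err.Clear
    ElseIf lRC <> 0 Then
        ' The script ran but ended with a non-zero exit code (WScript.Quit n or a run-time error).
        WriteLog sErrText1 & sPath & " Exit Code: " & lRC & " Time:" & Time & " Date:" & Date
    Else
        WriteLog oNet.UserName & " - executed VBScript " & sPath & " from Login.vbs at " & Time & " on the " & Date
    End If
End Sub

Function IsSafeScriptName(sName)
    ' True when sName can be appended to comScriptLoc without leaving that folder or breaking the quoted
    ' command line: non-empty, no quote, path separator, drive colon, wildcard, redirection or control
    ' character, and no "..". Names that fail are logged and skipped by the caller.
    Dim oRE
    Set oRE = New RegExp
    oRE.Pattern = "[""\\/:*?<>|\x00-\x1f]"
    IsSafeScriptName = (Len(sName) > 0) And (Not oRE.Test(sName)) And (InStr(sName, "..") = 0)
End Function

Sub WriteLog(sText)
    ' Append one line to LogFilePath, creating the file if needed. Failures are swallowed on purpose:
    ' a missing or locked log file must never stop the login script.
    Dim oLog
    On Error Resume Next
    Err.Clear
    Set oLog = oFSO.OpenTextFile(LogFilePath, ForAppending, True)
    If Err.Number = 0 Then
        oLog.WriteLine sText
        oLog.Close
    End If
    Err.Clear
End Sub

Function EscapeLdapFilterValue(sValue)
    ' Escape a value for use inside an LDAP search filter (RFC 4515): \ * ( ) and NUL become \xx.
    ' Backslash must be replaced first so the escapes just introduced are not escaped again.
    Dim s
    s = "" & sValue
    s = Replace(s, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, Chr(0), "\00")
    EscapeLdapFilterValue = s
End Function

Function IsMember(sGroup)
    ' Function to test group membership.
    ' sGroup is the Distinguished Name of the group.
    ' oGroupList is a dictionary object with global scope; sUserDN is the Distinguished Name of the user,
    ' with global scope. On the first call ADO is used to collect every group that has the user as a
    ' member (nested groups included, see LoadGroups); later calls are plain dictionary lookups.
    On Error Resume Next
    If IsEmpty(oGroupList) Then
        Set oGroupList = CreateObject("Scripting.Dictionary")
        oGroupList.CompareMode = vbTextCompare

        ' Determine DNS domain name.
        Set oRootDSE = GetObject("LDAP://RootDSE")
        sDNSDomain = oRootDSE.Get("DefaultNamingContext")

        ' Use ADO to search Active Directory.
        Set oCommand = CreateObject("ADODB.Command")
        Set oConnection = CreateObject("ADODB.Connection")
        oConnection.Provider = "ADsDSOObject"
        oConnection.Open "Active Directory Provider"
        oCommand.ActiveConnection = oConnection
        sBase = "<GC://" & sDNSDomain & ">"
        sAttributes = "distinguishedName"
        oCommand.Properties("Page Size") = 100
        oCommand.Properties("Timeout") = 30
        oCommand.Properties("Cache Results") = False
        ' The DN is placed inside an LDAP filter, so ( ) * and \ in it must be escaped; a DN such as
        ' "CN=Smith\, John,OU=..." would otherwise yield an invalid filter and no matches.
        Call LoadGroups("(member=" & EscapeLdapFilterValue(sUserDN) & ")")
        oConnection.Close
        Err.Clear
    End If
    IsMember = oGroupList.Exists(sGroup)
End Function

Sub LoadGroups(sMemberFilter)
    ' Recursive subroutine to populate a dictionary object with group memberships.
    ' sMemberFilter is the filter used by ADO to find groups having the members specified. When this
    ' subroutine is first called by Function IsMember, sMemberFilter specifies the user. On recursive
    ' calls, sMemberFilter specifies all groups returned by the previous call of the subroutine.
    ' The subroutine is called once for each level of group nesting; groups already in the dictionary
    ' are not queried again, which also terminates circular nesting.
    Dim sFilter, sQuery, sDN, oRecordSet
    Dim sNextFilter, blnRecurse
    On Error Resume Next
    sFilter = "(&(objectCategory=Group)" & sMemberFilter & ")"
    sQuery = sBase & ";" & sFilter & ";" & sAttributes & ";subtree"
    oCommand.CommandText = sQuery
    Set oRecordSet = oCommand.Execute
    sNextFilter = "(|"
    blnRecurse = False
    Do Until oRecordSet.EOF
        sDN = "" & oRecordSet.Fields("DistinguishedName").Value
        If Not oGroupList.Exists(sDN) Then
            oGroupList(sDN) = True
            sNextFilter = sNextFilter & "(member=" & EscapeLdapFilterValue(sDN) & ")"
            blnRecurse = True
        End If
        oRecordSet.MoveNext
    Loop
    If blnRecurse = True Then
        sNextFilter = sNextFilter & ")"
        Call LoadGroups(sNextFilter)
    End If
End Sub

Public Function SearchDistinguishedName(ByVal vSAN)
    ' Function:    SearchDistinguishedName
    ' Description: Searches for the DistinguishedName of the user with a given SamAccountName
    ' Parameters:  ByVal vSAN - The SamAccountName to search (escaped before use in the filter)
    ' Returns:     The DistinguishedName, or Empty when no user matches or the search fails
    Dim oRootDSE, oConnection, oCommand, oRecordSet
    On Error Resume Next
    Set oRootDSE = GetObject("LDAP://rootDSE")
    Set oConnection = CreateObject("ADODB.Connection")
    oConnection.Open "Provider=ADsDSOObject;"
    Set oCommand = CreateObject("ADODB.Command")
    oCommand.ActiveConnection = oConnection
    oCommand.CommandText = "<LDAP://" & oRootDSE.Get("defaultNamingContext") & _
        ">;(&(objectCategory=User)(samAccountName=" & EscapeLdapFilterValue(vSAN) & "));distinguishedName;subtree"
    Set oRecordSet = oCommand.Execute
    ' Reading a field of an empty recordset raises; with Resume Next the function then returns Empty.
    SearchDistinguishedName = oRecordSet.Fields("DistinguishedName").Value
    oConnection.Close
    Set oRecordSet = Nothing
    Set oCommand = Nothing
    Set oConnection = Nothing
    Set oRootDSE = Nothing
    Err.Clear
End Function

Public Function SearchGroupDistinguishedName(ByVal vGSAN)
    ' Function:    SearchGroupDistinguishedName
    ' Description: Searches for the DistinguishedName of the group with a given SamAccountName.
    '              No longer used by the main body (which matches on the DN returned by the enumeration)
    '              but kept for scripts that call it.
    ' Parameters:  ByVal vGSAN - The group SamAccountName to search (escaped before use in the filter)
    ' Returns:     The DistinguishedName, or Empty when no group matches or the search fails
    Dim oRootDSE, oConnection, oCommand, oRecordSet
    On Error Resume Next
    Set oRootDSE = GetObject("LDAP://rootDSE")
    Set oConnection = CreateObject("ADODB.Connection")
    oConnection.Open "Provider=ADsDSOObject;"
    Set oCommand = CreateObject("ADODB.Command")
    oCommand.ActiveConnection = oConnection
    oCommand.CommandText = "<LDAP://" & oRootDSE.Get("defaultNamingContext") & _
        ">;(&(objectCategory=Group)(samAccountName=" & EscapeLdapFilterValue(vGSAN) & "));distinguishedName;subtree"
    Set oRecordSet = oCommand.Execute
    SearchGroupDistinguishedName = oRecordSet.Fields("DistinguishedName").Value
    oConnection.Close
    Set oRecordSet = Nothing
    Set oCommand = Nothing
    Set oConnection = Nothing
    Set oRootDSE = Nothing
    Err.Clear
End Function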
Regards, John Find me at: http://www.Menkaura.com/Forum/index.php