forum.vdsworld.com

[Dave Heck]

I'm looking for an add-on DLL file that will allow me to tap into Active Directory - specifically I'm looking for the ability to check to see if a user is a member of an AD group and then act upon the fact that they are or not. Of course if someone has any suggestions I'm willing to give it a shot.

I've tried using the tool "IFMEMBER.EXE" which will give a Return Code of 1 if they are a member, or 0 if they are not. Unfortunately that is giving inconsistent results sometimes. I've also "piped" the output from the ShowGRPS command to a .TXT file and then loaded it into a List and run through it looking for matches.

Both of these methods seem to work for most of my users I'm checking, but I have this one user whom I am not getting a positive result when checking a group I know she is in. I believe this MAY be related to the number of groups this particular individual is in, but cannot prove it.

Thanks for any and all help,
Dave

[Aslan]

You can use DSQUERY and DSGET with VDS's PIPE option to accomplish this. These are M$ free tools.

[Dave Heck]

When I run it I'm getting the following error:

dsquery failed:'dsget' is an unknown parameter. type dsquery /? for help

I altered the code (see below) by removing the pipe to the dsget command and I do get the user ID, OU, etc. from the dsquery. I'm using VDS6 and running on a Win7 32bit machine right now, but the end result will be run on WinXP SP2 machines - don't know/think this makes a difference....

%%User = @env(Username)
runh dsquery user -samid %%User,PIPE
REM | dsget user -memberof,pipe
info @pipe()

[Aslan]

Try it with quotes:

[Dave Heck]

Hey Aslan - it's now working. When I typed it into a CMD prompt I got the group list for my user. I just put a call to the CMD prompt at the beginning of the RUNH line. It works with and without the quotes

%%User = @env(Username)
runh cmd /c dsquery user -samid %%User | dsget user -memberof,pipe
info @pipe()

Do you know if there is a command line option to check for a specific group? We have an Outlook Add-in that needs to be enabled/disabled depending on whether the user is in an AD group or not. If they are a member of a group called RRC\ReplyAll in AD then I enable it in the registry and disable if they are not a member

I can always dump the results from the @pipe() command into a LIST and loop through it to check, but if you know of something offhand that would be great.

Thanks for your help,
Dave

[Aslan]

Good catch Dave
I looked in my old script and I had to use "cmd /c" also.

You will need to go ahead and dump the results to a list and check for that group.

[Dave Heck]

Cool...thanks again. I'll modify a subroutine that was set to load the showgrps text and loop through it to use this method/output.

Dave

[Dave Heck]

Just in case anyone else tries using this....

I've found that this method works well when the user is in a put directly into a group, but it doesn't work for nested groups.

We have a group (All Attorneys) which is made up of other groups (Hartford Attorneys, Boston Attorneys, etc.). If I put the user directly into the "All Attorneys" group then the DSGet/DSQuery shows the user is in the group.

If I put the user into any of the nested groups such as "Hartford Attorneys" it shows them as a member of that group, but doesn't show they are a member of "All Attorneys"

This is really strange because the older method using the IFMember.exe in a DOS batch file DOES get them as a member of the "top level" group even if they are a only a member of a nested group.

[Aslan]

Dave to get a recursive list of groups you need to use the "-expand" switch

[Dave Heck]

Hi Aslan - thanks for the modification. Working great!

Dave

[Dave Heck]

It appears that the -expand works fine under Windows XP SP2, however under Windows 7 Pro (32bit) the -expand is pulling way too much information and giving inaccurate results.

I checked the version numbers/date-time of DSGet.exe, DSQuery.exe and DSQuery.dll and all are 6.1.7600.16385 7/13/2009 09:14PM

Under Win7 without the -expand I show my user is a member of 50 groups. With the -expand it shows 2274 groups which I would wager is probably the total number of groups in our AD Structure, but don't know for sure.

[Dave Heck]

http://social.technet.microsoft.com/Forums/en-CA/winserverDS/thread/8ac0b896-fca4-48fb-9a6e-657bfe9ad6da

[Aslan]

Try this free utility

http://www.joeware.net/freetools/tools/adfind/index.htm

[Aslan]

Also, have you tried using an older version of DSGET? 5.x maybe...

I haven't tried it with Win 7 but it works with Vista

If you have a copy of "VDSDB.DLL" by Tommy Sools, you can query AD just like a SQL database.

[Dave Heck]

I finally had a chance to get back to this and work out what I believe is the solution - wanted to post it in case anyone else is trying to use this. The code below works fine getting AD Group Membership, including nested groups when run on XP.

It appears that the bug under Windows 7 (at least Pro and Enterprise (aka Ultimate)) is with DSGet.exe. If you replace the Windows 7 version of DSGet.exe with the XP version, but leave the Win7 versions of DSQuery.exe and DSQuery.dll the expand command works fine.

REM Create list to hold Groups
%%GroupList = @NEW(LIST)
REM Get AD Group membership for logged in user
RUNH CMD /C @WINDIR(S)\dsquery user -samid @ENV(USERNAME) | @WINDIR(S)\dsget user -memberof -expand,pipe
REM Pipe Groups into a list
List assign,%%GroupList,@pipe()