The IADsUser and IADsGroup interfaces have a few useful methods designed for enumerating groups and users. You could certainly access the appropriate properties directly — memberOf for user objects, and member for group objects — since these hold the membership information. However, it is much more convenient to use the special access methods, especially when modifying memberships.
Refer to Listing 17.13 for information on moving and renaming group accounts.
The Groups method of the IADsUser interface allows you to enumerate all groups that a user belongs to. Here is a script that displays the names of the groups for a specified user account:
Listing 17.10. listOfGroups.vbs — Enumerating Groups
    Dim objUser 'As IADsUser
    Dim x 'As Variant
    Set objUser = GetObject("LDAP://CN=John Smith,OU=Staff,DC=net,DC=dom")
    For Each x In objUser.Groups
        WScript.Echo x.ADsPath
        WScript.Echo x.Name
        WScript.Echo x.distinguishedName, vbCrLf
    Next
(The ADsPath value can be used for subsequent direct binding to a group object.)
Otherwise, you can directly read the value of the memberOf property and use the following statements, instead of the last five statements shown above:
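    'Dim arrGroups As Variant
    ' GetEx always returns an array, even when memberOf holds a single value
    ' (Get would return a plain string in that case and For Each would fail).
    arrGroups = objUser.GetEx("memberOf")
    For Each x In arrGroups
        WScript.Echo x
    Next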
Neither the Groups method nor the memberOf property will display a user's primary group, i.e. the Domain Users group (the default for user accounts). (By default, the primary group for computer accounts is Domain Computers, and for DCs — Domain Controllers.) To see an account's primary group, bind to that account and use the Get method: object.Get ("primaryGroupID")
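The primaryGroupID value is a relative identifier (RID), not a group name, so a membership audit built only on Groups or memberOf leaves the primary group out. This added example (not from the book) resolves it to the group object by replacing the last sub-authority of the account's objectSid with the RID and binding by SID; the helper function names are hypothetical, the sample SID is constructed, and the bind reuses the John Smith path from Listing 17.10.

```vbscript
Option Explicit

' Convert an OctetString (byte array such as objectSid) to a hex string.
Function OctetToHex(arrBytes)
    Dim i
    OctetToHex = ""
    For i = 1 To LenB(arrBytes)
        OctetToHex = OctetToHex & Right("0" & Hex(AscB(MidB(arrBytes, i, 1))), 2)
    Next
End Function

' Encode a RID as four little-endian bytes in hex, as stored inside a binary SID.
Function RidToHexLE(lngRid)
    Dim i, lngRest
    lngRest = lngRid
    RidToHexLE = ""
    For i = 1 To 4
        RidToHexLE = RidToHexLE & Right("0" & Hex(lngRest Mod 256), 2)
        lngRest = lngRest \ 256
    Next
End Function

' The primary group lives in the same domain as the account, so its SID is the
' account's SID with the final RID (last 4 bytes = 8 hex digits) swapped out.
Function PrimaryGroupSidHex(strSidHex, lngRid)
    PrimaryGroupSidHex = Left(strSidHex, Len(strSidHex) - 8) & RidToHexLE(lngRid)
End Function

' Offline check with a constructed SID (S-1-5-21-1-2-3-1105) and RID 513.
WScript.Echo PrimaryGroupSidHex( _
    "01050000000000051500000001000000020000000300000051040000", 513)

' Against a live domain: resolve the primary group of the account.
Dim objUser, objGroup, lngRid, strSid
Set objUser = GetObject("LDAP://CN=John Smith,OU=Staff,DC=net,DC=dom")
lngRid = objUser.Get("primaryGroupID")
strSid = PrimaryGroupSidHex(OctetToHex(objUser.Get("objectSid")), lngRid)
Set objGroup = GetObject("LDAP://<SID=" & strSid & ">")
WScript.Echo "Primary group: " & objGroup.Get("distinguishedName")

' 513 is the well-known RID of Domain Users; anything else on a user
' account is worth a second look during a membership review.
If lngRid <> 513 Then
    WScript.Echo "Primary group is not Domain Users (RID " & lngRid & ")"
End If
```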
By using the Members method of the IADsGroup interface, you can list all members — users or other groups — of the specified group. Here is a sample script:
Listing 17.11. listOfUsers.vbs — Enumerating Users
    Dim objGroup 'As IADsGroup
    Dim x 'As Variant
    Set objGroup = GetObject("LDAP://CN=LocalGrp,OU=Staff,DC=net,DC=dom")
    For Each x In objGroup.Members
        WScript.Echo x.Class
        WScript.Echo x.Name
        WScript.Echo x.ADsPath
        WScript.Echo x.distinguishedName + vbCrLf
    Next
Only one statement (the objGroup.Add call) is sufficient to add an account (user, computer, or group) to an existing group. Look at the following code snippet:
    Dim objGroup 'As IADsGroup
    Set objGroup = GetObject("LDAP://CN=LocalGrp,OU=Staff,DC=net,DC=dom")
    ' Add the account identified by its ADsPath to the group
    objGroup.Add ("LDAP://CN=John Smith,OU=Staff,DC=net,DC=dom")
    objGroup.SetInfo