Accessing AD: Memberlist not correct

  • Thread starter: Anonymous
Hi!
I would like to access the AD from Visual Basic and get me information about
groups and group members. All this works quite well, except for the problem
that I cannot read the members of a group of computers. Here's the code,
that might illuminate the picture somewhat (cutout, so probably not
executable!)
Private Sub UpdateADUsers(ByVal Ort As String)
    Dim OU As IADsContainer
    Dim GRP As IADsGroup
    Dim Memberlist As IADsMembers
    Dim Item, GRPMember As IADs
    Dim hostname, Zeichen, GruppenMitglied As String
    Dim Gruppe, Member As Variant

    ' Bind to the container and walk its child objects
    Set OU = GetObject("LDAP://" & Ort)

    For Each Item In OU
        If Item.Class = "group" Then
            Set GRP = GetObject("LDAP://" & Item.Name & ", " & Ort)
            Set Memberlist = GRP.Members
            For Each Member In Memberlist
                Debug.Print "Mitglied gefunden: " & Member & vbCrLf
            Next
        End If
    Next
    '(...)
End Sub



The problem is that "Memberlist" is always empty if I'm accessing a
group which groups computers, e.g. the group "Domain Computers" or "Domain
Controllers". If I run the above code step by step in Debug mode, I can
see that VB accesses the correct AD object successfully, which
proves to me that the access is generally working well. I can read the
members of a group with the above code if the members are users (e.g. group
"Domain Users"). But if the members are just computers, I get back an empty
list.
Any hints are welcome!
Thanks in advance!
Regards, T.
 
The problem is that an object's Primary Group, which is Domain Computers
for member computers, is NOT stored in the group object. Instead, the
PrimaryGroupID attribute on the object contains the RID of the primary
group, which is all well and good except there is no easy way to figure
out what the name of that group is (i.e. there is no RID-to-name lookup
function).

There are several ways to get around this, the easiest being to use the
WinNT provider instead of the LDAP:// provider. The WinNT provider
returns ALL of an object's security groups, including the Primary Group (but
it won't return non-security groups). The other is to go to
http://cwashington.netreach.net/ and search for 'primarygroup' where
you'll find a little script I wrote a couple of years ago that does the work
for you. It basically uses the WinNT provider to get a list of the
object's groups and then looks up the RID on each of them until it finds a
match.

Hope that helps,

Wayne Tilton
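
Added example, not code from this thread or from the script mentioned above: the primary-group relationship resolved offline in Python, by swapping the last sub-authority of an account's objectSid for its primaryGroupID and comparing the result with the group's SID. The DNs, the domain SID and the RIDs 1105/1106 are constructed sample values; 513 and 515 are the well-known RIDs of Domain Users and Domain Computers.

```python
import struct

def sid_to_str(raw):
    """Decode a binary objectSid value into its S-1-5-21-... string form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])      # 32-bit each, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def primary_group_sid(object_sid, primary_group_id):
    """Replace the account's own RID (last sub-authority) with primaryGroupID."""
    domain_sid, _own_rid = sid_to_str(object_sid).rsplit("-", 1)
    return "%s-%d" % (domain_sid, primary_group_id)

def full_membership(group_sid, member_dns, accounts):
    """The group's 'member' values plus every account whose primary group it is."""
    implicit = [a["dn"] for a in accounts
                if primary_group_sid(a["objectSid"], a["primaryGroupID"]) == group_sid]
    return sorted(set(member_dns) | set(implicit))

# --- Constructed sample data (not taken from a real directory) ---
def make_sid(*subs):
    """Build a binary SID under identifier authority 5 (NT Authority)."""
    return (bytes([1, len(subs)]) + (5).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

DOMAIN = (21, 1004336348, 1177238915, 682003330)
ACCOUNTS = [
    # Computer account: primaryGroupID 515, absent from the group's 'member' list
    {"dn": "CN=VMXPDEV,CN=Computers,DC=test1,DC=example",
     "objectSid": make_sid(*DOMAIN, 1105), "primaryGroupID": 515},
    # Ordinary user: primaryGroupID 513
    {"dn": "CN=Alice,CN=Users,DC=test1,DC=example",
     "objectSid": make_sid(*DOMAIN, 1106), "primaryGroupID": 513},
]
DOMAIN_COMPUTERS_SID = "S-1-5-21-1004336348-1177238915-682003330-515"

if __name__ == "__main__":
    # 'member' is empty for this group, matching what the LDAP code above returned
    print(full_membership(DOMAIN_COMPUTERS_SID, [], ACCOUNTS))
```

Comparing full SIDs rather than bare RIDs keeps accounts from another domain that happen to share a RID out of the result.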
 
Wayne,

thanks a lot for your answer.

But I still have problems:

I tried your code and modified it a bit to meet my needs. I don't just need
the groups of users, but also from the computers in a network. So this is
what I tried:

Public Function PrimaryGroup(ByVal theUser As String, ByVal Typ As String) As String
    Dim objUser
    Dim Group, aGroup, PrimaryGroupRID
    Set objUser = GetObject("WinNT://test1/vmxpdev,computer") 'Hardcoded during debugging
    PrimaryGroupRID = objUser.Get("PrimaryGroupID") ' always fails
    For Each Group In objUser.Groups
        aGroup = Group.Name
        If Rid(aGroup) = PrimaryGroupRID Then
            PrimaryGroup = aGroup
            Exit Function
        End If
    Next
    Set objUser = Nothing
End Function

The line
PrimaryGroupRID = objUser.Get("PrimaryGroupID") ' always fails
always causes a runtime error -2147463155 (Automation error), if the object
is a computer. It works well with users.

Any more hints?


A.
 
That's easy. The sAMAccountName (aka the NT4 name) of a Computer object
is the name of the computer with a $ appended. So, simply change:

Set objUser = GetObject("WinNT://test1/vmxpdev,computer")

to

Set objUser = GetObject("WinNT://test1/vmxpdev$,computer")


Wayne
 
I tried that already. If I do that I get the runtime error:
-2147024843 Automation error
 
Set objUser = GetObject("WinNT://test1/vmxpdev$,user")

The <name>$ entry is a 'user' account even though the 'user' is the
computer.
 
Yes!!! That's it!

Thanks a lot
 
