Gmail Calendar Documents Reader Web more »
Recently Visited Groups | Help | Sign in
Google Groups Home
microsoft.public.scripting.vbscript
+ new post
About this group
Subscribe to this group
This is a Usenet group - learn more
Message from discussion Set AD Computer Member Of attribute using the computer object
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 
From:
To:
Cc:
Followup To:
Add Cc | Add Followup-to | Edit Subject
Subject:
Validation:
For verification purposes please type the characters you see in the picture below or the numbers you hear by clicking the accessibility icon. Listen and type the numbers you hear
 
Nick  
View profile  
 More options Oct 29 2009, 4:16 am
Newsgroups: microsoft.public.scripting.vbscript
From: Nick <nick.huny...@gmail.com>
Date: Wed, 28 Oct 2009 21:16:18 -0700 (PDT)
Local: Thurs, Oct 29 2009 4:16 am
Subject: Re: Set AD Computer Member Of attribute using the computer object
Forward | Print | View thread | Show original | Report this message | Find messages by this author
Richard, you are the man I have been wanting to hear from the entire
time that I have been researching this. If I ever need anything
related to scripting and Active Directory I look to your wisdom. So,
on that note, thank you!

My concern is pretty pointless in some senses because a solid solution
would negate those same concerns all together. We just have several
people who are a little iffy about modifying our group memberships
automagically. The main concern we have is attaching to a group with
thousands of members and removing only specific ones while leaving the
group in tact.  Without getting to much into detail we use group
memberships as the "link"/security filtering to a GPO then attach this
to a server.

So, in your opinion, this is going to be my best option? I can do the
other portions you describe with making it able to take bulk member
names and most likely implement the name translation (love that
feature!) you mentioned. I have about 1000 servers left that I need to
change their group memberships. While several other groups will be
doing the same thing to a few thousand other servers leaving probably
several hundred to another thousand servers in the groups to be
modified (yes, we have that many servers as a member of at least one
of these groups). I am on the hook for creating a solid solution to
this effort.

I have used your code in the past to do this type of work on various
objects and have learned greatly from your experience and knowledge.
Again, I really appreciate you taking the time to look at this post.

Nick H.

On Oct 28, 8:57 am, "Richard Mueller [MVP]" <rlmueller-

nos...@ameritech.nospam.net> wrote:
> "Nick" <nick.huny...@gmail.com> wrote in message

> news:70eee61e-9278-4e8b-b05a-e5843da0eba9@j9g2000prh.googlegroups.com...

> > Hello fellow Scripters,

> > To start, VBScript or Powershell will do. I am looking at the Qwest
> > cmdlets for AD but I have similar results as with Vbscript.

> > I need to change the "Member of" tab group memberships on a couple
> > thousand servers, not necassarily all at once, but you see the need
> > for an automated solution. Every solution I have found is to work with
> > the group and add/delete the server from there. I do not prefer this
> > method as there could be thousands of other servers in that group and
> > to edit its membership, well worries me, to say the least. I know with
> > a solid solution it would work just fine in this manner, but making a
> > mistake of that caliber is a job delimiting decision.

> > Every attempt to script this task results in the following error in
> > both VBScript and PS:

> > The server is unwilling to process the request.

> > Using Qwests AD cmdlets, here is the syntax I have worked up:

> > Get-QADComputer server1| Set-QADObject -objectAttributes {@
> > {MemberOf="CN=blah blah,OU=blah,OU=blah,OU=blah,OU=blah,OU=blah,DC=
> > blah,DC= blah,DC= blah,DC= blah "}}

> > In VBScript:

> > objComputer.PutEx ADS_PROPERTY_APPEND, "memberof", Array("CN=blah
> > blah,OU=blah,OU=blah,OU=blah,OU=blah,OU=blah,DC= blah,DC= blah,DC=
> > blah,DC= blah ")

> > Any thoughts?

> The member attribute of group objects and the memberOf attribute of user
> objects are linked. Member is the forward link attribute and memberOf is the
> back link attribute. You cannot modify back link attributes directly. The
> value of back link attributes are not actually saved with the object, but
> instead refer to the forward link attribute. See this link:

> http://msdn.microsoft.com/en-us/library/ms677270(VS.85).aspx

> Also, quoting from this link:http://technet.microsoft.com/en-us/library/cc773309(WS.10).aspx
> -----------
> As an option, a back link can be defined on a target object (for example,
> the memberOf attribute on the user object). A back-link attribute should be
> created as a multi-valued attribute, and it cannot exist without a
> corresponding forward link. The back-link attribute cannot be updated
> directly. Instead, it is automatically calculated when it is queried, based
> on the corresponding forward link. A back-link value on any instance of an
> object consists of the distinguished names of all source objects that have
> the target object's distinguished name in their corresponding forward link.
> ------------
> I don't understand your concern with modifying the member attribute of the
> group.

> In VBScript I would bind to the group object, then use the IsMember method
> to check if the prospective member is already a member, then if not use the
> Add method to add the new member. I don't like dealing with the
> member/memberOf attributes directly when modifying membership, but instead
> rely on the methods of the group object designed for this purpose. I like to
> bind to the prospective member object to make sure it exists, then use the
> ADsPath property of the object in the IsMember and Add methods. For example:
> =============
> Option Explicit
> Dim objGroup, objMember, strMemberDN

> ' Bind to group object.
> Set objGroup = GetObject("LDAP://cn=My Group,ou=West,dc=MyDomain,dc=com")

> ' Specify Distinguishd Name of prospective member.
> strMemberDN = "cn=MyObject,ou=East,dc=MyDomain,dc=com"

> ' Bind to prospective member object. Trap error if it does not exist.
> On Error Resume Next
> Set objMember = GetObject("LDAP://" & strMemberDN)
> If (Err.Number <> 0) Then
>     Wscript.Echo "Error #: " & Err.Number
>     Wscript.Echo "Description: " & Err.Description
>     Wscript.Quit
> End If
> On Error GoTo 0

> ' Check for membership.
> If (objGroup.IsMember(objMember.ADsPath) = False) Then
>     ' Add new member.
>     objGroup.Add(objMember.ADsPath)
>     Wscript.Echo objMember.Name & " added to group " & objGroup.Name
> Else
>     Wscript.Echo objMember.Name & " already a member of group " &
> objGroup.Name
> End If
> ========
> Code can be designed to do this in bulk, perhaps reading prospective member
> names from a text file or spreadsheet. You can also read NetBIOS names of
> servers from the text file or spreadsheet, and use the NameTranslate object
> to convert to the Distinguished Name.

> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab -http://www.rlmueller.net
> --


    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2010 Google