DevX Home    Today's Headlines   Articles Archive   Tip Bank   Forums   

Results 1 to 8 of 8

Thread: Determining user's NT Groups

  1. #1
    DCarter Guest

    Determining user's NT Groups


    Through VB code or ASP code is there a way to determine the NT Groups that
    a user belongs to?

  2. #2
    Michael Howard Guest

    Re: Determining user's NT Groups


    sure you can use ADSI - but we aware that you may need certain privs/rights
    to achieve this. the following code is from my book:

    strComputer = "MyServer" ' Use '.' for the local computer.
    Set oComp = GetObject("WinNT://" & strComputer & ",computer")
    oComp.Filter = Array("group")

    For Each group In oComp
    WScript.echo group.Name
    iCount = 0
    For Each member in group.members
    WScript.echo " " & member.Name
    iCount = iCount + 1
    Next
    If iCount = 0 Then WScript.echo " <none>"
    Next

    what are you trying to achieve?

    "DCarter" <daniel.carter@anhesuer-busch.com> wrote:
    >
    >Through VB code or ASP code is there a way to determine the NT Groups that
    >a user belongs to?



  3. #3
    DCarter Guest

    Re: Determining user's NT Groups


    This returns the groups and users for a particular machine, how about the
    users in a Domain group? We are wanting to create domain groups (not sure
    if that is the right nomenclature) and use them as the security groups we
    check for access to a pages on a local intranet.

    The idea is instead of having to maintain users, groups and security settings
    in a database indicating who has access to what pages; we use NT domain groups.
    Then, using NT Challenge Response, we can check to see if the user hitting
    a page is in the NT domain group that has rights to this page, if not then
    send them back to their previous page or show a "nice" access denied page.
    Our users are scattered throughout the US and we would like the local IS
    groups to add the proper users to the groups, so we don't have to maintain
    the large user-rights list.


    "Michael Howard" <mikehow@microsoft.com> wrote:
    >
    >sure you can use ADSI - but we aware that you may need certain privs/rights
    >to achieve this. the following code is from my book:
    >
    >strComputer = "MyServer" ' Use '.' for the local computer.
    >Set oComp = GetObject("WinNT://" & strComputer & ",computer")
    >oComp.Filter = Array("group")
    >
    >For Each group In oComp
    > WScript.echo group.Name
    > iCount = 0
    > For Each member in group.members
    > WScript.echo " " & member.Name
    > iCount = iCount + 1
    > Next
    > If iCount = 0 Then WScript.echo " <none>"
    >Next
    >
    >what are you trying to achieve?
    >
    >"DCarter" <daniel.carter@anhesuer-busch.com> wrote:
    >>
    >>Through VB code or ASP code is there a way to determine the NT Groups that
    >>a user belongs to?

    >



  4. #4
    Eli Allen Guest

    Re: Determining user's NT Groups

    From: http://www.windows-script.com/
    <quotedStuff>
    How do I detect what groups a user belongs to?

    dsRoot = "WinNT://domain/userid"
    set wshShell = Wscript.CreateObject("Wscript.Shell")
    set dsObj = GetObject(dsRoot)
    For Each Prop In dsobj.groups
    wshshell.popup Prop.Name
    Next 'Prop
    </quotedStuff>

    That should do it.
    --
    Eli Allen
    eallen@bcpl.net



    "DCarter" <daniel.carter@anhesuer-busch.com> wrote in message
    news:3a9e60ba$1@news.devx.com...
    >
    > This returns the groups and users for a particular machine, how about the
    > users in a Domain group? We are wanting to create domain groups (not sure
    > if that is the right nomenclature) and use them as the security groups we
    > check for access to a pages on a local intranet.
    >
    > The idea is instead of having to maintain users, groups and security

    settings
    > in a database indicating who has access to what pages; we use NT domain

    groups.
    > Then, using NT Challenge Response, we can check to see if the user

    hitting
    > a page is in the NT domain group that has rights to this page, if not then
    > send them back to their previous page or show a "nice" access denied page.
    > Our users are scattered throughout the US and we would like the local IS
    > groups to add the proper users to the groups, so we don't have to maintain
    > the large user-rights list.
    >
    >
    > "Michael Howard" <mikehow@microsoft.com> wrote:
    > >
    > >sure you can use ADSI - but we aware that you may need certain

    privs/rights
    > >to achieve this. the following code is from my book:
    > >
    > >strComputer = "MyServer" ' Use '.' for the local computer.
    > >Set oComp = GetObject("WinNT://" & strComputer & ",computer")
    > >oComp.Filter = Array("group")
    > >
    > >For Each group In oComp
    > > WScript.echo group.Name
    > > iCount = 0
    > > For Each member in group.members
    > > WScript.echo " " & member.Name
    > > iCount = iCount + 1
    > > Next
    > > If iCount = 0 Then WScript.echo " <none>"
    > >Next
    > >
    > >what are you trying to achieve?
    > >
    > >"DCarter" <daniel.carter@anhesuer-busch.com> wrote:
    > >>
    > >>Through VB code or ASP code is there a way to determine the NT Groups

    that
    > >>a user belongs to?

    > >

    >




  5. #5
    Michael Howard Guest

    Re: Determining user's NT Groups


    actually, it's not QUITE as simple as all this - as this code does not take
    into consideration any restricting SIDs in the user's token. if this is NT4,
    then that's ok - there's no such thing as restricting SIDs in NT4, but on
    Win2000 it can be problematic. there's an api in WIn2000 you can call named
    CheckGroupMembership() that will do the work for you.


    "Eli Allen" <eallen@bcpl.net> wrote:
    >From: http://www.windows-script.com/
    ><quotedStuff>
    >How do I detect what groups a user belongs to?
    >
    >dsRoot = "WinNT://domain/userid"
    >set wshShell = Wscript.CreateObject("Wscript.Shell")
    >set dsObj = GetObject(dsRoot)
    >For Each Prop In dsobj.groups
    > wshshell.popup Prop.Name
    >Next 'Prop
    ></quotedStuff>
    >
    >That should do it.
    >--
    >Eli Allen
    >eallen@bcpl.net
    >
    >
    >
    >"DCarter" <daniel.carter@anhesuer-busch.com> wrote in message
    >news:3a9e60ba$1@news.devx.com...
    >>
    >> This returns the groups and users for a particular machine, how about

    the
    >> users in a Domain group? We are wanting to create domain groups (not

    sure
    >> if that is the right nomenclature) and use them as the security groups

    we
    >> check for access to a pages on a local intranet.
    >>
    >> The idea is instead of having to maintain users, groups and security

    >settings
    >> in a database indicating who has access to what pages; we use NT domain

    >groups.
    >> Then, using NT Challenge Response, we can check to see if the user

    >hitting
    >> a page is in the NT domain group that has rights to this page, if not

    then
    >> send them back to their previous page or show a "nice" access denied page.
    >> Our users are scattered throughout the US and we would like the local

    IS
    >> groups to add the proper users to the groups, so we don't have to maintain
    >> the large user-rights list.
    >>
    >>
    >> "Michael Howard" <mikehow@microsoft.com> wrote:
    >> >
    >> >sure you can use ADSI - but we aware that you may need certain

    >privs/rights
    >> >to achieve this. the following code is from my book:
    >> >
    >> >strComputer = "MyServer" ' Use '.' for the local computer.
    >> >Set oComp = GetObject("WinNT://" & strComputer & ",computer")
    >> >oComp.Filter = Array("group")
    >> >
    >> >For Each group In oComp
    >> > WScript.echo group.Name
    >> > iCount = 0
    >> > For Each member in group.members
    >> > WScript.echo " " & member.Name
    >> > iCount = iCount + 1
    >> > Next
    >> > If iCount = 0 Then WScript.echo " <none>"
    >> >Next
    >> >
    >> >what are you trying to achieve?
    >> >
    >> >"DCarter" <daniel.carter@anhesuer-busch.com> wrote:
    >> >>
    >> >>Through VB code or ASP code is there a way to determine the NT Groups

    >that
    >> >>a user belongs to?
    >> >

    >>

    >
    >



  6. #6
    Eli Allen Guest

    Re: Determining user's NT Groups

    You can set a restriction to prevent someone from being in a workgroup? So
    if Workgroup A contains a smaller workgroup B and user C is in workgroup B
    you can keep them out of workgroup A? But if that was true should ADSI be
    able to tell the actual workgroups a member is part of?

    Or are you referring to something else he was talking about? It sounds like
    he just wants very basic ACLs set at the workgroup level and the users just
    exist in a workgroup without any special privileges.
    --
    Eli Allen
    eallen@bcpl.net

    "Michael Howard" <mikehow@microsoft.com> wrote in message
    news:3aa02c02$1@news.devx.com...
    >
    > actually, it's not QUITE as simple as all this - as this code does not

    take
    > into consideration any restricting SIDs in the user's token. if this is

    NT4,
    > then that's ok - there's no such thing as restricting SIDs in NT4, but on
    > Win2000 it can be problematic. there's an api in WIn2000 you can call

    named
    > CheckGroupMembership() that will do the work for you.
    >
    >
    > "Eli Allen" <eallen@bcpl.net> wrote:
    > >From: http://www.windows-script.com/
    > ><quotedStuff>
    > >How do I detect what groups a user belongs to?
    > >
    > >dsRoot = "WinNT://domain/userid"
    > >set wshShell = Wscript.CreateObject("Wscript.Shell")
    > >set dsObj = GetObject(dsRoot)
    > >For Each Prop In dsobj.groups
    > > wshshell.popup Prop.Name
    > >Next 'Prop
    > ></quotedStuff>
    > >
    > >That should do it.
    > >--
    > >Eli Allen
    > >eallen@bcpl.net
    > >
    > >
    > >
    > >"DCarter" <daniel.carter@anhesuer-busch.com> wrote in message
    > >news:3a9e60ba$1@news.devx.com...
    > >>
    > >> This returns the groups and users for a particular machine, how about

    > the
    > >> users in a Domain group? We are wanting to create domain groups (not

    > sure
    > >> if that is the right nomenclature) and use them as the security groups

    > we
    > >> check for access to a pages on a local intranet.
    > >>
    > >> The idea is instead of having to maintain users, groups and security

    > >settings
    > >> in a database indicating who has access to what pages; we use NT domain

    > >groups.
    > >> Then, using NT Challenge Response, we can check to see if the user

    > >hitting
    > >> a page is in the NT domain group that has rights to this page, if not

    > then
    > >> send them back to their previous page or show a "nice" access denied

    page.
    > >> Our users are scattered throughout the US and we would like the local

    > IS
    > >> groups to add the proper users to the groups, so we don't have to

    maintain
    > >> the large user-rights list.
    > >>
    > >>
    > >> "Michael Howard" <mikehow@microsoft.com> wrote:
    > >> >
    > >> >sure you can use ADSI - but we aware that you may need certain

    > >privs/rights
    > >> >to achieve this. the following code is from my book:
    > >> >
    > >> >strComputer = "MyServer" ' Use '.' for the local computer.
    > >> >Set oComp = GetObject("WinNT://" & strComputer & ",computer")
    > >> >oComp.Filter = Array("group")
    > >> >
    > >> >For Each group In oComp
    > >> > WScript.echo group.Name
    > >> > iCount = 0
    > >> > For Each member in group.members
    > >> > WScript.echo " " & member.Name
    > >> > iCount = iCount + 1
    > >> > Next
    > >> > If iCount = 0 Then WScript.echo " <none>"
    > >> >Next
    > >> >
    > >> >what are you trying to achieve?
    > >> >
    > >> >"DCarter" <daniel.carter@anhesuer-busch.com> wrote:
    > >> >>
    > >> >>Through VB code or ASP code is there a way to determine the NT Groups

    > >that
    > >> >>a user belongs to?
    > >> >
    > >>

    > >
    > >

    >




  7. #7
    Michael Howard Guest

    Re: Determining user's NT Groups


    the problem is - you may be in group A, however, you may also have a restricting
    sid which resicts A on acl checks. while the user is STILL a member of A,
    ACL checks may behave differently owing the restricted SID.


    "Eli Allen" <eallen@bcpl.net> wrote:
    >You can set a restriction to prevent someone from being in a workgroup?

    So
    >if Workgroup A contains a smaller workgroup B and user C is in workgroup

    B
    >you can keep them out of workgroup A? But if that was true should ADSI

    be
    >able to tell the actual workgroups a member is part of?
    >
    >Or are you referring to something else he was talking about? It sounds

    like
    >he just wants very basic ACLs set at the workgroup level and the users just
    >exist in a workgroup without any special privileges.
    >--
    >Eli Allen
    >eallen@bcpl.net
    >
    >"Michael Howard" <mikehow@microsoft.com> wrote in message
    >news:3aa02c02$1@news.devx.com...
    >>
    >> actually, it's not QUITE as simple as all this - as this code does not

    >take
    >> into consideration any restricting SIDs in the user's token. if this is

    >NT4,
    >> then that's ok - there's no such thing as restricting SIDs in NT4, but

    on
    >> Win2000 it can be problematic. there's an api in WIn2000 you can call

    >named
    >> CheckGroupMembership() that will do the work for you.
    >>
    >>
    >> "Eli Allen" <eallen@bcpl.net> wrote:
    >> >From: http://www.windows-script.com/
    >> ><quotedStuff>
    >> >How do I detect what groups a user belongs to?
    >> >
    >> >dsRoot = "WinNT://domain/userid"
    >> >set wshShell = Wscript.CreateObject("Wscript.Shell")
    >> >set dsObj = GetObject(dsRoot)
    >> >For Each Prop In dsobj.groups
    >> > wshshell.popup Prop.Name
    >> >Next 'Prop
    >> ></quotedStuff>
    >> >
    >> >That should do it.
    >> >--
    >> >Eli Allen
    >> >eallen@bcpl.net
    >> >
    >> >
    >> >
    >> >"DCarter" <daniel.carter@anhesuer-busch.com> wrote in message
    >> >news:3a9e60ba$1@news.devx.com...
    >> >>
    >> >> This returns the groups and users for a particular machine, how about

    >> the
    >> >> users in a Domain group? We are wanting to create domain groups (not

    >> sure
    >> >> if that is the right nomenclature) and use them as the security groups

    >> we
    >> >> check for access to a pages on a local intranet.
    >> >>
    >> >> The idea is instead of having to maintain users, groups and security
    >> >settings
    >> >> in a database indicating who has access to what pages; we use NT domain
    >> >groups.
    >> >> Then, using NT Challenge Response, we can check to see if the user
    >> >hitting
    >> >> a page is in the NT domain group that has rights to this page, if not

    >> then
    >> >> send them back to their previous page or show a "nice" access denied

    >page.
    >> >> Our users are scattered throughout the US and we would like the local

    >> IS
    >> >> groups to add the proper users to the groups, so we don't have to

    >maintain
    >> >> the large user-rights list.
    >> >>
    >> >>
    >> >> "Michael Howard" <mikehow@microsoft.com> wrote:
    >> >> >
    >> >> >sure you can use ADSI - but we aware that you may need certain
    >> >privs/rights
    >> >> >to achieve this. the following code is from my book:
    >> >> >
    >> >> >strComputer = "MyServer" ' Use '.' for the local computer.
    >> >> >Set oComp = GetObject("WinNT://" & strComputer & ",computer")
    >> >> >oComp.Filter = Array("group")
    >> >> >
    >> >> >For Each group In oComp
    >> >> > WScript.echo group.Name
    >> >> > iCount = 0
    >> >> > For Each member in group.members
    >> >> > WScript.echo " " & member.Name
    >> >> > iCount = iCount + 1
    >> >> > Next
    >> >> > If iCount = 0 Then WScript.echo " <none>"
    >> >> >Next
    >> >> >
    >> >> >what are you trying to achieve?
    >> >> >
    >> >> >"DCarter" <daniel.carter@anhesuer-busch.com> wrote:
    >> >> >>
    >> >> >>Through VB code or ASP code is there a way to determine the NT Groups
    >> >that
    >> >> >>a user belongs to?
    >> >> >
    >> >>
    >> >
    >> >

    >>

    >
    >



  8. #8
    DCarter Guest

    Re: Determining user's NT Groups


    Thanks! This is what I was looking for

    "Eli Allen" <eallen@bcpl.net> wrote:
    >From: http://www.windows-script.com/
    ><quotedStuff>
    >How do I detect what groups a user belongs to?
    >
    >dsRoot = "WinNT://domain/userid"
    >set wshShell = Wscript.CreateObject("Wscript.Shell")
    >set dsObj = GetObject(dsRoot)
    >For Each Prop In dsobj.groups
    > wshshell.popup Prop.Name
    >Next 'Prop
    ></quotedStuff>
    >
    >That should do it.
    >--
    >Eli Allen
    >eallen@bcpl.net
    >
    >
    >
    >"DCarter" <daniel.carter@anhesuer-busch.com> wrote in message
    >news:3a9e60ba$1@news.devx.com...
    >>
    >> This returns the groups and users for a particular machine, how about

    the
    >> users in a Domain group? We are wanting to create domain groups (not

    sure
    >> if that is the right nomenclature) and use them as the security groups

    we
    >> check for access to a pages on a local intranet.
    >>
    >> The idea is instead of having to maintain users, groups and security

    >settings
    >> in a database indicating who has access to what pages; we use NT domain

    >groups.
    >> Then, using NT Challenge Response, we can check to see if the user

    >hitting
    >> a page is in the NT domain group that has rights to this page, if not

    then
    >> send them back to their previous page or show a "nice" access denied page.
    >> Our users are scattered throughout the US and we would like the local

    IS
    >> groups to add the proper users to the groups, so we don't have to maintain
    >> the large user-rights list.
    >>
    >>
    >> "Michael Howard" <mikehow@microsoft.com> wrote:
    >> >
    >> >sure you can use ADSI - but we aware that you may need certain

    >privs/rights
    >> >to achieve this. the following code is from my book:
    >> >
    >> >strComputer = "MyServer" ' Use '.' for the local computer.
    >> >Set oComp = GetObject("WinNT://" & strComputer & ",computer")
    >> >oComp.Filter = Array("group")
    >> >
    >> >For Each group In oComp
    >> > WScript.echo group.Name
    >> > iCount = 0
    >> > For Each member in group.members
    >> > WScript.echo " " & member.Name
    >> > iCount = iCount + 1
    >> > Next
    >> > If iCount = 0 Then WScript.echo " <none>"
    >> >Next
    >> >
    >> >what are you trying to achieve?
    >> >
    >> >"DCarter" <daniel.carter@anhesuer-busch.com> wrote:
    >> >>
    >> >>Through VB code or ASP code is there a way to determine the NT Groups

    >that
    >> >>a user belongs to?
    >> >

    >>

    >
    >



Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center
 
 
FAQ
Latest Articles
Java
.NET
XML
Database
Enterprise
Questions? Contact us.
C++
Web Development
Wireless
Latest Tips
Open Source


   Development Centers

   -- Android Development Center
   -- Cloud Development Project Center
   -- HTML5 Development Center
   -- Windows Mobile Development Center