DESCRIPTION
This script sample demonstrates the following advanced group creation/provisioning scenario. After a group is created: - a corresponding local folder with the same name will be created on the predefined file server; - the group will get "full control" permissions to that folder; - a predefined set of accounts will be made members of the group.
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
'*********************************************************************************
Option Explicit
'---- customizable settings ----
' strServerName - file server whose WMI namespace onPostCreate connects to; the
'                 per-group folder is created and secured on this machine
' strLocalPath  - parent folder on that server; each new security group gets a
'                 sub-folder named after the group directly beneath it
' NOTE(review): the values below are sample placeholders - replace before use
Const strServerName = "SERVER1"
Const strLocalPath = "C:\Folder"
' Distinguished names written to the new group's "member" attribute by onPostCreate
Dim arrPredefinedMembers
arrPredefinedMembers = Array( _
"CN=John Smith,OU=Sales,DC=foocompany,DC=com", _
"CN=Samanta Fox,OU=HR,DC=foocompany,DC=com", _
"CN=Fox Mulder,OU=Research,DC=foocompany,DC=com", _
"CN=James Born,OU=Security,DC=foocompany,DC=com" )
'---- routines ----
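'-- Post-create handler. For a newly created SECURITY group: provision a folder
'   named after the group on strServerName, grant the group full control over
'   that folder, and set the predefined member list.
'   Request - host-supplied request object; only Request.Class is read here.
'   DirObj and ADS_GROUP_TYPE_SECURITY_ENABLED are supplied by the script host,
'   not defined in this file.
'   Raises a runtime error (Err.Raise) when the group name is not usable as a
'   folder name, or when folder creation / permission assignment returns a
'   non-zero code.
Sub onPostCreate(Request)
  '-- proceed for group objects only
  If (LCase(Request.Class) <> "group") Then Exit Sub
  Dim numGroupType, strGroupName, strGroupFolder
  DirObj.GetInfoEx Array("groupType", "name"), 0
  numGroupType = DirObj.Get("groupType")
  '-- proceed for SECURITY group object only
  If ((numGroupType And ADS_GROUP_TYPE_SECURITY_ENABLED) = 0) Then Exit Sub
  strGroupName = DirObj.Get("name")
  '-- the group name is used verbatim as a folder name under strLocalPath:
  '   accept only a single, well-formed path component so the folder cannot
  '   resolve outside strLocalPath (via a separator or "..")
  If (Not IsValidFolderName(strGroupName)) Then
    Err.Raise 1, "onPostCreate", "Group name is not usable as a folder name: " & strGroupName
    Exit Sub
  End If
  strGroupFolder = strLocalPath & "\" & strGroupName
  Dim objWMIService, nResult
  Dim objTrustee, objSecurityDescriptor
  '-- get WMI service on the desired server
  Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=impersonate}!" & _
    "\\" & strServerName & "\root\cimv2")
  '-- create a local folder with group name
  nResult = CreateLocalFolder(objWMIService, strGroupFolder)
  If (nResult <> 0) Then
    '-- Err.Raise(number, source, description): the message belongs in description
    Err.Raise 1, "onPostCreate", "Local folder creation error = " & nResult
    Exit Sub
  End If
  '-- create a trustee for the group
  Set objTrustee = CreateTrusteeForObject(objWMIService, DirObj)
  '-- create a FULL CONTROL security descriptor
  Set objSecurityDescriptor = CreateSecurityDescriptorForLocalFolder(objWMIService, objTrustee)
  '-- apply the descriptor to the group's own folder - not to the shared parent
  '   strLocalPath: the ACE is inheritable, so granting it on the parent would
  '   give this group full control over every other group's folder as well
  nResult = SetPermissionsToLocalFolder(objWMIService, strGroupFolder, objSecurityDescriptor)
  If (nResult <> 0) Then
    Err.Raise 1, "onPostCreate", "Local folder permissions applying error = " & nResult
    Exit Sub
  End If
  '-- Put replaces the whole "member" attribute with the predefined list
  DirObj.Put "member", arrPredefinedMembers
  DirObj.SetInfo
End Sub

'-- IsValidFolderName - True when strName can serve as a single folder name:
'   non-empty, not "." or "..", no control characters and none of the
'   characters Windows forbids in a file name (\ / : * ? " < > |).
'   NOTE(review): trailing dots/spaces and reserved device names (CON, NUL, ...)
'   are not checked here.
Function IsValidFolderName(ByVal strName)
  Dim i, ch
  IsValidFolderName = False
  If (Len(strName) = 0) Then Exit Function
  If ((strName = ".") Or (strName = "..")) Then Exit Function
  For i = 1 To Len(strName)
    ch = Mid(strName, i, 1)
    If (AscW(ch) < 32) Then Exit Function
    If (InStr("\/:*?""<>|", ch) > 0) Then Exit Function
  Next
  IsValidFolderName = True
End Function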
'******************************************************************
' CreateLocalFolder - creates a new local folder
' ----------
' objWMIService - WMI service instance
' strLocalPath - path to local folder, for ex.: "C:\MyFolder"
' ----------
' return value - Error code. 0 for OK
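Function CreateLocalFolder(ByRef objWMIService, ByVal strLocalPath)
  '** seconds to wait for the remote "md" process to exit before giving up
  Const nWaitTimeoutSec = 60
  '** Win32_Process.Create reports "Invalid parameter" as 21; reused for a rejected path
  Const nErrInvalidParameter = 21
  '** returned when the created process has not exited within nWaitTimeoutSec
  Const nErrWaitTimeout = -1
  Dim objProcess, nProcessId, nResult, dtStart
  ' --- the path is placed on a cmd.exe command line: it is surrounded by double
  '     quotes (spaces and cmd operators then stay literal) and any character that
  '     quoting does not neutralise, or that cannot appear in a Windows path, is rejected
  If (Not IsCommandSafePath(strLocalPath)) Then
    CreateLocalFolder = nErrInvalidParameter
    Exit Function
  End If
  Set objProcess = objWMIService.Get("Win32_Process")
  ' --- try to start a process for a folder creation
  nResult = objProcess.Create("cmd.exe /c md """ & strLocalPath & """", Null, Null, nProcessId)
  If (nResult <> 0) Then
    CreateLocalFolder = nResult
    Exit Function
  End If
  ' --- wait for the process to disappear; the wait is bounded so a hung process
  '     cannot stall the handler indefinitely
  Dim arrItems, objItem, boolFound
  dtStart = Now()
  Do While (True)
    Set arrItems = objWMIService.ExecQuery("SELECT * FROM Win32_Process WHERE ProcessId=" & nProcessId)
    boolFound = False
    For Each objItem In arrItems
      boolFound = True
      Exit For
    Next
    If (Not boolFound) Then Exit Do
    If (DateDiff("s", dtStart, Now()) > nWaitTimeoutSec) Then
      CreateLocalFolder = nErrWaitTimeout
      Exit Function
    End If
  Loop
  ' --- NOTE(review): the exit code of "md" is not observed; a pre-existing folder
  '     or a failed "md" still yields 0 here - check the folder exists if that matters
  CreateLocalFolder = 0
End Function

' --- IsCommandSafePath - True when strPath can be placed between double quotes
'     on a cmd.exe command line without being reinterpreted: no double quote,
'     no percent sign (environment-variable expansion happens even inside
'     quotes), no control characters, and none of * ? < > | which are invalid
'     in a Windows path anyway. Drive colon and backslash separators are allowed.
Function IsCommandSafePath(ByVal strPath)
  Dim i, ch
  IsCommandSafePath = False
  If (Len(strPath) = 0) Then Exit Function
  For i = 1 To Len(strPath)
    ch = Mid(strPath, i, 1)
    If (AscW(ch) < 32) Then Exit Function
    If (InStr("""%*?<>|", ch) > 0) Then Exit Function
  Next
  IsCommandSafePath = True
End Function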
'******************************************************************
' SetPermissionsToLocalFolder - sets permissions on a local folder
' ----------
' objWMIService - WMI service instance
' strLocalPath - path to local folder, for ex.: "C:\MyFolder"
' objSecurityDescriptor - Win32_SecurityDescriptor WMI object with permissions
' ----------
' return value - Error code. 0 for OK
Function SetPermissionsToLocalFolder(ByRef objWMIService, _
  ByVal strLocalPath, ByRef objSecurityDescriptor)
  ' Bind to the NTFS security setting of strLocalPath and install the supplied
  ' descriptor on it. The result is the code returned by SetSecurityDescriptor
  ' (0 = success). This routine does not read or merge the folder's existing
  ' descriptor - whatever is passed in is what gets applied.
  ' NOTE(review): strLocalPath is embedded unescaped in a WMI object path; a
  ' single quote in the path would break the binding - callers are expected to
  ' pass a plain, already-validated path.
  Dim strSecuritySettingPath, objSecuritySetting
  strSecuritySettingPath = "Win32_LogicalFileSecuritySetting='" & strLocalPath & "'"
  Set objSecuritySetting = objWMIService.Get(strSecuritySettingPath)
  SetPermissionsToLocalFolder = objSecuritySetting.SetSecurityDescriptor(objSecurityDescriptor)
End Function
'******************************************************************
' CreateSecurityDescriptorForLocalFolder - creates a security descriptor
' for local NTFS folder and trustee
' ----------
' objWMIService - WMI service instance
' objTrustee - trustee
' ----------
' return value - created security descriptor
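Function CreateSecurityDescriptorForLocalFolder (ByRef objWMIService, ByRef objTrustee)
  '** Win32_SecurityDescriptor.ControlFlags bits (SDK names SE_DACL_PRESENT, SE_DACL_AUTO_INHERITED)
  Const nCtrlDaclPresent = 4
  Const nCtrlDaclAutoInherited = 1024
  '** Win32_Ace values: FILE_ALL_ACCESS mask (0x1F01FF), OBJECT_INHERIT_ACE |
  '   CONTAINER_INHERIT_ACE flags, ACCESS_ALLOWED_ACE_TYPE
  Const nMaskFileAllAccess = 2032127
  Const nAceFlagsInheritAll = 3
  Const nAceTypeAllowed = 0
  ' Build a descriptor whose DACL consists of exactly one ACE: objTrustee gets
  ' full control, inherited by sub-folders and files. Nobody else is named in
  ' this DACL; NOTE(review): whether administrators keep access after it is
  ' applied depends on what the parent folder propagates (SE_DACL_PROTECTED is
  ' not set here) - confirm on the target server.
  Dim objSecDescriptor
  Set objSecDescriptor = objWMIService.Get("Win32_SecurityDescriptor").SpawnInstance_()
  objSecDescriptor.Properties_.Item("ControlFlags") = nCtrlDaclPresent + nCtrlDaclAutoInherited
  objSecDescriptor.Properties_.Item("DACL") = Array(CreateACE(objWMIService, objTrustee, _
    nMaskFileAllAccess, nAceFlagsInheritAll, nAceTypeAllowed))
  Set CreateSecurityDescriptorForLocalFolder = objSecDescriptor
End Function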
'******************************************************************
' CreateACE - creates a Win32_Ace instance with desired access
' ----------
Function CreateACE (ByRef objWMIService, ByRef objTrustee, _
  ByVal nAccessMask, ByVal nAceFlags, ByVal nAceType)
  ' Spawn a Win32_Ace for objTrustee with the given mask, flags and type.
  ' When objTrustee is not an object the function returns Empty (not Nothing),
  ' which a caller will only notice once the value is used.
  If (Not IsObject(objTrustee)) Then Exit Function
  Dim objNewAce
  Set objNewAce = objWMIService.Get("Win32_Ace").SpawnInstance_()
  With objNewAce.Properties_
    .Item("AccessMask") = nAccessMask
    .Item("AceFlags") = nAceFlags
    .Item("AceType") = nAceType
    .Item("Trustee") = objTrustee
  End With
  Set CreateACE = objNewAce
End Function
'******************************************************************
' CreateTrusteeForObject - creates a Win32_Trustee instance from AD object
' ----------
Function CreateTrusteeForObject (ByRef objWMIService, ByRef objObject)
  ' Build a Win32_Trustee describing the directory object objObject: domain,
  ' account name and SID are read from the object after an explicit GetInfoEx.
  ' Returns Empty (not Nothing) when objObject is not an object; a caller
  ' assigning the result with Set will then fail.
  ' NOTE(review): edsaDomainNetbiosName is not a native AD attribute and is
  ' presumably provided by the script host - confirm it is available where this runs.
  If (Not IsObject(objObject)) Then Exit Function
  Dim objNewTrustee
  Call objObject.GetInfoEx(Array("edsaDomainNetbiosName", "sAMAccountName", "objectSid"), 0)
  Set objNewTrustee = objWMIService.Get("Win32_Trustee").SpawnInstance_()
  With objNewTrustee
    .Domain = objObject.Get("edsaDomainNetbiosName")
    .Name = objObject.Get("sAMAccountName")
    .Properties_.Item("SID") = objObject.Get("objectSid")
  End With
  Set CreateTrusteeForObject = objNewTrustee
End Function
'***** END OF CODE ***************************************************************