You are currently reviewing an older revision of this page.


Advanced group creation/provision

Back to Group management

DESCRIPTION

This script sample demonstrates the following advanced group creation/provision scenario. After a security group is created:
- a local folder with the same name as the group is created on a predefined file server;
- the group is granted Full Control permissions on that folder;
- a predefined set of accounts is added as members of the group.

This script sample shares some common parts with the script sample from the ARS Script Policy Best Practices.


Note: This code may use functions from the ARS Script Policy Best Practices. Please follow the link to obtain instructions and code for those functions.


SCRIPT

 

'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT QUEST PROFESSIONAL SERVICES.
'*********************************************************************************
'
' This code is published on the ActiveRoles Script Center:
' http://communities.quest.com/docs/DOC-9991
'
' This code may use functions from the ARS Script Policy Best Practices:
' http://communities.quest.com/docs/DOC-10016
'
' Please, follow the link to obtain instructions and code for those functions.
'*********************************************************************************
Option Explicit

'---- customizable settings ----
Const strServerName = "SERVER1"
Const strLocalPath = "C:\Folder"

Dim arrPredefinedMembers
arrPredefinedMembers = Array( _
    "CN=John Smith,OU=Sales,DC=foocompany,DC=com", _
    "CN=Samanta Fox,OU=HR,DC=foocompany,DC=com", _
    "CN=Fox Mulder,OU=Research,DC=foocompany,DC=com", _
    "CN=James Born,OU=Security,DC=foocompany,DC=com" )

'---- constants ----
' ADSI enumeration values are not visible to VBScript by name, so declare
' the one used below (ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000).
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000

'---- routines ----
Sub onPostCreate(Request)
    '-- proceed for group objects only
    If (LCase(Request.Class) <> "group") Then Exit Sub

    Dim numGroupType, strGroupName
    DirObj.GetInfoEx Array("groupType", "name"), 0
    numGroupType = DirObj.Get("groupType")

    '-- proceed for SECURITY group objects only
    If ((numGroupType And ADS_GROUP_TYPE_SECURITY_ENABLED) = 0) Then Exit Sub

    strGroupName = DirObj.Get("name")

    '-- the group name becomes part of a cmd.exe command line and of a WMI
    '-- object path, so refuse names containing quote characters
    If (InStr(strGroupName, """") > 0) Or (InStr(strGroupName, "'") > 0) Then
        Err.Raise 1, "onPostCreate", "Group name cannot be used as a folder name: " & strGroupName
    End If

    Dim objWMIService, nResult, strNewFolder
    Dim objTrustee, objSecurityDescriptor

    '-- get WMI service on the desired server
    Set objWMIService = GetObject("winmgmts:" & _
        "{impersonationLevel=impersonate}!" & _
        "\\" & strServerName & "\root\cimv2")

    '-- create a local folder named after the group
    strNewFolder = strLocalPath & "\" & strGroupName
    nResult = CreateLocalFolder(objWMIService, strNewFolder)
    If (nResult <> 0) Then
        Err.Raise 1, "onPostCreate", "Local folder creation error = " & nResult
    End If

    '-- create a trustee for the group
    Set objTrustee = CreateTrusteeForObject(objWMIService, DirObj)

    '-- create a FULL CONTROL security descriptor
    Set objSecurityDescriptor = CreateSecurityDescriptorForLocalFolder(objWMIService, objTrustee)

    '-- apply the descriptor to the NEW folder only, never to the shared root
    nResult = SetPermissionsToLocalFolder(objWMIService, strNewFolder, objSecurityDescriptor)
    If (nResult <> 0) Then
        Err.Raise 1, "onPostCreate", "Local folder permissions applying error = " & nResult
    End If

    '-- add the predefined members to the group
    DirObj.Put "member", arrPredefinedMembers
    DirObj.SetInfo
End Sub

'******************************************************************
' FolderExists - checks whether a local folder exists on the server
' ----------
' objWMIService - WMI service instance
' strLocalPath - path to local folder, for ex.: "C:\MyFolder"
' ----------
' return value - True if the folder exists
Function FolderExists(ByRef objWMIService, ByVal strLocalPath)
    Dim arrItems, objItem
    ' backslashes must be doubled inside a WQL string literal
    Set arrItems = objWMIService.ExecQuery("SELECT Name FROM Win32_Directory WHERE Name='" & _
        Replace(strLocalPath, "\", "\\") & "'")
    FolderExists = False
    For Each objItem In arrItems
        FolderExists = True
        Exit For
    Next
End Function

'******************************************************************
' CreateLocalFolder - creates a new local folder
' ----------
' objWMIService - WMI service instance
' strLocalPath - path to local folder, for ex.: "C:\MyFolder"
' ----------
' return value - Error code. 0 for OK
Function CreateLocalFolder(ByRef objWMIService, ByVal strLocalPath)
    ' --- refuse to reuse an existing folder: its contents would otherwise
    ' --- be handed to the new group (ERROR_ALREADY_EXISTS)
    If FolderExists(objWMIService, strLocalPath) Then
        CreateLocalFolder = 183
        Exit Function
    End If

    Dim objProcess, nProcessId, nResult
    Set objProcess = objWMIService.Get("Win32_Process")

    ' --- try to start a process for the folder creation;
    ' --- the path is quoted so that spaces in the group name survive
    nResult = objProcess.Create("cmd.exe /c md """ & strLocalPath & """", Null, Null, nProcessId)
    If (nResult <> 0) Then
        CreateLocalFolder = nResult
        Exit Function
    End If

    Dim arrItems, objItem, boolFound
    ' --- wait for the folder creation process to finish
    Do While (True)
        Set arrItems = objWMIService.ExecQuery("SELECT * FROM Win32_Process WHERE ProcessId=" & nProcessId)
        boolFound = False
        For Each objItem In arrItems
            boolFound = True
            Exit For
        Next
        If (boolFound = False) Then Exit Do
    Loop

    ' --- the exit code of cmd.exe is not reported back, so confirm the
    ' --- folder really exists before reporting success (ERROR_FILE_NOT_FOUND)
    If FolderExists(objWMIService, strLocalPath) Then
        CreateLocalFolder = 0
    Else
        CreateLocalFolder = 2
    End If
End Function

'******************************************************************
' SetPermissionsToLocalFolder - sets permissions on a local folder
' ----------
' objWMIService - WMI service instance
' strLocalPath - path to local folder, for ex.: "C:\MyFolder"
' objSecurityDescriptor - Win32_SecurityDescriptor WMI object with permissions
' ----------
' return value - Error code. 0 for OK
Function SetPermissionsToLocalFolder(ByRef objWMIService, _
        ByVal strLocalPath, ByRef objSecurityDescriptor)
    Dim objLocalFolder
    Set objLocalFolder = objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strLocalPath & "'")
    SetPermissionsToLocalFolder = objLocalFolder.SetSecurityDescriptor(objSecurityDescriptor)
End Function

'******************************************************************
' CreateSecurityDescriptorForLocalFolder - creates a security descriptor
' for a local NTFS folder and trustee
' ----------
' objWMIService - WMI service instance
' objTrustee - trustee
' ----------
' return value - created security descriptor
Function CreateSecurityDescriptorForLocalFolder(ByRef objWMIService, ByRef objTrustee)
    Dim objSecDescriptor
    Set objSecDescriptor = objWMIService.Get("Win32_SecurityDescriptor").SpawnInstance_()
    '** SE_DACL_PRESENT (4) | SE_DACL_AUTO_INHERITED (1024)
    objSecDescriptor.Properties_.Item("ControlFlags") = 4 + 1024
    '** one ACE: FULL CONTROL (0x1F01FF), inherited by subfolders and files
    '** (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE = 3), ACCESS_ALLOWED (0)
    objSecDescriptor.Properties_.Item("DACL") = Array(CreateACE(objWMIService, objTrustee, 2032127, 3, 0))
    Set CreateSecurityDescriptorForLocalFolder = objSecDescriptor
End Function

'******************************************************************
' CreateACE - creates a Win32_Ace instance with the desired access
' ----------
' objWMIService - WMI service instance
' objTrustee - Win32_Trustee instance
' nAccessMask - access mask, nAceFlags - inheritance flags, nAceType - 0 = allow, 1 = deny
' ----------
' return value - created Win32_Ace instance
Function CreateACE(ByRef objWMIService, ByRef objTrustee, _
        ByVal nAccessMask, ByVal nAceFlags, ByVal nAceType)
    If (Not IsObject(objTrustee)) Then Exit Function
    Dim objAce
    Set objAce = objWMIService.Get("Win32_Ace").SpawnInstance_()
    objAce.Properties_.Item("AccessMask") = nAccessMask
    objAce.Properties_.Item("AceFlags") = nAceFlags
    objAce.Properties_.Item("AceType") = nAceType
    objAce.Properties_.Item("Trustee") = objTrustee
    Set CreateACE = objAce
End Function

'******************************************************************
' CreateTrusteeForObject - creates a Win32_Trustee instance from an AD object
' ----------
' objWMIService - WMI service instance
' objObject - Active Roles directory object (user or group)
' ----------
' return value - created Win32_Trustee instance
Function CreateTrusteeForObject(ByRef objWMIService, ByRef objObject)
    If (Not IsObject(objObject)) Then Exit Function
    Dim objTrustee
    Set objTrustee = objWMIService.Get("Win32_Trustee").SpawnInstance_()
    Call objObject.GetInfoEx(Array("edsaDomainNetbiosName", "sAMAccountName", "objectSid"), 0)
    objTrustee.Domain = objObject.Get("edsaDomainNetbiosName")
    objTrustee.Name = objObject.Get("sAMAccountName")
    objTrustee.Properties_.Item("SID") = objObject.Get("objectSid")
    Set CreateTrusteeForObject = objTrustee
End Function

'***** END OF CODE ***************************************************************
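A post-provisioning check an administrator can run from a workstation, written in PowerShell as an added example that is not part of the Script Center sample: it confirms the folder exists on the file server, that the group's only explicit ACE on it is an Allow Full Control entry inherited by subfolders and files, and that no explicit ACE for the group has landed on the shared root. It assumes PowerShell Remoting to the server and that the group's name (the folder name) equals its sAMAccountName (the trustee name); the parameter names are assumptions of this example.

```powershell
# Added verification example for the provisioning policy above (not part of the
# original sample). Assumes PowerShell Remoting to the file server and that the
# group's "name" (the folder name) equals its sAMAccountName (the trustee name).
param(
    [string]$ServerName = 'SERVER1',            # mirrors strServerName
    [string]$LocalRoot  = 'C:\Folder',          # mirrors strLocalPath
    [Parameter(Mandatory = $true)][string]$GroupName,
    [string]$Domain     = $env:USERDOMAIN       # NetBIOS domain of the group
)

$account = "$Domain\$GroupName"
$folder  = Join-Path -Path $LocalRoot -ChildPath $GroupName

$result = Invoke-Command -ComputerName $ServerName -ScriptBlock {
    param($root, $folder, $account)
    $info = [ordered]@{ Folder = $folder; FolderExists = (Test-Path -LiteralPath $folder) }
    $info['GroupHasFullControl']    = $false
    $info['UnexpectedAcesOnFolder'] = 0
    if ($info['FolderExists']) {
        # only explicit (non-inherited) entries for the group are of interest
        $aces = (Get-Acl -LiteralPath $folder).Access |
            Where-Object { $_.IdentityReference.Value -eq $account -and -not $_.IsInherited }
        $good = $aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights  -eq 'FullControl' -and
            $_.InheritanceFlags  -eq 'ContainerInherit, ObjectInherit' }
        $info['GroupHasFullControl']    = [bool]$good
        $info['UnexpectedAcesOnFolder'] = @($aces).Count - @($good).Count
    }
    # An explicit ACE for the group on the shared root means the descriptor was
    # applied to the wrong path, exposing every sibling folder to the group.
    $info['GroupAceOnRoot'] = [bool]((Get-Acl -LiteralPath $root).Access |
        Where-Object { $_.IdentityReference.Value -eq $account -and -not $_.IsInherited })
    [pscustomobject]$info
} -ArgumentList $LocalRoot, $folder, $account

$result
if (-not $result.FolderExists -or -not $result.GroupHasFullControl -or
    $result.UnexpectedAcesOnFolder -gt 0 -or $result.GroupAceOnRoot) {
    Write-Warning "Provisioning check FAILED for $account on \\$ServerName\$folder"
}
```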

COMPATIBILITY

Script compatible with the following version(s): <Not specified>
