DESCRIPTION
This script sample demonstrates the following advanced group creation/provisioning scenario. After a group is created: - a corresponding local folder with the same name is created on the predefined file server; - the group is granted "full control" permissions on that folder; - a predefined set of accounts becomes the members of the group.
This script sample shares some parts with the script sample from the ARS Script Policy Best Practices.
Note: This code may use functions from the ARS Script Policy Best Practices. Please follow the link to obtain instructions and code for those functions.
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTBILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT QUEST PROFESSIONAL SERVICES.
'*********************************************************************************
'
' This code is published on the ActiveRoles Script Center:
' http://communities.quest.com/docs/DOC-9991
'
' This code may use functions from the ARS Script Policy Best Practices:
' http://communities.quest.com/docs/DOC-10016
'
' Please, follow the link to obtain instructions and code for those functions.
'*********************************************************************************
Option Explicit
'---- customizable settings ----
'-- file server that receives the per-group folders, and the parent folder on it
Const strServerName = "SERVER1"
Const strLocalPath = "C:\Folder"
'-- distinguished names written to the new group's "member" attribute
'-- (sample values; replace them with the real accounts)
Dim arrPredefinedMembers
arrPredefinedMembers = Array("CN=John Smith,OU=Sales,DC=foocompany,DC=com", _
                             "CN=Samanta Fox,OU=HR,DC=foocompany,DC=com", _
                             "CN=Fox Mulder,OU=Research,DC=foocompany,DC=com", _
                             "CN=James Born,OU=Security,DC=foocompany,DC=com")
'---- routines ----
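Sub onPostCreate(Request)
'-- onPostCreate: after a security group has been created, provision a folder
'-- named after the group under strLocalPath on strServerName, grant the group
'-- full control on that folder and set the group's membership to
'-- arrPredefinedMembers.
'-- Request - the ActiveRoles request object; DirObj is the created directory
'--           object (both are supplied by the script host).
'-- Raises an error (Err.Raise) when the folder cannot be created or secured.
'-- proceed for group objects only
If (LCase(Request.Class) <> "group") Then Exit Sub
Dim numGroupType, strGroupName, strGroupFolder
DirObj.GetInfoEx Array("groupType", "name"), 0
numGroupType = DirObj.Get("groupType")
'-- proceed for SECURITY group objects only
'-- (ADS_GROUP_TYPE_SECURITY_ENABLED is expected to be provided by the script host)
If ((numGroupType And ADS_GROUP_TYPE_SECURITY_ENABLED) = 0) Then Exit Sub
strGroupName = DirObj.Get("name")
'-- the group name originates from the create request and becomes a folder
'-- name; CreateLocalFolder validates the resulting path before running anything
strGroupFolder = strLocalPath & "\" & strGroupName
Dim objWMIService, nResult
Dim objTrustee, objSecurityDescriptor
'-- get WMI service on the desired server
Set objWMIService = GetObject("winmgmts:" & _
"{impersonationLevel=impersonate}!" & _
"\\" & strServerName & "\root\cimv2")
'-- create a local folder with the group name
nResult = CreateLocalFolder(objWMIService, strGroupFolder)
If (nResult <> 0) Then
'-- Err.Raise arguments are (number, source, description)
Err.Raise 1, "onPostCreate", "Local folder creation error = " & nResult
End If
'-- create a trustee for the group
Set objTrustee = CreateTrusteeForObject(objWMIService, DirObj)
'-- create a FULL CONTROL security descriptor
Set objSecurityDescriptor = CreateSecurityDescriptorForLocalFolder(objWMIService, objTrustee)
'-- apply the descriptor to the group's own folder, not to the parent
'-- strLocalPath: the ACE is inheritable, so granting it on the parent would
'-- give every new group full control over the folders of all other groups
nResult = SetPermissionsToLocalFolder(objWMIService, strGroupFolder, objSecurityDescriptor)
If (nResult <> 0) Then
Err.Raise 1, "onPostCreate", "Local folder permissions applying error = " & nResult
End If
'-- replace the member attribute with the predefined membership
DirObj.Put "member", arrPredefinedMembers
DirObj.SetInfo
End Sub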
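'******************************************************************
' CreateLocalFolder - creates a new local folder on the server behind objWMIService
' ----------
' objWMIService - WMI service instance (root\cimv2)
' strLocalPath - full local path on that server, for ex.: "C:\MyFolder\Sales"
' ----------
' return value - Error code. 0 for OK, otherwise a Win32 error code:
'   123 (ERROR_INVALID_NAME)   path rejected by the checks below
'   258 (WAIT_TIMEOUT)         "md" did not finish within cWaitTimeoutSec
'     3 (ERROR_PATH_NOT_FOUND) folder absent after "md" exited
'   or the Win32_Process.Create return value
' ----------
' The path is built by the caller from a directory object name, i.e. from data
' supplied with the create request, and is interpolated into a cmd.exe command
' line here and into WMI object paths / WQL here and in SetPermissionsToLocalFolder.
' Characters that could change the meaning of those strings are refused before
' anything is executed; the path is quoted so a name with spaces stays one argument.
Function CreateLocalFolder(ByRef objWMIService, ByVal strLocalPath)
Const cErrPathNotFound = 3
Const cErrInvalidName = 123
Const cWaitTimeout = 258
Const cWaitTimeoutSec = 60
Const cUnsafeChars = """&|<>^%!'*?"   '** cmd.exe metacharacters, quotes, wildcards
Dim i, strChar
If (Len(strLocalPath) = 0) Then
CreateLocalFolder = cErrInvalidName
Exit Function
End If
' --- refuse metacharacters, control characters and ".." path components
For i = 1 To Len(strLocalPath)
strChar = Mid(strLocalPath, i, 1)
If (InStr(1, cUnsafeChars, strChar, vbBinaryCompare) > 0) Or (AscW(strChar) < 32) Then
CreateLocalFolder = cErrInvalidName
Exit Function
End If
Next
If (InStr(1, strLocalPath, "..", vbBinaryCompare) > 0) Then
CreateLocalFolder = cErrInvalidName
Exit Function
End If
Dim objProcess, nProcessId, nResult, dtStart
Set objProcess = objWMIService.Get("Win32_Process")
' --- try to start a process for the folder creation (path quoted)
nResult = objProcess.Create("cmd.exe /c md """ & strLocalPath & """", Null, Null, nProcessId)
If (nResult <> 0) Then
CreateLocalFolder = nResult
Exit Function
End If
' --- wait for the process to disappear, but not forever
dtStart = Now
Do While WmiQueryReturnsRows(objWMIService, "SELECT ProcessId FROM Win32_Process WHERE ProcessId=" & nProcessId)
If (DateDiff("s", dtStart, Now) > cWaitTimeoutSec) Then
CreateLocalFolder = cWaitTimeout
Exit Function
End If
Loop
' --- Win32_Process.Create only reports that cmd.exe started; confirm the folder
' --- exists (backslashes must be doubled in WQL string literals)
If WmiQueryReturnsRows(objWMIService, "SELECT Name FROM Win32_Directory WHERE Name='" & Replace(strLocalPath, "\", "\\") & "'") Then
CreateLocalFolder = 0
Else
CreateLocalFolder = cErrPathNotFound
End If
End Function
'******************************************************************
' WmiQueryReturnsRows - True when the WQL query returns at least one instance
' ----------
' objWMIService - WMI service instance
' strQuery - WQL query text
Function WmiQueryReturnsRows(ByRef objWMIService, ByVal strQuery)
Dim objItem
WmiQueryReturnsRows = False
For Each objItem In objWMIService.ExecQuery(strQuery)
WmiQueryReturnsRows = True
Exit For
Next
End Function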
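'******************************************************************
' SetPermissionsToLocalFolder - applies a security descriptor to a local folder
' ----------
' objWMIService - WMI service instance (root\cimv2)
' strLocalPath - path to local folder, for ex.: "C:\MyFolder"
' objSecurityDescriptor - Win32_SecurityDescriptor WMI object with permissions
' ----------
' return value - Error code. 0 for OK; otherwise the SetSecurityDescriptor
' return code, or 123 (ERROR_INVALID_NAME) when the path cannot be embedded
' in the WMI object path
Function SetPermissionsToLocalFolder(ByRef objWMIService, _
ByVal strLocalPath, ByRef objSecurityDescriptor)
Const cErrInvalidName = 123
Dim objLocalFolder
'-- the path is embedded in a single-quoted WMI object path; an empty path or
'-- a quote character inside it would change which object is addressed
If (Len(strLocalPath) = 0) Or (InStr(strLocalPath, "'") > 0) Or (InStr(strLocalPath, """") > 0) Then
SetPermissionsToLocalFolder = cErrInvalidName
Exit Function
End If
Set objLocalFolder = objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strLocalPath & "'")
SetPermissionsToLocalFolder = objLocalFolder.SetSecurityDescriptor(objSecurityDescriptor)
End Function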
'******************************************************************
' CreateSecurityDescriptorForLocalFolder - builds a security descriptor
' for a local NTFS folder whose DACL holds one inheritable access-allowed
' ACE granting the trustee full control
' ----------
' objWMIService - WMI service instance (root\cimv2)
' objTrustee - Win32_Trustee instance for the grantee
' ----------
' return value - the unsaved Win32_SecurityDescriptor instance
' NOTE(review): the DACL set here consists of this single ACE only; confirm
' that no other explicit entries are expected on the folder after it is applied.
Function CreateSecurityDescriptorForLocalFolder (ByRef objWMIService, ByRef objTrustee)
Const cSeDaclPresent = 4             '** SE_DACL_PRESENT
Const cSeDaclAutoInherited = 1024    '** SE_DACL_AUTO_INHERITED
Const cFullControl = 2032127         '** FILE_ALL_ACCESS (&H1F01FF)
Const cObjectAndContainerInherit = 3 '** OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
Const cAccessAllowed = 0             '** ACCESS_ALLOWED_ACE_TYPE
Dim objNewDescriptor
Set objNewDescriptor = objWMIService.Get("Win32_SecurityDescriptor").SpawnInstance_()
With objNewDescriptor.Properties_
.Item("ControlFlags") = cSeDaclPresent + cSeDaclAutoInherited
.Item("DACL") = Array(CreateACE(objWMIService, objTrustee, cFullControl, cObjectAndContainerInherit, cAccessAllowed))
End With
Set CreateSecurityDescriptorForLocalFolder = objNewDescriptor
End Function
'******************************************************************
' CreateACE - builds an unsaved Win32_Ace instance with the desired access
' ----------
' objWMIService - WMI service instance (root\cimv2)
' objTrustee - Win32_Trustee instance the ACE applies to
' nAccessMask - access mask bits
' nAceFlags - ACE inheritance/flag bits
' nAceType - ACE type code
' ----------
' return value - the Win32_Ace instance, or Empty (not an object) when
' objTrustee is not an object
Function CreateACE (ByRef objWMIService, ByRef objTrustee, _
ByVal nAccessMask, ByVal nAceFlags, ByVal nAceType)
Dim objNewAce
If (IsObject(objTrustee)) Then
Set objNewAce = objWMIService.Get("Win32_Ace").SpawnInstance_()
With objNewAce.Properties_
.Item("AccessMask") = nAccessMask
.Item("AceFlags") = nAceFlags
.Item("AceType") = nAceType
.Item("Trustee") = objTrustee
End With
Set CreateACE = objNewAce
End If
End Function
'******************************************************************
' CreateTrusteeForObject - builds an unsaved Win32_Trustee instance from a
' directory object
' ----------
' objWMIService - WMI service instance (root\cimv2)
' objObject - directory object; its edsaDomainNetbiosName (presumably an
' ActiveRoles-provided attribute - confirm), sAMAccountName and objectSid
' are read
' ----------
' return value - the Win32_Trustee instance, or Empty (not an object) when
' objObject is not an object
Function CreateTrusteeForObject (ByRef objWMIService, ByRef objObject)
If (Not IsObject(objObject)) Then Exit Function
Dim objNewTrustee
objObject.GetInfoEx Array("edsaDomainNetbiosName", "sAMAccountName", "objectSid"), 0
Set objNewTrustee = objWMIService.Get("Win32_Trustee").SpawnInstance_()
With objNewTrustee
.Domain = objObject.Get("edsaDomainNetbiosName")
.Name = objObject.Get("sAMAccountName")
.Properties_.Item("SID") = objObject.Get("objectSid")
End With
Set CreateTrusteeForObject = objNewTrustee
End Function
'****** end of code ***********************************************
'***** END OF CODE ***************************************************************
COMPATIBILITY
Script compatible with the following version(s): <Not specified>