'=========================================================================
' GroupModifyManager.vbs
' VERSION: 1.0
' AUTHOR: Brian Steinmeyer
' EMAIL: sigkill@sigkillit.com
' WEB: https://sigkillit.com
' DATE: 1/4/2013
' COMMENTS: This will set the manager for a group and optionally allow them
' to update group membership. Set the manager by specificying the LDAP path
' or DN of the user you want to set. Set the group to modify by specifying
' the LDAP path or DN of a specific group; you can also set this to an OU
' to make bulk changes. Last, specify whether the manager can update the
' group membership by setting the True/False value.
' EXAMPLE: Modify a Specific Group's Manager and Allow Them to Update Membership
' Dim strManager: strManager = "LDAP://CN=John Doe,OU=User,DC=domain,DC=com"
' Dim strGroupPath: strGroupPath = "LDAP://CN=Testgroup,OU=Groups,DC=domain,DC=com"
' Dim blnUpdateMembership: blnUpdateMembership = True
' EXAMPLE: Modify a Specific Group's Manager and Do Not Allow Them to Update Membership
' Dim strManager: strManager = "LDAP://CN=John Doe,OU=User,DC=domain,DC=com"
' Dim strGroupPath: strGroupPath = "LDAP://CN=Testgroup,OU=Groups,DC=domain,DC=com"
' Dim blnUpdateMembership: blnUpdateMembership = False
' EXAMPLE: Bulk Modify All Group's Managers in an OU and Allow Them to Update Membership
' Dim strManager: strManager = "LDAP://CN=John Doe,OU=User,DC=domain,DC=com"
' Dim strGroupPath: strGroupPath = "LDAP://OU=Groups,DC=domain,DC=com"
' Dim blnUpdateMembership: blnUpdateMembership = True
'=========================================================================
Option Explicit
' ------ START CONFIGURATION ------
Dim strManager: strManager = "LDAP://CN=John Doe,OU=User,DC=domain,DC=com"
Dim strGroupPath: strGroupPath = "LDAP://OU=Groups,DC=domain,DC=com"
Dim blnUpdateMembership: blnUpdateMembership = True
' ------ END CONFIGURATION ------
Dim strLogName: strLogName = Replace(WScript.ScriptName,".vbs",".txt")
Call Logger(strLogName, "", True)
Call ModifyManger(strGroupPath, strManager, blnUpdateMembership, strLogName)
Wscript.Echo "Finished"
Private Sub ModifyManger(groupPath, groupManager, groupUpdateMembership, groupLogName)
On Error Resume Next
'Ensure DN not ADS Path
groupPath = Replace(groupPath,"LDAP://","",1,1,1)
groupManager = Replace(groupManager,"LDAP://","",1,1,1)
'Constants/Variables to Set Manager Update List Access
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_ACEFLAG_INHERIT_ACE = &H00002 'Not Needed but Kept it here for Reference
Const ADS_ACEFLAG_DONT_INHERIT_ACE = &H0
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H01
Const ADS_OBJECT_WRITE_MEMBERS = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}"
Dim objSecurityDescriptor, objDACL, objUser, objACE
'Connect to AD
Dim objConnection: Set objConnection = CreateObject("ADODB.Connection")
Dim objCommand: Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000 'Override the Return 1000 Results Default
Const ADS_SCOPE_SUBTREE = 2
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 'Include Sub OU's
objCommand.CommandText = "SELECT ADsPath FROM 'LDAP://" & strGroupPath & "' WHERE objectClass='group'"
Dim objRecordSet: Set objRecordSet = objCommand.Execute
If Not objRecordSet.RecordCount > 0 Then
Call Logger(groupLogName, "Error No Groups Found Quitting Script!", False)
Exit Sub
End If
objRecordSet.MoveFirst
Dim objGroup
Do Until objRecordSet.EOF
Call Logger(groupLogName, objRecordSet.Fields("ADsPath").Value & vbCrLf & "**********************************************", False)
Set objGroup = GetObject(objRecordSet.Fields("ADsPath").Value)
objGroup.Put "managedBy", groupManager
objGroup.SetInfo
If Err.Number <> 0 Then
Err.Clear
Call Logger(groupLogName, "Error Updating Manager to: " & groupManager, False)
Else
Call Logger(groupLogName, "Success Updating Manager to: " & groupManager, False)
If groupUpdateMembership = True Then
'Allow Manager to Update Member List
Call Logger(groupLogName, "Allow Manager to Update Member List: True", False)
Set objSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
Set objDACL = objSecurityDescriptor.DiscretionaryACL
Set objUser = GetObject("LDAP://" & objGroup.Get("managedBy"))
Set objACE = CreateObject("AccessControlEntry")
objACE.Trustee = "snapretail\" & objUser.Get("sAMAccountName")
objACE.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE.AceFlags = ADS_ACEFLAG_DONT_INHERIT_ACE
objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE.objectType = ADS_OBJECT_WRITE_MEMBERS
objDACL.AddAce(objACE)
objSecurityDescriptor.DiscretionaryACL = objDACL
objGroup.Put "ntSecurityDescriptor", Array(objSecurityDescriptor)
objGroup.SetInfo
If Err.Number <> 0 Then
Err.Clear
Call Logger(groupLogName, "Error Allowing Manager to Update Member List", False)
Else
Call Logger(groupLogName, "Success Allowing Manager to Update Member List", False)
End If
End If
End If
Call Logger(groupLogName, "" & vbCrLf, False)
objRecordSet.MoveNext
Loop
On Error Goto 0
End Sub
Private Sub Logger(fileName, logMessage, blnNewLog)
On Error Resume Next
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject")
Dim scriptPath: scriptPath = Left(WScript.ScriptFullName,InstrRev(WScript.ScriptFullName,"\"))
Dim logName
If InStr(1,fileName,"\",1) > 0 Then
logName = fileName
If objFSO.DriveExists(objFSO.GetDriveName(logName)) Then
If StrComp(objFSO.GetExtensionName(logName), "", 1) = 0 Then
If Not objFSO.FolderExists(logName) Then
If objFSO.FolderExists(objFSO.GetParentFolderName(logName)) Then
objFSO.CreateFolder logName 'Create Folder In Current Path
Exit Sub
Else
Call Logger(objFSO.GetParentFolderName(logName), logMessage, blnNewLog) 'Recurse Creating Parent Folder
Call Logger(logName, logMessage, blnNewLog) 'Recurse Creating Current Folder
Exit Sub
End If
End If
Else
If Not objFSO.FileExists(logName) Then
If Not objFSO.FolderExists(objFSO.GetParentFolderName(logName)) Then
Call Logger(objFSO.GetParentFolderName(logName), logMessage, blnNewLog) 'Recurse Creating Parent Folder
Call Logger(logName, logMessage, blnNewLog) 'Recurse Creating Current Folder
End If
End If
End If
End If
Else
logName = scriptPath & fileName
End If
Dim logFile
If blnNewLog = True Then
Set logFile = objFSO.CreateTextFile(logName, True)
Else
If objFSO.FileExists(logName) Then
Set logFile = objFSO.OpenTextFile(logName, ForAppending, True)
Else
Set logFile = objFSO.CreateTextFile(logName, True)
End If
End If
logFile.WriteLine logMessage
logFile.Close
Set objFSO = Nothing
On Error Goto 0
End Sub
