Determine OU for login script if's

Dev Shed Forums Sponsor:

February 8th, 2011, 01:52 PM

millercepbs

Registered User

Join Date: Feb 2006

Posts: 277

Time spent in forums: 1 Day 24 m 33 sec
Warnings Level: 10
Number of bans: 1
Reputation Power: 0

Determine OU for login script if's

We're trying to consolidate down to a single login script instead of a different one for each role a user has. I've been able to logically organize it in a manner that it's divided up by OU. Trouble is, I have absolutely no idea how to determind the OU for an if statement.

Reading up some, I've found that it's difficult if you have nested OU's, which we do. We'll have a layout in 3 different basic manners
PC users are: domain > department > users
Terminal server users are: domain > Terminal Server > Access Level
Users that work ON the thin client desktop are: domain > Thin Clients > Users

So really the OU's are the same level away from the domain (grandparent is it?).

So what I'm not sure how to do is to pull the last level of the OU out in order to run a text comparison later. Is it as simple as something like:
Set objParent = GetObject(objUser.Parent)
strParent = objParent.Get("name")
Set objGrandParent = GetObject(objParent.Parent)
strParent = objGrandParent.Get("name")
But then where do you get the actual last OU section from?

Later i'll simply run portions of the script based on that OU data. Something like
if (objOU = "Accounting") then
do this part of the code
else nothing

I'd appreciate any help here. I didn't see anything related to this in the search, but I did look before I posted.

February 9th, 2011, 01:13 PM

Satellite55

Registered User

Join Date: Nov 2010

Posts: 15

Time spent in forums: 2 h 33 m 30 sec
Reputation Power: 0

what is an "OU" ?

February 9th, 2011, 01:26 PM

millercepbs

Registered User

Join Date: Feb 2006

Posts: 277

Time spent in forums: 1 Day 24 m 33 sec
Warnings Level: 10
Number of bans: 1
Reputation Power: 0

Quote:

Originally Posted by Satellite55

what is an "OU" ?

Organizational Unit....how Active Directory organizes everything.

February 9th, 2011, 01:36 PM

Doug G

Grumpier Old Moderator

Dev Shed God 19th Plane (14000 - 14499 posts)

Join Date: Jun 2003

Posts: 14,238

Time spent in forums: 1 Month 4 Weeks 15 h 7 m 57 sec
Reputation Power: 4445

What you can or can't get will depend on what object you're using to query AD. There is nothing built in to asp so I imagine you're using some microsoft WMI stuff which I know nothing about.

If you're writing asp.NET code, you might try the NET forum, this forum is primarily classic asp

__________________
======
Doug G
======
It is a truism of American politics that no man who can win an election deserves to. --Trevanian, from the novel Shibumi

February 9th, 2011, 02:49 PM

millercepbs

Registered User

Join Date: Feb 2006

Posts: 277

Time spent in forums: 1 Day 24 m 33 sec
Warnings Level: 10
Number of bans: 1
Reputation Power: 0

Quote:

Originally Posted by Doug G

VBS, logon scripts. It was under the sub-headings for this category, so that's why I put it here.

February 9th, 2011, 07:08 PM

Doug G

Grumpier Old Moderator

Join Date: Jun 2003

Posts: 14,238

Time spent in forums: 1 Month 4 Weeks 15 h 7 m 57 sec
Reputation Power: 4445

Hopefully someone who knows will jump in ...

February 14th, 2011, 03:00 PM

millercepbs

Registered User

Join Date: Feb 2006

Posts: 277

Time spent in forums: 1 Day 24 m 33 sec
Warnings Level: 10
Number of bans: 1
Reputation Power: 0

Quote:

Originally Posted by Doug G

Hopefully someone who knows will jump in ...

So any ideas at all here? I'm not really sure where to begin since they folks are at two different levels. I wish there was a way to see what the last level was....that's all the info I would need to be able to work the script.

Last edited by millercepbs : February 18th, 2011 at 10:05 AM.

February 24th, 2011, 08:53 AM

millercepbs

Registered User

Join Date: Feb 2006

Posts: 277

Time spent in forums: 1 Day 24 m 33 sec
Warnings Level: 10
Number of bans: 1
Reputation Power: 0

I was able to find something that I think can be altered some. I found a script that can tell you the OU of a computer, so I've altered it to "User", but it doesn't seem to work.

Code:

 OPTION EXPLICIT
DIM objNetwork
DIM UserName
DIM ou

' Get the UserName of PC
set objNetwork = createobject("Wscript.Network")
UserName = objNetwork.UserName

' Call function to find OU from computer name
ou = getOUByUserName(UserName)

wscript.echo ou


function getOUByUserName(byval UserName)
	' *** Function to find ou/container of user object from username ***
	
	DIM namingContext, ldapFilter, ou
	DIM cn, cmd, rs
	DIM objRootDSE
	
	' Bind to the RootDSE to get the default naming context for
	' the domain.  e.g. dc=wisesoft,dc=co,dc=uk
	set objRootDSE = getobject("LDAP://RootDSE")
	namingContext = objRootDSE.Get("defaultNamingContext")
	set objRootDSE = nothing

	' Construct an ldap filter to search for a user object
	' anywhere in the domain with a name of the value specified.
	ldapFilter = "<LDAP://" & namingContext & _
 	">;(&(objectCategory=User)(name=" & UserName & "))" & _
	";distinguishedName;subtree"

	' Standard ADO code to query database
	set cn = createobject("ADODB.Connection")
	set cmd = createobject("ADODB.Command")

	cn.open "Provider=ADsDSOObject;"
	cmd.activeconnection = cn
	cmd.commandtext = ldapFilter
	
	set rs = cmd.execute

	if rs.eof <> true and rs.bof <> true then
		ou = rs(0)
		' Convert distinguished name into OU.
		' e.g. cn=CLIENT01,OU=WiseSoft_Computers,dc=wisesoft,dc=co,dc=uk
		' to: OU=WiseSoft_Computers,dc=wisesoft,dc=co,dc=uk
		ou = mid(ou,instr(ou,",")+1,len(ou)-instr(ou,","))
		getOUByUserName = ou

	end if

	rs.close
	cn.close

end function

The ldap filter seems to be the main part that isn't working...setting the filter to the User category.

Code:

ldapFilter = "<LDAP://" & namingContext & _
 	">;(&(objectCategory=User)(name=" & UserName & "))" & _
	";distinguishedName;subtree"

Since "User" is the objectCategory, I'm not sure why it doesn't work. Basically, if you set that back to "Computer", even with my other varibables changes left to "user", it works to get the computer OU's. So i'm a bit confused....or is the object distinguished differently in AD than "User"?

May 16th, 2011, 01:39 PM

jrp

Registered User

Join Date: May 2011

Posts: 1

Time spent in forums: 29 m 9 sec
Reputation Power: 0

Not sure if you've found a solution for what you were working on or not, but all I did to determine the OU was to tear apart the ADSystemInfo.Username value.

Code:

'Set up Active Directory Connections
Set ADSysInfo = CreateObject("ADSystemInfo")
'Get FQDN
strUser = ADSysInfo.UserName

x = instr(strUser,"OU")
If x > 0 then
	OU = right(strUser,Len(strUser) - x - 2)
	x = instr(OU,",")
	PriOU = left(OU, x - 1)
	OU = Right(OU, Len(OU) - x)
	x = instr(OU,"OU")
	If x > 0 then
		OU = right(OU,Len(OU) - x - 2)
		x = instr(OU,",")
		SecOU = left(OU, x - 1)
	Else
		SecOU = "None"
	End If
Else
	PriOU = "None"
End If

The value for PriOU then becomes the lowest OU in the tree and SecOU becomes the next level up. This allows me to handle options for more than one OU, such as when a department has a sub-dept that needs it's own mappings as well as the department mappings.

#10

May 16th, 2011, 03:11 PM

millercepbs

Registered User

Join Date: Feb 2006

Posts: 277

Time spent in forums: 1 Day 24 m 33 sec
Warnings Level: 10
Number of bans: 1
Reputation Power: 0

I'll give it a shot...i thought the thread had been forgotten!

Um, well did an echo on what the script above returns and it's a numeric value. That's all fine, but I have no way of knowing what OU a '13' belongs to. Any ideas on that?

Last edited by millercepbs : May 16th, 2011 at 03:30 PM.

#11

May 16th, 2011, 03:35 PM

millercepbs

Registered User

Join Date: Feb 2006

Posts: 277

Time spent in forums: 1 Day 24 m 33 sec
Warnings Level: 10
Number of bans: 1
Reputation Power: 0

Nevermind, it helps to have an echo read off the right variable...ie priou secou.

THANKS!

Determine OU for login script if's

Developer Shed Advertisers and Affiliates