Determining users NT Groups
Through VB code or ASP code is there a way to determine the NT Groups that
a user belongs to?
By [DCarter] at [2007-11-9 23:49:28]

# 1 Re: Determining users NT Groups
sure you can use ADSI - but be aware that you may need certain privs/rights
to achieve this. the following code is from my book:

strComputer = "MyServer" ' Use '.' for the local computer.
' Bind to the computer object through the ADSI WinNT provider.
Set oComp = GetObject("WinNT://" & strComputer & ",computer")
' Restrict the enumeration to group objects.
oComp.Filter = Array("group")

For Each group In oComp
    WScript.Echo group.Name
    iCount = 0
    ' List every member of this group.
    For Each member In group.Members
        WScript.Echo " " & member.Name
        iCount = iCount + 1
    Next
    If iCount = 0 Then WScript.Echo " <none>"
Next

what are you trying to achieve?
"DCarter" <daniel.carter@anhesuer-busch.com> wrote:
>
>Through VB code or ASP code is there a way to determine the NT Groups that
>a user belongs to?
# 2 Re: Determining users NT Groups
This returns the groups and users for a particular machine, how about the
users in a Domain group? We are wanting to create domain groups (not sure
if that is the right nomenclature) and use them as the security groups we
check for access to pages on a local intranet.
The idea is instead of having to maintain users, groups and security settings
in a database indicating who has access to what pages; we use NT domain groups.
Then, using NT Challenge Response, we can check to see if the user hitting
a page is in the NT domain group that has rights to this page, if not then
send them back to their previous page or show a "nice" access denied page.
Our users are scattered throughout the US and we would like the local IS
groups to add the proper users to the groups, so we don't have to maintain
the large user-rights list.
"Michael Howard" <mikehow@microsoft.com> wrote:
>
>sure you can use ADSI - but be aware that you may need certain privs/rights
>to achieve this. the following code is from my book:
>
>strComputer = "MyServer" ' Use '.' for the local computer.
>Set oComp = GetObject("WinNT://" & strComputer & ",computer")
>oComp.Filter = Array("group")
>
>For Each group In oComp
> WScript.echo group.Name
> iCount = 0
> For Each member in group.members
> WScript.echo " " & member.Name
> iCount = iCount + 1
> Next
> If iCount = 0 Then WScript.echo " <none>"
>Next
>
>what are you trying to achieve?
# 3 Re: Determining users NT Groups
From: http://www.windows-script.com/
<quotedStuff>
How do I detect what groups a user belongs to?
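' ADsPath of the account to inspect (WinNT provider): domain and user ID.
dsRoot = "WinNT://domain/userid"
Set wshShell = WScript.CreateObject("WScript.Shell")
Set dsObj = GetObject(dsRoot)
' Groups enumerates the groups this account belongs to.
For Each Prop In dsObj.Groups
    wshShell.Popup Prop.Name
Next 'Prop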
</quotedStuff>
That should do it.
--
Eli Allen
eallen@bcpl.net
"DCarter" <daniel.carter@anhesuer-busch.com> wrote in message
news:3a9e60ba$1@news.dev-archive.com...
>
> This returns the groups and users for a particular machine, how about the
> users in a Domain group? We are wanting to create domain groups (not sure
> if that is the right nomenclature) and use them as the security groups we
> check for access to pages on a local intranet.
>
> The idea is instead of having to maintain users, groups and security settings
> in a database indicating who has access to what pages; we use NT domain groups.
> Then, using NT Challenge Response, we can check to see if the user hitting
> a page is in the NT domain group that has rights to this page, if not then
> send them back to their previous page or show a "nice" access denied page.
> Our users are scattered throughout the US and we would like the local IS
> groups to add the proper users to the groups, so we don't have to maintain
> the large user-rights list.
# 4 Re: Determining users NT Groups
actually, it's not QUITE as simple as all this - as this code does not take
into consideration any restricting SIDs in the user's token. if this is NT4,
then that's ok - there's no such thing as restricting SIDs in NT4, but on
Win2000 it can be problematic. there's an api in Win2000 you can call named
CheckGroupMembership() that will do the work for you.
"Eli Allen" <eallen@bcpl.net> wrote:
>From: http://www.windows-script.com/
><quotedStuff>
>How do I detect what groups a user belongs to?
>
>dsRoot = "WinNT://domain/userid"
>set wshShell = Wscript.CreateObject("Wscript.Shell")
>set dsObj = GetObject(dsRoot)
>For Each Prop In dsobj.groups
> wshshell.popup Prop.Name
>Next 'Prop
></quotedStuff>
>
>That should do it.
>--
>Eli Allen
>eallen@bcpl.net
# 5 Re: Determining users NT Groups
You can set a restriction to prevent someone from being in a workgroup? So
if Workgroup A contains a smaller workgroup B and user C is in workgroup B
you can keep them out of workgroup A? But if that was true should ADSI be
able to tell the actual workgroups a member is part of?
Or are you referring to something else he was talking about? It sounds like
he just wants very basic ACLs set at the workgroup level and the users just
exist in a workgroup without any special privileges.
--
Eli Allen
eallen@bcpl.net
"Michael Howard" <mikehow@microsoft.com> wrote in message
news:3aa02c02$1@news.dev-archive.com...
>
> actually, it's not QUITE as simple as all this - as this code does not take
> into consideration any restricting SIDs in the user's token. if this is NT4,
> then that's ok - there's no such thing as restricting SIDs in NT4, but on
> Win2000 it can be problematic. there's an api in Win2000 you can call named
> CheckGroupMembership() that will do the work for you.
# 6 Re: Determining users NT Groups
the problem is - you may be in group A, however, you may also have a restricting
sid which restricts A on acl checks. while the user is STILL a member of A,
ACL checks may behave differently owing to the restricted SID.
"Eli Allen" <eallen@bcpl.net> wrote:
>You can set a restriction to prevent someone from being in a workgroup? So
>if Workgroup A contains a smaller workgroup B and user C is in workgroup B
>you can keep them out of workgroup A? But if that was true should ADSI be
>able to tell the actual workgroups a member is part of?
>
>Or are you referring to something else he was talking about? It sounds like
>he just wants very basic ACLs set at the workgroup level and the users just
>exist in a workgroup without any special privileges.
>--
>Eli Allen
>eallen@bcpl.net
>
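
An added illustration of the point made in posts #4 and #6 (not code from the thread or from any poster): a simplified Python model of a token-based ACL check, set beside the directory lookup that the ADSI enumeration in post #3 performs. SIDs are written as constructed name strings, the DACL, directory and tokens are sample data, and the model also covers the related deny-only group attribute, which the thread does not mention.

```python
from dataclasses import dataclass, field
ALLOW, DENY = "allow", "deny"
READERS, USERS, ALICE = r"DOMAIN\PageReaders", r"DOMAIN\Users", r"DOMAIN\alice"

@dataclass
class Token:
    """Simplified access token; SIDs are plain strings (constructed)."""
    user: str
    groups: set                                      # enabled group SIDs
    deny_only: set = field(default_factory=set)      # match deny ACEs only
    restricting: set = field(default_factory=set)    # non-empty: restricted token

def _walk(dacl, allow_sids, deny_sids, wanted):
    """Evaluate ACEs in order; the first ACE matching the right decides."""
    for ace_type, sid, rights in dacl:
        if wanted not in rights:
            continue
        if ace_type == DENY and sid in deny_sids:
            return False
        if ace_type == ALLOW and sid in allow_sids:
            return True
    return False                                     # no match: implicit deny

def access_check(token, dacl, wanted):
    """Token-based check: a restricted token must pass a second walk too."""
    enabled = {token.user} | token.groups
    ok = _walk(dacl, enabled, enabled | token.deny_only, wanted)
    if ok and token.restricting:
        ok = _walk(dacl, token.restricting, token.restricting, wanted)
    return ok

def listed_in_group(directory, account, group):
    """Directory answer (what enumerating a user's groups gives you)."""
    return group in directory.get(account, set())

# Constructed sample data: the page grants read to DOMAIN\PageReaders only.
PAGE_DACL = [(ALLOW, READERS, {"read"})]
DIRECTORY = {ALICE: {READERS, USERS}}

def compare():
    tokens = {
        "normal": Token(ALICE, {READERS, USERS}),
        "restricted": Token(ALICE, {READERS, USERS}, restricting={USERS}),
        "deny_only": Token(ALICE, {USERS}, deny_only={READERS}),
    }
    listed = listed_in_group(DIRECTORY, ALICE, READERS)
    return {k: (listed, access_check(t, PAGE_DACL, "read")) for k, t in tokens.items()}

print(compare())
```

In every case the directory lists the account in the group, but only the unrestricted token passes the ACL check. On Windows 2000 and later the Win32 function that tests membership against a token rather than the directory is CheckTokenMembership.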
# 7 Re: Determining users NT Groups
Thanks! This is what I was looking for
"Eli Allen" <eallen@bcpl.net> wrote:
>From: http://www.windows-script.com/
><quotedStuff>
>How do I detect what groups a user belongs to?
>
>dsRoot = "WinNT://domain/userid"
>set wshShell = Wscript.CreateObject("Wscript.Shell")
>set dsObj = GetObject(dsRoot)
>For Each Prop In dsobj.groups
> wshshell.popup Prop.Name
>Next 'Prop
></quotedStuff>
>
>That should do it.
>--
>Eli Allen
>eallen@bcpl.net
