WMI Group Member Query

[cluM09]

Hi all!

I have written a script to connect to the domain over the VPN connection after the user has logged onto his machine.

I need to map the network drive(s) for the user who belongs to a specific group, and I need to enumreate user's group membership using the WMI query. However, I cannot enumerate the group member using the WMI query.

The error message I got from the script is: AuthWithVPN4.vbs(25, 1) (null): 0x8004103A , where line 25 starts with "For Each objGroup In colGroups."

Any help will be greatly appreciated!

The code is sa follows:
Option Explicit
Dim strDomain, objLogon, oShell, objCancelled, strUserName, strPassword, strComputer
Dim objLocator, objWMIService, colGroups, objGroup

strDomain = "MyDomain"
Set objLogon = CreateObject("PassDlg.LogonDialog")
objLogon.ShowDialog "Enter Username and Password"
objlogon.AllowBlankUsername = False
objLogon.AllowBlankPassword = False
objCancelled = objLogon.Canceled
strUserName = objLogon.Username
strPassword = objLogon.Password
If objCancelled Then
WScript.quit
End If

'Establish domain credential with the domain controller
strComputer = "shelby"
Set objLocator = CreateObject( "WbemScripting.SWbemLocator" )
Set objWMIService = objLocator.ConnectServer( strComputer, "root/cimv2", strDomain &"\"& strUserName, strPassword )
objWMIService.Security_.impersonationlevel = 3

'Enumearte groups a user is member of
Set colGroups = objWMIService.ExecQuery( "Associators of {Win32_Group.Domain='& strDomain, Name='& strUserName} Where ResultClass = Win32_Group" )
For Each objGroup In colGroups
Wscript.Echo objGroup.Name
Next

Thanks!

CluM09

 

[PHV]

You may try to replace this:
Set colGroups = objWMIService.ExecQuery( "Associators of {Win32_Group.Domain='& strDomain, Name='& strUserName} Where ResultClass = Win32_Group" )
By this:
Set colGroups = objWMIService.ExecQuery( "Associators of {Win32_Group.Domain='" & strDomain & "', Name='" & strUserName & "'} Where ResultClass = Win32_Group" )

Hope This Helps, PH.
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884 or FAQ222-2244

 

[cluM09]

Thank PHV for the comment! However, the script still cannot enumerate the groups. It still gives the same error message as before.

CluM09

 

[tsuji]

cluM09 wrote:
>enumerate the group member using the WMI query
and
>"Associators of {Win32_Group.Domain='& strDomain, Name='& strUserName} Where ResultClass = Win32_Group"

Name property here is the group name, not username. And I don't think it is what you want.

But, from your script though problematic, I would guess you want to "enumerate the groups which the user is member of"? See, can't even figure out what you want actually.

Try this?

squery="Associators of {win32_user.name='" & strUserName & "'} where AssocClass=win32_groupuser ResultRole=GroupComponent"
Set colGroups = objWMIService.ExecQuery(squery)

- tsuji

 

[cluM09]

tsuji,

Thanks for the comment! Yes, what I want to do is to enumerate the groups in which a user is a member of. But even with the syntax you provided, the script still fails to enumerate the groups.

The error occurs at line "For Each objGroup In colGroups" with the error of "AuthWithVPN4.vbs(25, 1) (null): 0x80041010"

Could it be that somthing was wrong with the For loop that I used?

CluM09

 

[mrmovie]

why use a jcb to crack a nut?
Why not use the WinNT provider? or am i silly and you are using WMI due to security/passed constraints?

 

[cluM09]

mrmovie,

As I indicated at the beginning, this script is used for authentication over a VPN connection where the user has already logged onto the workstation before a network connection is established with the logon server's network.

If the user has the network connection to the logon server prior to the logon process, this script is unnecessary.

Only WMI impersonation that allows the group member enumeration to occur with proper user name and password supplied by the user. Therefore, WMI authentication credential is the only way that can provide the enumeration to occur over such a network connection.

Thanks for comment!

CluM09

 

[tsuji]

cluM09,

Approach using assoc query may need re-conceiving. I think it is viable. In the meantime try this.

squery="select * from win32_groupuser where " & _
    "PartComponent=""win32_account.domain='" & strDomain & "'" & _
        ", name='" & strUserName & "'"""
set cgrpusr=objWMIService.execquery(squery)
for each ogrpusr in cgrpusr
    set ogrp=objWMIService.get(ogrpusr.GroupComponent)
    wscript.echo ogrp.name
next
set ogrp=nothing
set cgrpusr=nothing

- tsuji

 

[cluM09]

tsuji,

Thanks for the comment! It still does not work. When I just try to query all groups in the domain with the code below, it works:

Set colGroups = objWMIService.ExecQuery("SELECT * FROM Win32_Group")
For Each objGroup In colGroups
Wscript.Echo objGroup.Name
Next

But this is not what I want. I want only the groups in which the user belongs. Could it be that we should not refer to the domain again in this query since we already got the authentication through the code above it as shown below?

Set objLocator = CreateObject( "WbemScripting.SWbemLocator" )
Set objWMIService = objLocator.ConnectServer( strComputer, "root/cimv2", strDomain &"\"& strUserName, strPassword )
objWMIService.Security_.impersonationlevel = 3

CluM09

 

[cluM09]

tsuji,

Thanks for pointing me to the right direction!

I searched for the syntax for the Win32_Group on the internet, and I have found the following combination that works. The URL is

http://www.webfrustration.com/showthread.php?t=22020.

Set colGroups = objWMIService.ExecQuery("ASSOCIATORS OF {Win32_UserAccount.Name='" & strUserName & _
"',Domain='" & strDomain & "'} WHERE ResultClass = Win32_Group")

For Each objGroup In colGroups
Wscript.Echo "Group: " & objGroup.Name
Next

Thanks again for your help!

CluM09

 

[tsuji]

cluM09,

Right thing to do! Thanks for sharing.

- tsuji

 

[mrmovie]

yeah, a good post on a subject which i might be looking at shortly, heres a star