Ok let’s do another nested group script.
This script enumerates the lastlogon of all members of a nested group.
Attention: the lastlogontimestamp attribute has a treshold of 2 weeks, so recently added users might not occur in the output of the script.

Follow the next steps to run the script (no admin rights needed):

• copy and paste the script in your favorite text editor
• change the distinguished name of the nested group to your group distinguished name
• save the script (for example c:tempenumeratenestedgrouplastlogon.vbs)
• open a command prompt
• go to “c:temp”
• give “cscript enumeratenestedgrouplastlogon.vbs” (without quotes) and enter

The script:

' Name : enumeratenestedgrouplastlogon.vbs
' Description : script to enumerate the lastlogon of all users of a nested group
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 13-04-2010
' Level: intermediate

intBias = TimeZoneBias
strTargetGroupDN = "LDAP://CN=testgroup,OU=Groups,DC=test,DC=org"
EnumNestedgroup strTargetGroupDN
Sub EnumNestedgroup(strGroupDN)
	Set objGroup = GetObject(strGroupDN)
	For Each objMember in objGroup.Members
		If (LCase(objMember.Class) = "group") Then
			EnumNestedgroup objMember.AdsPath
		ElseIf TypeName(objMember.lastLogonTimeStamp) <> "Empty" Then
			Set objDate = objMember.lastLogonTimeStamp
			If (Err.Number <> 0) Then
				dtmDate = #1/1/1601#
			Else
				dtmDate = ((((objDate.Highpart * (2^32)) + objDate.LowPart)/(600000000 - intBias))/1440) + #1/1/1601#
			End If
			Set objDate = Nothing
			Wscript.Echo objMember.DisplayName & " ; " & objMember.Mail & " ; " & dtmDate
		End If
	Next
	Set objGroup = Nothing
End Sub

Function TimeZoneBias
	strComputer = "."
	Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\" & strComputer & "rootcimv2")
	Set colTimeZone = objWMIService.ExecQuery("Select * from Win32_TimeZone")
	For Each objTimeZone in colTimeZone
		TimeZoneBias = objTimeZone.Bias
	Next
	Set colTimeZone = Nothing
	Set objWMIService = Nothing
End Function

When you have problems/questions please post a reply or give a ‘star’ rating.

Happy scripting.

Best regards,

Dirk Adamsky – Deludi BV

Script for today is a mutation of my previous enumerate nested group script.
The script enumerates all nested group users with a citrix token.

Follow the next steps to run the script (no admin rights needed):

• copy and paste the script in your favorite text editor
• change the distinguished name of the nested group to your group distinguished name
• save the script (for example c:tempenumeratenestedgrouptokens.vbs)
• open a command prompt
• go to “c:temp”
• give “cscript enumeratenestedgrouptokens.vbs” (without quotes) and enter

The script:

' Name : enumeratenestedgrouptokens.vbs
' Description : script to enumerate the citrix tokens of a nested group
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 13-04-2010
' Level: intermediate
strTargetGroupDN = "LDAP://CN=testgroup,OU=groups,DC=test,DC=org"
EnumNestedgroup strTargetGroupDN
Sub EnumNestedgroup(strGroupDN)
	Set objGroup = GetObject(strGroupDN)
	For Each objMember in objGroup.Members
		If (LCase(objMember.Class) = "group") Then
			EnumNestedgroup objMember.AdsPath
		ElseIf objMember.[securecomputingCom2000-SafeWord-UserID] <> "" Then
			Wscript.Echo objMember.DisplayName & " ; " & objMember.Mail & " ; " & objMember.[securecomputingCom2000-SafeWord-UserID]
		End If
	Next
	Set objGroup = Nothing
End Sub

When you have problems/questions please post a reply or give a ‘star’ rating.

Happy scripting.

Best regards,

Dirk Adamsky – Deludi BV

This script enumerates all Citrix tokens in Active Directory.

Follow the next steps (no admin rights needed):

• open your favorite text editor
• copy and paste the script into the editor
• save the script (for example c:tempcitrixtokens.vbs)
• open a command prompt
• go to “c:temp”
• give “cscript citrixtokens.vbs” (without quotes) and enter

The script:

' Name : citrixtokens.vbs
' Description : script to enumerate citrix tokens
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 11-01-2010

Option Explicit
Dim adoCommand, adoConnection, strBase, strFilter, strAttributes, strCN, arrToken, strToken
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strUserDN, objUser, protocolSettings, strMail

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "mail,cn,securecomputingCom2000-SafeWord-UserID"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    On Error Resume Next
    If adoRecordset.Fields("securecomputingCom2000-SafeWord-UserID").Actualsize <> 0 Then
        strCN = adoRecordset.Fields("cn").Value
        strMail = adoRecordset.Fields("mail").Value
        arrToken = adoRecordset.Fields("securecomputingCom2000-SafeWord-UserID").Value
        For each strToken in arrToken
            If strToken > 0 Then
                Wscript.echo strMail & " ; " & strCN & " ; " & strToken
            End If
        Next
    End if
    'Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop
' Clean up.
adoRecordset.Close
adoConnection.Close

Set adoRecordset = Nothing
Set objRootDSE = Nothing
Set adoConnection = Nothing
Set adoCommand = Nothing