Through LDAP unable to read members of the domain admin group from Windows Server 2012 using vbscript

  • Question

  • Trying to read domain admin group members through VBScript, but unable to read. Throwing error on user server.

    object not a collection

    error message:nestgroup.vbs(68,4)Microsoft VBscript runtime error:object not a collection

    and this domain admin group contains group members.

    Domain Admins
    >>>>>Denied RODC Password Replication Group
    >>>>>Administrators

    But it's working in my local test Windows Server 2012.

    User Running it from member server. User is having domain admin rights.

    How to check LDAP issue in server or is there anything else?

    Option Explicit
    
    'Get all member of a group INCLUDING members from ALL NESTED groups.
    'Simply call the script with the samAccountName of the group.
    'If the group name contains spaces it should be ENCLOSED IN QUOTES,
    'IE scriptName.vbs "DOMAIN ADMINS"
    
    Dim objGroup
    
    'verify a group name was passed
    If WScript.Arguments.Count <> 1 Then
      WScript.Echo "NO GROUP PASSED"
      WScript.Echo "Usage:  scriptName <groupSamAccountName>"
      WScript.Quit
    End If
    
    'bind to the group
    Set objGroup = getGroup(WScript.Arguments(0))
    
    'enumerate the groups members
    enumMembers objGroup, ""
    
    Function getGroup(strGroupName)
      Dim objConn, objRecSet, strQueryString, objRootDSE, strQueryFrom
      Const adsOpenStatic = 3
    
      Set objRootDSE = GetObject("LDAP://RootDSE")
      strQueryFrom = "LDAP://" & objRootDSE.Get("defaultNamingContext")
    
      Set objConn = WScript.CreateObject("ADODB.Connection")
      objConn.Provider = "ADsDSOObject"
      objConn.Open
    
      strQueryString = "SELECT AdsPath FROM '" & strQueryFrom & "' " & _
                       "WHERE samAccountName = '" & strGroupName & "'"
    
      Set objRecSet = WScript.CreateObject("ADODB.Recordset")
    
      objRecSet.Open strQueryString, objConn, adsOpenStatic
    
      If objRecSet.RecordCount = 1 Then
        Set getGroup = GetObject(objRecSet("AdsPath"))
      Else
        WScript.Echo UCase(strGroupName) & " was not found in the domain.(" & objRootDSE.Get("defaultNamingContext") & ")"
        WScript.Quit
      End If
    End Function
    
    Sub enumMembers(ByRef objGroup, strInheritedFrom)
      Dim objMember
    
      For Each objMember In objGroup.Members '<---throwing error by saying "object not a collection"
        If LCase(objMember.class) = "group" Then
          WScript.Echo objMember.SamAccountName
        End If
      Next
    End Sub


    • Edited by lakshjo Friday, July 20, 2018 7:24 AM
    • Moved by Bill_Stewart Tuesday, December 11, 2018 9:18 PM This is not "fix/debug/rewrite this script I found on the Internet" forum
    Thursday, July 19, 2018 1:54 PM

All replies

  • You must post the complete error message.

    You should not be using VBScript anymore.  PowerShell has CmdLets to do these things.


    \_(ツ)_/

    Thursday, July 19, 2018 2:12 PM
  • I don't get your error, even if the group is empty. As suggested, post the complete error message.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, July 19, 2018 2:21 PM
  • Here is the full code to get group members in PowerShell.

    $g = ([adsisearcher]'(SamAccountName=testgrp2)').FindOne()
    $group = [adsi]$g.Path
    $group.member


    \_(ツ)_/

    Thursday, July 19, 2018 2:25 PM
  • # Get-GroupMembersRecursive.ps1
    Param
    (
        [parameter(Mandatory=$True)]
        [String]$Group
    )
    $DN = ([adsisearcher]"sAMAccountName=$Group").FindOne().Properties.distinguishedname
    if ($DN) {
        ([adsisearcher]"(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$DN))").FindAll() | foreach {
            ([adsi]$_.Path).sAMAccountName
        }
    }
    
    # Usage:
    # powershell.exe -File Get-GroupMembersRecursive.ps1 -Group "Domain Admins"

    Thursday, July 19, 2018 5:53 PM
  • Could you provide the AD version - domain controllers and domain level? Yes, this error is strange - the script should work properly with an empty group.

    Are you aware that you will receive only the names of groups that are members of the group you are querying?

    Thursday, July 19, 2018 10:30 PM
  • Yes, that's true, PowerShell does this thing, but currently we have a working VBScript to fetch user details. It's working on other servers; only for a particular domain it's failing.


    Friday, July 20, 2018 6:58 AM
  • Yes, that's true, PowerShell does this thing, but currently we have a working VBScript to fetch user details. It's working on other servers; only for a particular domain it's failing.


    Which would tell you that the issue is not caused by the script.


    \_(ツ)_/

    Friday, July 20, 2018 7:01 AM
  • here is the error message

    error message:nestgroup.vbs(68,4)Microsoft VBscript runtime error:object not a collection

    Yes, you're correct, PowerShell does these things, but currently we have a working VBScript. It's working fine for other domains; only for a particular domain it's failing to read group members.

    Friday, July 20, 2018 7:22 AM
  • here is the error message

    error message:nestgroup.vbs(68,4)Microsoft VBscript runtime error:object not a collection

    and this domain admin group contains group members.

    Domain Admins
    >>>>>Denied RODC Password Replication Group
    >>>>>Administrators

    Currently we have a working VBScript. It works fine in other domains; only for a particular domain it's failing.

    Any suggestions, please?

    Friday, July 20, 2018 7:26 AM
  • The error is due to a badly designed script that doesn't gracefully handle errors.  It means that no objects were found.

    The error says line 68 but the script posted does not have that many lines.

    The variable objGroup was never found.


    \_(ツ)_/

    Friday, July 20, 2018 7:30 AM
  • It's a Microsoft Windows Server 2012 R2,

    and it's the primary domain controller and some member servers of that domain.

    Yes, I need only the members of that group. Currently the issue is that it's unable to read the group members.

    here is the error message

    error message:nestgroup.vbs(68,4)Microsoft VBscript runtime error:object not a collection

    and this domain admin group contains group members.

    Domain Admins
    >>>>>Denied RODC Password Replication Group
    >>>>>Administrators

    Currently we have a working VBScript. It works fine in other domains; only for a particular domain it's failing.

    Any suggestions, please?

    Friday, July 20, 2018 7:31 AM
  • I repeat - you claim this is working in all but one domain.  That tells us that the issue is not the script.  You will have to do some troubleshooting.

    Suggestion: Use PowerShell to test getting the group.


    \_(ツ)_/

    Friday, July 20, 2018 7:33 AM
  • Yes, I will provide you evidence that the script is working on our test server.

    I ran that script like this:
    cscript nestgroup.vbs "Domain admins"

    here is the result:
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.

    testgroup1
    WiseSoft
    Administradores de organizaci¢n
    test
    SysAdminsA

    It listed out the group members of the domain admin group.
    But you can see it's failing in that domain.. I don't know why..:)

    • Edited by lakshjo Friday, July 20, 2018 7:39 AM
    Friday, July 20, 2018 7:38 AM
  • Please contact your Domain Admins or Microsoft support for help with this.  This forum is not a network support forum.


    \_(ツ)_/

    Friday, July 20, 2018 7:40 AM
  • ok sure i will check.
    thanks for help.
    Friday, July 20, 2018 7:46 AM
  • Okay :)

    I just posted this script here to check if there is any issue with the script.
    Thanks for the suggestion :)

    • Edited by lakshjo Friday, July 20, 2018 7:50 AM
    Friday, July 20, 2018 7:46 AM
  • Not OK. As @jrv said, your script doesn't have line number 68; you have only 58 lines. So what is the source of your error message? I don't think it is the script presented at the top, because it is strictly impossible to receive this error. If you want to do the validation, please present your current real script.
    Friday, July 20, 2018 8:39 AM
  • OK, here you can see the same script. I just formatted the script before posting it here; that caused the confusion.

    Sorry for that.

    Here you can see, if you copy it to Notepad, the same line number which is throwing the error:
    ==================================================
    Option Explicit
     
     
     
    'Get all member of a group INCLUDING members from ALL NESTED groups.
    'Simply call the script with the samAccountName of the group.
    'If the group name contains spaces it should be ENCLOSED IN QUOTES,  
    'IE scriptName.vbs "DOMAIN ADMINS"
     
    Dim objGroup
     
     
    'VERIFY A GROUP NAME WAS PASSED
    If wscript.arguments.count <> 1 Then
      wscript.echo "NO GROUP PASSED"
      wscript.echo "Usage:  scriptName <groupSamAccountName>"
      wscript.quit
    End If
     
     
    'BIND TO THE GROUP   
    Set objGroup = getGroup(wscript.Arguments(0))
     
    WScript.Echo "from function getGroup():objGroup"& TypeName(objGroup)
    If IsEmpty(objGroup) Then 'IsEmpty is True when nothing was assigned
        wscript.echo "No,object doesnot contain value"
    Else
        wscript.echo "yes,object contain value"
    End If

    'ENUMERATE THE GROUPS MEMBERS
    enumMembers objGroup, ""
     
         
     
    Function getGroup(strGroupName)
      Dim objConn, objRecSet, strQueryString, objRootDSE, strQueryFrom
      Const adsOpenStatic = 3
     
     
       Set objRootDSE = GetObject("LDAP://RootDSE")
       strQueryFrom = "LDAP://" & objRootDSE.get("defaultNamingContext")
     
       Set objConn = wscript.CreateObject("ADODB.Connection")
       objConn.Provider = "ADsDSOObject"
       objConn.Open
     
       strQueryString = "SELECT AdsPath FROM '" & strQueryFrom & "' " & _  
                "WHERE samAccountName = '" & strGroupName & "'"
     
       Set objRecSet = wscript.CreateObject("ADODB.Recordset")
     
       objRecSet.Open strQueryString, objConn, adsOpenStatic
     
        If objRecSet.recordCount = 1 Then
          wscript.echo "adspath="& objRecSet("AdsPath")
          Set getGroup = GetObject(objRecSet("AdsPath"))
        Else
          wscript.echo ucase(strGroupName) & " was not found in the domain.(" & objRootDSE.get("defaultNamingContext") & ")"
          wscript.quit
        End If
    End Function
     
     
    Sub enumMembers(byRef objGroup, strInheritedFrom)
     Dim objMember
     
       For Each objMember In objGroup.Members
         If lcase(objMember.class) = "group" Then
        wscript.echo objMember.samAccountName
       End If
     
     
     Next
    End Sub

    Friday, July 20, 2018 9:30 AM
  • # Get-GroupMembersRecursive.ps1
    Param
    (
        [parameter(Mandatory=$True)]
        [String]$Group
    )
    $DN = ([adsisearcher]"sAMAccountName=$Group").FindOne().Properties.distinguishedname
    if ($DN) {
        ([adsisearcher]"(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$DN))").FindAll() | foreach {
            ([adsi]$_.Path).sAMAccountName
        }
    }
    
    # Usage:
    # powershell.exe -File Get-GroupMembersRecursive.ps1 -Group "Domain Admins"

    It worked on our test servers.
    Let's see with the user. Thanks for the help.

    Friday, July 20, 2018 10:03 AM
  • What exactly is the purpose of your script? In the beginning it says: 'Get all member of a group INCLUDING members from ALL NESTED groups. But as far as I can tell it will only find groups that are direct members of the group in question. It will not list any users.
    Friday, July 20, 2018 1:27 PM
  • What exactly is the purpose of your script? In the beginning it says: 'Get all member of a group INCLUDING members from ALL NESTED groups. But as far as I can tell it will only find groups that are direct members of the group in question. It will not list any users.

    Yes, actually initially I wanted to check the nested groups also. But when the script started failing I modified it so that at least I can read the direct group members of that "domain admins" group.
    I will tell you the actual scenario: in the main script, the script is unable to read the members of that domain admin group as well as the nested groups.
    For testing purposes I am using this script to check the issue.
    But I am unable to figure out why the script is failing to read the group members of the domain admin group.


    I hope this statement will be clear for you.

    Friday, July 20, 2018 2:07 PM
  • I'm sorry, I have read your statement several times but am still none the wiser. Did you want a list of users or groups? Your script will list direct members, but only group objects. My script will list all members recursively, but only user objects.
    Friday, July 20, 2018 2:44 PM
  • I'm sorry, I have read your statement several times but am still none the wiser. Did you want a list of users or groups? Your script will list direct members, but only group objects. My script will list all members recursively, but only user objects.

    I need only the list of groups, not users.

    And I modified your code to work with groups and it worked on our test servers.

    Param
    (
        [parameter(Mandatory=$True)]
        [String]$Group
    )
    $DN = ([adsisearcher]"sAMAccountName=$Group").FindOne().Properties.distinguishedname
    if ($DN) {
        # In this place I put group instead of user; it works
        ([adsisearcher]"(&(objectClass=group)(memberOf:1.2.840.113556.1.4.1941:=$DN))").FindAll() | foreach {
            ([adsi]$_.Path).sAMAccountName
        }
    }

    # Usage:
    # powershell.exe -File Get-GroupMembersRecursive.ps1 -Group "Domain Admins"


    • Edited by lakshjo Monday, July 23, 2018 9:24 AM
    Monday, July 23, 2018 9:21 AM
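
A hardened form of the group-only query above, as an added example that is not part of any post in this thread: it escapes the group name and the DN before they go into the LDAP filter and fails with a clear message when the group cannot be found. It assumes a domain-joined host; `ConvertTo-LdapFilterValue` and `Get-NestedGroup` are names made up for this example.

```powershell
# Added example, not code from the thread. Function names are this example's own.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory=$true)][string]$Value)
    # RFC 4515: \ * ( ) and NUL must be written as a backslash plus two hex digits,
    # otherwise a name such as "a)(objectClass=*" changes the meaning of the filter.
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function Get-NestedGroup {
    param([Parameter(Mandatory=$true)][string]$Group)

    $name  = ConvertTo-LdapFilterValue $Group
    $found = ([adsisearcher]"(&(objectCategory=group)(sAMAccountName=$name))").FindOne()
    if (-not $found) {
        # FindOne() returns $null when nothing matches; stop here instead of
        # enumerating members of an object that was never bound.
        throw "Group '$Group' was not found in the current domain."
    }

    # The DN is a filter value too, so it gets the same escaping.
    $dn = ConvertTo-LdapFilterValue ([string]$found.Properties['distinguishedname'][0])

    # 1.2.840.113556.1.4.1941 (matching rule in chain) makes the domain controller
    # walk the nesting, so the script issues one query and cannot recurse forever
    # when two groups are members of each other.
    $searcher = [adsisearcher]"(&(objectCategory=group)(memberOf:1.2.840.113556.1.4.1941:=$dn))"
    $searcher.PageSize = 500                       # page results instead of stopping at the server limit
    [void]$searcher.PropertiesToLoad.Add('samaccountname')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            [string]$r.Properties['samaccountname'][0]
        }
    }
    finally {
        $results.Dispose()                         # SearchResultCollection holds unmanaged resources
    }
}

# Usage:
# Get-NestedGroup -Group 'Domain Admins'
```
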
  • Here You have script that dumps all nested groups:

    Option Explicit 
     
    'Get all member of a group INCLUDING members from ALL NESTED groups. 
    'Simply call the script with the samAccountName of the group. 
    'If the group name contains spaces it should be ENCLOSED IN QUOTES,  
    'IE scriptName.vbs "DOMAIN ADMINS" 
     
    'VERIFY A GROUP NAME WAS PASSED 
    If wscript.arguments.count <> 1 Then 
      wscript.echo "NO GROUP PASSED" 
      wscript.echo "Usage:  scriptName <groupSamAccountName>" 
      wscript.quit 
    End If 
     
    getGroup WScript.Arguments(0) 
         
     
    Function getGroup(ByVal strGroupName) 
        Const adsOpenStatic = 3 
    
        'BIND TO THE GROUP   
        dim objRootDSE: Set objRootDSE = GetObject("LDAP://RootDSE") 
        dim strQueryFrom: strQueryFrom = "LDAP://" & objRootDSE.get("defaultNamingContext") 
     
        dim objConn: Set objConn = wscript.CreateObject("ADODB.Connection") 
        objConn.Provider = "ADsDSOObject" 
        objConn.Open 
     
        dim strQueryString: strQueryString = "SELECT AdsPath FROM '" & strQueryFrom & "' " & _  
                "WHERE samAccountName = '" & strGroupName & "'" 
     
        dim objRecSet: Set objRecSet = wscript.CreateObject("ADODB.Recordset") 
     
        objRecSet.Open strQueryString, objConn, adsOpenStatic 
     
        If objRecSet.recordCount = 1 Then 
            'wscript.echo "adspath="& objRecSet("AdsPath")
            dim objGroup: Set objGroup = GetObject(objRecSet("AdsPath"))
    
            dim objMember: For Each objMember In objGroup.Members 
                If lcase(objMember.class) = "group" Then 
                    wscript.echo objMember.sAMAccountName 
                    getGroup objMember.sAMAccountName
                End If 
            next 
        Else 
            'wscript.echo ucase(strGroupName) & " was not found in the domain.(" & objRootDSE.get("defaultNamingContext") & ")" 
            'wscript.quit 
        End If 
    End Function 'getGroup

    Just copy/paste the script and verify.


    • Edited by e-micra Tuesday, July 24, 2018 11:40 AM
    Tuesday, July 24, 2018 11:39 AM
  • thanks i will check.
    thanks for help.
    Wednesday, July 25, 2018 1:27 PM