Language dependent values: add a user to Computers/Domain-Admins

Thread starter: Torsten Valentin

Torsten Valentin

In the past I got some help from the people in this forum. I needed to add a
user to the group "Builtin/Admins", while I didn't know about the language
version the DC is running. I got a hint to add the user using the well known
SID of that group. That worked pretty well and the following VB-code just
did what I wanted:
Set grp = GetObject("LDAP://" & GetDomainServer & _
    "/<SID=01020000000000052000000020020000>") ' SID for Builtin/Admins
grp.Add ("LDAP://CN=" & UserName & "," & Location)
' GetDomainServer, UserName and Location have been provided by other
' functions and are strings
Now I need to add a user to the group "Users/Domain-Admins" as well. But
"Users/Domain-Admins" does not have a well known SID like "Builtin/Admins"
as far as I know, so it seems like I cannot just convert the SID into the
HEX-stringized format and go like above.
Can anybody give me a hint, how to add a user to that group in a language
independent way?
Thanks in advance!
Regards,
T.
 
If you use the CMD.EXE command processor

net group "Domain Admins" "UserName" /ADD /domain

"Domain Admins" is language dependent. For example in a German Windows
version, this group is called "Domänen Admins" and the command will
therefore fail. Indeed, this is the problem!

T.
 
Hi,

See this link:

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/distrib/dsce_ctl_xgqv.asp

Each domain has a "Domain Admins" group with a decimal sid of the form:

S-1-5-21-1004336348-1177238915-682003330-512

where the "512" is the relative ID (RID). All "Domain Admins" groups have
this RID, while

21-1004336348-1177238915-682003330

is specific to the domain. Now, you can't bind to SIDs in this decimal form
(in W2k), so the SID for "Domain Admins" will be of the hex form:

010500000000000515000000xxxxxxxxxxxxxxxxxxxxxxxx00020000

where you need to retrieve the domain specific hex string
"xxxxxxxxxxxxxxxxxxxxxxxx". The way the hex bytes are transformed, the
decimal "512" converts to hex "0002". All users in the domain will have this
same string in their SIDs, but have a different RID. I'm trying to find a
clean way to determine this string, without relying on ADsSecurity.dll,
which will probably not be registered on the client.

One way would be to retrieve the objectSid of the current user and convert
to the hex form. This will work even if the user is Administrator. For
example (assuming the client is W2k or above, so ADSystemInfo is available):

Option Explicit
Dim objUser, objSysInfo, strSid, objDomainAdmins, strAdmin

' Bind to the current user and read its objectSid as a hex string.
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)
strSid = OctetToHexStr(objUser.objectSid)
' The first 48 hex characters are everything but the user's RID;
' append the RID of "Domain Admins" (512 = hex 0002, byte-swapped).
strAdmin = Mid(strSid, 1, 48) & "00020000"
Set objDomainAdmins = GetObject("LDAP://<SID=" & strAdmin & ">")

Function OctetToHexStr(arrbytOctet)
    ' Function to convert OctetString (byte array) to Hex string.
    Dim k
    OctetToHexStr = ""
    For k = 1 To LenB(arrbytOctet)
        OctetToHexStr = OctetToHexStr _
            & Right("0" & Hex(AscB(MidB(arrbytOctet, k, 1))), 2)
    Next
End Function

So far I haven't found a cleaner way. Documentation on this is obscure. The
terminology I use is my own.
 
Hi,

I found what I think is a better way to get the SID of the "Domain Admins"
group. The SID of the domain object, in the hex format, is in the form:

010400000000000515000000xxxxxxxxxxxxxxxxxxxxxxxx

where the string "xxxxxxxxxxxxxxxxxxxxxxxx" is the domain specific string we
need. In fact, the complete SID can be used, except that the beginning
"0104" must be replaced with "0105". For example:

' Bind to the domain object and read the domain SID as a hex string.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
Set objDomain = GetObject("LDAP://" & strDNSDomain)
strSid = OctetToHexStr(objDomain.objectSid)
' Replace the leading "0104" with "0105" (one more sub-authority) and
' append the RID of "Domain Admins".
strAdmin = "0105" & Mid(strSid, 5) & "00020000"

Set objDomainAdmins = GetObject("LDAP://<SID=" & strAdmin & ">")

where the function OctetToHexStr is the same as before. The advantage here
is that you can determine the current domain programmatically. If you are
dealing with another domain, you just need to be able to bind to the domain.
Then you can find the domain specific portion of the SID and append the RID
for the "Domain Admins" group.

--
Richard
Microsoft MVP Scripting and ADSI
http://www.rlmueller.net
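The two derivations Richard describes (trim the RID off any account's SID, or
bump the sub-authority count of the domain SID and append RID 512) are easier
to check with a small converter between the decimal, binary and hex SID forms.
The following Python is an added example written for this thread; it is not
code from any poster or from Microsoft. It uses the domain SID quoted above as
sample input, treats RID 1105 as a constructed ordinary-account RID, and
generalises Richard's "0104" to "0105" trick to any sub-authority count.

```python
"""Convert Windows SIDs between the three forms used in this thread: the
decimal string (S-1-5-21-...-512), the binary objectSid, and the hex string
accepted by an LDAP://<SID=...> bind. Added example, not from the thread."""

# Sample values: the domain SID Richard quoted, plus a constructed RID.
SAMPLE_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_ACCOUNT_RID = 1105          # constructed: any non-well-known account RID
DOMAIN_ADMINS_RID = 512            # well-known RID of "Domain Admins"
BUILTIN_ADMINS_SID = "S-1-5-32-544"


def sid_to_bytes(sid: str) -> bytes:
    """Decimal SID string -> binary SID: revision byte, sub-authority count,
    48-bit big-endian identifier authority, then each sub-authority as a
    32-bit little-endian integer (this byte swap is why 512 shows as 0002)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID string: {sid!r}")
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if len(subauths) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    out = bytes([1, len(subauths)]) + authority.to_bytes(6, "big")
    for sub in subauths:
        out += sub.to_bytes(4, "little")
    return out


def bytes_to_sid(raw: bytes) -> str:
    """Binary SID -> decimal string, validating the length against the count."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("not a revision-1 binary SID")
    count = raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"expected {8 + 4 * count} bytes, got {len(raw)}")
    authority = int.from_bytes(raw[2:8], "big")
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little")
            for i in range(count)]
    return "S-1-" + "-".join(str(v) for v in [authority] + subs)


def sid_to_hex(sid: str) -> str:
    """Hex form used in LDAP://<SID=...>, uppercase like VBScript's Hex()."""
    return sid_to_bytes(sid).hex().upper()


def hex_to_sid(sid_hex: str) -> str:
    return bytes_to_sid(bytes.fromhex(sid_hex))


def group_hex_from_domain_hex(domain_hex: str, rid: int) -> str:
    """Richard's second method: add one sub-authority (the RID) to the domain
    SID. He does it as '0105' + Mid(strSid, 5) + '00020000'; incrementing the
    count byte is the same thing and works for any count."""
    raw = bytearray(bytes.fromhex(domain_hex))
    raw[1] += 1
    raw += rid.to_bytes(4, "little")
    return raw.hex().upper()


def domain_hex_from_member_hex(member_hex: str) -> str:
    """Richard's first method, inverted: any account or group SID in the
    domain minus its last sub-authority (the RID) is the domain SID."""
    raw = bytearray(bytes.fromhex(member_hex))
    if raw[1] < 1:
        raise ValueError("SID has no RID to strip")
    raw[1] -= 1
    return raw[:-4].hex().upper()


def rid_of(sid_hex: str) -> int:
    """Last sub-authority of a SID, e.g. 512 for a Domain Admins SID."""
    return int.from_bytes(bytes.fromhex(sid_hex)[-4:], "little")


if __name__ == "__main__":
    dom_hex = sid_to_hex(SAMPLE_DOMAIN_SID)
    acct_hex = sid_to_hex(f"{SAMPLE_DOMAIN_SID}-{SAMPLE_ACCOUNT_RID}")
    print("Builtin Admins  :", sid_to_hex(BUILTIN_ADMINS_SID))
    print("domain SID (hex):", dom_hex)
    print("Domain Admins   :", group_hex_from_domain_hex(dom_hex, DOMAIN_ADMINS_RID))
    print("via account SID :", group_hex_from_domain_hex(
        domain_hex_from_member_hex(acct_hex), DOMAIN_ADMINS_RID))
```

Run it and the two derived "Domain Admins" strings match each other and the
direct conversion of S-1-5-21-...-512, while the Builtin line reproduces the
hex SID from the first post. The same `rid_of` check is handy on the defending
side: when auditing group membership or ACLs across localized domains, compare
RIDs (512, 544) rather than display names, for exactly the reason this thread
started.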
 