;; 
;;=====================================================================================----- 
;; 
;;FUNCTION       AdGroupMember() 
;; 
;;ACTION         List or Modify an AD Group's contents 
;; 
;;AUTHOR         Glenn Barnas 
;; 
;;VERSION        1.0  - 2009/12/15 
;; 
;;HISTORY        1.0  - 2009/12/15 - Initial Release 
;; 
;;SYNTAX         AdGroupMember(Action, Group [, Object]) 
;; 
;;PARAMETERS     Action - REQUIRED - Defines what to do 
;;                * LIST	Return list of member DN strings 
;;                * LISTU	Return list of member SAM Account Names (User IDs) 
;;                * ADD 	Add the list of DNs to the group 
;;                * DELETE	Remove the list of DNs from the group 
;;                * REPLACE	Replace the group members with the list of DNs 
;;                * CLEAR	Remove all users from a group 
;; 
;;               Group - REQUIRED - the group DN string, with or without an "LDAP://" prefix. 
;; 
;;               Object - OPTIONAL - Array of DN strings for the object(s) to add to or remove from the group. 
;;               The Object is required for all actions except LIST(U) and CLEAR. 
;;               Array elements should NOT contain an "LDAP://" prefix. 
;; 
;;REMARKS        Utility UDF to read/write AD group membership objects.  
;;		 See the GroupMember UDF for similar capabilities for managing Local 
;;               groups via NTDS 
;; 
;;RETURNS        LIST/LISTU: Array of strings; modify actions: Int (1=success). 
;;               Action=LIST:   Array of DN strings 
;;               Action=LISTU:  Array of UserID strings 
;;               Action=others: Boolean - 1 (success) or 0 (fail) 
;; 
;;DEPENDENCIES   ADSI 
;; 
;;TESTED WITH    W2K, WXP, W2K3 
;; 
;;EXAMPLES       $GroupDN = 'CN=Domain Users,CN=users,DC=contoso,DC=com' 
;;               $UserDN[0] = 'CN=Doe\, John,CN=Users,DC=contoso,DC=com' 
;;               If AdGroupMember('ADD', $GroupDN, $UserDN) 
; 
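Function AdGroupMember($_Action, $_GroupDN, OPTIONAL $_aObjectDN)
  ; Read or modify the 'member' attribute of an AD group through ADSI.
  ;   $_Action    - LIST, LISTU, ADD, DELETE, REPLACE or CLEAR (see header)
  ;   $_GroupDN   - group DN, with or without the 'LDAP://' prefix
  ;   $_aObjectDN - array of member DNs (no prefix); required for ADD/DELETE/REPLACE
  ; Returns: LIST   -> array of member DN strings
  ;          LISTU  -> array of sAMAccountName values, one slot per member
  ;          others -> 1 on success, 0 on failure
  ;          an empty group yields '' (not an empty array) with @ERROR = 0
  ; @ERROR:  87 (ERROR_INVALID_PARAMETER) for an unknown verb or a missing DN
  ;          array, otherwise the error code of the failing ADSI/COM call.
  ;          For LISTU a non-zero @ERROR with an array result means at least one
  ;          member could not be resolved; that member's slot is ''.
  ; The modify verbs write to the directory (at SetInfo) under the caller's
  ; security context.  DN strings are handed to ADSI unchanged, so the caller
  ; must supply trusted, well-formed DNs.

  Dim $_objGroup        ; ADSI group object
  Dim $_objUser         ; ADSI member object (LISTU only)
  Dim $_AdsProp         ; ADS_PROPERTY_* operation code passed to PutEx
  Dim $_aMembers        ; member DN array returned by GetEx
  Dim $_aTmp, $_I       ; sAMAccountName array, loop index
  Dim $_Err             ; saved @ERROR so later statements cannot clobber it

  $AdGroupMember = 0    ; be pessimistic (assume failure)

  ; Map the verb to its ADS_PROPERTY_* code before touching the directory,
  ; so an invalid call costs no directory bind.  0 marks the read-only verbs.
  Select
   Case $_Action = 'LIST' Or $_Action = 'LISTU'
    $_AdsProp = 0       ; read only
   Case $_Action = 'ADD'
    $_AdsProp = 3       ; ADS_PROPERTY_APPEND
   Case $_Action = 'DELETE'
    $_AdsProp = 4       ; ADS_PROPERTY_DELETE
   Case $_Action = 'REPLACE'
    $_AdsProp = 2       ; ADS_PROPERTY_UPDATE
   Case $_Action = 'CLEAR'
    $_AdsProp = 1       ; ADS_PROPERTY_CLEAR
   Case 1
    Exit 87             ; unknown verb: ERROR_INVALID_PARAMETER
  EndSelect

  ; ADD/DELETE/REPLACE (codes 2..4) need an array of DNs;
  ; VarType >= 8192 means the VT_ARRAY flag is set.
  If $_AdsProp > 1 And VarType($_aObjectDN) < 8192
    Exit 87
  EndIf

  If Left($_GroupDN, 7) <> 'LDAP://'
    $_GroupDN = 'LDAP://' + $_GroupDN   ; ensure an ADsPath
  EndIf

  ; bind to the group; propagate the ADSI error code if the bind fails
  $_objGroup = GetObject($_GroupDN)
  If @ERROR Exit @ERROR EndIf

  If $_AdsProp                  ; ---- modify action ----
    If $_AdsProp = 1
      $_aObjectDN = 0           ; CLEAR carries no value list
    EndIf
    $_objGroup.PutEx($_AdsProp, 'member', $_aObjectDN)
    $_objGroup.SetInfo          ; commit: this is the directory write
    $_Err = @ERROR
    $AdGroupMember = Not $_Err
    Exit $_Err
  EndIf

  ; ---- list action ----
  ; NOTE(review): GetEx returns at most the server's MaxValRange values per call
  ; (commonly 1000-1500); very large groups would need ranged retrieval - confirm.
  $_aMembers = $_objGroup.GetEx('member')
  $_Err = @ERROR
  ; an error -2147352567 here indicates the attribute is absent, i.e. the group
  ; has no members - not really an error, so only exit on other errors.
  If $_Err
    If $_Err = -2147352567      ; no group members
      $AdGroupMember = ''       ; return empty data
      Exit 0                    ; exit success
    Else
      Exit $_Err                ; exit error
    EndIf
  EndIf

  If $_Action <> 'LISTU'        ; LIST: return the member DNs as-is
    $AdGroupMember = $_aMembers
    Exit 0
  EndIf

  ; LISTU: resolve each member DN to its sAMAccountName.  A member that cannot
  ; be bound or lacks the attribute leaves '' in its slot and is reported
  ; through @ERROR instead of being silently dropped.
  Dim $_aTmp[UBound($_aMembers)]
  $_Err = 0
  For $_I = 0 To UBound($_aMembers)
    ; NOTE(review): a DN containing '/' must be escaped as '\/' inside an
    ; ADsPath; such members would fail to bind here - confirm if any exist.
    $_objUser = GetObject('LDAP://' + $_aMembers[$_I])
    If @ERROR
      $_Err = @ERROR            ; remember the failure, leave the slot empty
      $_aTmp[$_I] = ''
    Else
      $_aTmp[$_I] = $_objUser.sAMAccountName
      If @ERROR $_Err = @ERROR EndIf   ; member has no sAMAccountName
    EndIf
    $_objUser = 0
  Next
  $AdGroupMember = $_aTmp
  Exit $_Err                    ; 0 when every member resolved, else last lookup error

EndFunction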