2009-03-09

VBScript: Add Forefront Client Security computers to AD security group

We are deploying Microsoft Forefront Client Security (FCS) step by step, and for deployment of policies we have ended up using an AD security group (we did not want to deploy to an OU, as that automatically installs FCS, and we need to uninstall F-Secure first).

I have made some startup scripts and a script for manual installation that add the computer account to the group. But sometimes this fails (the computer might not have a working network connection at the moment, or someone installs the client without the script and forgets to add the computer to the group).

I have previously shown how to monitor FCS, and by digging into the OnePoint database in the same way, I was able to make a script that checks all registered computers.

The prerequisite for using this script is an ODBC DSN (this is quite simple; the only thing I did was make sure it points at the right database server and uses the OnePoint database as the default database).

As before, I have uploaded the script to my website:

' Add all computers from Mom's OnePoint database to an AD group
'
' Copyright (c) 2009 Rune Nordbøe Skillingstad <rune.skillingstad@ntnu.no>
'
' Make sure you have added an ODBC DSN for your MOM database
'
' This program is free software; you can redistribute it and/or modify
' it under the terms of the GNU General Public License as published by
' the Free Software Foundation; version 2 dated June, 1991.
'
' This program is distributed in the hope that it will be useful, but
' WITHOUT ANY WARRANTY; without even the implied warranty of
' MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
' General Public License for more details.
'
' You should have received a copy of the GNU General Public License
' along with this program; if not, write to the Free Software
' Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
' USA.
'
Option Explicit

' Errors are not fatal: a computer with no AD account, or an unreachable
' server, is skipped. The explicit Err checks below report the ones that matter.
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2
Const adOpenStatic = 3
Const adLockOptimistic = 3
Dim objConnection, objRecordSet
Dim objADConnection, objADCommand, objADRecordSet
Dim objDomainGroup
Dim strDSN, strDomain, strDomainGroup, strName
Dim isVerbose, cnt

' Change these settings to reflect your AD domain and Forefront configuration
strDSN = "OnePoint"
strDomain = "DC=domain,DC=no"
strDomainGroup = "CN=L_Computer_Forefront,OU=Groups," & strDomain
' If you want to display the computers that were missing from the group
' (and are added), set this to True
isVerbose = False

Set objConnection = CreateObject("ADODB.Connection")
Set objRecordSet = CreateObject("ADODB.Recordset")
Set objADConnection = CreateObject("ADODB.Connection")
Set objADCommand = CreateObject("ADODB.Command")

' Bind to the group once; everything below is pointless without it
Set objDomainGroup = GetObject("LDAP://" & strDomainGroup)
If Err.Number <> 0 Then
    WScript.Echo "Could not bind to " & strDomainGroup & ": " & Err.Description
    WScript.Quit 1
End If

cnt = 0

objADConnection.Provider = "ADsDSOObject"
objADConnection.Open "Active Directory Provider"
Set objADCommand.ActiveConnection = objADConnection

' Every computer MOM/FCS knows about, read from the OnePoint database via the DSN
objConnection.Open "DSN=" & strDSN & ";"
If Err.Number <> 0 Then
    WScript.Echo "Could not open DSN " & strDSN & ": " & Err.Description
    WScript.Quit 1
End If
objRecordSet.Open "SELECT Name FROM Computer ORDER BY Name", _
    objConnection, adOpenStatic, adLockOptimistic

Do Until objRecordSet.EOF
    strName = objRecordSet.Fields("Name").Value
    ' Find the computer account anywhere in the domain. The name comes straight
    ' from the database and is placed in the query unescaped, so the query
    ' assumes it contains no quote characters.
    objADCommand.CommandText = _
        "Select ADsPath from 'LDAP://" & strDomain & "' " _
        & "Where objectClass='Computer' " _
        & "AND Name = '" & strName & "'"
    objADCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

    Set objADRecordSet = objADCommand.Execute
    Do Until objADRecordSet.EOF
        If objDomainGroup.IsMember(objADRecordSet.Fields("ADsPath").Value) = False Then
            Err.Clear
            objDomainGroup.Add objADRecordSet.Fields("ADsPath").Value
            If Err.Number <> 0 Then
                WScript.Echo "Failed to add " & strName & ": " & Err.Description
                Err.Clear
            Else
                If isVerbose Then
                    WScript.Echo strName
                End If
                cnt = cnt + 1
            End If
        End If
        objADRecordSet.MoveNext
    Loop
    objADRecordSet.Close
    objRecordSet.MoveNext
Loop

objRecordSet.Close
objConnection.Close
objADConnection.Close
Set objRecordSet = Nothing
Set objConnection = Nothing
Set objADRecordSet = Nothing
Set objADCommand = Nothing
Set objADConnection = Nothing
Set objDomainGroup = Nothing

WScript.Echo cnt & " computers added to group"
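The same reconciliation in PowerShell, as an added example that is not the script from this post: it looks each computer up by identity instead of splicing the database value into an LDAP query string, takes one snapshot of the group membership rather than calling IsMember per computer, supports -WhatIf for a dry run, and reports names that are in OnePoint but have no AD account (the cases the post mentions as the reason the startup scripts fail). It assumes the RSAT ActiveDirectory module is installed, a DSN named OnePoint and a group named L_Computer_Forefront; these names are assumptions, adjust the parameters to your environment.

```powershell
# Added example, not the original post's VBScript. Assumptions (not from the post):
# the RSAT ActiveDirectory module is installed, an ODBC DSN named "OnePoint" exists,
# and the target group is named "L_Computer_Forefront".
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Dsn       = 'OnePoint',             # ODBC DSN pointing at the MOM OnePoint database
    [string]$GroupName = 'L_Computer_Forefront'  # AD security group the FCS policy is deployed to
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Read every computer name MOM/FCS knows about.
$conn = New-Object System.Data.Odbc.OdbcConnection("DSN=$Dsn;")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT Name FROM Computer ORDER BY Name'
    $reader = $cmd.ExecuteReader()
    $dbNames = @()
    while ($reader.Read()) {
        if (-not $reader.IsDBNull(0)) { $dbNames += $reader.GetString(0) }
    }
    $reader.Close()
} finally {
    $conn.Close()
}

# 2. Snapshot the current membership once, keyed by DN.
$group   = Get-ADGroup -Identity $GroupName -ErrorAction Stop
$members = New-Object 'System.Collections.Generic.HashSet[string]'
Get-ADGroupMember -Identity $group | ForEach-Object { [void]$members.Add($_.DistinguishedName) }

$added = 0; $missing = @(); $failed = @()
foreach ($name in $dbNames) {
    # 3. Resolve by identity (sAMAccountName); no filter string is built from $name.
    $computer = Get-ADComputer -Identity $name -ErrorAction SilentlyContinue
    if (-not $computer) { $missing += $name; continue }
    if ($members.Contains($computer.DistinguishedName)) { continue }

    # 4. Add, honouring -WhatIf / -Confirm, and keep going if one add fails.
    if ($PSCmdlet.ShouldProcess($name, "Add to $GroupName")) {
        try {
            Add-ADGroupMember -Identity $group -Members $computer -ErrorAction Stop
            $added++
            Write-Verbose "Added $name"
        } catch {
            $failed += "$name ($($_.Exception.Message))"
        }
    }
}

Write-Output "$added computers added to $GroupName"
if ($missing) { Write-Warning ("In OnePoint but not in AD: " + ($missing -join ', ')) }
if ($failed)  { Write-Warning ("Failed to add: " + ($failed -join '; ')) }
```

Run it once with -WhatIf to see which computers would be added before letting it change the group, and with -Verbose to get the per-computer output the VBScript's isVerbose flag provides. The "not in AD" warning is worth reading: a name that exists in OnePoint but has no computer account is usually a machine that was reimaged or renamed and still needs attention.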
