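' --------------------------------------------- '
' ----- Jakob H. Heidelberg @ 19-06-2007 ----- '
' ----- www.windowsecurity.com            ----- '
' ----- - - - - - - - - - - - - - - - - - ----- '
' ----- Version: 2.00                     ----- '
' ----- Last rev. date: 19-06-2007        ----- '
' --------------------------------------------- '
'
' ShadowGroup.vbs
' Keeps the membership of a "shadow" group identical to the set of user
' objects placed directly inside one OU (sub-OUs are not walked):
'   * every user in the OU that is not yet a member is appended,
'   * every member of the group that is not in the OU is removed.
'
' Security / operational notes:
'   * The account running this script needs only "Write Members" on the
'     shadow group plus read access to the OU - delegate exactly that;
'     do not run it as a Domain Admin from a scheduled task.
'   * Because the removal loop deletes every member that is missing from
'     the OU snapshot, a failed bind or enumeration of the OU must abort
'     the run. The original version swallowed every error, so a typo in
'     the OU DN or a transient LDAP failure would empty the group.
'   * The container filter "user" matches objectClass=user, which in AD
'     also covers computer objects; computers in the OU therefore end up
'     in the group as well.
'   * GetEx("member") returns the values the server hands back in a single
'     read; on very large groups the directory may truncate that list
'     (ranged retrieval), in which case members beyond the limit are not
'     compared.
'
'-------'
' USAGE '
'-------'
'ShadowGroup.vbs "strTargetOU" "strShadowGrp"
'Eg.: ShadowGroup.vbs "OU=Test,DC=Contoso,DC=Local" "cn=Shadow,OU=Test,DC=Contoso,DC=Local"
'
' Exit codes: 0 = all changes applied, 1 = usage/bind/enumeration failure
'             (nothing touched), 2 = some individual add/remove failed.

Option Explicit

'Constants (IADs.PutEx control codes)
Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4
'Raised by GetEx when the attribute has no values (E_ADS_PROPERTY_NOT_FOUND)
Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D

'Declare variables
Dim strTargetOU, strShadowGrp
Dim objArgs, oTargetOU, objGroup
Dim usr, mbr, arrMemberOf, strDN
Dim dictOUUsers, dictGrpUsers
Dim OUUser, GrpUser
Dim nErrors : nErrors = 0

'Error handling: errors are inspected explicitly after every directory
'call instead of being ignored, so a failed step cannot be mistaken for
'"no users in OU" and cascade into mass removals.
On Error Resume Next

'Get input from Arguments
If WScript.Arguments.Count = 2 Then
    Set objArgs = WScript.Arguments
    strTargetOU = objArgs(0)
    strShadowGrp = objArgs(1)
Else
    'WScript.Echo works both under cscript (console) and wscript (dialog);
    'MsgBox would block an unattended/scheduled run forever.
    WScript.Echo "Wrong number of arguments!"
    WScript.Echo "Usage: ShadowGroup.vbs ""OU=...,DC=..."" ""CN=...,OU=...,DC=..."""
    WScript.Quit 1
End If

'Dictionaries keyed by distinguishedName. DNs are compared case-insensitively
'(vbTextCompare); the original used an undeclared name that evaluated to
'binary compare.
Set dictOUUsers = CreateObject("Scripting.Dictionary")
dictOUUsers.CompareMode = vbTextCompare
Set dictGrpUsers = CreateObject("Scripting.Dictionary")
dictGrpUsers.CompareMode = vbTextCompare

'Get OU - abort if the bind fails
Err.Clear
Set oTargetOU = GetObject("LDAP://" & strTargetOU)
If Err.Number <> 0 Then
    WScript.Echo "Cannot bind to OU " & strTargetOU & ": " & Err.Description
    WScript.Quit 1
End If
oTargetOU.Filter = Array("user")

'Get Users from OU (not Sub OU's)
For Each usr In oTargetOU
    strDN = usr.distinguishedName
    If Err.Number <> 0 Then
        WScript.Echo "Enumeration of " & strTargetOU & " failed: " & Err.Description
        WScript.Quit 1
    End If
    If Len(strDN) > 0 Then
        If Not dictOUUsers.Exists(strDN) Then dictOUUsers.Add strDN, strDN
    End If
Next
'The For Each statement itself may have raised (e.g. access denied)
If Err.Number <> 0 Then
    WScript.Echo "Enumeration of " & strTargetOU & " failed: " & Err.Description
    WScript.Quit 1
End If
Set oTargetOU = Nothing

'Get Users from Group - abort if the bind or read fails
Err.Clear
Set objGroup = GetObject("LDAP://" & strShadowGrp)
If Err.Number <> 0 Then
    WScript.Echo "Cannot bind to group " & strShadowGrp & ": " & Err.Description
    WScript.Quit 1
End If
objGroup.GetInfo
If Err.Number <> 0 Then
    WScript.Echo "Cannot read group " & strShadowGrp & ": " & Err.Description
    WScript.Quit 1
End If
arrMemberOf = objGroup.GetEx("member")
If Err.Number <> 0 Then
    'An empty group has no "member" attribute at all; only that case is
    'treated as "no members". Any other failure aborts before changes.
    If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
        WScript.Echo "Cannot read members of " & strShadowGrp & ": " & Err.Description
        WScript.Quit 1
    End If
    Err.Clear
    arrMemberOf = Array()
End If
For Each mbr In arrMemberOf
    If Not dictGrpUsers.Exists(mbr) Then dictGrpUsers.Add mbr, mbr
Next
Set objGroup = Nothing

If dictOUUsers.Count = 0 And dictGrpUsers.Count > 0 Then
    WScript.Echo "Warning: OU " & strTargetOU & " holds no user objects; all " & _
                 dictGrpUsers.Count & " current members will be removed."
End If

'Add user to Group
'A fresh bind per change (as in the original) keeps a failed SetInfo from
'leaving a stale pending value in the property cache of the next change.
For Each OUUser In dictOUUsers.Items
    If Not dictGrpUsers.Exists(OUUser) Then
        Err.Clear
        Set objGroup = GetObject("LDAP://" & strShadowGrp)
        objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(OUUser)
        objGroup.SetInfo
        If Err.Number <> 0 Then
            WScript.Echo "Failed to add " & OUUser & ": " & Err.Description
            nErrors = nErrors + 1
            Err.Clear
        End If
        Set objGroup = Nothing
    End If
Next

'Remove user from Group
For Each GrpUser In dictGrpUsers.Items
    If Not dictOUUsers.Exists(GrpUser) Then
        Err.Clear
        Set objGroup = GetObject("LDAP://" & strShadowGrp)
        objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(GrpUser)
        objGroup.SetInfo
        If Err.Number <> 0 Then
            WScript.Echo "Failed to remove " & GrpUser & ": " & Err.Description
            nErrors = nErrors + 1
            Err.Clear
        End If
        Set objGroup = Nothing
    End If
Next

'Close dictionary objects
Set dictOUUsers = Nothing
Set dictGrpUsers = Nothing

If nErrors > 0 Then WScript.Quit 2
WScript.Quit 0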