VBS logon script not enumerating memberOf attribute in AD

When you create a user in AD and assing a login script to do something based on memberOf attribute and you assign only one group to that user you will run in a strange situation.

User is a member of the group, has all privileges, windows sees them but when you use logon vbs script it seems to not work. When you implement

On Error Resume Next

in your script you won’t get any error output.

But the problem is with memberOf attribute itself:

According to this: http://www.rlmueller.net/MemberOf.htm if memberOf has only one group (apart from primary group) it is stored as String and not as Variant(). VBS “for each” expects an array, and when it finds String it raises an error. When you have on error resume next (like me) in your VBS you won’t get any errors.

My simple fix for this error was assinging every user a second group, thus when you added proper group to the user, vbs scripts saw 2 groups and returned variant() instead of string 🙂

Above link provides deep explanation of that behaviour and some fixes for it.

Very good reading.


By |2015-09-22T13:57:10+00:00September 1st, 2014|Active Directory, Errors and fixes, Microsoft, Windows Server|0 Comments

About the Author:

I am passionate about Systems Administration. I like to face new challenges and test new environments.Windows and Linux Debian boxes (both physical and virtual) are my favourites. I like solving problems related to Windows Server roles and services as well as Linux but some distributions in particular. I'm not considering myself as Linux master but surely, I always do my best to fit the needs. On the other hand I consider myself as a Windows Server Professional and in terms of WS and Windows Desktops I always follow best practices, good advices and opinions from other admins.

Leave A Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.