Jump to content

Active Directory UDF


water
 Share

Recommended Posts

The Active Directory UDF is still under heavy development and testing.

When all functions are implemented and everything is well tested then version 1.0 will be released.

Until then every new release (e.g. 0.40) might contain script breaking changes.

What do you think about script breaking changes? Do you already have scripts that heavily rely on the UDF?

Please post your opinions.

Edited by water

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Hi,

I try to add a user in an AD group.

When I use the default script sample, I get an error.

; *****************************************************************************
; Example 1
; Add a user to a specified group.
; *****************************************************************************
#include <AD.au3>
#include <ButtonConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>

; Open Connection to the Active Directory
_AD_Open()

$iReply = MsgBox(308, "Active Directory Functions - Example 1", "This script adds a user to a group." & @CRLF & @CRLF & _
        "Are you sure you want to change the Active Directory?")
If $iReply <> 6 Then Exit

; Enter user account and group
#Region ### START Koda GUI section ### Form=
$Form1 = GUICreate("Active Directory Functions - Example 1", 514, 124)
GUICtrlCreateLabel("Enter the user account (samAccountName):", 8, 10, 231, 17)
GUICtrlCreateLabel("Enter the group name (without leading CN=):", 8, 42, 231, 17)
$lUser = GUICtrlCreateInput(@UserName, 241, 8, 259, 21)
$IGroup = GUICtrlCreateInput("", 241, 40, 259, 21)
$BOK = GUICtrlCreateButton("Assign user to group", 8, 72, 121, 33)
$BCancel = GUICtrlCreateButton("Cancel", 428, 72, 73, 33, BitOR($GUI_SS_DEFAULT_BUTTON, $BS_DEFPUSHBUTTON))
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###

While 1
    $nMsg = GUIGetMsg()
    Switch $nMsg
        Case $GUI_EVENT_CLOSE, $BCancel
            Exit
        Case $BOK
            $sUser = _AD_SamAccountNameToFQDN(GUICtrlRead($lUser))
            $sGroup = _AD_SamAccountNameToFQDN(GUICtrlRead($IGroup))
            ExitLoop
    EndSwitch
WEnd

; Add user to group
$iValue = _AD_AddUserToGroup($sUser, $sGroup)
If $iValue = 1 Then
    MsgBox(64, "Active Directory Functions - Example 1", "User '" & $sUser & "' successfully assigned to group '" & $sGroup & "'")
ElseIf @error = 1 Then
    MsgBox(64, "Active Directory Functions - Example 1", "Group '" & $sGroup & "' does not exist")
ElseIf @error = 2 Then
    MsgBox(64, "Active Directory Functions - Example 1", "User '" & $sUser & "' does not exist")
ElseIf @error = 3 Then
    MsgBox(64, "Active Directory Functions - Example 1", "User '" & $sUser & "' is already a member of group '" & $sGroup & "'")
Else
    MsgBox(64, "Active Directory Functions - Example 1", "Return code '" & @error & "' from Active Directory")
EndIf

; Close Connection to the Active Directory
_AD_Close()

Here are the errors

COM Error Encountered

Scriptline = 403

and

COM Error Encountered

Scriptline = 1718

Thanks,

Link to comment
Share on other sites

Hi TheBib,

could you please give me the COM error codes you receive? This makes traking the error much easier.

And could you please give an example of the data you enter in the GUI?

Line 403 is in the function _IsMemberOf so the user might already be a member of the group.

Thanks

Edited by water

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Hi!

Thank you so far, good work! :-)

I have some problems with _AD_GetObjectAttribute(),

especially when querying a lot of attributes (30+) for quite a lot of users (300+).

Error:

### COM error! Number: 80020009 ScriptLine: 366 Description: Die Tabelle ist nicht vorhanden.

D:\AUTOIT\Include\Water\AD\AD.au3 (369) : ==> Object referenced outside a "With" statement.:

Local $sAD_LDAPEntry = $oAD_RecordSet.fields(0).value

Local $sAD_LDAPEntry = $oAD_RecordSet.fields(0)^ ERROR

When querying less users (but with the same set of attributes) it works without any errors...

Furthermore I would like to see _AD_GetObjectAttribute() to be able to return valid values

for "accountExpires", "lastLogon", "lastLogonTimestamp", "objectGUID" and "objectSID" (any many more :-)...

Therefore I have modified this function to feed my needs:

Func _AD_GetObjectAttribute2($sAD_SamAccountName, $sAD_Attribute)
    If _AD_ObjectExists($sAD_SamAccountName) = 0 Then Return SetError(1, 0, 0)
    Local $sAD_Query = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(sAMAccountName=" & $sAD_SamAccountName & ");ADsPath;subtree"
    Local $oAD_RecordSet = $oAD_Connection.Execute($sAD_Query) ; Retrieve the FQDN for the object
    Local $sAD_LDAPEntry = $oAD_RecordSet.fields(0).value
    Local $oAD_Object = _AD_ObjGet($sAD_LDAPEntry) ; Retrieve the COM Object for the object
    Local $sAD_Result = $oAD_Object.Get($sAD_Attribute)
    ; ----------
    Select
        Case $sAD_Attribute = "accountExpires" Or $sAD_Attribute = "lastLogon" Or $sAD_Attribute = "lastLogonTimestamp"
            Local $iAD_HighPart = $sAD_Result.HighPart ; Convert IADsLargeInteger parts to 100ns count.
            Local $iAD_LowPart  = $sAD_Result.LowPart ; Convert IADsLargeInteger parts to 100ns count.
            If $iAD_LowPart < 0 Then $iAD_HighPart += 1 ; Compensate for IADsLargeInteger interface error.
            Local   $iAD_Dummy  = $iAD_HighPart * 2 ^ 32
                    $iAD_Dummy += $iAD_LowPart
            If $iAD_Dummy = 0 Then
                $sAD_Result = 0 ; User has never logged on.
            Else
                Local $iAD_Floor = Floor($iAD_Dummy / 10000000) ; Convert 100ns count to integer seconds.
                $sAD_Result = _DateAdd("s", $iAD_Floor, "1601/01/01 00:00:00") ; Convert seconds since 12:00am January 01, 1601 to date string (Coordinated Universal Time (UTC)/Zulu Time).
            EndIf
        Case $sAD_Attribute = "objectGUID"
            Local $xAD_Dummy = DllStructCreate("byte[24]")
            DllStructSetData($xAD_Dummy, 1, $sAD_Result)
            $sAD_Result = _WinAPI_StringFromGUID(DllStructGetPtr($xAD_Dummy))
            $xAD_Dummy  = 0
        Case $sAD_Attribute = "objectSID"
            Local $xAD_Dummy = DllStructCreate("byte[28]")
            DllStructSetData($xAD_Dummy, 1, $sAD_Result)
            $sAD_Result = _Security__SidToStringSid(DllStructGetPtr($xAD_Dummy))
            $xAD_Dummy  = 0
    EndSelect
    ; ----------
    $oAD_Object.PurgePropertyList
    If $iAD_COMError = 3 Then
        $iAD_COMError = 0
        Return SetError(2, 0, 0)
    EndIf
    If IsArray($sAD_Result) Then _ArrayInsert($sAD_Result, 0, UBound($sAD_Result, 1))
    Return $sAD_Result
EndFunc   ;==>_AD_GetObjectAttribute

Any ideas about the COM error?

Greets,

-supersonic.

Edited by supersonic
Link to comment
Share on other sites

Hi supersonic, schöne Grüße,

thanks for using the AD UDF!

"COM Error 80020009: DISP_E_EXCEPTION - Unanticipated error occurred"

This could be everything!

But with many attributes and a lot of users it might be a problem with the amount of queries the DC can't cope with.

You could use a "Sleep(100)" after each call to an _AD_* function but this will considerably slow down your script.

Or you could try function _AD_GetObjectsInOU to get all required data in one go:

_AD_GetObjectsInOU($aAD_Objects, "", ""(&(objectcategory=person)(objectclass=user)(name=*))", 2, "comma-seperated list of attributes to retrieve")

This will return all users in the AD tree with the attributes you specify. Unfortunately it doesn't return multi-valued attributes. You have to use

_AD_GetObjectAttribute() for this attributes.

To get all "deciphered" attributes you could use function _AD_GetObjectProperties. Is this what you need?

Edited by water

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Hi TheBib,

could you please give me the COM error codes you receive? This makes traking the error much easier.

And could you please give an example of the data you enter in the GUI?

Line 403 is in the function _IsMemberOf so the user might already be a member of the group.

Thanks

Hi Water,

Thank you for your reply...

I just check about the data, and I found my mistake : I enter only the groupname and not all the distinghishedName.

Is it right ?

But I receive a new error : user 'CN=my_user,OU=Other,OU=Test,DC=my_domain,DC=lan' does not exist.

I just enter the SamAccountName (my_user) so the program can find this account (it return the distinghishedName...)

Can you help me ?

Regards,

Link to comment
Share on other sites

HiTheBib,

my bad.

Could you please change the code of the example script?

The line should read:

$iValue = _AD_AddUserToGroup($sGroup, $sUser)

The error was caused by the wrong order of the parameters. First the group then the user.

The format of both parameters to be entered in the gui is the sAMAccountname.

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

HiTheBib,

my bad.

Could you please change the code of the example script?

The line should read:

$iValue = _AD_AddUserToGroup($sGroup, $sUser)

The error was caused by the wrong order of the parameters. First the group then the user.

The format of both parameters to be entered in the gui is the sAMAccountname.

Hi Water

It work !!!

Very nice !!!

Thank you very much !!!

Link to comment
Share on other sites

Water,

thank you for the clue to use _AD_GetObjectsInOU() + _AD_GetObjectProperties(). It works like a charm... :D

Does it make sense to you to enhance _AD_GetObjectProperties() with some part of the code I posted above

to return "readable" SIDs and GUIDs?

Greets,

-supersonic.

Link to comment
Share on other sites

Does it make sense to you to enhance _AD_GetObjectProperties() with some part of the code I posted above

to return "readable" SIDs and GUIDs?

Sure, I'm always glad to get improvemetns for the UDF. I'll have alook and hope to implement it over the weekend.

Maybe I can release a new version quite soon.

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Water,

I'm trying to get all members of a group. Therefore I use _AD_GetGroupMembers().

Generally it works but when querying the group "Domänen-Benutzer" the function

returns without results. That's impossible, this group contains 300+ users...

Other groups (e. g. "Domänen-Admins") works without any problems...

A code snippet I use:

$aTmp1[2] = "Domänen-Benutzer"
_AD_GetGroupMembers($aTmp2, _AD_SamAccountNameToFQDN($aTmp1[2]))

In this case the function _AD_SamAccountNameToFQDN() returns the right value:

"Domänen-Benutzer" -> "CN=Domänen-Benutzer,CN=Users,DC=de01,DC=itvollmann,DC=com"

... please, can you help me out?

Greets,

-supersonic.

Edited by supersonic
Link to comment
Share on other sites

Hi supersonic,

I think it has to do with the Umlaut a ("ä") in the Groupname. Could you please try it with

$aTmp1[2] = "Domanen-Benutzer"
_AD_GetGroupMembers($aTmp2, _AD_SamAccountNameToFQDN($aTmp1[2]))

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Hi supersonic,

seems to be a problem with character encoding. When you open your script with a DOS editor you don't see the character "ä" but something different.

Here is a (german) site that explains this behaviour a bit. But it seems to be good practice to avoid special characters in AD (see this galileo book).

So the best to avoid future problems would be to rename the group.

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Hi supersonic,

at the moment _AD_GetObjectAttribute returns the attributes undecoded whereas _AD_GetObjectProperties decodes as many attributes as possible.

I've inserted your code to decrypt objectGUID and objectSID into _AD_GetObjectProperties.

Can you life with _AD_GetObjectAttribute not decoding the attribute values and using _AD_GetObjectProperties if you need decoded values?

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Hi supersonic,

very strange that "Domänen-Admins" works and "Domänen-Benutzer" doesn't.

Could you download the Sysinternals (now M$) tool ADExplorer and check if there are any differences?

This KB article explains how AD works with Umlauts.

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Water,

I've downloaded ADExplorer.

I can't believe it: there is no "member" attribute for "Domänen-Benutzer"!

Do you have an explanation? Looking in "Users und Groups" on the domain controller

lists 300+ user for the group...

Strange, strange, strange... :D

Link to comment
Share on other sites

I'm no AD guru but our group "Domain Users" is empty as well. FQDN is CN=Domain Users,OU=System_Groups,DC=company,DC=country

It seems to be OK. Please see this article.

Edited by water

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

×
×
  • Create New...