
Active Directory UDF - Help & Support

782 posts in this topic

Posted (edited)

This is the "General Help and Support" thread for the Active Directory UDF.

The UDF itself can be downloaded here.

So if you have any questions, suggestions or errors please post here.

Edited by water




Posted (edited)

Version 0.34 has been released.

For download please see signature.

Edited by water


Posted

Hi Water,

Currently I am investigating the error; in another sample script it works pretty well... :D

Thank you for the enhanced version of _AD_GetObjectProperties();

it should be part of the next upcoming release... :huggles:

When I see more clearly I will inform you...

Greets,

-supersonic.


Posted

it should be part of the next upcoming release...

It will be part of version 0.35 :D

For now you can replace the function I attached in the AD UDF.


Posted

Hi Water,

I can't believe it:

It's not a problem of any functions within AD.au3... it's a problem of GUICtrlCreateListViewItem()!!!

When adding 15+ items to a ListView with GUICtrlCreateListViewItem() the script stops somewhere.

Greets,

-supersonic.


Posted (edited)

Hi supersonic,

to add a lot of items to a ListView you could:

_GUICtrlListView_BeginUpdate()
_GUICtrlListView_AddArray()
_GUICtrlListView_EndUpdate()
Edited by water


Posted (edited)

Is there a way to use $GUI_BKCOLOR_LV_ALTERNATE with _GUICtrlListView_AddArray()???

--- I started a new thread: http://www.autoitscript.com/forum/index.php?showtopic=109326

Edited by supersonic


Posted (edited)

Version 0.35 has been released. It contains some script-breaking changes, so I wanted to release it rather quickly.

For download please see signature.

Edited by water


Posted (edited)

Hi Water,

I have some problems using _AD_IsMemberOf().

In our script some actions will only happen when a user is a member of a dedicated group. For that, _AD_IsMemberOf() works fine. But some actions apply to all users of the domain, so I use "Domain Users" (= "Domänen-Benutzer") to check for. This is also the primary domain group for all users.

When I change the primary domain group, then _AD_IsMemberOf() works well with "Domain Users", e. g. _AD_IsMemberOf("Domänen-Benutzer", @Username). When I re-set "Domain Users" as the primary domain group, _AD_IsMemberOf() returns 0.

Some days ago I described the same behaviour using the function _AD_GetUserGroups().

Is it possible - and does it make sense to you (I hope so :huggles: ) - to enhance these functions so that they also take notice of the primary domain group the user belongs to?

Sure, I could use _AD_GetUserPrimaryGroup() as a workaround. But often this isn't very practical...

Maybe you can help me out... :D

Greets,

-supersonic.

As the function _AD_GetUserGroups has a flag to include the Primary Group in the result, I think a similar flag for _AD_IsMemberOf makes sense.

What do you think?

Edited by water


Posted

This would be fine... :D


Posted

Is it possible to add such flag to _AD_GetGroupMembers() in order to list all members of primary domain groups?


Posted (edited)

Could you replace the _AD_IsMemberOf function in AD.au3 with this code:

; #FUNCTION# ====================================================================================================================
; Name...........: _AD_IsMemberOf
; Description ...: Returns 1 if the user is a member of the group.
; Syntax.........: _AD_IsMemberOf($sAD_Group[, $sAD_User = @Username[, $fAD_IncludePrimaryGroup = 0]])
; Parameters ....: $sAD_Group - Group to be checked for membership. Can be specified as sAMAccountName or Fully Qualified Domain Name (FQDN)
; 	$sAD_User - Optional: User to be checked for membership in group $sAD_Group. Can be specified as sAMAccountName or Fully Qualified Domain Name (FQDN) (default = @UserName)
; 	$fAD_IncludePrimaryGroup - Optional: check the primary group too if the user is no member of the specified group (default = 0)
; Return values .: Success - 1, Specified user is a member of the specified group
; 	Failure - 0, @error set
; 	|0 - $sAD_User is not a member of $sAD_Group
; 	|1 - $sAD_Group does not exist
; 	|2 - $sAD_User does not exist
; Author ........: Jonathan Clelland
; Modified.......: Thomas Rupp
; Remarks .......:
; Related .......: _AD_GetUserGroups, _AD_GetUserPrimaryGroup, _AD_RecursiveGetMemberOf
; Link ..........:
; Example .......: Yes
; ===============================================================================================================================
Func _AD_IsMemberOf($sAD_Group, $sAD_User = @UserName, $fAD_IncludePrimaryGroup = False)

	If _AD_ObjectExists($sAD_Group) = 0 Then Return SetError(1, 0, 0)
	If _AD_ObjectExists($sAD_User) = 0 Then Return SetError(2, 0, 0)
	If StringMid($sAD_User, 3, 1) <> "=" Then $sAD_User = _AD_SamAccountNameToFQDN($sAD_User) ; sAMAccountName provided
	If StringMid($sAD_Group, 3, 1) <> "=" Then $sAD_Group = _AD_SamAccountNameToFQDN($sAD_Group) ; sAMAccountName provided
	Local $oAD_Group = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Group)
	Local $iAD_Result = $oAD_Group.IsMember("LDAP://" & $sAD_HostServer & "/" & $sAD_User)
	; Check Primary Group if user isn't a member of the specified group and the flag is set
	If $iAD_Result = 0 And $fAD_IncludePrimaryGroup Then $iAD_Result = (_AD_GetUserPrimaryGroup($sAD_User) = $sAD_Group)
	; Abs is necessary to make it work for AutoIt versions < 3.3.2.0 with bug #1068
	Return Abs($iAD_Result)

EndFunc ;==>_AD_IsMemberOf

And then change your code to:

$IResult = _AD_IsMemberOf("your group", "your user", 1)

This should check the primary group when the user is no member of the specified group.

Edited by water


Posted

Is it possible to add such flag to _AD_GetGroupMembers() in order to list all members of primary domain groups?

I don't think so.

I'm not aware of any query to get a list of all primary groups used in the domain. And if you query some of the groups you even get an empty list as with "Domain Users".

The only safe way (that I know of at the moment) to query the primary domain groups is to query every user and generate a list yourself.


Posted

A bit of searching the internet showed that the primary group "Domain Users" has the primaryGroupID 513.

So if you search for all other users you can then query the primary group of each of these users.

$aObjects = _AD_GetObjectsInOU("", "(&(objectCategory=person)(objectClass=user)(!primaryGroupID=513))", 2, "sAMAccountName,primaryGroupID")

This returns a list of all users (sAMAccountName and primaryGroupID) which don't have the default primary group "Domain Users".

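The following is an added example, written for this thread and not code from the AD UDF or from anyone posting here. It models in Python what the _AD_IsMemberOf change posted earlier and the primaryGroupID query in the post above both deal with: a user's primary group is linked only through the RID stored in the user's primaryGroupID attribute, so it shows up neither in the user's memberOf nor in the group's member attribute, which is why a plain IsMember check returns 0 for "Domain Users" and why the group's member list looks empty. The domain SID, the user and group names, the DNs and the RID 1105 are constructed sample data; only the well-known RID 513 for "Domain Users" is real.

```python
"""Primary-group membership in Active Directory, modelled on constructed data.

Added example; it is not code from the AD UDF.  In AD a user's primary group is
recorded only as a RID in the user's primaryGroupID attribute; the group's
objectSid is the domain SID followed by that RID.  Neither the user's memberOf
nor the group's member attribute carries the link.
"""

# Constructed sample domain SID; a group's objectSid is the domain SID plus its RID.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users"

# Constructed users: the primary group is visible only through primaryGroupID.
USERS = {
    "alice": {"dn": "CN=Alice,OU=Staff,DC=example,DC=com",
              "primaryGroupID": DOMAIN_USERS_RID,
              "memberOf": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"]},
    # bob's primary group was changed to Helpdesk (RID 1105, constructed); AD then
    # lists him as an ordinary member of Domain Users and drops him from
    # Helpdesk's member list, because that membership is now implicit.
    "bob":   {"dn": "CN=Bob,OU=Staff,DC=example,DC=com",
              "primaryGroupID": 1105,
              "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"]},
    "carol": {"dn": "CN=Carol,OU=Staff,DC=example,DC=com",
              "primaryGroupID": DOMAIN_USERS_RID,
              "memberOf": []},
}

GROUPS = {
    "Domain Users": {"dn": "CN=Domain Users,CN=Users,DC=example,DC=com",
                     "objectSid": f"{DOMAIN_SID}-{DOMAIN_USERS_RID}",
                     "member": ["CN=Bob,OU=Staff,DC=example,DC=com"]},
    "Helpdesk":     {"dn": "CN=Helpdesk,OU=Groups,DC=example,DC=com",
                     "objectSid": f"{DOMAIN_SID}-1105",
                     "member": ["CN=Alice,OU=Staff,DC=example,DC=com"]},
}


def rid_of(sid: str) -> int:
    """The last sub-authority of a SID is the RID."""
    return int(sid.rsplit("-", 1)[1])


def primary_group_dn(user: str) -> str:
    """Resolve a user's primary group by matching primaryGroupID against group RIDs."""
    rid = USERS[user]["primaryGroupID"]
    for group in GROUPS.values():
        if rid_of(group["objectSid"]) == rid:
            return group["dn"]
    raise LookupError(f"no group with RID {rid}")


def is_member_of(group: str, user: str, include_primary_group: bool = False) -> bool:
    """Direct membership via the group's member attribute (what ADSI IsMember sees);
    with the flag set, fall back to the primary group, like the UDF's new flag."""
    if USERS[user]["dn"] in GROUPS[group]["member"]:
        return True
    return include_primary_group and primary_group_dn(user) == GROUPS[group]["dn"]


def primary_group_members(group: str) -> list[str]:
    """The only way to enumerate primary-group members: scan every user."""
    rid = rid_of(GROUPS[group]["objectSid"])
    return sorted(u for u, a in USERS.items() if a["primaryGroupID"] == rid)


def users_with_nonstandard_primary_group() -> list[str]:
    """Same result as (&(objectCategory=person)(objectClass=user)(!primaryGroupID=513))."""
    return sorted(u for u, a in USERS.items() if a["primaryGroupID"] != DOMAIN_USERS_RID)


if __name__ == "__main__":
    for u in USERS:
        print(u, "direct:", is_member_of("Domain Users", u),
              "with primary group:", is_member_of("Domain Users", u, True))
    print("Domain Users via primaryGroupID:", primary_group_members("Domain Users"))
    print("non-default primary group:", users_with_nonstandard_primary_group())
```

The sample reproduces supersonic's observation: while "Domain Users" is alice's primary group the direct check fails and only the flagged call succeeds; for bob, whose primary group was moved elsewhere, the direct check against "Domain Users" succeeds because AD turned that into an ordinary membership.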

Posted (edited)

Thank you for the quick update... :D

You added:

If $iAD_Result = 0 And $fAD_IncludePrimaryGroup Then $iAD_Result = (_AD_GetUserPrimaryGroup($sAD_User) = $sAD_Group)

As described in the docs _AD_GetUserPrimaryGroup() returns the FQDN.

But $sAD_Group is (or will be converted to) a samAccountName...

It seems that an FQDN will be compared with a sAMAccountName!?

Am I wrong?

Greets,

-supersonic.

Edited by supersonic


Posted

Am I wrong?

Yes :D

In _AD_IsMemberOf the two parameters have to be in FQDN format or - if specified in SAMAccountName format - are converted to FQDN. So the specified line compares FQDN with FQDN.

I've tested it in my environment and it works just fine.


Posted

Hi Water,

yes, I was wrong! :mellow:

Will the modifications be part of the next version?


Posted

Will the modifications be part of the next version?

Yes.

If I find some spare time I might release the new version this weekend.


Posted

Version 0.36 has been released.

For download please see signature.


Posted (edited)

Hello All,

does anyone have an issue with the function "_AD_IsObjectLocked()"? It always returns 0 for me.

Thx

Works fine for me on locked objects.

Did you try the example script for _AD_IsObjectLocked? It first gets a list of locked objects and then uses _AD_IsObjectLocked on the first found object.

Or run _AD_GetObjectsLocked.au3 to get a list of all locked objects and check if your object is included.

Did you test the @error returned by _AD_IsObjectLocked in your script?

; Return values .: Success - 1, Specified object is locked
; 	Failure - 0, sets @error to:
; 	|0 - $sAD_Object is not locked
; 	|1 - $sAD_Object could not be found

If you check a computer remember to append a "$" to the samaccountname - see the remarks in the helpfile for _AD_IsObjectLocked.

Edited by water


Posted


Hello water,

Yes, I tried the example. It doesn't work.

_AD_GetObjectsLocked.au3 returns "no objects locked".

I tried this function on a user account and it returns 0, and @error is always 0 too, whereas the account is really locked.

_AD_UnlockObject works fine.

I don't know where to search.

Thx for your help


Posted (edited)


If _AD_GetObjectsLocked doesn't find any locked objects then there are no locked objects in your AD. :mellow:

What makes you think that the user account is locked?

Could you please try _AD_GetObjectsDisabled? Maybe the user account isn't locked but disabled.

Another try: Download Sysinternals Active Directory Explorer. No installation required, just run the exe. Check if the user account is locked (attribute lockouttime has to be set). If the user account is disabled then the UserAccountControl is set to 514 (= normal account + disabled)

Edited by water


Posted (edited)

The function _AD_IsObjectLocked always returns that the account is not locked. When I verify with dsa.msc, it's really locked.

When I run _AD_UnlockObject on the same account it works.

I tried adexplorer and userAccountControl is set to 512 and badpasswdcount is set to 3.

Has no one had the same problem?

Edited by neric77


Posted

I tried adexplorer and userAccountControl is set to 512 and badpasswdcount is set to 3.

512 means: Normal account. If it is locked it is bit-ORed with 0x10. A normal account which is locked has 512+16 = 528.

If you get 512 as userAccountControl then the user isn't locked.

_AD_UnlockObject doesn't return an error when the object wasn't locked before.

What does dsa.msc show (screenshot)? What's the value of userAccountControl? And what is the value of lockouttime?

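As an added example (not code from the AD UDF and not posted by anyone in this thread), the Python below decodes userAccountControl and decides lockout from lockoutTime, the attribute water points to above. It goes one step beyond the post: on Active Directory user objects the LOCKOUT bit is not kept in the stored userAccountControl value (it is only exposed through the constructed attribute msDS-User-Account-Control-Computed), so a stored value of 512 by itself does not say whether the account is locked; lockoutTime together with the domain's lockoutDuration does, and that is also why an unlock resets lockoutTime to 0. The attribute values, the 30-minute policy and the timestamps are constructed for the example, and treating a lockoutDuration of -2**63 as "locked until an administrator unlocks" is an assumption of the example, not something the thread states.

```python
"""Is this AD account locked out?  Added example, not code from the AD UDF.

Facts the example relies on: userAccountControl is a bit field (0x0002
ACCOUNTDISABLE, 0x0010 LOCKOUT, 0x0200 NORMAL_ACCOUNT, so 514 = 0x200 | 0x002);
on AD user objects the LOCKOUT bit is not stored in userAccountControl but only
surfaced via msDS-User-Account-Control-Computed; lockoutTime is a FILETIME
(100 ns ticks since 1601-01-01 UTC) that is 0 when never locked or after an
unlock; lockoutDuration is a negative interval in the same units.
Assumption: a lockoutDuration of -2**63 means "until an administrator unlocks".
"""
from datetime import datetime, timedelta, timezone

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
LOCKOUT_NEVER_EXPIRES = -(2 ** 63)  # assumed encoding of "until admin unlocks"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_uac(value: int) -> set[str]:
    """Names of the known bits set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME ticks (100 ns) to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware UTC datetime to FILETIME ticks, computed without float rounding."""
    d = dt - EPOCH_1601
    return (d.days * 86_400_000_000 + d.seconds * 1_000_000 + d.microseconds) * 10


def is_locked(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """Locked if lockoutTime is set and the domain's lockoutDuration has not elapsed."""
    if lockout_time == 0:
        return False
    if lockout_duration == LOCKOUT_NEVER_EXPIRES:
        return True
    unlock_at = filetime_to_datetime(lockout_time - lockout_duration)  # duration < 0
    return now < unlock_at


def account_state(attrs: dict, lockout_duration: int, now: datetime) -> str:
    """'disabled', 'locked' or 'enabled', judged from the attributes an LDAP read returns."""
    flags = decode_uac(attrs["userAccountControl"])
    if "ACCOUNTDISABLE" in flags:
        return "disabled"
    if is_locked(attrs.get("lockoutTime", 0), lockout_duration, now):
        return "locked"
    return "enabled"


# Constructed sample values: a 30-minute lockout policy and an account that hit
# the threshold at 12:00 UTC.  Its stored userAccountControl stays 512 while locked.
LOCKOUT_30_MIN = -30 * 60 * 10_000_000
LOCKED_AT = datetime(2010, 5, 3, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOCKED = {"userAccountControl": 512, "badPwdCount": 3,
                 "lockoutTime": datetime_to_filetime(LOCKED_AT)}
SAMPLE_DISABLED = {"userAccountControl": 514, "badPwdCount": 0, "lockoutTime": 0}

if __name__ == "__main__":
    for label, a in (("sample locked", SAMPLE_LOCKED), ("sample disabled", SAMPLE_DISABLED)):
        print(label, sorted(decode_uac(a["userAccountControl"])),
              "at +10 min:", account_state(a, LOCKOUT_30_MIN, LOCKED_AT + timedelta(minutes=10)),
              "at +45 min:", account_state(a, LOCKOUT_30_MIN, LOCKED_AT + timedelta(minutes=45)))
```

Reading the constructed account the way neric77 describes (userAccountControl 512, a non-zero lockoutTime, a bad-password count at the threshold) yields "locked" inside the policy window and "enabled" once the window has passed, while the 514 account is reported as disabled regardless of lockoutTime.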

Posted (edited)


(screenshots attached: dsa.msc, adexplorer)

Edited by neric77

This topic is now closed to further replies.