Active Directory Scripts


Johny Clelland

Could you please run the following code and post the results?

#include <adfunctions.au3>
Global $asUsergroups
_ADGetUserGroups($asUsergroups)
_ArrayDisplay($asUsergroups)

Thanks, that worked for what I was trying to do. I was trying to actually pull the command out and put it in a new script. I am sorry, I'm just starting out with the software. I didn't think to do the include with the entire .au3 file.

Link to comment

You can't copy just a single function from adfunctions.au3. When you look at the UDF you see that some statements are being executed before you can call the first function (create the COM object, install the error handler ...).

To reduce the size of your compiled exe just run the obfuscator to remove all unused functions. Ctrl-F7 in Scite tab Obfuscator.

My UDFs and Tutorials:

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment

I have run into another problem trying to get this script to work for me. It does display the list of groups, but they are all jumbled up with the CN=, OU= and DC= in front of each word. I tried to run the _ArrayTrim function to pull the first 3 letters off the front, but it doesn't seem to be doing that. I also do not know the placement of that specific command if it makes a difference.

#include <adfunctions.au3>
#include <array.au3>
Global $asUsergroups
Global $iTrimNum = 3
Global $iDirection = 1
Global $iStart = 0
Global $iEnd = 3
_ADGetUserGroups($asUsergroups)
_ArrayTrim($asUsergroups, $iTrimNum, $iDirection, $iStart, $iEnd)
_ArrayDisplay($asUsergroups)

Link to comment

To get the CN (common name) from the distinguished name (CN=group_name,OU=Organizational Unit,DC=company,DC=com) you could use something like:

#include <adfunctions.au3>
#include <array.au3>
Global $asUsergroups
_ADGetUserGroups($asUsergroups)
; Element [0] holds the number of groups; the DNs start at index 1
For $i = 1 To $asUsergroups[0]
    $Zf = StringSplit($asUsergroups[$i], "=")  ; $Zf[2] = "group_name,OU"
    $Zf = StringSplit($Zf[2], ",")             ; $Zf[1] = "group_name"
    $asUsergroups[$i] = $Zf[1]
Next
_ArrayDisplay($asUsergroups)


Link to comment
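Splitting on "=" and "," as in the reply above works for simple group names, but Active Directory escapes commas, equals signs and other special characters inside a DN with a backslash, and a plain split cuts such names short. That matters when a script makes a decision based on the extracted group name. The following is an added example, not code from the thread or from adfunctions.au3; `_DNFirstRdnValue` and the sample DNs are constructed for illustration.

```autoit
; Added example, not part of adfunctions.au3. _DNFirstRdnValue and the
; sample DNs below are constructed for illustration.

; Return the value of the first RDN of a distinguished name. Backslash
; escapes are honoured: "\," "\=" "\+" etc. yield the literal character and
; "\XX" hex pairs are decoded as single bytes (sufficient for ASCII names).
Func _DNFirstRdnValue($sDN)
    Local $iPos = StringInStr($sDN, "=")
    If $iPos = 0 Then Return SetError(1, 0, "") ; no attribute=value pair
    Local $sValue = "", $sChar, $sHex
    Local $iLen = StringLen($sDN)
    Local $i = $iPos + 1
    While $i <= $iLen
        $sChar = StringMid($sDN, $i, 1)
        If $sChar == "\" Then
            $sHex = StringMid($sDN, $i + 1, 2)
            If StringRegExp($sHex, "^[0-9A-Fa-f]{2}$") Then
                $sValue &= Chr(Dec($sHex))            ; "\2C" -> ","
                $i += 3
            Else
                $sValue &= StringMid($sDN, $i + 1, 1) ; "\," -> ","
                $i += 2
            EndIf
        ElseIf $sChar == "," Then
            ExitLoop ; an unescaped comma ends the first RDN
        Else
            $sValue &= $sChar
            $i += 1
        EndIf
    WEnd
    Return $sValue
EndFunc   ;==>_DNFirstRdnValue

; Constructed sample in the shape used above: [0] = count, DNs from [1].
Global $asGroups[5] = [4, _
        "CN=Domain Admins,CN=Users,DC=example,DC=com", _
        "CN=Helpdesk\, Tier 2,OU=Groups,DC=example,DC=com", _
        "CN=Finance\=Reports,OU=Groups,DC=example,DC=com", _
        "CN=Ops\2C EMEA,OU=Groups,DC=example,DC=com"]

For $i = 1 To $asGroups[0]
    ConsoleWrite(_DNFirstRdnValue($asGroups[$i]) & @CRLF)
Next
```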

  • 2 weeks later...

Hi Guys,

Did anyone try to create a mailbox with the _ADUserCreateMailbox function?

Seems not working... no errors are shown..

#include <adfunctions.au3>

$user = "firstname.lastname"
$mdbstore = "Hosted Exchange"
$store = "Shared Customers (MAPI)"
$server = "server11.network.local"
$admingroup = "First Administrative Group"
$domain = "Customer1.com"



_ADUserCreateMailbox($user, $mdbstore, $store, $server, $admingroup, $domain)
Link to comment

Someone needs to redo or start maintaining this UDF to support Windows Server 2008 Active Directory. It's from 2007 and the original author is gone, if someone else picked it up that'd be a good thing.

There's so many changes/patches and addons like GrayWalker's above that it needs to be a new UDF managed by a regular on the forums.

Link to comment


That's a very good idea!

Is there a single person out there with very good AD knowledge, a W2K8 server and a little bit of spare time?

What do you want to achieve? A UDF that is part of the AutoIt installation package (I think this would take a lot of time) or just another post in the Example Scripts where the latest version of the UDF is located and some discussion on how to improve it?

I have done some scripts with the adfunctions library but am no AD guru - just a bit of "learning by doing".

Whatever we do, I can offer (little) time and (limited) knowledge :D


Link to comment


Yorn,

I'm sorry I haven't been around for a while (hadn't realised it had been quite so long...)

The function that GrayWalker wrote looks very similar to __ADSamAccountNameToFQDN, only with a restriction that it only works for computers.

I have attached the version of ADFunctions that I currently use. I'm not sure how different it is from the original versions, I suspect it may cause some problems with people's existing code. I've tried to include what's been updated, but to be honest I haven't been great at keeping track of changes in this particular script.

The most notable changes recently were to the Recursive GroupMembers and MemberOf functions, as they return slightly different data now (the results are still DNs, with inherited groups after '|' chars, but the list contains all of them now, not just the 'first' inherited group)

Unfortunately I do not have access to W2k8 yet, so I can't develop anything in that direction. I am more than happy for someone else to take that particular task on ;-)

Please feel free to play with this latest version and let me know if you have any problems.

I promise I will try to respond to anything on this forum a little quicker this time.

Cheers,

Johny.

Latest Version -- Link

Edited by Johny Clelland
Link to comment

Here are a "few" things I would love to have added to this GREAT script:

1.) Ability to check AD to see if user account is locked out (due to too many unsuccessful log in attempts); If locked out, ability to unlock the account

2.) Take a specific (disabled) AD user account and check to see if the user is in any security or distribution groups. If so, remove them from all those groups

3.) Create a list of all disabled AD user accounts and check to see if the users are in any security or distribution groups. If so, remove them from all those groups (mass update for request #2)

4.) Create a function that will force a password change for a specified user -- sets the "User must change password at next login" checkbox.

5.) Create a function that will force a password change (at next login) for a specified OU -- sets the "User must change password at next login" checkbox. (OU mass update for request #4)

6.) Create a function that will force a password change for all users within a specified OU -- giving the ability to set the password to a variable callout.

Thank you in advance for your consideration!


Roger O. "When people show you who they are, believe them." --Mark Twain

Link to comment

Before we start adding new functions I would suggest to reunite the extended code written by Johny (version 3.3) and the current version available from this forum (3.1.6).

Starting with this new code base we can incorporate new functions and changes made necessary by W2K8 Active Directory.

If time doesn't matter I would be happy to start working on this new code base.


Link to comment

Any chance you could point me in the direction of a link to the latest version on the forum? The search doesn't seem to find 3.1.6 anywhere :-(


Link to comment

Here it is: Link


Link to comment

Thanks.

Attached is my suggested version 3.3.1. UPDATE - Updated to 3.3.2 to remove a reference to an external include file (DoProgress.au3)

It has the additions by KenE, and my recent updates. The only thing I haven't included is the _ADComputerExists function, as it is not required. The claim is that _ADObjectExists doesn't work for computer objects, but it does. You just need to note that the SamAccountName of a computer account is the computer's name with a '$' on the end, so to check for a computer you use;

If _ADObjectExists("mycomputer$") Then
    MsgBox(0, "", "MyComputer exists!")
Else
    MsgBox(0, "", "MyComputer doesn't exist :-(")
EndIf

I've had a couple of requests about unlocks and password resets which I'm planning to add as well.

Cheers,

Johny.


adfunctions.au3

Edited by Johny Clelland
Link to comment

Thanks for picking this project back up, Johny! Having this utility has saved me countless hours. I look forward to the added requests, and appreciate your time and effort!


Link to comment

Yes, I appreciate maintaining this. I have limited Windows 2008 access. Most of the functionality works the same, it's just that there were some changes over the years (AutoIt code changes) that caused issues with several of the functions from 2006. I too had patched mine but after looking at Johny's I think it's probably better to just use his with the later versions of AutoIt.

Edited by Yorn
Link to comment

  • 2 weeks later...

I've been working with the older/original version over the last couple of days myself. It's a really useful library, I'm gonna try this new version out.

In the meantime, I have a couple of remarks/questions.

I have been building an add-computer-to-domain script. Now because of certain details in our organization, this script had to do more than just add a computer to a domain.

So I ran into a little trouble with doing domain queries from the non-domain machine. First of all the adfunctions lib errors in initialization, no surprise. Second it doesn't allow for queries with different credentials everywhere.

Now I've been diving into ADODB.Connection, which is the object used for creating most of the connections used, and it does support it. The code I used is:

; $Domain, $adUsername and $adPassword must be set by the calling script
Global $objConnection = ObjCreate("ADODB.Connection")               ; Create COM object to AD
$objConnection.ConnectionString = "Provider=ADsDSOObject"           ; Set service provider type
$objConnection.Properties("User ID") = $Domain & "\" & $adUsername  ; Authenticate user
$objConnection.Properties("Password") = $adPassword                 ; Authenticate user
$objConnection.Properties("Encrypt Password") = 1                   ; Set encryption for passwords
$objConnection.Properties("ADSI Flag") = 1                          ; 1 = Use Kerberos for authentication
$objConnection.Open("Active Directory Provider")                    ; Open connection

Now this also made me realize that this library doesn't build secure connections to AD. Of course I can't find the freaking MSDN page where I found all the info anymore, but I remember it saying that the default was without security. Now this may not be a problem from a domain machine as username and password are not needed, but it is something to watch out for. I'll keep trying to find the freaking MSDN page.

I'm not sure how this would fit into the lib; I have copied the functions I need to my script, and changed them a little. The lib does support different credentials where object.functions support it, through $alt_userid. May not even be all that useful, since it's made to use on domain PCs, but you may wanna check the security settings.

As a side note: $objConnection.Provider = "ADsDSOObject" seems to work just as well as $objConnection.ConnectionString = "Provider=ADsDSOObject". I'm not sure what the difference is yet :)

+==================================================================+| The Definition of Madness: Creating a GUI, with GUI automation scripts |+==================================================================+
Link to comment

Hi Prophet,

Always nice to hear good things about my scripts :-)

On the note of alternative logon credentials, the Functions library has two ways of dealing with this.

Firstly, look at _ADAlternativeLogon on line 1852. That does the equivalent of your code below, although as you have pointed out it is not secure (I'll add this to the next version).

Secondly, to enable _ADObjGet to use alternative credentials, simply set the Global variables $alt_userid and $alt_password to the relevant ID. I'm not sure if this logon is secure or not, there's a BitOr in there which may or may not be for secure connections. It's that long since I wrote those bits of code I'm not certain what that last argument does.

Hope this helps, and thanks for the suggestions about making it secure. I'm not sure what to do about running it on a non-domain PC, as I never thought you would need to use it outside of a domain.

Cheers,

Johny.


Link to comment

Aah nice, you already built that into the connection. :)

About non-domain machines

You could initialize the UDF differently, by checking if $objRootDSE is a valid object, and choosing 2 ways of proceeding.

For example:

Global $objRootDSE = ObjGet("LDAP://RootDSE")
If IsObj($objRootDSE) = 1 Then
    Global $strDNSDomain = $objRootDSE.Get("defaultNamingContext") ; Retrieve the current AD domain name
    Global $strHostServer = $objRootDSE.Get("dnsHostName") ; Retrieve the name of the connected DC
    Global $strConfiguration = $objRootDSE.Get("ConfigurationNamingContext") ; Retrieve the Configuration naming context
Else
    ; set the variables manually
EndIf

But I'm not sure it's worth the effort; in most cases you won't need it.

Link to comment
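The two points raised in the posts above, whether the flags passed on an alternate-credential bind make it secure and how to reach a DC from a machine that is not a domain member, can be checked in code. The following is an added example, not code from the thread or from adfunctions.au3: the constants are ADSI's ADS_AUTHENTICATION_ENUM values (the value 1 used in the ADODB snippet above is ADS_SECURE_AUTHENTICATION), while the function names, the server name and the sample flag values are constructed for illustration.

```autoit
; Added example, not part of adfunctions.au3. Function names, the server name
; in the usage comment and the sample flag values are constructed.

; ADS_AUTHENTICATION_ENUM values (ADSI)
Global Const $ADS_SECURE_AUTHENTICATION = 0x1 ; Kerberos/NTLM instead of a simple bind
Global Const $ADS_USE_SSL = 0x2               ; LDAP over SSL/TLS (same value as ADS_USE_ENCRYPTION)
Global Const $ADS_USE_SIGNING = 0x40          ; integrity; needs ADS_SECURE_AUTHENTICATION
Global Const $ADS_USE_SEALING = 0x80          ; encryption; needs ADS_SECURE_AUTHENTICATION
Global Const $ADS_SERVER_BIND = 0x200         ; the ADsPath names a specific server

; True when the flags avoid an unprotected simple bind for the password.
Func _AdsCredentialsProtected($iFlags)
    Return BitAND($iFlags, BitOR($ADS_SECURE_AUTHENTICATION, $ADS_USE_SSL)) <> 0
EndFunc   ;==>_AdsCredentialsProtected

; True when the query traffic itself is also encrypted and integrity-checked.
Func _AdsTrafficProtected($iFlags)
    If BitAND($iFlags, $ADS_USE_SSL) Then Return True
    Local $iNeeded = BitOR($ADS_SECURE_AUTHENTICATION, $ADS_USE_SIGNING, $ADS_USE_SEALING)
    Return BitAND($iFlags, $iNeeded) = $iNeeded
EndFunc   ;==>_AdsTrafficProtected

; Bind to RootDSE on a named DC with explicit credentials, as a machine that
; is not a domain member has to. Refuses flag combinations that would fall
; back to an unprotected simple bind.
Func _AdsOpenRootDSE($sServer, $sUser, $sPassword, $iFlags)
    If Not _AdsCredentialsProtected($iFlags) Then Return SetError(1, 0, 0)
    Local $oLDAP = ObjGet("LDAP:")
    If Not IsObj($oLDAP) Then Return SetError(2, 0, 0)
    Local $oRoot = $oLDAP.OpenDSObject("LDAP://" & $sServer & "/RootDSE", _
            $sUser, $sPassword, BitOR($iFlags, $ADS_SERVER_BIND))
    If Not IsObj($oRoot) Then Return SetError(3, 0, 0)
    Return $oRoot
EndFunc   ;==>_AdsOpenRootDSE

; Audit a few constructed flag values without touching the network.
Global $aiSamples[4] = [0x0, 0x1, 0x2, 0xC1]
For $i = 0 To UBound($aiSamples) - 1
    ConsoleWrite("0x" & Hex($aiSamples[$i], 3) & _
            "  credentials protected: " & _AdsCredentialsProtected($aiSamples[$i]) & _
            "  traffic protected: " & _AdsTrafficProtected($aiSamples[$i]) & @CRLF)
Next

; Usage against a real DC (placeholder names):
;   $oRoot = _AdsOpenRootDSE("dc01.example.local", "EXAMPLE\someuser", $sPassword, _
;           BitOR($ADS_SECURE_AUTHENTICATION, $ADS_USE_SIGNING, $ADS_USE_SEALING))
;   If IsObj($oRoot) Then ConsoleWrite($oRoot.Get("defaultNamingContext") & @CRLF)
```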

  • 1 month later...

Hello Johny Clelland,

first I want to thank you for your great work.

I have been using AutoIt for a year I think, but just started using it in AD.

I am using your latest version 3.3.2 and started with a small script for changing our users' Out Of Office reply, which works like a charm.

Now my new project is to work on an automated User creation, and there are my first problems.

First I think the description for _ADCreateUser and _ADCreateGroup is wrong when it comes to the OU where the user has to be created.

The format is described like:

line 190 and 220: $userou = OU to create the group in. Form is "sampleou=ou, sampleparent=ou, sampledomain1=dc, sampledomain2=dc, sampledomain3=dc"

But it's not working for me; instead the description of _ADAudit seems to be the right one also for _ADCreate...:

line 1928: Takes the ou, in the form "ou=Users, ou=Department, dc=mycompany, dc=com"

But if I am trying this:

$userou = "ou=Users, ou=Department, dc=mycompany, dc=com"
$user = "josemair"
$fname = "Josef"
$lname = "Mair"
$description = "this is a Autoit test"
$result = _ADCreateUser($userou, $user, $fname, $lname, $description = "User")

Then I get the user in the right OU with right username but the user is disabled with description "FALSE" and the fname and lname is not in the right field:


Can you help me in this point?

I am using Server 2003 as DC.

Thanks a lot.

Link to comment

  • 2 weeks later...

Hi Guys,

Did anyone try to create a mailbox with the _ADUserCreateMailbox function?

Seems not working... no errors are shown..

#include <adfunctions.au3>

$user = "firstname.lastname"
$mdbstore = "Hosted Exchange"
$store = "Shared Customers (MAPI)"
$server = "server11.network.local"
$admingroup = "First Administrative Group"
$domain = "Customer1.com"



_ADUserCreateMailbox($user, $mdbstore, $store, $server, $admingroup, $domain)

Supahfly;

Did you ever get this working? I'm trying to accomplish this and came across your post. Didn't know if you had solved the problem already.

Any help would be greatly appreciated.

Thanks.

Link to comment