
Query AD Group Membership


15 replies to this topic

#1 redfive19

    Adventurer

  • Active Members
  • 105 posts

Posted 29 March 2007 - 06:40 PM

hi all,
I've searched the forums for something like this. I came across ADFunctions.au3 but I am unsure this is exactly what I need (and I am also getting an error on line 78 of ADFunctions.au3).

I basically want to find out what (group/ou?) attributes are assigned to the current computer object. For instance, I want to be able to run a script on the local machine, have it query that machine's AD group membership, create a new computer object and copy those attributes over to the new computer object. First and foremost, I just want to be able to DISPLAY (echo) the group membership just so I am sure it's correct.

I found some VB Code that's supposed to do just this but I can't make heads or tails of it:

' Bind to the Computers container and create a new computer object in it
Set objCompt = _
    GetObject("LDAP://cn=Computers,dc=NA,dc=fabrikam,dc=com")
Set objComptCopy = objCompt.Create("computer", "cn=SEA-SQL-01")
objComptCopy.Put "sAMAccountName", "sea-sql-01"
objComptCopy.SetInfo          ' commit the new object to AD

' Bind to an existing computer that serves as the template
Set objComptTemplate = GetObject _
    ("LDAP://cn=SEA-PM-01,cn=Computers,dc=NA,dc=fabrikam,dc=com")
arrAttributes = Array("description", "location")

' Copy only the listed attributes from the template to the new object.
' Group membership is not among them: memberOf is maintained on the group
' objects, so this loop neither reads nor copies it.
For Each strAttrib in arrAttributes
    strValue = objComptTemplate.Get(strAttrib)
    objComptCopy.Put strAttrib, strValue
Next

objComptCopy.SetInfo          ' write the copied attributes


I know I can import it into AutoIt via a variety of ways but can someone please enlighten me as to what it's actually doing and how I can query AD first to make this happen? Thanks ahead of time for all of your help!!!!

-redfive







#2 lod3n

    Another day, another mind-boggling adventure!

  • Active Members
  • 874 posts

Posted 29 March 2007 - 08:56 PM

What are you trying to do? Just wondering.

#3 redfive19

    Adventurer

  • Active Members
  • 105 posts

Posted 29 March 2007 - 09:06 PM

I'm trying to duplicate group membership for new PC's. So if a user has Windows 2000 now and that computer is part of the SALES OU, I want to make sure that the new COMPUTER (running windows XP) will be added to the domain with the same exact group membership (new PC name).

#4 EndFunc

    Universalist

  • Active Members
  • 436 posts

Posted 29 March 2007 - 11:01 PM

Make sure you have the current ADFunctions UDF.

http://www.autoitscript.com/forum/index.ph...st&p=294788

Then use _ADGetObjectAttribute() and maybe try _ADGetGroupMembers()

Read the UDF for syntax and examples.

> I'm trying to duplicate group membership for new PC's. So if a user has Windows 2000 now and that computer is part of the SALES OU, I want to make sure that the new COMPUTER (running windows XP) will be added to the domain with the same exact group membership (new PC name).

That shouldn't be difficult to do using the adfunctions UDF.

Edited by EndFunc, 29 March 2007 - 11:03 PM.

AutoIt is the shiznit. I love it.

#5 ptrex

    Universalist

  • MVPs
  • 2,420 posts

Posted 30 March 2007 - 08:33 AM

@redfive19

This is the translation, but according to me this code does not get the attribs, but writes them?!

#include <array.au3>

$objCompt = ObjGet("LDAP://cn=Computers,dc=NA,dc=fabrikam,dc=com")      ; bind to the Computers container

$objComptCopy = $objCompt.Create("computer", "cn=compaq_7010_01")        ; create a new computer object in it
$objComptCopy.Put("sAMAccountName", "sea-sql-01")                        ; note: this name does not match the cn above
$objComptCopy.SetInfo()                                                 ; commit the new object to AD

$objComptTemplate = ObjGet("LDAP://cn=SEA-PM-01,cn=Computers,dc=NA,dc=fabrikam,dc=com")   ; existing computer used as template
$arrAttributes = _ArrayCreate("description", "location")
For $strAttrib In $arrAttributes
    $strValue = $objComptTemplate.Get($strAttrib)      ; read the attribute from the template ...
    $objComptCopy.Put($strAttrib, $strValue)           ; ... and write it to the copy
Next
$objComptCopy.SetInfo()                                ; write the copied attributes



Enjoy

ptrex

#6 VeeDub

    Polymath

  • Active Members
  • 202 posts

Posted 31 March 2007 - 06:26 AM

Hi,

I've just been looking at aufunctions.au3 and would appreciate if someone can clarify how the authentication to AD via LDAP works.

It seems to me that no "logon credentials" are provided, if you like, an anonymous connection is made. Am I right about that?

I would be surprised if an anonymous connection would be permitted to perform any (or at least any significant) update or query for that matter, but where is the logon / authentication statements?

VW

#7 redfive19

    Adventurer

  • Active Members
  • 105 posts

Posted 02 April 2007 - 02:17 PM

Thank you guys for all of your help. I'm going to try this out and repost.

#8 EndFunc

    Universalist

  • Active Members
  • 436 posts

Posted 02 April 2007 - 03:02 PM

> Hi,
>
> I've just been looking at aufunctions.au3 and would appreciate if someone can clarify how the authentication to AD via LDAP works.
>
> It seems to me that no "logon credentials" are provided, if you like, an anonymous connection is made. Am I right about that?
>
> I would be surprised if an anonymous connection would be permitted to perform any (or at least any significant) update or query for that matter, but where is the logon / authentication statements?
>
> VW

You're right and I asked this question a long time ago, but never got an answer. Some of these functions will work without authentication but usually to modify or create something you need authentication. So right now to me it's only usually for tasks that I have access to. But if running from another computer there seems to be no way to authenticate without logging in as yourself. I would sure like that added myself.

AutoIt is the shiznit. I love it.

#9 redfive19

    Adventurer

  • Active Members
  • 105 posts

Posted 05 April 2007 - 06:07 PM

Couldn't you just do a RunAsSet?

#10 Jos

    Je maintiendrai

  • Developers
  • 23,434 posts

Posted 05 April 2007 - 06:16 PM

> Hi,
>
> I've just been looking at aufunctions.au3 and would appreciate if someone can clarify how the authentication to AD via LDAP works.
>
> It seems to me that no "logon credentials" are provided, if you like, an anonymous connection is made. Am I right about that?
>
> I would be surprised if an anonymous connection would be permitted to perform any (or at least any significant) update or query for that matter, but where is the logon / authentication statements?
>
> VW

> You're right and I asked this question a long time ago, but never got an answer. Some of these functions will work without authentication but usually to modify or create something you need authentication. So right now to me it's only usually for tasks that I have access to. But if running from another computer there seems to be no way to authenticate without logging in as yourself. I would sure like that added myself.

Not sure I understand this question but am pretty sure that the credentials of the user account running the script are used. When this is not an AD account it will try to access by means of the Guest account but most installations disable the Guest account for security reasons ...

Visit the SciTE4AutoIt3 Download page for the latest versions                                                                 Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)


#11 redfive19

    Adventurer

  • Active Members
  • 105 posts

Posted 05 April 2007 - 07:33 PM

Yeah you know it's weird, I'm going to need to run this from a PE environment so I will not be logged on an account that will have domain admin rights. EndFunc's previous post mentioned that he tried the RunAsSet to no avail. Does anyone know if you can login to an account that has rights to run the entire script?

#12 Jos

    Je maintiendrai

  • Developers
  • 23,434 posts

Posted 05 April 2007 - 08:45 PM

> Yeah you know it's weird, I'm going to need to run this from a PE environment so I will not be logged on an account that will have domain admin rights. EndFunc's previous post mentioned that he tried the RunAsSet to no avail. Does anyone know if you can login to an account that has rights to run the entire script?

How was that tried? Restart the script with Admin credentials using RunAsSet() and Run()?



#13 redfive19

    Adventurer

  • Active Members
  • 105 posts

Posted 05 April 2007 - 09:20 PM

I'm unsure. I hope EndFunc can shed some light on how he ran it. I'm still waiting for QA domain access to test it in my script.

#14 VeeDub

    Polymath

  • Active Members
  • 202 posts

Posted 06 April 2007 - 11:03 AM

> You're right and I asked this question a long time ago, but never got an answer. Some of these functions will work without authentication but usually to modify or create something you need authentication. So right now to me it's only usually for tasks that I have access to. But if running from another computer there seems to be no way to authenticate without logging in as yourself. I would sure like that added myself.

This may help http://www.autoitscript.com/forum/index.ph...st&p=314230

If not I need to do some work with AD and I'll need to authenticate, but I have other tasks that I need to complete beforehand, so I may not get to look at this for a while yet.

Certainly with authentication in a "work" environment aufunctions.au3 offers many possibilities to automate tasks but unfortunately without authentication its use is somewhat more limited.

VW
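An added example, not from this thread and not part of the ADFunctions UDF, showing the authentication piece discussed above: instead of a plain ObjGet("LDAP://...") (which, as Jos says, binds as the account running the script), the ADSI namespace object's OpenDSObject method binds with credentials supplied explicitly, and the bound object's memberOf values are listed. The function name _ListComputerGroups, the DN, the account name and the password prompt are this example's own assumptions.

```autoit
; Added example: bind to AD with explicit credentials (ADSI OpenDSObject) and
; list the groups a computer object belongs to. DN and account are placeholders.

Global Const $ADS_SECURE_AUTHENTICATION = 1   ; ADS_AUTHENTICATION_ENUM: Windows (Kerberos/NTLM) auth, not a cleartext simple bind

; Without a handler a failing COM call aborts older AutoIt versions; with one, @error is set instead.
Global $g_oCOMErr = ObjEvent("AutoIt.Error", "_COMErrFunc")
Func _COMErrFunc($oErr)
    ConsoleWrite("COM error 0x" & Hex($oErr.number, 8) & ": " & $oErr.windescription & @CRLF)
EndFunc

; Returns an array of group DNs (possibly empty); sets @error if the bind fails.
Func _ListComputerGroups($sComputerDN, $sUser, $sPassword)
    Local $oDSO = ObjGet("LDAP:")                  ; the ADSI namespace object (IADsOpenDSObject)
    If @error Then Return SetError(1, 0, 0)
    ; Bind with the supplied account rather than the one running the script.
    Local $oComputer = $oDSO.OpenDSObject("LDAP://" & $sComputerDN, $sUser, $sPassword, $ADS_SECURE_AUTHENTICATION)
    If @error Then Return SetError(2, 0, 0)

    ; memberOf is multi-valued. GetEx always returns an array, even for a single
    ; group, whereas .Get / .MemberOf return a plain string in that case and a
    ; For...In loop over it fails.
    Local $aGroups = $oComputer.GetEx("memberOf")
    If @error Then
        Local $aEmpty[0]   ; attribute absent: in no group but its primary group (zero-size arrays need AutoIt 3.3.10+)
        Return $aEmpty
    EndIf
    Return $aGroups
EndFunc

; --- usage (placeholder values; the password is prompted for, not embedded in a script shipped in a PE image) ---
Local $sPassword = InputBox("AD bind", "Password for TEST\svc-adquery:", "", "*")
Local $aGroups = _ListComputerGroups("CN=TESTBOX1,OU=Computers,DC=test,DC=test,DC=com", "TEST\svc-adquery", $sPassword)
If @error Then
    ConsoleWrite("Bind failed (@error=" & @error & ")" & @CRLF)
Else
    ConsoleWrite(UBound($aGroups) & " group(s):" & @CRLF)
    For $sGroupDN In $aGroups
        ConsoleWrite("  " & $sGroupDN & @CRLF)
    Next
EndIf
```

Because the credentials go into the bind itself, the script does not need to be restarted under another account with RunAsSet()/Run(); the account used only needs read access to the computer object for listing, and write access to the group objects for any later membership change. ADS_SECURE_AUTHENTICATION keeps the password out of the wire in cleartext, which a simple bind (flag 0) would not.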

#15 redfive19

    Adventurer

  • Active Members
  • 105 posts

Posted 13 April 2007 - 02:01 PM

Okay I've made some progress on this....I'm still trying to figure out how to remove a group from a computer object. Here's my code:

$legcompname = 'CN=TESTBOX1,OU=Computers,OU=Corporate,OU=HomeOffice,DC=test,DC=test,DC=com'
IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'OUPATH', $legcompname)
$strComputerPath = "LDAP://" & $legcompname

$objComputer = ObjGet($strComputerPath)
$x = 1
; Note: MemberOf comes back as a single string, not an array, when the computer is in
; exactly one group, and For...In then fails; GetEx("memberOf") always returns an array.
For $strGroup In $objComputer.MemberOf()
    $strGroupPath = "LDAP://" & $strGroup
    $objGroup = ObjGet($strGroupPath)
    ; Writes group name(s) to legsysinfo.ini in format GroupName1, GroupName2, GroupName3, etc.
    IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'OldGroupName' & $x, $objGroup.CN)
    If IniRead('c:\distribution\exe\GroupINFO.ini', 'OLDGROUP', $objGroup.CN, '') = 'FALSE' Then
        ; old group does not exist in the new structure: mark for deletion
        IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'OldGroupName' & $x & '_DEL', 'TRUE')
        IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'NewGroupName' & $x, 'NA')
    ElseIf IniRead('c:\distribution\exe\GroupINFO.ini', 'OLDGROUP', $objGroup.CN, '') = 'TRUE' Then
        ; old group still exists: keep it
        IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'OldGroupName' & $x & '_DEL', 'FALSE')
    ElseIf IniRead('c:\distribution\exe\GroupINFO.ini', 'OLDGROUP', $objGroup.CN, '') = 'NEWGROUP' Then
        ; old group is replaced: mark for deletion and record the replacement
        IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'OldGroupName' & $x & '_DEL', 'TRUE')
        $newgroup = IniRead('c:\distribution\exe\GroupINFO.ini', 'NEWGROUP', 'NEWGROUP.' & $objGroup.CN, '')
        IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'NewGroupName' & $x, $newgroup)
    EndIf
    $x = $x + 1
Next


What I'm trying to do is, if an old group does not exist in the new domain structure, to remove that group from the computer object. Furthermore, if an old group is being replaced by a new group, to remove that group from the computer object and add the computer object to the group that it replaces. I'm logging all of this activity in a .INI file as you can see. Any help would be greatly appreciated! Thank you!
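An added example, not redfive19's code: the same GroupINFO.ini convention as the post above (under [OLDGROUP], FALSE means the group is gone, TRUE means keep it, NEWGROUP means it is replaced by the group named under [NEWGROUP] as NEWGROUP.<old name>) turned into a decision function, plus the step the post is missing. Membership is stored on the group object, so a computer is taken out of a group with the ADSI IADsGroup Remove method and put into one with Add, both taking the member's ADsPath. The function names, the dry-run switch and the assumption that every replacement group sits in one OU are this example's own; the .ini paths are the post's.

```autoit
; Added example: decide per group whether to keep, remove or replace the
; computer's membership, then apply it with IADsGroup.Remove / IADsGroup.Add.

Global $g_oCOMErr = ObjEvent("AutoIt.Error", "_COMErrFunc")   ; keep COM failures from aborting the script
Func _COMErrFunc($oErr)
    ConsoleWrite("COM error 0x" & Hex($oErr.number, 8) & ": " & $oErr.windescription & @CRLF)
EndFunc

Global Const $GROUPINFO = 'c:\distribution\exe\GroupINFO.ini'

; Returns "KEEP", "REMOVE" or "REPLACE:<new group CN>" for one old group CN.
; Anything not understood maps to KEEP with @error set, so an incomplete
; mapping file never strips membership by accident.
Func _GroupAction($sOldCN)
    Local $sState = IniRead($GROUPINFO, 'OLDGROUP', $sOldCN, '')
    Switch $sState
        Case 'TRUE'
            Return 'KEEP'
        Case 'FALSE'
            Return 'REMOVE'
        Case 'NEWGROUP'
            Local $sNew = IniRead($GROUPINFO, 'NEWGROUP', 'NEWGROUP.' & $sOldCN, '')
            If $sNew = '' Then Return SetError(1, 0, 'KEEP')   ; replacement not named: leave as is
            Return 'REPLACE:' & $sNew
        Case Else
            Return SetError(2, 0, 'KEEP')   ; group not listed in GroupINFO.ini: do nothing rather than guess
    EndSwitch
EndFunc

; Walk the computer's groups and apply the actions. With $bDryRun = True only the log is written.
Func _MigrateComputerGroups($sComputerDN, $sNewGroupsOU, $bDryRun = True)
    Local $oComputer = ObjGet("LDAP://" & $sComputerDN)   ; binds as the account running the script
    If @error Then Return SetError(1, 0, False)
    Local $aGroupDNs = $oComputer.GetEx("memberOf")      ; GetEx: always an array, even for one group
    If @error Then Return True                           ; no memberOf values: nothing to migrate

    For $sGroupDN In $aGroupDNs
        Local $oGroup = ObjGet("LDAP://" & $sGroupDN)
        If @error Then ContinueLoop
        Local $sAction = _GroupAction($oGroup.CN)
        ConsoleWrite($oGroup.CN & " -> " & $sAction & @CRLF)
        If $bDryRun Then ContinueLoop

        If $sAction = 'REMOVE' Or StringLeft($sAction, 8) = 'REPLACE:' Then
            ; Membership lives on the group, so the computer is removed from it here,
            ; not from the computer object.
            $oGroup.Remove($oComputer.ADsPath)
        EndIf
        If StringLeft($sAction, 8) = 'REPLACE:' Then
            Local $sNewCN = StringTrimLeft($sAction, 8)
            ; Assumption of this example: all replacement groups live in $sNewGroupsOU.
            Local $oNewGroup = ObjGet("LDAP://CN=" & $sNewCN & "," & $sNewGroupsOU)
            If Not @error Then $oNewGroup.Add($oComputer.ADsPath)
        EndIf
    Next
    Return True
EndFunc

; --- usage: dry run first; re-run with $bDryRun = False once the log looks right ---
_MigrateComputerGroups('CN=TESTBOX1,OU=Computers,OU=Corporate,OU=HomeOffice,DC=test,DC=test,DC=com', _
        'OU=Groups,DC=test,DC=test,DC=com', True)
```

Remove and Add both write to the group objects, so the account the script runs as needs write access to those groups' member attribute; a read-only account gets a COM error from the handler above and the log still shows what would have been changed. Running the dry run once and checking the log against GroupINFO.ini before the real pass catches a mapping typo before it removes a computer from a group it should have kept.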

#16 redfive19

    Adventurer

  • Active Members
  • 105 posts

Posted 16 April 2007 - 06:30 PM

/bump