Query AD Group Membership


hi all,

I've searched the forums for something like this. I came across ADFunctions.au3 but I am unsure this is exactly what I need (and I am also getting an error on line 78 of ADFunctions.au3).

I basically want to find out what (group/ou?) attributes are assigned to the current computer object. For instance, I want to be able to run a script on the local machine, have it query that machine's AD group membership, create a new computer object and copy those attributes over to the new computer object. First and foremost, I just want to be able to DISPLAY (echo) the group membership just so I am sure it's correct.

I found some VB Code that's supposed to do just this but I can't make heads or tails of it:

' Bind to the Computers container and create a new computer object inside it
Set objCompt = _
    GetObject("LDAP://cn=Computers,dc=NA,dc=fabrikam,dc=com")
Set objComptCopy = objCompt.Create("computer", "cn=SEA-SQL-01")
objComptCopy.Put "sAMAccountName", "sea-sql-01"
objComptCopy.SetInfo        ' commit the new object to the directory

' Bind to an existing computer object that serves as the template
Set objComptTemplate = GetObject _
    ("LDAP://cn=SEA-PM-01,cn=Computers,dc=NA,dc=fabrikam,dc=com")
' Only these two plain attributes are copied; group membership is not touched
arrAttributes = Array("description", "location")

' Read each listed attribute from the template and write it to the copy
For Each strAttrib in arrAttributes
    strValue = objComptTemplate.Get(strAttrib)
    objComptCopy.Put strAttrib, strValue
Next

objComptCopy.SetInfo        ' commit the copied attributes

I know I can import it into AutoIt via a variety of ways but can someone please enlighten me as to what it's actually doing and how I can query AD first to make this happen? Thanks ahead of time for all of your help!!!!

-redfive

I'm trying to duplicate group membership for new PCs. So if a user has Windows 2000 now and that computer is part of the SALES OU, I want to make sure that the new COMPUTER (running Windows XP) will be added to the domain with the same exact group membership (new PC name).

Make sure you have the current ADFunctions UDF.

http://www.autoitscript.com/forum/index.ph...st&p=294788

Then use _ADGetObjectAttribute() and maybe try _ADGetGroupMembers()

Read the UDF for syntax and examples.

I'm trying to duplicate group membership for new PCs. So if a user has Windows 2000 now and that computer is part of the SALES OU, I want to make sure that the new COMPUTER (running Windows XP) will be added to the domain with the same exact group membership (new PC name).

That shouldn't be difficult to do using the ADFunctions UDF.

Edited by EndFunc

@redfive19

This is the translation, but according to me this code does not get the attribs, but writes them?!

; Bind to the Computers container and create the new computer object
$objCompt = ObjGet("LDAP://cn=Computers,dc=NA,dc=fabrikam,dc=com")
$objComptCopy = $objCompt.Create("computer", "cn=compaq_7010_01")
; sAMAccountName should match the CN; computer accounts conventionally end in "$"
$objComptCopy.Put("sAMAccountName", "sea-sql-01")
$objComptCopy.SetInfo()

; Bind to the template computer and list the attributes to copy
$objComptTemplate = ObjGet("LDAP://cn=SEA-PM-01,cn=Computers,dc=NA,dc=fabrikam,dc=com")
Local $arrAttributes[2] = ["description", "location"]

; Read each attribute from the template and write it to the new object
For $strAttrib In $arrAttributes
    $strValue = $objComptTemplate.Get($strAttrib)
    $objComptCopy.Put($strAttrib, $strValue)
Next

$objComptCopy.SetInfo()

Enjoy

ptrex

Hi,

I've just been looking at ADFunctions.au3 and would appreciate it if someone can clarify how the authentication to AD via LDAP works.

It seems to me that no "logon credentials" are provided; if you like, an anonymous connection is made. Am I right about that?

I would be surprised if an anonymous connection would be permitted to perform any (or at least any significant) update, or query for that matter, but where are the logon/authentication statements?

VW

Hi,

I've just been looking at ADFunctions.au3 and would appreciate it if someone can clarify how the authentication to AD via LDAP works.

It seems to me that no "logon credentials" are provided; if you like, an anonymous connection is made. Am I right about that?

I would be surprised if an anonymous connection would be permitted to perform any (or at least any significant) update, or query for that matter, but where are the logon/authentication statements?

VW

You're right, and I asked this question a long time ago, but never got an answer. Some of these functions will work without authentication, but usually to modify or create something you need authentication. So right now, to me, it's only useful for tasks that I have access to. But if running from another computer there seems to be no way to authenticate without logging in as yourself. I would sure like that added myself.

EndFunc

Hi,

I've just been looking at ADFunctions.au3 and would appreciate it if someone can clarify how the authentication to AD via LDAP works.

It seems to me that no "logon credentials" are provided; if you like, an anonymous connection is made. Am I right about that?

I would be surprised if an anonymous connection would be permitted to perform any (or at least any significant) update, or query for that matter, but where are the logon/authentication statements?

VW

You're right, and I asked this question a long time ago, but never got an answer. Some of these functions will work without authentication, but usually to modify or create something you need authentication. So right now, to me, it's only useful for tasks that I have access to. But if running from another computer there seems to be no way to authenticate without logging in as yourself. I would sure like that added myself.

Not sure I understand this question, but I am pretty sure that the credentials of the user account running the script are used. When this is not an AD account it will try to access by means of the Guest account, but most installations disable the Guest account for security reasons ...

Yeah, you know it's weird, I'm going to need to run this from a PE environment, so I will not be logged on with an account that has domain admin rights. EndFunc's previous post mentioned that he tried RunAsSet to no avail. Does anyone know if you can log in to an account that has rights to run the entire script?

Yeah, you know it's weird, I'm going to need to run this from a PE environment, so I will not be logged on with an account that has domain admin rights. EndFunc's previous post mentioned that he tried RunAsSet to no avail. Does anyone know if you can log in to an account that has rights to run the entire script?

How was that tried? Restarting the script with admin credentials using RunAsSet() and Run()?

You're right, and I asked this question a long time ago, but never got an answer. Some of these functions will work without authentication, but usually to modify or create something you need authentication. So right now, to me, it's only useful for tasks that I have access to. But if running from another computer there seems to be no way to authenticate without logging in as yourself. I would sure like that added myself.

This may help http://www.autoitscript.com/forum/index.ph...st&p=314230

If not, I need to do some work with AD and I'll need to authenticate, but I have other tasks that I need to complete beforehand, so I may not get to look at this for a while yet.

Certainly with authentication in a "work" environment ADFunctions.au3 offers many possibilities to automate tasks, but unfortunately without authentication its use is somewhat more limited.

VW
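
Binding with explicit credentials instead of the logged-on account, as an added example that is not from this thread or the ADFunctions UDF: it calls the ADSI OpenDSObject method on the LDAP: provider, which is what makes a run from a PE environment possible without logging in as a domain admin. The account name and computer DN are placeholders.

```autoit
Global Const $ADS_SECURE_AUTHENTICATION = 0x1   ; Kerberos/NTLM bind, not a simple bind
Global Const $ADS_USE_ENCRYPTION = 0x2          ; sign and seal the LDAP session
Global $g_bCOMError = False
Global $g_oCOMErr = ObjEvent("AutoIt.Error", "_COMErrFunc")

; Binds $sADsPath as the given account through IADsOpenDSObject on the LDAP:
; provider, instead of the token of whoever is running the script.
; Returns the bound object, or 0 with @error set.
Func _ADBind($sADsPath, $sUser, $sPassword)
    Local $oProvider = ObjGet("LDAP:")          ; the provider itself, not a DN
    If @error Or Not IsObj($oProvider) Then Return SetError(1, 0, 0)
    $g_bCOMError = False
    Local $oObj = $oProvider.OpenDSObject($sADsPath, $sUser, $sPassword, _
            BitOR($ADS_SECURE_AUTHENTICATION, $ADS_USE_ENCRYPTION))
    If $g_bCOMError Or Not IsObj($oObj) Then Return SetError(2, 0, 0)
    Return $oObj
EndFunc

Func _COMErrFunc($oError)
    $g_bCOMError = True
    ConsoleWrite("COM error 0x" & Hex($oError.number, 8) & ": " & _
            $oError.description & @CRLF)
EndFunc

; Ask for the password rather than embedding it: a compiled .exe can be
; decompiled, and a PE image is often shared. Account and DN are placeholders.
Local $sUser = "EXAMPLE\svc-joindomain"
Local $sPassword = InputBox("AD bind", "Password for " & $sUser, "", "*")
If @error Then Exit
Local $oComputer = _ADBind("LDAP://CN=TESTBOX1,OU=Computers,DC=example,DC=com", _
        $sUser, $sPassword)
Local $iErr = @error
$sPassword = ""                                 ; drop the secret as soon as it is used
If $iErr Then
    ConsoleWrite("Bind failed (@error=" & $iErr & ")" & @CRLF)
    Exit 1
EndIf
ConsoleWrite("Bound as " & $sUser & " to " & $oComputer.Name & @CRLF)
```

Every later ObjGet("LDAP://...") in the same script still runs under the logged-on token; objects reached by navigating from the bound object (for example a group opened through the bound computer's container) carry the supplied credentials.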

Okay, I've made some progress on this... I'm still trying to figure out how to remove a group from a computer object. Here's my code:

$legcompname = 'CN=TESTBOX1,OU=Computers,OU=Corporate,OU=HomeOffice,DC=test,DC=test,DC=com'
IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'OUPATH', $legcompname)
$strComputerPath = "LDAP://" & $legcompname
$objComputer = ObjGet($strComputerPath)
$x = 1
; GetEx() always returns an array; the bare memberOf property comes back as a
; single string when the computer is in only one group, which breaks For...In
For $strGroup In $objComputer.GetEx("memberOf")
    $strGroupPath = "LDAP://" & $strGroup
    $objGroup = ObjGet($strGroupPath)
    ; Writes group name(s) to legsysinfo.ini in format GroupName1, GroupName2, GroupName3, etc.
    IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'OldGroupName' & $x, $objGroup.CN)
    ; GroupINFO.ini maps each old group name to FALSE (drop), TRUE (keep) or NEWGROUP (replace)
    $action = IniRead('c:\distribution\exe\GroupINFO.ini', 'OLDGROUP', $objGroup.CN, '')
    If $action = 'FALSE' Then
        IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'OldGroupName' & $x & '_DEL', 'TRUE')
        IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'NewGroupName' & $x, 'NA')
    ElseIf $action = 'TRUE' Then
        IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'OldGroupName' & $x & '_DEL', 'FALSE')
    ElseIf $action = 'NEWGROUP' Then
        IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'OldGroupName' & $x & '_DEL', 'TRUE')
        $newgroup = IniRead('c:\distribution\exe\GroupINFO.ini', 'NEWGROUP', 'NEWGROUP.' & $objGroup.CN, '')
        IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'NewGroupName' & $x, $newgroup)
    EndIf
    $x = $x + 1
Next

What I'm trying to do is, if an old group does not exist in the new domain structure, to remove that group from the computer object. Furthermore, if an old group is being replaced by a new group, to remove that group from the computer object and add the computer object to the group that it replaces. I'm logging all of this activity in a .INI file as you can see. Any help would be greatly appreciated! Thank you!
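
Mirroring one computer object's group membership onto another, as an added example that is neither redfive's code nor the ADFunctions UDF: membership is read through GetEx("memberOf"), the target is added to each group with IADsGroup.Add, and IADsGroup.Remove is the matching call for dropping a group. The DNs are placeholders.

```autoit
Global $g_bCOMError = False
Global $g_oCOMErr = ObjEvent("AutoIt.Error", "_COMErrFunc")

; Group DNs of a computer object as a 0-based array (empty when memberOf is
; unset). GetEx() always returns an array, unlike the bare memberOf property,
; which comes back as one string when the computer is in a single group.
; The primary group (normally "Domain Computers") is never listed here; it
; is held in the primaryGroupID attribute instead.
Func _ADComputerGroups($sComputerDN)
    Local $aEmpty[0]
    Local $oComputer = ObjGet("LDAP://" & $sComputerDN)
    If @error Or Not IsObj($oComputer) Then Return SetError(1, 0, $aEmpty)
    $g_bCOMError = False
    Local $aGroups = $oComputer.GetEx("memberOf")
    If $g_bCOMError Or Not IsArray($aGroups) Then Return $aEmpty   ; no groups
    Return $aGroups
EndFunc

; Adds $sTargetDN to every group $sSourceDN belongs to and returns how many
; groups were newly joined; memberships the target already has are skipped.
; $oGroup.Remove($sTargetPath) is the matching call to drop a membership.
Func _ADMirrorGroups($sSourceDN, $sTargetDN)
    Local $aGroups = _ADComputerGroups($sSourceDN)
    If @error Then Return SetError(1, 0, 0)
    Local $iAdded = 0, $sTargetPath = "LDAP://" & $sTargetDN, $oGroup
    For $i = 0 To UBound($aGroups) - 1
        $oGroup = ObjGet("LDAP://" & $aGroups[$i])
        If @error Or Not IsObj($oGroup) Then ContinueLoop
        $g_bCOMError = False
        If $oGroup.IsMember($sTargetPath) Then ContinueLoop   ; already in it
        $oGroup.Add($sTargetPath)
        If Not $g_bCOMError Then $iAdded += 1
    Next
    Return $iAdded
EndFunc

Func _COMErrFunc($oError)
    $g_bCOMError = True
    ConsoleWrite("COM error 0x" & Hex($oError.number, 8) & " line " & _
            $oError.scriptline & ": " & $oError.description & @CRLF)
EndFunc

; Placeholder DNs; the account running this must be allowed to edit the groups
Local $iCount = _ADMirrorGroups("CN=OLDPC,OU=Computers,DC=example,DC=com", _
        "CN=NEWPC,OU=Computers,DC=example,DC=com")
ConsoleWrite("Added NEWPC to " & $iCount & " group(s)" & @CRLF)
```

Run it once with the Add call commented out and the ConsoleWrite left in to confirm the group list before letting it modify anything.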
