Active Directory UDF - General
The Active Directory UDF offers functions to control and manipulate Microsoft Active Directory. This page describes the Active Directory UDF in general.
The Active Directory UDF is based upon this concept:
- Open a connection to the AD, do all the work then close the connection
- Access one domain at a time. Cross domain scripts are not possible with this UDF
- Access the Global Catalog to search the complete forest
- Access to the Active Directory can be made secure using SSL for both the domain and the Global Catalog
You have to run version 126.96.36.199 of AutoIt or newer.
Every script calls at least the following functions:
_AD_Open() ; Open a connection to the Active Directory _AD_* ; Any function that queries or alters the Active Directory _AD_Close() ; Close the connection
Open a connection
There are multiple ways to open a connection to the Active Directory.
Only one connection can be open at any time. This means you can't connect to two domains at the same time. You have to connect to the first domain, do all the work, close the connection and open the connection to the second domain. This is true for the Global Catalog as well.
To current domain
No additional information is needed if you want to connect to the domain the computer is already a member of. _AD_Open uses the credentials of the currently logged in user to connect to the domain. If the currently logged in user doesn't have the required privileges you can specify the credentials of a different user.
Open an AD connection to the domain the computer has logged in and use the windows logon credentials:
$iResult = _AD_Open()
Open an AD connection to the domain the computer has logged in and specify the credentials to use. The UserID has to be in one of the following formats (assume the samAccountName = DJ and the domain name = microsoft):
Windows Login Name e.g. "DJ" NetBIOS Login Name e.g. "microsoft\DJ" User Principal Name e.g. "DJ@microsoft.com"
The following examples are equivalent:
$iResult = _AD_Open("DJ", "password of DJ") $iResult = _AD_Open("microsoft\DJ", "password of DJ") $iResult = _AD_Open("DJ@microsoft.com", "password of DJ")
If you want to connect to a specific Domain Controller in the domain then simply specify the HostServer.
$iResult = _AD_Open("DJ", "password of DJ", "", "DC1.domain.com") ; setting alternate credentials $iResult = _AD_Open("", "", "", "DC1.domain.com") ; using the windows login credentials
To another domain
Much more information is needed if you want to connect to a different domain than the computer is already a member of. You have to specify DNSDomain, HostServer and Configuration. If you don't specify alternate credentials then the credentials of the currently logged in windows user are used.
Examples of the needed parameters:
$sAD_DNSDomainParam = Active Directory domain name e.g. "DC=subdomain,DC=example,DC=com" $sAD_HostServerParam = Name of Domain Controller e.g. "servername.subdomain.example.com" $sAD_ConfigurationParam = Configuration naming context e.g. "CN=Configuration,DC=subdomain,DC=example,DC=com"
Open an AD connection to another domain and use the windows logon credentials:
$iResult = _AD_Open("", "", "DC=subdomain,DC=example,DC=com", "servername.subdomain.example.com", "CN=Configuration,DC=subdomain,DC=example,DC=com")
Open an AD connection to another domain and specify alternate credentials:
$iResult = _AD_Open("DJ", "password of DJ", "DC=subdomain,DC=example,DC=com", "servername.subdomain.example.com", "CN=Configuration,DC=subdomain,DC=example,DC=com")
More information on how to specify credentials can be found here.
From a workgroup
If your computer is not connected to any domain you have to provide the same information as if connecting to another domain. How to connect to another domain is described here.
To a Global Catalog
If you want to connect to a Global Catalog - so the search functions work on the whole forest and not just on a single domain - you have to append port number 3268 to the HostServer parameter.
$iResult = _AD_Open("", "", "", "DC1.company.com:3268")
All functions now access the Global Catalog. Every search function now returns results for the whole forest not just the domain.
In a forest there can be multiple Global Catalogs. To get a list of Global Catalogs connect to the domain and use _AD_ListDomainControllers.
$iResult = _AD_Open() $aDCs = _AD_ListDomainControllers() For $iIndex = 1 to $aDCs If $aDCs[$iIndex] = True Then ConsoleWrite("DC " & $aDCs[$iIndex] & " is a Global Catalog") Next _AD_Close()
To a Domain Controller
If you want to use SSL and/or password encryption when you connect to a Domain Controller you have to set parameter 6 of _AD_Open.
Valid entries are:
1 = Sets the connection property "Encrypt Password" to True to encrypt userid and password 2 = The channel is encrypted using Secure Sockets Layer (SSL). AD requires that the Certificate Server be installed to support SSL 3 = Combination of 1 and 2
$iResult = _AD_Open("", "", "", "", "", 2) ; Uses SSL to connect to a Domain Controller of the current domain
To a Global Catalog
If you want to use SSL for your connection to the Global Catalog use port 3269 instead of 3268.
_AD_Open sets the return value to 0 and @error plus @extended to denote what kind of error occurred.
On Windows Vista and later - if you specified the UserID as NetBIOS Login Name or User Principal Name - you can get additional information about the error. _AD_GetlastADSIError will return an array of additional information:
$iResult = _AD_Open() If @error <> 0 Then $aError = _AD_GetlastADSIError() _ArrayDisplay($aError, "Error occurred when running _AD_Open") Exit EndIf
This could look like:
 5  2148074248 - ADSI error code (decimal)  80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0 - Unicode string that describes the error  LDAP Provider - name of the provider that raised the error  52e - Win32 error code extracted from element  Logon failure: unknown user name or bad password - description of the Win32 error code as returned by _WinAPI_FormatMessage
Some of the Win32 error codes you can see:
525 = user not found 52e = invalid credentials 530 = not permitted to logon at this time 532 = password expired 533 = account disabled 701 = account expired 773 = user must reset password
To get detailed error information about COM errors you can set variable $iAD_Debug. The following values can be used:
1 = Uses ConsoleWrite to display the COM error message. Therefore doesn't work for compiled scripts 2 = Uses MsgBox to display the COM error message 3 = Uses FileWrite to write (append) the COM error message to file "AD_Debug.txt" in the current directory
If you set $iAD_Debug = 3 then you can set variable $sAD_DebugFile to the path and filename of the log file. Default = @ScriptDir & "\AD_Debug.txt".
The following example parses the commandline and sets debugging to "MsgBox" when command line parameter one is set to "/debug" or "-debug".
If $CmdLine And ($CmdLine = "/debug" Or $CmdLine = "-debug") Then $iAD_Debug = 2
There are many functions in the UDF that allow to query the Active Directory. The most important functions are:
- _AD_GetObjectsInOU: This function uses LDAP to query objects (users, computers ...) in the whole domain or a subtree
Tips & Tricks
- The UDF does not support the "granular password policy" feature implemented with Windows Server 2008. Invalid results for all password related functions might be returned
- Keyword "Default": You can't use the keyword "Default" to omit parameters in a function call as the UDF does not support this keyword
- If you run Windows Vista or higher, UAC is enabled and you use functions that change the AD then you might need to insert #RequireAdmin into your script
- The SamAccountName of a computer is the computername with a trailing "$" e.g. @ComputerName & "$"
- Special characters: If you call a function with a Fully Qualified Domain Name (FQDN) as parameter you as a user have to make sure that all special characters ("\/#,+<>;=) are escaped with a preceding backslash. You can call function _AD_FixSpecialChars(String, 1) to escape or _AD_FixSpecialChars(string, 0) to unescape the special characters