Active Directory UDF

Wooltown · January 26, 2010

Nice job, at the moment I don't have use for it, but I think I will in near future. If I will have use for it, I will gladly help with test and development.

water · January 26, 2010

The Active Directory UDF is still under heavy development and testing.

When all functions are implemented and everything is well tested then version 1.0 will be released.

Until then every new release (e.g. 0.40) might contain script breaking changes.

What do you think about script breaking changes? Do you already have scripts that heavily rely on the UDF?

Please post your opinions.

Edited January 27, 2010 by water

TheBib · January 28, 2010

Hi,

I try to add a user in an AD group.

When I use the default script sample, I get an error.

; *****************************************************************************
; Example 1
; Add a user to a specified group.
; *****************************************************************************
#include <AD.au3>
#include <ButtonConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>

; Open Connection to the Active Directory
_AD_Open()

$iReply = MsgBox(308, "Active Directory Functions - Example 1", "This script adds a user to a group." & @CRLF & @CRLF & _
        "Are you sure you want to change the Active Directory?")
If $iReply <> 6 Then Exit

; Enter user account and group
#Region ### START Koda GUI section ### Form=
$Form1 = GUICreate("Active Directory Functions - Example 1", 514, 124)
GUICtrlCreateLabel("Enter the user account (samAccountName):", 8, 10, 231, 17)
GUICtrlCreateLabel("Enter the group name (without leading CN=):", 8, 42, 231, 17)
$lUser = GUICtrlCreateInput(@UserName, 241, 8, 259, 21)
$IGroup = GUICtrlCreateInput("", 241, 40, 259, 21)
$BOK = GUICtrlCreateButton("Assign user to group", 8, 72, 121, 33)
$BCancel = GUICtrlCreateButton("Cancel", 428, 72, 73, 33, BitOR($GUI_SS_DEFAULT_BUTTON, $BS_DEFPUSHBUTTON))
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###

While 1
    $nMsg = GUIGetMsg()
    Switch $nMsg
        Case $GUI_EVENT_CLOSE, $BCancel
            Exit
        Case $BOK
            $sUser = _AD_SamAccountNameToFQDN(GUICtrlRead($lUser))
            $sGroup = _AD_SamAccountNameToFQDN(GUICtrlRead($IGroup))
            ExitLoop
    EndSwitch
WEnd

; Add user to group
$iValue = _AD_AddUserToGroup($sUser, $sGroup)
If $iValue = 1 Then
    MsgBox(64, "Active Directory Functions - Example 1", "User '" & $sUser & "' successfully assigned to group '" & $sGroup & "'")
ElseIf @error = 1 Then
    MsgBox(64, "Active Directory Functions - Example 1", "Group '" & $sGroup & "' does not exist")
ElseIf @error = 2 Then
    MsgBox(64, "Active Directory Functions - Example 1", "User '" & $sUser & "' does not exist")
ElseIf @error = 3 Then
    MsgBox(64, "Active Directory Functions - Example 1", "User '" & $sUser & "' is already a member of group '" & $sGroup & "'")
Else
    MsgBox(64, "Active Directory Functions - Example 1", "Return code '" & @error & "' from Active Directory")
EndIf

; Close Connection to the Active Directory
_AD_Close()

Here are the errors

COM Error Encountered

Scriptline = 403

and

COM Error Encountered

Scriptline = 1718

Thanks,

water · January 28, 2010

Hi TheBib,

could you please give me the COM error codes you receive? This makes traking the error much easier.

And could you please give an example of the data you enter in the GUI?

Line 403 is in the function _IsMemberOf so the user might already be a member of the group.

Thanks

Edited January 28, 2010 by water

supersonic · January 28, 2010

Hi!

Thank you so far, good work! :-)

I have some problems with _AD_GetObjectAttribute(),

especially when querying a lot of attributes (30+) for quite a lot of users (300+).

Error:

### COM error! Number: 80020009 ScriptLine: 366 Description: Die Tabelle ist nicht vorhanden.

D:\AUTOIT\Include\Water\AD\AD.au3 (369) : ==> Object referenced outside a "With" statement.:

Local $sAD_LDAPEntry = $oAD_RecordSet.fields(0).value

Local $sAD_LDAPEntry = $oAD_RecordSet.fields(0)^ ERROR

When querying less users (but with the same set of attributes) it works without any errors...

Furthermore I would like to see _AD_GetObjectAttribute() to be able to return valid values

for "accountExpires", "lastLogon", "lastLogonTimestamp", "objectGUID" and "objectSID" (any many more :-)...

Therefore I have modified this function to feed my needs:

Func _AD_GetObjectAttribute2($sAD_SamAccountName, $sAD_Attribute)
    If _AD_ObjectExists($sAD_SamAccountName) = 0 Then Return SetError(1, 0, 0)
    Local $sAD_Query = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(sAMAccountName=" & $sAD_SamAccountName & ");ADsPath;subtree"
    Local $oAD_RecordSet = $oAD_Connection.Execute($sAD_Query) ; Retrieve the FQDN for the object
    Local $sAD_LDAPEntry = $oAD_RecordSet.fields(0).value
    Local $oAD_Object = _AD_ObjGet($sAD_LDAPEntry) ; Retrieve the COM Object for the object
    Local $sAD_Result = $oAD_Object.Get($sAD_Attribute)
    ; ----------
    Select
        Case $sAD_Attribute = "accountExpires" Or $sAD_Attribute = "lastLogon" Or $sAD_Attribute = "lastLogonTimestamp"
            Local $iAD_HighPart = $sAD_Result.HighPart ; Convert IADsLargeInteger parts to 100ns count.
            Local $iAD_LowPart  = $sAD_Result.LowPart ; Convert IADsLargeInteger parts to 100ns count.
            If $iAD_LowPart < 0 Then $iAD_HighPart += 1 ; Compensate for IADsLargeInteger interface error.
            Local   $iAD_Dummy  = $iAD_HighPart * 2 ^ 32
                    $iAD_Dummy += $iAD_LowPart
            If $iAD_Dummy = 0 Then
                $sAD_Result = 0 ; User has never logged on.
            Else
                Local $iAD_Floor = Floor($iAD_Dummy / 10000000) ; Convert 100ns count to integer seconds.
                $sAD_Result = _DateAdd("s", $iAD_Floor, "1601/01/01 00:00:00") ; Convert seconds since 12:00am January 01, 1601 to date string (Coordinated Universal Time (UTC)/Zulu Time).
            EndIf
        Case $sAD_Attribute = "objectGUID"
            Local $xAD_Dummy = DllStructCreate("byte[24]")
            DllStructSetData($xAD_Dummy, 1, $sAD_Result)
            $sAD_Result = _WinAPI_StringFromGUID(DllStructGetPtr($xAD_Dummy))
            $xAD_Dummy  = 0
        Case $sAD_Attribute = "objectSID"
            Local $xAD_Dummy = DllStructCreate("byte[28]")
            DllStructSetData($xAD_Dummy, 1, $sAD_Result)
            $sAD_Result = _Security__SidToStringSid(DllStructGetPtr($xAD_Dummy))
            $xAD_Dummy  = 0
    EndSelect
    ; ----------
    $oAD_Object.PurgePropertyList
    If $iAD_COMError = 3 Then
        $iAD_COMError = 0
        Return SetError(2, 0, 0)
    EndIf
    If IsArray($sAD_Result) Then _ArrayInsert($sAD_Result, 0, UBound($sAD_Result, 1))
    Return $sAD_Result
EndFunc   ;==>_AD_GetObjectAttribute

Any ideas about the COM error?

Greets,

-supersonic.

Edited January 28, 2010 by supersonic

water · January 28, 2010

Hi supersonic, schöne Grüße,

thanks for using the AD UDF!

"COM Error 80020009: DISP_E_EXCEPTION - Unanticipated error occurred"

This could be everything!

But with many attributes and a lot of users it might be a problem with the amount of queries the DC can't cope with.

You could use a "Sleep(100)" after each call to an _AD_* function but this will considerably slow down your script.

Or you could try function _AD_GetObjectsInOU to get all required data in one go:

_AD_GetObjectsInOU($aAD_Objects, "", ""(&(objectcategory=person)(objectclass=user)(name=*))", 2, "comma-seperated list of attributes to retrieve")

This will return all users in the AD tree with the attributes you specify. Unfortunately it doesn't return multi-valued attributes. You have to use

_AD_GetObjectAttribute() for this attributes.

To get all "deciphered" attributes you could use function _AD_GetObjectProperties. Is this what you need?

Edited January 28, 2010 by water

TheBib · January 28, 2010

Hi TheBib,
could you please give me the COM error codes you receive? This makes traking the error much easier.
And could you please give an example of the data you enter in the GUI?
Line 403 is in the function _IsMemberOf so the user might already be a member of the group.
Thanks

Hi Water,

Thank you for your reply...

I just check about the data, and I found my mistake : I enter only the groupname and not all the distinghishedName.

Is it right ?

But I receive a new error : user 'CN=my_user,OU=Other,OU=Test,DC=my_domain,DC=lan' does not exist.

I just enter the SamAccountName (my_user) so the program can find this account (it return the distinghishedName...)

Can you help me ?

Regards,

water · January 28, 2010

HiTheBib,

my bad.

Could you please change the code of the example script?

The line should read:

$iValue = _AD_AddUserToGroup($sGroup, $sUser)

The error was caused by the wrong order of the parameters. First the group then the user.

The format of both parameters to be entered in the gui is the sAMAccountname.

TheBib · January 28, 2010

HiTheBib,

my bad.
Could you please change the code of the example script?
The line should read:
$iValue = _AD_AddUserToGroup($sGroup, $sUser)
The error was caused by the wrong order of the parameters. First the group then the user.
The format of both parameters to be entered in the gui is the sAMAccountname.

Hi Water

It work !!!

Very nice !!!

Thank you very much !!!

supersonic · January 28, 2010

Water,

thank you for the clue to use _AD_GetObjectsInOU() + _AD_GetObjectProperties(). It works like a charm...

Does it make sense to you to enhance _AD_GetObjectProperties() with some part of the code I posted above

to return "readable" SIDs and GUIDs?

Greets,

-supersonic.

water · January 29, 2010

Does it make sense to you to enhance _AD_GetObjectProperties() with some part of the code I posted above
to return "readable" SIDs and GUIDs?

Sure, I'm always glad to get improvemetns for the UDF. I'll have alook and hope to implement it over the weekend.

Maybe I can release a new version quite soon.

supersonic · January 29, 2010

Water,

I'm trying to get all members of a group. Therefore I use _AD_GetGroupMembers().

Generally it works but when querying the group "Domänen-Benutzer" the function

returns without results. That's impossible, this group contains 300+ users...

Other groups (e. g. "Domänen-Admins") works without any problems...

A code snippet I use:

$aTmp1[2] = "Domänen-Benutzer"
_AD_GetGroupMembers($aTmp2, _AD_SamAccountNameToFQDN($aTmp1[2]))

In this case the function _AD_SamAccountNameToFQDN() returns the right value:

"Domänen-Benutzer" -> "CN=Domänen-Benutzer,CN=Users,DC=de01,DC=itvollmann,DC=com"

... please, can you help me out?

Greets,

-supersonic.

Edited January 29, 2010 by supersonic

water · January 29, 2010

Hi supersonic,

I think it has to do with the Umlaut a ("ä") in the Groupname. Could you please try it with

$aTmp1[2] = "Domanen-Benutzer"
_AD_GetGroupMembers($aTmp2, _AD_SamAccountNameToFQDN($aTmp1[2]))

supersonic · January 29, 2010

Hi Water,

no luck...

Even _AD_GetObjectProperties("Domänen-Benutzer") or

_AD_GetObjectProperties("Domanen-Benutzer") returns without any "member"-entries...

water · January 29, 2010

Hi supersonic,

seems to be a problem with character encoding. When you open your script with a DOS editor you don't see the character "ä" but something different.

Here is a (german) site that explains this behaviour a bit. But it seems to be good practice to avoid special characters in AD (see this galileo book).

So the best to avoid future problems would be to rename the group.

water · January 29, 2010

Hi supersonic,

at the moment _AD_GetObjectAttribute returns the attributes undecoded whereas _AD_GetObjectProperties decodes as many attributes as possible.

I've inserted your code to decrypt objectGUID and objectSID into _AD_GetObjectProperties.

Can you life with _AD_GetObjectAttribute not decoding the attribute values and using _AD_GetObjectProperties if you need decoded values?

supersonic · January 29, 2010

Hi Water,

1) Yes I can (live with it)!

2) Renaming build-in domain groups like "Domänen-Benutzer", etc. isn't a real solution.

For the group "Domänen-Admins" it works well... Strange...

Have you working code in this case?

water · January 29, 2010

Hi supersonic,

very strange that "Domänen-Admins" works and "Domänen-Benutzer" doesn't.

Could you download the Sysinternals (now M$) tool ADExplorer and check if there are any differences?

This KB article explains how AD works with Umlauts.

supersonic · January 29, 2010

Water,

I've downloaded ADExplorer.

I can't believe it: there is no "member" attribute for "Domänen-Benutzer"!

Do you have an explanation? Looking in "Users und Groups" on the domain controller

lists 300+ user for the group...

Strange, strange, strange...

water · January 29, 2010

I'm no AD guru but our group "Domain Users" is empty as well. FQDN is CN=Domain Users,OU=System_Groups,DC=company,DC=country

It seems to be OK. Please see this article.

Edited January 29, 2010 by water

Sign In

Active Directory UDF

Recommended Posts

Wooltown

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

water

BrewManNH

mnorland

Posted Images

water

TheBib

water

supersonic

water

TheBib

water

TheBib

supersonic

water

supersonic

water

supersonic

water

water

supersonic

water

supersonic

water

Similar Content

adding a variable inside a PowerShell command

AD - Active Directory UDF

Compare Active Directory Groups

Using the PowerShell Group Policy Module with AutoIt

Active Directory - Need to search where user is/was logged

Browse

AutoIt Resources

Release

Beta