Active Directory UDF

HaeMHuK · February 23, 2012

Here it is.

Edited February 23, 2012 by HaeMHuK

water · February 23, 2012

It seems that you first have to delete all contained objects before you can delete the container itself.

Check this MS Technet article.

Or taken from here (Tasks 6-7):

"If you want to delete a container, you must first delete all its children. If these children are containers with objects, you have to recursively delete these containers and their children before you can delete the parent. If you attempt to delete a container object that still has objects in it, you receive an error message that states The directory service can perform the requested operation only on a leaf object.

However, if you attempt to delete a group that still has members or is a member of other groups, the delete call will succeed. The call succeeds because the membership relationships aren't true parent-child relationships within AD."

HaeMHuK · February 23, 2012

Thanks. I've just changed the script. Seems it works fine.

$aObjects = _AD_GetObjectsInOU(_AD_SAMAccountNameToFQDN($sObject), "(&(cn=*))", 1, "distinguishedName", "cn")
If @error > 0 Then
MsgBox(64, "Active Directory Functions - Example 2", "No OUs could be found")
Else
For $i = 1 to UBound($aObjects)-1
  $iSubValue = _AD_DeleteObject($aObjects[$i], _AD_GetObjectClass($aObjects[$i]))
   If $iSubValue = 1 Then
    MsgBox(64, "Active Directory Functions - Example 1", "Object '" & $aObjects[$i] & "' successfully deleted")
   ElseIf @error = 1 Then
    MsgBox(16, "Active Directory Functions - Example 1", "Object '" & $aObjects[$i] & "' does not exist")
   Else
    MsgBox(16, "Active Directory Functions - Example 1", "Return code '" & @error & "' from Active Directory")
   EndIf
Next
  $iValue = _AD_DeleteObject($sObject, _AD_GetObjectClass($sObject))
   If $iValue = 1 Then
    MsgBox(64, "Active Directory Functions - Example 1", "Object '" & $sObject & "' successfully deleted")
   ElseIf @error = 1 Then
    MsgBox(16, "Active Directory Functions - Example 1", "Object '" & $sObject & "' does not exist")
   Else
    MsgBox(16, "Active Directory Functions - Example 1", "Return code '" & @error & "' from Active Directory")
   EndIf
EndIf

Edited February 23, 2012 by HaeMHuK

water · February 23, 2012

Thanks for the script.

I think at the moment its OK that we have a reference for the problem in this forum.

If someone else faces this problem he should be able to find this post and modify his code.

jrscribner · March 8, 2012

I'm working on an AutoIt script that will remove computers from AD if they exist and add a new one as part of our system imaging process (Windows 7). My script works great if I run it on a PC that is a member of the domain but if the PC is not a member of the domain I get an error when adding a computer to AD under certain conditions.

Connected to our 2003 AD Controller there is no problem

Connected to our 2008 R2 AD Controller I get the following error but the account is created.

2012.03.07 18:27:21

-------------------

COM Error Encountered in K1PCName.au3

AD UDF version = 1.2.0

Scriptline = 2441

NumberHex = 80020009

Number = -2147352567

WinDescription = The security ID structure is invalid.

Description =

Source =

HelpFile =

HelpContext = 0

LastDllError = 0

========================================================

Variable Values:

$Domain_UN = "administrator@domain.com"

$Domain_Pass = "MyDomainAdminPassword"

$Domain = "DC=DOMAIN,DC=COM"

$ConfigParam = "CN=Configuration,DC=DOMAIN,DC=COM"

$PCDomain = "OU=W7_LabPCs,DC=DOMAIN,DC=COM"

$sComputer = "LT1599681"

Func AddComputerAD($sComputer)
$iAD_Debug = 3
_AD_Open($Domain_UN, $Domain_Pass, $Domain, $DC, $ConfigParam)If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

; Add Computer object

$iValue = _AD_CreateComputer($PCDomain, $sComputer, "Users")
If $iValue = 1 Then
  Return
ElseIf @error = 1 Then
  MsgBox(64, "Active Directory Functions - Add Computer", "The '" & $PCDomain & "' OU does not exist")
ElseIf @error = 2 Then
  MsgBox(64, "Active Directory Functions - Add Computer", "Computer: '" & $sComputer & "' already exists in Active Directory")
ElseIf @error = 3 Then
  MsgBox(64, "Active Directory Functions - Add Computer", "User/group '" & $PCDomain & "' does not exist")
Else
  MsgBox(64, "Active Directory Functions - Add Computer", "Return code '" & @error & "' from Active Directory")
EndIf
; Close Connection to the Active Directory
_AD_Close()EndFunc

This code is real close to the example code so I'm not sure why it doesn't work. I have code very similar to delete Computers from AD and that one works fine. The line in AD.au3 that is being referenced is: $oAD_Computer.Put("ntSecurityDescriptor", $oAD_SD) if that helps any.

Thanks for any help in advance.

water · March 8, 2012

Maybe this is the case here:

"A common error seen by script writers writing their own ACL manipulation scripts is the dreaded "The security ID structure is invalid" error, or error -2147023559. The number one cause of this error is a trustee that cannot be resolved to a SID."

Could you please use

$Domain_UN = "domainadministrator"

and try again?

jrscribner · March 9, 2012

Changing the $Domain_UN to "domainadministrator" didn't seem to make a difference, I've tried other accounts and it doesn't seem to matter, but I only affects the script if running on a non domain computer connecting to a 2008 R2 DC.

water · March 9, 2012

Looks like the problem is described here. Does this make sense?

water · March 18, 2012

Experimental Version 1.2.1.0 has been released.

For testing purpose only!

Needs 3.3.9.2 beta for the new way the UDF handles COM errors!

For download please see my signature.

blumi · March 28, 2012

Hi all,

I use these great UDF but could need some help please.

I made a small script which reads the email addresses from the member of a group I have choosen.

In this group are members from different domains.

I get only the information from the members who are in the same domain like me.

What can I do?

I did not configure _AD_Open() etc. cause it worked fine until to this problem.

With which values is the _AD_Open() connection established. Data from the pc system (os) or from the logged on user?

Thanks

water · March 28, 2012

Try to access the Global Catalog.

How to access the GC is described here.

HaeMHuK · April 25, 2012

Hi water.

Could you please help me with the script to retrieve the tree of groups and sub groups in OU with count of members.

Member count in a group must be the total count of all members in subgroups. Groups consist users and subgroups.

Something like on screenshot.

I have spent a few days to write it but no good results.

Thanks in advance.

$sTitle = "Active Direcory OU Treeview"
#region ### START Koda GUI section ### Form=
$hSettings = GUICreate($sTitle, 400, 300)
$hTree = GUICtrlCreateTreeView(5, 5, 320, 290, -1, $WS_EX_CLIENTEDGE)
$bSelect = GUICtrlCreateButton("Select OU", 330, 10, 65, 19)
$bExpand = GUICtrlCreateButton("Expand", 330, 30, 65, 19)
$bCollapse = GUICtrlCreateButton("Collapse", 330, 50, 65, 19)
$bExit = GUICtrlCreateButton("Exit", 330, 70, 65, 19)
#endregion ### END Koda GUI section ###
$aObjects = _AD_GetObjectsInOU($sOU, "(name=Group*)", 2, "sAMAccountName,distinguishedName,displayname")
If @error > 0 Then
MsgBox(64, "Active Directory Functions - Example 1", "No OUs could be found")
Else
Local $arr1[1]
$Arr1[0] = "groups"
$generalitem  = _GUICtrlTreeView_Add($hTree, 0, "Group")
  For $i = 1 to UBound($aObjects)-1
    _Arrayadd($arr1, _AD_FQDNToSAMAccountName($aObjects[$i][1]))
$hItem = _GUICtrlTreeView_AddChild($hTree, $generalitem, _AD_FQDNToSAMAccountName($aObjects[$i][1]) & " (" & UBound(_AD_GetGroupMembers($aObjects[$i][1]))-1 & ")")
next
EndIf

Edited April 25, 2012 by HaeMHuK

water · April 25, 2012

Hi HaeMHuK,

Maybe a good idea to enhance my _AD_Example_GetOUTreeView. At the moment it only displays the OU's.

It could be enhanced to accept optional parameters which specify what do return in the array: Only OUs, OUs + members, total count of OUs, total count of members.

But it will take some time.

What do you think?

HaeMHuK · April 25, 2012

Hi HaeMHuK,
Maybe a good idea to enhance my _AD_Example_GetOUTreeView. At the moment it only displays the OU's.
It could be enhanced to accept optional parameters which specify what do return in the array: Only OUs, OUs + members, total count of OUs, total count of members.
But it will take some time.
What do you think?

Hi water. It will be great. It is not very urgent fro me now. Could you please inform me by private message for the results?

Edited April 25, 2012 by HaeMHuK

water · April 25, 2012

Sure, I will keep you informed.

HaeMHuK · April 25, 2012

Hi water!

Finally I've done it. I do not believe.

Sorry for disturbing. Thanks.

#include <AD.au3>
#include <GuiConstantsEx.au3>
#include <GuiTreeView.au3>
#include <GuiImageList.au3>
#include <WindowsConstants.au3>
; Open Connection to the Active Directory
_AD_Open()
$sOU = "OU=FlexNet,OU=Services,OU=KBP,OU=Groups,DC=synapse,DC=com"
$sTitle = "Active Direcory OU Treeview"
#region ### START Koda GUI section ### Form=
$hSettings = GUICreate($sTitle, 400, 300)
$hTree = GUICtrlCreateTreeView(5, 5, 320, 290, -1, $WS_EX_CLIENTEDGE)
$bSelect = GUICtrlCreateButton("Select", 330, 10, 65, 19)
$bExpand = GUICtrlCreateButton("Expand", 330, 30, 65, 19)
$bCollapse = GUICtrlCreateButton("Collapse", 330, 50, 65, 19)
$bExit = GUICtrlCreateButton("Exit", 330, 70, 65, 19)
#endregion ### END Koda GUI section ###
$aObjects = _AD_GetObjectsInOU($sOU, "(name=FLEXNET-SAM*)", 2, "sAMAccountName,distinguishedName,displayname")
If @error > 0 Then
  MsgBox(64, "Active Directory Functions - Example 1", "No OUs could be found")
Else
  Local $aMembers[1] = [""]
  Local $hSubItem[999]
  $hItem  = _GUICtrlTreeView_Add($hTree, 0, "UA")
   For $x = 1 to UBound($aObjects)-1
    _Arrayadd($aMembers, _AD_FQDNToSAMAccountName($aObjects[$x][1]))
    $hSubItem[$x] = _GUICtrlTreeView_AddChild($hTree, $hItem, _AD_FQDNToSAMAccountName($aObjects[$x][1]) & " (" & _AD_GetGroupMembersCount($aObjects[$x][1]) & ")")
   Next
   For $y = 1 to UBound($aObjects)-1
    $aSubMembers = _AD_GetGroupMembers($aMembers[$y])
     For $z = 1 to UBound($aSubMembers)-1
      _GUICtrlTreeView_AddChild($hTree, $hSubItem[$y], _AD_FQDNToSAMAccountName($aSubMembers[$z]) & " (" & _AD_GetGroupMembersCount($aSubMembers[$z]) & ")")    
     Next
   Next
EndIf
GUISetState()
While 1
$Msg = GUIGetMsg()
Switch $Msg
  Case $GUI_EVENT_CLOSE, $bExit
   ExitLoop
  Case $bExpand
   _GUICtrlTreeView_Expand($hTree)
  Case $bCollapse
   _GUICtrlTreeView_Expand($hTree, 0, False)
  Case $bSelect
   $hSelection = _GUICtrlTreeView_GetSelection($hTree)
   $sSelection = _GUICtrlTreeView_GetText($hTree, $hSelection)
   MsgBox(64, $sTitle & " - Selected OU", "Name: " & $sSelection & @CRLF & "FQDN: " & $sOU)
EndSwitch
WEnd
_AD_Close()

_AD_GetGroupMembersCount

Func _AD_GetGroupMembersCount($sAD_Group)
If _AD_ObjectExists($sAD_Group) = 0 Then Return SetError(1, 0, "")
If StringMid($sAD_Group, 3, 1) <> "=" Then $sAD_Group = _AD_SamAccountNameToFQDN($sAD_Group) ; sAMAccountName provided
Local $aAD_Members, $iMembersCount
$aAD_Members = _AD_GetGroupMembers($sAD_Group)
  For $iCount = 1 to UBound($aAD_Members)-1
   $aAD_SubMembers = _AD_GetGroupMembers($aAD_Members[$iCount])
   If _AD_GetObjectClass($aAD_Members[$iCount]) = "user" Then $iMembersCount += 1
   $iMembersCount = $iMembersCount + UBound($aAD_SubMembers)-1
  Next
If _AD_GetObjectClass($sAD_Group) = "user" Then $iMembersCount += 1
If $iMembersCount = "" Then $iMembersCount = UBound($aAD_Members)-1
Return $iMembersCount
EndFunc

water · April 25, 2012

Thanks a lot for the code.

I'm sure it will be useful for the TreeView example script and maybe a function will find it's way into the UDF. If that happens you will find your name in the list of contributors

HaeMHuK · April 25, 2012

OK. Thanks.

BrewManNH · April 25, 2012

I searched the thread, but didn't see if this had been posted before. Using version 1.2.0 I ran the example function _AD_GetAllOUs(), I noticed that the "Computers" OU didn't show up in the list of OUs. So I tried it again using "$aOUs = _AD_GetAllOUs("OU=Computers,DC=domain,DC=com")" and I get back an error stating that the OU can't be found. Is this normal or is the default OU "Computers", for some reason not listable by this function?

water · April 25, 2012

Here the computer OU is named "OU=Computer_Accounts".

If you run the example script the first output should be a list of all OUs. Is there a "computer" OU?

if you run example script _AD_GetObjectProperties the third example shows all properties of your computer. What's the OU in the "distinguishedName" property?

Sign In

Active Directory UDF

Recommended Posts

HaeMHuK

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

water

BrewManNH

mnorland

Posted Images

water

HaeMHuK

water

jrscribner

water

jrscribner

water

water

blumi

water

HaeMHuK

water

HaeMHuK

water

HaeMHuK

water

HaeMHuK

BrewManNH

water

Similar Content

adding a variable inside a PowerShell command

AD - Active Directory UDF

Compare Active Directory Groups

Using the PowerShell Group Policy Module with AutoIt

Active Directory - Need to search where user is/was logged

Browse

AutoIt Resources

Release

Beta