
ADAddUserToGroup but for computers?


Dr.Chi

I tried searching for this, so forgive me if it's been covered.

How could I edit the "ADAddUserToGroup" function, to add a Computer object to an AD Group instead of a User?

I would assume it would be easy, but I can't figure it out.

Thanks for any help.

water

Did you try to add a computer to a group using

_ADAdduserToGroup("FQDN of group","FQDN of computer")


My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2018-12-03 - Version 1.4.11.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (2018-10-31 - Version 1.3.4.1) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
PowerPoint (2017-06-06 - Version 0.0.5.0) - Download - General Help & Support
Excel - Example Scripts - Wiki
Word - Wiki
 
Tutorials:

ADO - Wiki

 

Dr.Chi

Did you try to add a computer to a group using

_ADAdduserToGroup("FQDN of group","FQDN of computer")

Yes. It gave me this error:

We Intercepted a COM error!

Number is: 800401E3

Windescription is: Operation Unavailable

If I use a username it works as usual, only when I try to trick it with a computer name does it error out. Also, I've tried both the name and also the name.localdomain.com formats.

water

As I understand the function you have to specify both parameters as FQDN e.g. CN=computername,OU=Computer_Accounts,DC=microsoft,DC=com or CN=groupname,OU=Groups,DC=microsoft,DC=com


PsaltyDS

I'm confused, there's already an _ADCreateComputer() function in the UDF. What is it you want different from that?

:huggles:

NVM.

$DumbQuestions += 1

:D

Dr.Chi

As I understand the function you have to specify both parameters as FQDN e.g. CN=computername,OU=Computer_Accounts,DC=microsoft,DC=com or CN=groupname,OU=Groups,DC=microsoft,DC=com

I tried this too, to no effect.

Though if I use a user (not computer) I don't have to use the FQDN for either the group or user for it to work.

water

@PsaltyDS

As I understand he wants to assign a computer to a group as he can assign users to a group. _ADCreateComputer only creates a computer in an OU.

I checked my AD and have found some computers that are members of a group, which means the "ismemberof" attribute is set.


Dr.Chi

I'm confused, there's already an _ADCreateComputer() function in the UDF. What is it you want different from that?

I can see how it's confusing, I'm not trying to create a new computer. I'm trying to add a Computer to an Active Directory group.

As it stands, the closest thing is the _ADAddUserToGroup but it's for adding users not computers to the group.

water

I tried this too, to no effect.

Though if I use a user (not computer) I don't have to use the FQDN for either the group or user for it to work.

According to the source code of ADfunctions.au3 you have to use FQDN for both parameters.

; _ADAddUserToGroup
; Takes the group (Full Distinguished Name) and the user (Full Distinguished Name)
; Adds the user to the group
; Returns 0 if the user is already a member of the group,
; Returns 1 if the user was added to the group
; Returns -1 if there was an error

Func _ADAddUserToGroup($group, $user)
    If _ADIsMemberOf($group, $user) Then Return 0
    $oUsr = _ADObjGet("LDAP://" & $strHostServer & "/" & $user) ; Retrieve the COM Object for the user
    $oGroup = _ADObjGet("LDAP://" & $strHostServer & "/" & $group) ; Retrieve the COM Object for the group

    $oGroup.Add($oUsr.AdsPath)
    $oGroup.SetInfo
    $oGroup = 0
    $oUsr = 0
    Return _ADIsMemberOf($group, $user)
EndFunc ;==>_ADAddUserToGroup

Dr.Chi

According to the source code of ADfunctions.au3 you have to use FQDN for both parameters.

I understand it says that. But I know from first hand running the script you don't actually have to. Like you can run:

_ADAddUserToGroup("My Ad Group", "Username")

And it works.

But as far as my issue goes, I've done it with the FQDN also and it doesn't work. Same error as the OP.

I would guess that I would need to change the _ADObjGet portion, but not sure to what.

water

Ok, if it doesn't require the FQDN (maybe the docu is wrong) then your input is seen as the samaccountname.

The samaccountname of a computer needs a trailing "$". So if you want to add the computer "PC001" the parameter should read "PC001$".

Can you give this a try?


Dr.Chi

Didn't work :D

Like, this function;

_ADSamAccountNameToFQDN(ComputerName$)

Will pull the correct FQDN perfectly, so I know I'm using the samaccountname and FQDN correctly. But I think it's not working because the function for ADAddUserToGroup seems to be specifically written to use a User object and not a Computer object.

water

Didn't work :D

Like, this function;

_ADSamAccountNameToFQDN(ComputerName$)

Will pull the correct FQDN perfectly, so I know I'm using the samaccountname and FQDN correctly. But I think it's not working because the function for ADAddUserToGroup seems to be specifically written to use a User object and not a Computer object.

I don't see any difference. A path to an object is added to the group. Should work for users and computers.

The code should look like:

$ComputerName = "PC001"
_ADSamAccountNameToFQDN($ComputerName & "$")
Dr.Chi

For some reason it "knows" there's a difference. :D

Here's my code:

$PC = _ADSamAccountNameToFQDN(@ComputerName & "$")
MsgBox(1, "name", $PC)
$group = _ADSamAccountNameToFQDN("Laptop Users Group")
MsgBox(1, "name", $group)

_ADAddUserToGroup($group, $PC)

(It's got extra steps for debugging, actual script won't have all the extra junk.)

The message boxes for the FQDN's are absolutely correct. It's just when it tried to add the computer to the group that it craps out.

I've also tried the last line as:

_ADAddUserToGroup("Laptop Users Group", $PC)

water

I don't know why it works for you when you don't specify the parameters as FQDN. When I use the samaccountname I get error "80072032 - An invalid dn-syntax was specified."

Could you try my translation of the adfunctions.au3 which can be found here?

Your code would then look like:

#include <AD.au3>
_AD_Open()
$iAD_Debug=1
$Return = _AD_AddUserToGroup("FQDN of group", "FQDN of computer")
ConsoleWrite($Return & "-" & @error & @CRLF)
_AD_Close()

Maybe we get some more information to debug the problem.

water

Another question: Why do you want to add a computer to a group?


Dr.Chi

Okay when I use your AD.au3 it works. I've not seen your UDF, I was using the (I guess old) "adfunctions.au3" UDF.

Using yours I got my script to run as follows:

#include <AD.au3>
_AD_Open()
$PC = _AD_SamAccountNameToFQDN(@ComputerName & "$")
$group = _AD_SamAccountNameToFQDN("LAptop Users Group")
_AD_AddUserToGroup($group, $PC)
_AD_Close()

To answer your question, we have a couple of groups that have computers instead of users so we can get quite granular with locking down GPOs.

Also, I wonder why the old adfunctions.au3 didn't work, here's the code for that portion:

; _ADAddUserToGroup
; Takes the group (SamAccountName without leading 'CN=') and the user (SamAccountName without leading 'CN=')
; Adds the user to the group
; Returns 0 if the user is already a member of the group,
; Returns 1 if the user was added to the group
; Returns -1 if there was an error

Func _ADAddUserToGroup($group, $user)
    If _ADIsMemberOf($group, $user) Then Return 0
    $strQuery = "<LDAP://" & $strHostServer & "/" & $strDNSDomain & ">;(sAMAccountName=" & $user & ");ADsPath;subtree"
    $objRecordSet = $objConnection.Execute ($strQuery)  ; Retrieve the FQDN for the user
    $ldap_entry = $objRecordSet.fields (0).value
    $oUsr = ObjGet($ldap_entry)  ; Retrieve the COM Object for the user
    
    $strQuery = "<LDAP://" & $strHostServer & "/" & $strDNSDomain & ">;(sAMAccountName=" & $group & ");ADsPath;subtree"
    $objRecordSet = $objConnection.Execute ($strQuery)  ; Retrieve the FQDN for the group
    $ldap_entry = $objRecordSet.fields (0).value
    $oGroup = ObjGet($ldap_entry)  ; Retrieve the COM Object for the group
    
    $OGroup.Add ($oUsr.AdsPath)
    $OGroup.SetInfo
    
    Return _ADIsMemberOf($group, $user)
EndFunc   ;==>_ADAddUserToGroup

water

The adfunctions.au3 I was testing is version 3.3.2 (as can be seen in the header on line 33).

The code of the function is different - but it doesn't matter anymore, your code now works with AD.au3.

My AD.au3 is completely based on the last adfunctions.au3 and extends it with help file, examples, better error checking and some more functions.
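
Added example, not part of the thread and not code from adfunctions.au3 or AD.au3: the two versions of _ADAddUserToGroup quoted above locate objects differently (one binds to a distinguished name, the other searches by sAMAccountName), and this Python code reproduces both as string-building only, adding the computer "$" suffix and RFC 4515 escaping of the filter value. The host name dc01, the group name "Laptop Users (HQ)" and all function names are assumptions made for illustration.

```python
import re

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Simplified test for a distinguished name such as CN=...,OU=...,DC=...
# (assumption: good enough to tell a DN from a sAMAccountName, which can
# contain neither "=" nor ",").
_DN_RE = re.compile(r"^(CN|OU|DC)=.+,DC=[^,]+$", re.IGNORECASE)


def escape_filter_value(value):
    """Escape a value before placing it into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def computer_sam(name):
    """sAMAccountName of a computer account: the host name plus a trailing '$'."""
    name = name.strip()
    return name if name.endswith("$") else name + "$"


def locate(identifier, host, domain_dn):
    """Decide how an object would be located.

    Returns ("bind", ADsPath) when the identifier is a DN (first version of the
    function quoted in the thread), or ("search", ADO query string) when it is
    a sAMAccountName (second version), with the filter value escaped.
    """
    identifier = identifier.strip()
    if _DN_RE.match(identifier):
        return ("bind", "LDAP://%s/%s" % (host, identifier))
    flt = "(sAMAccountName=%s)" % escape_filter_value(identifier)
    return ("search", "<LDAP://%s/%s>;%s;ADsPath;subtree" % (host, domain_dn, flt))


if __name__ == "__main__":
    # Constructed sample values; dc01 is a hypothetical domain controller.
    domain = "DC=microsoft,DC=com"
    for ident in ("CN=PC001,OU=Computer_Accounts," + domain,
                  computer_sam("PC001"),
                  "Laptop Users (HQ)"):
        print(locate(ident, "dc01", domain))
```

Passing a sAMAccountName to the bind form yields a path that is not a valid DN, which matches the "invalid dn-syntax" error reported in the thread.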

