ADAddUserToGroup but for computers?

[Dr.Chi]

I tried searching for this, so forgive me if it's been covered.

How could I edit the "ADAddUserToGroup" function, to add a Computer object to an AD Group instead of a User?

I would assume it would be easy, but I can't figure it out.

Thanks for any help.

[water]

Did you try to add a computer to a group using

_ADAdduserToGroup("FQDN of group","FQDN of computer")

[Dr.Chi]

Did you try to add a computer to a group using

_ADAdduserToGroup("FQDN of group","FQDN of computer")

Yes. It gave me this error:

We Intercepted a COM error!

Number is: 800401E3

Windescription is: Operation Unavailable

If I use a username it works as usual, only when I try to trick it with a computer name does it error out. Also, I've tried both the name and also the name.localdomain.com formats.

[water]

As I understand the function you have to specify both parameters as FQDN e.g. CN=computername,OU=Computer_Accounts,DC=microsoft,DC=com or CN=groupname,OU=Groups,DC=microsoft,DC=com

[PsaltyDS]

I'm confused, there's already an _ADCreateComputer() function in the UDF. What is it you want different from that?

NVM.

$DumbQuestions += 1

Edited January 22, 2010 by PsaltyDS

[Dr.Chi]

As I understand the function you have to specify both parameters as FQDN e.g. CN=computername,OU=Computer_Accounts,DC=microsoft,DC=com or CN=groupname,OU=Groups,DC=microsoft,DC=com

I tried this too, to no effect.

Though if I use a user (not computer) I don't have to use the FQDN for either the group or user for it to work.

[water]

@PsaltyDS

As I understand he wants to assign a computer to a group as he can assign users to a group. _ADCreateComputer only creates a computer in an OU.

I checked my AD and have found some computers that are members of a group that means the "ismemberof" attribute is set.

[Dr.Chi]

I'm confused, there's already an _ADCreateComputer() function in the UDF. What is it you want different from that?

I can see how it's confusing, I'm not trying to create a new computer. I'm trying to add a Computer to an Active Directory group.

As it stands, the closest thing is the _ADAddUserToGroup but it's for adding users not computers to the group.

[water]

I tried this too, to no effect.

Though if I use a user (not computer) I don't have to use the FQDN for either the group or user for it to work.

According to the sourcecode of ADfunctions.au3 you have to use FQDN for both parameters.

; _ADAddUserToGroup
; Takes the group (Full Distringuished Name) and the user (Full Distringuished Name)
; Adds the user to the group
; Returns 0 if the user is already a member of the group,
; Returns 1 if the user was added to the group
; Returns -1 if there was an error

Func _ADAddUserToGroup($group, $user)
    If _ADIsMemberOf($group, $user) Then Return 0
    $oUsr = _ADObjGet("LDAP://" & $strHostServer & "/" & $user) ; Retrieve the COM Object for the user
    $oGroup = _ADObjGet("LDAP://" & $strHostServer & "/" & $group) ; Retrieve the COM Object for the group

    $oGroup.Add($oUsr.AdsPath)
    $oGroup.SetInfo
    $oGroup = 0
    $oUser = 0
    Return _ADIsMemberOf($group, $user)
EndFunc ;==>_ADAddUserToGroup

[Dr.Chi]

According to the sourcecode of ADfunctions.au3 you have to use FQDN for both parameters.

I understand it says that. But I know from first hand running the script you don't actually have to. Like you can run:

_ADAddUserToGroup("My Ad Group", "Username")

And it works.

But as far as my issue goes, I've done it with the FQDN also and it doesn't work. Same error as the OP.

I would guess that I would need to change the _ADObjGet portion, but not sure to what.

[water]

Ok, if it doesn't require the FQDN (maybe the docu is wrong) then your input is seen as the samaccountname.

The samaccountname of a computer needs a trailing "$". So if you want to add the computer "PC001" the parameter should read "PC001$".

Can you give this a try?

[Dr.Chi]

Didn't work

Like, this function;

_ADSamAccountNameToFQDN(ComputerName$)

Will pull the correct FQDN perfectly, so I know I'm using the samaccountname and FQDN correctly. But I think it's not working because the function for ADAddUserToGroup seems to be specifically written to use a User object and not a Computer object.

[water]

Didn't work

Like, this function;

_ADSamAccountNameToFQDN(ComputerName$)

Will pull the correct FQDN perfectly, so I know I'm using the samaccountname and FQDN correctly. But I think it's not working because the function for ADAddUserToGroup seems to be specifically written to use a User object and not a Computer object.

I don't see any difference. A path to an obect is added to the group. Should work for user and computers.

The code should look like:

$ComputerName = "PC001"
_ADSamAccountNameToFQDN($ComputerName & "$")

Edited January 22, 2010 by water

[Dr.Chi]

For some reason it "knows" there's a difference.

Here's my code:

$PC = _ADSamAccountNameToFQDN(@ComputerName & "$")
MsgBox(1, "name", $PC)
$group = _ADSamAccountNameToFQDN("Laptop Users Group")
MsgBox(1, "name", $group)

_ADAddUserToGroup($group, $PC)

(It's got extra steps for debugging, actual script won't have all the extra junk.)

The message boxes for the FQDN's are absolutely correct. It's just when it tried to add the computer to the group that it craps out.

I've also tried the last line as:

_ADAddUserToGroup("Laptop Users Group", $PC)

[water]

I don't know why it works for you when you don't specify the parameters as FQDN. When I use the samaccountname I get error "80072032 - An invalid dn-syntax was specified."

Could you try my translation of the adfunctions.au3 which can be found here?

Your code would then look like:

#include <AD.au3>
_AD_Open()
$iAD_Debug=1
$Return = _AD_AddUserToGroup(FQDN of group, FQDN of computer)
ConsoleWrite($Return & "-" & @error & @CRLF)
_AD_Close()

Maybe we get some more information to debug the problem.

Edited January 22, 2010 by water

[water]

Another question: Why do you want to add a computer to a group?

[Dr.Chi]

Okay when I use your AD.au3 it works. I've not seen your UDF, I was using the (I guess old) "adfunctions.au3" UDF.

Using yours I got my script to run as follows:

#include <AD.au3>
_AD_Open()
$PC = _AD_SamAccountNameToFQDN(@ComputerName & "$")
$group = _AD_SamAccountNameToFQDN("LAptop Users Group")
_AD_AddUserToGroup($group, $PC)
_AD_Close()

To answer your question, we have a couple of groups that have computers instead of users so we can get quite granular with locking down GPOs.

Also, I wonder why the old adfunctions.au3 didn't work, here's the code for that portion:

; _ADAddUserToGroup
; Takes the group (SamAccountName without leading 'CN=') and the user (SamAccountName without leading 'CN=')
; Adds the user to the group
; Returns 0 if the user is already a member of the group,
; Returns 1 if the user was added to the group
; Returns -1 if there was an error

Func _ADAddUserToGroup($group, $user)
    If _ADIsMemberOf($group, $user) Then Return 0
    $strQuery = "<LDAP://" & $strHostServer & "/" & $strDNSDomain & ">;(sAMAccountName=" & $user & ");ADsPath;subtree"
    $objRecordSet = $objConnection.Execute ($strQuery)  ; Retrieve the FQDN for the user
    $ldap_entry = $objRecordSet.fields (0).value
    $oUsr = ObjGet($ldap_entry)  ; Retrieve the COM Object for the user
    
    $strQuery = "<LDAP://" & $strHostServer & "/" & $strDNSDomain & ">;(sAMAccountName=" & $group & ");ADsPath;subtree"
    $objRecordSet = $objConnection.Execute ($strQuery)  ; Retrieve the FQDN for the group
    $ldap_entry = $objRecordSet.fields (0).value
    $oGroup = ObjGet($ldap_entry)  ; Retrieve the COM Object for the group
    
    $OGroup.Add ($oUsr.AdsPath)
    $OGroup.SetInfo
    
    Return _ADIsMemberOf($group, $user)
EndFunc   ;==>_ADAddUserToGroup

[water]

The adfunctions.au3 I was testing is version 3.3.2 (as can be seen in the header on line 33).

The code of the function is different - but it doesn't matter anymore, your code now works with AD.au3.

My AD.au3 is completely based on the last adfunctions.au3 and extends it with help file, examples, better error checking and some more functions.