Problem with AD.au3 and _AD_DeleteObject

[geriksen73]

OK.

Didn't see any solution to the problem here... Same issue and tried with different Accounts and Groups... Seems to be related when we want to create a computer account from a non AD to Win 2008 AD... Please advise!

[water]

I think the problem is related to missing permissions of the user account you use to connect to the AD.

"Function _AD_CreateComputer creates a computer account and then sets some permissions on this object.

Every user is allowed to add up to 10 computers to a domain. But not every domain user is allowed to set the permissions on the user account.

Make sure the user you use to connect to the AD has proper permissions to create and set permissions on an user account."

[geriksen73]

I know... But I use the Built-In Administrator Account for the AD... So this hould work right? I can from the same script and thus _AD_Open() both Create OU and Delete OU... So isen't this strange???

[water]

I'm not very firm with AD permissions but as the OP never came back with the problem I think might have solved his problem.

Can you talk to your AD admin and check the permissions?

[water]

You could run example script _AD_GetObjectProperties.au3. Example 3 displays the properties for the current computer. Property "nTSecurityDescriptor" displays the owner of the object, that is the user who created the computer account. You could then check the permissions of this user.

Example: "Control:nnnn, Group:domain\Domain Users, Owner:domain\user, Revision:1"

[geriksen73]

Hi again,

I'm the AD Admin... and there are now issues with doing "stuff" from ordinary GUI like joining the domain etc... What's odd is that it's not accepting the ordinary "DomainUser" and says it's not an account in AD??? I'm pretty sure there are bug in your Function... But how can we fix this??? I'm no scripting or programmer guru... Just a Sys Admin trying to automate things with AutoIt!

[geriksen73]

BTW; After a reboot when the script finish with the offending error, I can't log on the domain with the newly joined machine. It says:

The security database on the server does not have a computer account for this workstation trust relationship...

So I guess there are some settings that don't get correctly parsed during the Create Computer Function...

What to do now?

[water]

We need to solve this problem step by step.

You do/want to do the create computer stuff from a computer that is not a member of the domain yet?

Can you please post the whole script or at least the _AD_Open statement you use?

[water]

BTW; After a reboot when the script finish with the offending error, I can't log on the domain with the newly joined machine. It says:

The security database on the server does not have a computer account for this workstation trust relationship...

Google says this problem might be caused by a changed primary domain suffix.

This site looks quite promising too.

[geriksen73]

Yes, want to do some stuff during the Domain Join because then it would be less steps to complete... This is basically what I want to do with a new server in WORKGROUP:

1. Create a OU before Joining it to the Domain as a member server

2. Import and set a GPO for the OU (haven't begun on this yet, so not important yet!)

3. Join the server to the domain with (Create Computer and Join Domain Functions)

4. Reboot and continue setup...

Come to think about something here... Since this is a server I try to Join, maybe it's not allowed yet to "move it" to a different OU? I know that adding member servers gets automatically "Computers"

expandcollapse popup

Func Join_Domain()
                ;Create computer account in AD
                ;Global $iComp = _AD_CreateComputer($adOU[$selectedItem][1], @ComputerName, $AD_UserName)
    $adOU = _AD_GetAllOUs($AD_DomainName,"")
    MsgBox (16,"Output",$adOU)
    MsgBox (16,"Output",$adOU[$selectedItem][1])
    MsgBox (16,"Output",@ComputerName)
    MsgBox (16,"Output",$AD_UserName)
    Global $iComp = _AD_CreateComputer($adOU[$selectedItem][1], @ComputerName, $AD_UserName)
                If $iComp = 1 Then
                    MsgBox(64, "Successful", @ComputerName & " is now added to the AD domain.", 5) ; Successful
                ElseIf @error = 1 Then
                    MsgBox(64, "Fail", "The " & $adOU[$selectedItem][1] & " OU can not be found to create " & @ComputerName & " account in AD.")
                ElseIf @error = 2 Then
                    MsgBox(64, "Fail", @ComputerName & " already exists in the " & $adOU[$selectedItem][1] & " OU in AD.")
                ElseIf @error = 3 Then
                    MsgBox(64, "Fail", "The user " & $AD_UserName & " does not exist in AD.")
                    ;Else
                    ;   MsgBox(64, "Active Directory Functions", "Creating Computer account - Return code '" & @error & "' from Active Directory")
                EndIf
                ;MsgBox(16,"Status","Finsihed Create Computer in AD script")
   
    ;Join computer to AD account
                Global $iDom = _AD_JoinDomain(@ComputerName, $AD_UserName, $AD_password)
       If $iDom = 1 Then
       MsgBox(64, "Successful", @ComputerName & " has now been joined to the AD domain", 5)
     
     $tCur = _DateTimeFormat(_NowCalc(), 0)
     FileWrite($SetupFileStatus, $tCur & " - Restarted after Domain Join operation..." & @CRLF)
     ;RegWrite("HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunonce", "ITA-Setup", "REG_SZ", $SetupFile)
        FileCopy($SetupFile, @StartupCommonDir)
     $ResponseBox = MsgBox(20, "Want to reboot now?", "We need to reboot to complete this domain join..." & @CRLF & @CRLF & "Do you want to do this now?")
  
      If $ResponseBox = 6 Then
      _AD_Close()
      Shutdown(2, "Needs to reboot after Domain join... Rebooting NOW!")
      ElseIf $ResponseBox = 7 Then
       Exit
      EndIf
                EndIf
     
      If @error = 1 Then
                    MsgBox(64, "Fail", @ComputerName & " does not exist in the Company Domain.")
     _AD_Close()
                ElseIf @error = 2 Then
                    MsgBox(64, "Fail", "The user " & $AD_UserName & " does not exist in AD.")
     _AD_Close()
                ElseIf @error = 3 Then
                    MsgBox(64, "Fail", "WMI Object could not be created. Return code - " & @extended)
     _AD_Close()
                ElseIf @error = 4 Then
                    MsgBox(64, "Fail", @ComputerName & " is already a member of the AD domain.")
     _AD_Close()
                ElseIf @error = 5 Then
                    MsgBox(64, "Fail", @ComputerName & " was unable to join the AD domain. Return code - " & @extended)
     _AD_Close()
       EndIf
EndFunc

Func AD_Open()
;Create connection to AD
;Asks for the AD password
Global $AD_password = InputBox("Input", "Enter AD password:", "IT master #2", "*")
_AD_Open($AD_UserName, $AD_password, $AD_DomainName, $AD_DC_HostName, $AD_Configuration)
   If @error = 0 Then
   MsgBox(64, "Active Directory Connection", "Logon was succcessful!")
   ElseIf @error <= 8 Then
      MsgBox(16, "Active Directory Connection", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended)
   Else
      MsgBox(16, "Active Directory Connection", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _
      @CRLF & @CRLF & "Extended error information will be displayed")
      Global $aError = _AD_GetLastADSIError()
      _ArrayDisplay($aError)
   EndIf
EndFunc

Global $IniFile = "C:Setupconfig.ini"
Global $SectionIni = "AD"
Global $SetupFile = "C:Setupserver_ad-member_setup.exe"
Global $SetupFileStatus = "C:Setupsetup_restarted.txt"
Global $KeySectionIni1 = "AD_Admin_UserName"
Global $KeySectionIni2 = "AD_DomainName"
Global $KeySectionIni3 = "AD_DC_HostName"
Global $KeySectionIni4 = "AD_Configuration"
; Return a value of 0 if the Key don't exists...
Global $AD_UserName = IniRead($IniFile, $SectionIni, $KeySectionIni1, 0)
Global $AD_DomainName = IniRead($IniFile, $SectionIni, $KeySectionIni2, 0)
Global $AD_DC_HostName = IniRead($IniFile, $SectionIni, $KeySectionIni3, 0)
Global $AD_Configuration = IniRead($IniFile, $SectionIni, $KeySectionIni4, 0)

Config.INI Output:
[AD]
AD_Admin_UserName=Administrator
AD_DomainName=DC=smi,DC=local
AD_DC_HostName=filapp-srv.smi.local
AD_Configuration=CN=Configuration,DC=smi,DC=local

[geriksen73]

OK. Still getting the error, but seems to work now... without the message after restart and logon to the domain account... I'll test some more and come back to you... Seems to be related to:

$adOU = _AD_GetAllOUs($AD_DomainName,"")

How can I make this value available to all Functions? Seems like it won't help with Global in front... Because I've tried that...???

[water]

What's the value of $AD_DomainName?

Don't pass the second parameter as space, it is used as separator for function StringSplit. Try this:

$adOU = _AD_GetAllOUs($AD_DomainName)

[geriksen73]

You can see it in the INI file I've pasted:

From INI file -> AD_DomainName=DC=smi,DC=local

From Variable -> Global $AD_DomainName = IniRead($IniFile, $SectionIni, $KeySectionIni2, 0)

[water]

To get all OUs of the domain just call

$adOU = _AD_GetAllOUs()

[geriksen73]

Why can't I use this function to refresh the OU list?

Global $adOU = _AD_GetAllOUs($AD_DomainName,"")
    For $iCount = 1 To $adOU[0][0]
        If $iCount = 1 Then
           $sOU = $adOU[$iCount][0]
        Else
     $sOU = $sOU & "|" & $adOU[$iCount][0]
        EndIf
    Next
EndFunc

Seems like the Next command won't work then... I've also tried with a Global $sOU, but it didn't like that as well...

[water]

Replace

Global $adOU = _AD_GetAllOUs($AD_DomainName,"")

with

Global $adOU = _AD_GetAllOUs()

[geriksen73]

Well, same error message, but seems to work for now... But, why does this message appear???

BTW; The above _AD_GetAllUOs() doesn't work when I call them other places in the code if I have made a function out of that array value... Any tips???

[water]

Well, same error message, but seems to work for now... But, why does this message appear???

With "error message" you mean "The security database on the server does not have a computer account for this workstation trust relationship..."? If yes, then I have no clue. Did any of the links I provided give you an idea?

BTW; The above _AD_GetAllUOs() doesn't work when I call them other places in the code if I have made a function out of that array value... Any tips???

_AD_GetAllUOs() should work as soon as you have called _AD_Open. What do you mean by "doesn't work"? Do you get an error? No results?

[geriksen73]

Nope, "The security database on the server..." are gone, but still receive the same error. Though atleast now I can logon with the joined computer to the domain. But, I don't like when there are something wrong here... Some settings proparbly arn't set correctly... Strange that nobody else have had this error and fixed it. So nothing more to do then or???

[water]

I still think it's a permission error (as it was for the two other guys who reported the same error before).

I would suggest to get the owner of a computer which is already a member of the domain. Then get the AD permissions of this user and compare it to the user you use to create the computer account for the servers you want to join.

The computer is joined to the domain because EVERY user can join up to 10 computers to a domain. But you need more permissions to set the permissions of the created computer account.

Edited June 12, 2012 by water