AD Computer Object search

[MidwayMonster]

A portion of a script I am writing needs to check which OU the computer object is in prior to proceeding. Originally I used DSQUERY with a loop reading the Stdout data (example shown below). But on occassion it will not find the object which i know is there and have tested a manual dsquery query and it worked fine.

I believe i should probably be using the AD.au3 functions but not sure which one to use. What I am trying to accomplish is to get the OU structure the computer object resides in. I then compare it to strings to determine next steps.

Here is the dssquery portion of this script to show what I was using before.

;##### Checks OU #####

$OU_Check = Run(@ComSpec & " /c " & "c:FOLDERdsquery computer -name " & @ComputerName & " -d DOMAIN", @SystemDir, @SW_HIDE, 8)

$loop = "0"

While 1

$loop = Execute($loop + "1")

$OU_Line = StdoutRead($OU_Check)

If StringInStr($OU_Line, @ComputerName) > 0 Then

_Logging("OU Check - OU Found")

ExitLoop

ElseIf $loop = "1000000" Then

_Logging("OU Check - Computer object not found.")

$OU_Line = ""

ExitLoop

EndIf

Wend

Edited July 23, 2012 by MidwayMonster

[water]

You could use my AD UDF and the following functions:

_AD_Open()
$Result = _AD_GetObjectAttribute(@Computername & "$", "distinguishedname")
_AD_Close()

Be aware that the samaccountname of a computer object has a dollar sign at the end.

[MidwayMonster]

Thanks that appears to work really well. I will need to test it some more before using in production but so far so good...

I would like to have it move the object to a new OU in the event that it is in the default computers container. Searching the AD.au3 it appears i should use _AD_MoveObject to do this.

Can / Should i use the same _AD_Open connection and just close it after the script is complete or just open query close and open move close if necessary.

It appears the context of the command would be

_AD_MoveObject("OU=Managed_Computers,DC=SUB,DC=DOMAIN,DC=com", @Computername & "$")

it would then move it using the credentials used in the _AD_Open command.

[Kidney]

i would also get into the habit of casting your numbers as integers and not strings

[MidwayMonster]

Thanks for pointing that out. I know the base difference is that with it being a integer it treats it as a number vs text. are there other differences, benefits etc?

[water]

Can / Should i use the same _AD_Open connection and just close it after the script is complete or just open query close and open move close if necessary.

Do an _AD_Open at the top of your script, do all the AD processing and then call _AD_Close. This improves performance.

It appears the context of the command would be

_AD_MoveObject("OU=Managed_Computers,DC=SUB,DC=DOMAIN,DC=com", @Computername & "$")

it would then move it using the credentials used in the _AD_Open command.

Correct.

[MidwayMonster]

I have been playing with the _AD_MoveObject and i am getting @error = 0 which i dont see a explanation in the ad.au3 file. Can you let me know what this error code means?

Here are the _AD_Open and _AD_MoveObject lines

$AD_Con = _AD_Open($AD_UID, $AD_PWD, "DC=SUB,DC=DOMAIN,DC=com", "DC1.SUB.DOMAIN.com:3268", "CN=Configuration,DC=SUB,DC=DOMAIN,DC=com")



$AD_Move = _AD_MoveObject($OU_New, @ComputerName & "$")

[water]

@error = 0 means: No errors occurred.

Does the move operation work for you?

[MidwayMonster]

So as i was cleaning up my code to copy it up here... i realized i was logging the wrong variable for the error code and @error. The real error for the move is: -2147352567. According to what i read that falls under the MoveHere function error codes.

[MidwayMonster]

I tested credentials by making the move using dsquery | dsmove from the test system.

UDF Version 1.2.0

AutoIT 3.3.6.1

[MidwayMonster]

Keep in mind this is only the move portion. Also _Logging is my function that is specified earlier. The _AD_Open function connects to a GC properly with no issues.

$AD_Con = _AD_Open($AD_UID, $AD_PWD, "DC=SUB,DC=DOMAIN,DC=com", "DC1.SUB.DOMAIN.com:3268", "CN=Configuration,DC=SUB,DC=DOMAIN,DC=com")
; _AD_Open happens much earlier just putting here so you can see it.

$AD_Move = _AD_MoveObject($OU_New, @ComputerName & "$")
$AD_Move_Error = @error

If $AD_Move = 0 Then ; Error during move
     If $AD_Move_Error = 1 Then
          $AD_Move_Error_Detail = "$sAD_OU does not exist"
     ElseIf $AD_Move_Error = 2 Then
          $AD_Move_Error_Detail = "$sAD_Object does not exist"
     ElseIf $AD_Move_Error = 3 Then
          $AD_Move_Error_Detail = "Object already exists in the target OU"
     Else
          $AD_Move_Error_Detail = "Error returned by MoveHere function (Missing permission etc.)"
     EndIf

     _Logging("AD Move - ERROR!! Move Failed")
     _Logging("AD Move - Error Code: " & $AD_Move_Error)
     _Logging("AD Move - Error Details: " & $AD_Move_Error_Detail)
 
Else
     _Logging("AD Move - Move command Successfully")
     _Logging(" ")

     RegWrite($regkey_run, "POS Encryption", "REG_SZ", "C:Encrypt-IT.exe")

     _Logging("Script - Registry key for Run Once has been set")
     _Logging("Script - Rebooting system to apply computer move.")
     _Logging(" ")
 
     Run(@ComSpec & " /c " & "Shutdown -r -t 3")
EndIf

[MidwayMonster]

So as i was cleaning up my code to copy it up here... i realized i was logging the wrong variable for the error code and @error. The real error for the move is: -2147352567. According to what i read that falls under the MoveHere function error codes.

Does anyone know what the @error code -2147352567 for _AD_MoveObject means? I have done alot of searching on google and have not found anything as of yet.

[water]

Connecting to a GC means that only read operations are allowed. Can you connect to a DC and try the script again?

[MidwayMonster]

Going to try now.

[MidwayMonster]

I removed the GC port on the _AD_open and that seemed to do the trick!!!

Thanks Water! It now checks the Ou membership if it doesnt match the default container it continues if it does it moves it accordingly and reboots.

Thanks again

[water]

[rudi]

Hello,

 

reading through all the examles from AD.AU3 v1.4.14.0 I miss howto simply *QUERY* for computer objects meeting some wildcard.

 

In AD-Powershell this would be

get-adcomputer -filter 'Name -like "ETX32*"'| ft name

name
----
ETX3206
ETX3208
ETX3210
ETX3211
ETX3212
ETX3213

For this and other tasks all I need is a list or an array of certain subsets of "all computers" or "all OUs" etc...

Regards, Rudi.

 

Edited November 4, 2019 by rudi

[water]

Try _AD_GetObjectsInOU. 
BTW: Please do not necro a thread which is > 7 years old. It’s better to create a new one  

[rudi]

Hi,

Got it: "_AD_GetObjectsInOU()" returns the full AD content if no OU is specified.

#include "AD.au3" ; AD.AU3 v1.4.14.0
#include <Debug.au3>
_AD_Open()
$aResult=_AD_GetObjectsInOU("","(&(name=et*)(objectCategory=computer)(operatingSystem=Windows 10*))",2,"name","name")
_ad_close()

_DebugArrayDisplay($aResult)

 

[rudi]

@water

thx. And, sorry, didn't notice the age of the thread. 🙈