Active Directory UDF - Help & Support (II)


water
Not beautiful but it should work. Pass the FQDN to function _AD_RemoveFromGroup.

Means:

local $worked = _AD_RemoveUserFromGroup("CN=First Level Review R/W access", $user)

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 


After some testing, I found a solution... Specifying the FQDN did not seem to help, so I took a peek at the UDF, then I did some research on LDAP queries and came up with a list of LDAP escape sequence substitutes.

http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx

I made a small stand alone tool to represent what I was using before:

#include <AD.au3>

$user = "tuser1"
_AD_OPEN()

msgbox(0,"","Removing " & $user & " from all AD groups" & @CRLF)
$groupz = _AD_GetUserGroups($user)
For $c = 1 to UBound($groupz) - 1
    msgbox(0,"","Removing " & $user & " from the following group: " &  $groupz[$c] & @CRLF)

    $worked = _AD_RemoveUserFromGroup($groupz[$c], $user)

    If $worked = 1 then
        msgbox(0,"",$user & " has been removed from " & $groupz[$c] & @CRLF)
    else
        msgbox(0,"","ERROR removing " & $user & " from " & $groupz[$c] & "      ############## ERROR:" & @Error & @CRLF)
    endif
next
_AD_CLOSE()

Then I added a line to look for the forward slash and replace it with the Escape sequence substitute:

$groupz[$c] = stringreplace($groupz[$c],"/","\2f")

and ended up with this:

#include <AD.au3>

$user = "tuser1"
_AD_OPEN()

msgbox(0,"","Removing " & $user & " from all AD groups" & @CRLF)
$groupz = _AD_GetUserGroups($user)
For $c = 1 to UBound($groupz) - 1
    msgbox(0,"","Removing " & $user & " from the following group: " &  $groupz[$c] & @CRLF)
    $groupz[$c] = stringreplace($groupz[$c],"/","\2f")
    $worked = _AD_RemoveUserFromGroup($groupz[$c], $user)

    If $worked = 1 then
        msgbox(0,"",$user & " has been removed from " & $groupz[$c] & @CRLF)
    else
        msgbox(0,"","ERROR removing " & $user & " from " & $groupz[$c] & "      ############## ERROR:" & @Error & @CRLF)
    endif
next
_AD_CLOSE()

This is actually working, so it may make a nice addition to the UDF :)

ASCII character   Escape sequence substitute
*                 \2a
(                 \28
)                 \29
\                 \5c
NUL               \00
/                 \2f
Edited by Kovacic

C0d3 is P0etry( ͡° ͜ʖ ͡°)


If I understand you correctly then function _AD_FixSpecialChars has been made for this:

$groupz[$c] = _AD_FixSpecialChars($groupz[$c])

This is the site I've used for reference:

http://www.rlmueller.net/CharactersEscaped.htm


Looks like I need to do some more investigation ... ;)


All in all I'm a huge fan! :]

Thanks :)

Looks like function _AD_ObjectExists causes the error = 1. The passed group name is used in an LDAP search. This means the escape characters you provided are needed.

My _AD_FixSpecialChars function only seems to work for FQDN.

I will have to verify that.


Got it!

The link I provided confirms what we have seen:

To escape special characters in Distinguished Names function _AD_FixSpecialChars works fine.

To escape special characters in LDAP filters you need to specify the hex code as you did.

I will extend function _AD_FixSpecialChars to handle LDAP filters.


Good call! I didn't even realize that was the hex version.. On another note, using that, you can escape any special chrs in that method. I guess you would have to figure out any legal usable chrs in AD, then add the StringReplace method for it.

Nice!

C0d3 is P0etry( ͡° ͜ʖ ͡°)
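
The distinction settled on above, as an added example that is not part of the thread or of AD.au3: a single-pass escaper for values placed in an LDAP search filter, using the hex substitutes from the table posted earlier. The names `_Example_EscapeLDAPFilterValue` and `_Example_GroupFilter` and the sample filter are assumptions; walking the string once means the backslashes produced by one substitution are never escaped a second time, which chained StringReplace calls would have to order carefully to avoid.

```autoit
; Added example (not from AD.au3). Both function names are hypothetical.
; The first sample group name is the one quoted earlier in this thread;
; the other two are constructed.

Func _Example_EscapeLDAPFilterValue($sValue)
    If StringLen($sValue) = 0 Then Return ""
    Local $aCodes = StringToASCIIArray($sValue) ; one UTF-16 code unit per element
    Local $sOut = ""
    For $iPos = 0 To UBound($aCodes) - 1
        Switch $aCodes[$iPos]
            ; NUL ( ) * / \  become a backslash plus two hex digits
            Case 0x00, 0x28, 0x29, 0x2A, 0x2F, 0x5C
                $sOut &= "\" & StringLower(Hex($aCodes[$iPos], 2))
            Case Else
                $sOut &= ChrW($aCodes[$iPos])
        EndSwitch
    Next
    Return $sOut
EndFunc   ;==>_Example_EscapeLDAPFilterValue

; Build a search filter from a free-form group name. The filter shape is an
; assumption for illustration, not the query the UDF itself issues.
Func _Example_GroupFilter($sGroupName)
    Return "(&(objectCategory=group)(cn=" & _Example_EscapeLDAPFilterValue($sGroupName) & "))"
EndFunc   ;==>_Example_GroupFilter

Local $aNames[3] = ["First Level Review R/W access", "Ops (EU) *temp*", "share\team"]
For $iName = 0 To UBound($aNames) - 1
    ConsoleWrite($aNames[$iName] & " -> " & _Example_GroupFilter($aNames[$iName]) & @CRLF)
Next
```

Escaping every filter metacharacter also keeps a name containing `(`, `)` or `*` from changing the structure of the search. For distinguished names the thread's conclusion still applies: that is a different escaping rule, handled by _AD_FixSpecialChars.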


  • 2 weeks later...

Hi, I use the AD UDF in several scripts on Citrix servers to check for memberships and set some registry when starting an application.

However sometimes my Terminal servers cannot find the domain controller, this I am fixing by a workaround (restart of DNS Client-service),

but there are always some users who are just logging in and getting an "autoit" error.

After some debugging I found out that the line within my script: $sFQDN_User = _AD_SamAccountNameToFQDN() is generating an exception: "The requested action with this object has failed."

I wrote some error handling and to catch and show the error:   errnumer: -2147016646       windescription: The server is not operational.

Local $oAD_RecordSet = $__oAD_Command.Execute
If @error Or Not IsObj($oAD_RecordSet) Or $oAD_RecordSet.RecordCount = 0 Then Return SetError(1, @error, "") 

In the above line from UDF function _AD_SamAccountNameToFQDN, it seems that the UDF errorhandling is not kicking in.

At the moment I am using a custom errorhandler to react on the error, but I rather want to check on @error within my script.

Is this possible?


Which version of the AD UDF and which version of AutoIt do you run?


To check on @error you could run the latest beta version of AutoIt. When there is no custom COM error handler then AutoIt simply sets @error and continues processing.


Which version of the AD UDF and which version of AutoIt do you run?

To check on @error you could run the latest beta version of AutoIt. When there is no custom COM error handler then AutoIt simply sets @error and continues processing.

The version of the UDF I am running is: v1.2.10  :sweating:  I probably should update ;-)

and my AutoIt version is: v3.3.8.1.

Should I use Autoit autoit-v3.3.9.24-beta-setup.exe instead?


The UDF version 1.2.1.0 isn't too old.

You can use a production version and a beta in parallel. Just press Alt+F5 (please check - I'm not sure and can't test at the moment) instead of F5 to run a script from SciTE.


The UDF version 1.2.1.0 isn't too old.

You can use a production version and a beta in parallel. Just press Alt+F5 (please check - I'm not sure and can't test at the moment) instead of F5 to run a script from SciTE.

Just installed the AD udf v1.3.00 and the autoit beta.

However I tried compiling my script  (Alt-F7) and got a few errors for using Autoit beta.

I added the constant: Global Const $__WINAPICONSTANT_FORMAT_MESSAGE_FROM_SYSTEM = 0x1000    to the AD udf.
This constant was removed from WinApi.au3 in AutoIt beta, but is used in the AD.au3.
 
Also _arraycreate() is no more available with the AutoitBeta Array.au3.
So in the AD.au3 function:  Func _AD_SetUserPrimaryGroup($sAD_User, $sAD_Group) I replaced:
$oAD_Group.GetInfoEx(_ArrayCreate("primaryGroupToken"), 0)

by:

Dim $TokenArray[1] ; one element is needed; a zero-length array has no index 0

$TokenArray[0] = "primaryGroupToken"
$oAD_Group.GetInfoEx($TokenArray, 0)
My script is compiling again.
To reproduce the error, I have to change the DNS of the Citrix server to 8.8.8.8. so it won't find the domaincontroller.
However I cannot do this right now because there are some people working on it.
So I'll test after working hours....
Edited by Jemboy

Ah, I see. A version of the UDF ready for the beta versions of AutoIt is already in the making.

As I'm leaving for vacation I won't be able to respond until next year.


Ah, I see. A version of the UDF ready for the beta versions of AutoIt is already in the making.

As I'm leaving for vacation I won't be able to respond until next year.

Have a nice vacation, see you next year.

I just tested the AD udf v1.3.0.0 with the Autoit Beta and the errors do not trigger an exception anymore.

However _AD_Open() will not set @Error or return a 0 to indicate a failure.

The function _AD_SamAccountNameToFQDN() though returns an empty string and sets @error to 1.


I'm using this, to change the password for a user, and it works, but I want it to enable the option

"user must change password at next logon"

I heard it would do the trick, by adding: ,1

but it still doesn't force the user to create a new password at next logon.

Global $iValue = _AD_SetPassword($sUser, $sPassword,1)

anyone know what might be the problem?

this is the script I use:

    Case $change_pass
    $readit = GUICtrlRead($machinename)

    _AD_Open()

    $get_user = InputBox("skift password","Ændre brugerens password til: Abcd1234","Initialer")

    Global $sUser = _AD_SamAccountNameToFQDN($get_user)
    Global $sPassword = "Abcd1234"

    ; Set the password
    Global $iValue = _AD_SetPassword($sUser, $sPassword,1)
    If $iValue = 1 Then
    MsgBox(64, "password ændret", "passwordet er ændret til: Abcd1234")
    ElseIf @error = 1 Then
    MsgBox(64, "Fejl", "den indtastede bruger eksisterer ikke.")
    Continueloop
    Else
    MsgBox(64, "Fejl", "Du har ikke rettigheder til at ændre passwordet.")
    EndIf

; Close Connection to the Active Directory
_AD_Close()