Kovacic

Active Directory | moving a computer to another OU using Runas

16 posts in this topic

I have been working on this for days with no luck.

I am working on a script to move laptops into the proper OU, specified by $sTargetOU, where the computer name is $sObject.

The situation:

IT people are logged onto laptops using the end user account (to profile them) which apparently does not have permissions to move computer accounts in AD from one OU to another.

The other situation:

When I profile a new laptop for a user, I am logged in as local admin and try to use a script to move the computer into a specified OU. I have credentials that I can use to move the computer account, but I would like to package this into an autoit script. I currently use AD.au3, which does the job as long as I am logged in with an IT AD account with sysadmin abilities.

What I am looking to do:

Simple one stop shop application that lets me runas a function similar to that below:

_AD_Open()
Global $iValue = _AD_MoveObject($sTargetOU, $sObject & "$")
If $iValue = 1 Then
    MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' successfully moved to '" & $sTargetOU & "'")
ElseIf @error = 1 Then
    MsgBox(64, "Active Directory Message", "Target OU '" & $sTargetOU & "' does not exist")
ElseIf @error = 2 Then
    MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' does not exist")
ElseIf @error = 3 Then
    MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' is already in the required OU. No change made.")
ElseIf @error = "-2147352567" Then
    MsgBox(64, "Active Directory Message", "Could not move '" & $sObject)
Else
    MsgBox(64, "Active Directory Message", "Return code '" & @error & "' from Active Directory")
EndIf
_AD_Close()

I appreciate any thoughts anyone might have because I'm at a dead stop.

Thanks in advance


C0d3 is P0etry( ͡° ͜ʖ ͡°)

Have you tried using _AD_Open with Domain admin credentials?


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

In all honesty, I did not know I could do that! I will check it out tomorrow!! Thanks!


You can either pass the needed credentials with _AD_Open or compile the script and run it as another user. _AD_Open uses the credentials of the currently logged-on user.

I haven't tried the latter myself so some testing would be needed.


My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2017-04-18 - Version 1.4.8.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2017-02-27 - Version 1.3.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
PowerPoint (2015-06-06 - Version 0.0.5.0) - Download - General Help & Support

Tutorials:
ADO - Wiki


I don't mind testing. I have a few test laptops and a domain to use. Where I keep getting stuck is passing the credentials on to the process that tries to perform the OU move. If it can be bound to _AD_Open, that would be much better!


You can either pass the needed credentials with _AD_Open or compile the script and run it as another user. _AD_Open uses the credentials of the currently logged-on user.

I haven't tried the latter myself so some testing would be needed.

I thought about using Runas, but one thing I hope to do is add this to my Windows profiler application, which will make it a one stop shop to profile laptops. So far, I have it so we can set out a line of laptops, open the app and hit start, and it will rename the computer to the serial captured from the BIOS, then join it to the domain using domain credentials I have in the script. I will do some testing using _AD_Open and let you know if I can get it to runas.


I don't know if it's possible on your domain, but on the domains that I have direct control over, I have created a user that I use to join computers to the domain. This user is further blocked from logging into any computers by a group policy, so it minimizes access to the domain. It's not 100% foolproof because the user credentials could be used to authenticate to the domain for other reasons, but can't log on. Our limited (non-admin) users don't have access to the C: drive, which is the only place they could look to find these credentials, so that further limits the exposure of the credentials. I only use this user in sysprep'ing the systems so that is another way that limits exposure to the credentials to users that I don't want to have the information.

BTW, even limited users can join computers to a domain as long as there isn't a group policy preventing it. They're limited to (I think) joining only 10 computers in total.


That's what I was told; according to Microsoft, it should only be 10, but with normal credentials I was able to join more in the past. I create an AD group, or just a user with domain user permissions removed and permission added only to join computers to the domain as a service account... This way, even if they are authenticated, they can't log on locally or over the network, and I can set up explicit deny permissions on all other resources. It would be a little bit of a pain, but it would be closer to bulletproof.


Kovacic,

Moved to "General Help" section. :)

M23


Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind._______My UDFs:

Spoiler

ArrayMultiColSort ---- Sort arrays on multiple columns
ChooseFileFolder ---- Single and multiple selections from specified path treeview listing
Date_Time_Convert -- Easily convert date/time formats, including the language used
ExtMsgBox --------- A highly customisable replacement for MsgBox
GUIExtender -------- Extend and retract multiple sections within a GUI
GUIFrame ---------- Subdivide GUIs into many adjustable frames
GUIListViewEx ------- Insert, delete, move, drag, sort, edit and colour ListView items
GUITreeViewEx ------ Check/clear parent and child checkboxes in a TreeView
Marquee ----------- Scrolling tickertape GUIs
NoFocusLines ------- Remove the dotted focus lines from buttons, sliders, radios and checkboxes
Notify ------------- Small notifications on the edge of the display
Scrollbars ----------Automatically sized scrollbars with a single command
StringSize ---------- Automatically size controls to fit text
Toast -------------- Small GUIs which pop out of the notification area


I don't mind testing. I have a few test laptops and a domain to use. Where I keep getting stuck is passing the credentials on to the process that tries to perform the OU move. If it can be bound to _AD_Open, that would be much better!

How to pass credentials to _AD_Open can be found in the help file _AD_Open.html or the wiki (link can be found in my signature).


I am also getting the object error (Attached)

This is an example of what this script would be moving, from this OU

"CN=MyCompName,OU=computers,DC=MyDomain,DC=COM"

to this one:

"OU=computers,OU=Updated OUs,DC=MyDomain,DC=com"

This works when being run by someone with elevated permissions, so I am trying to get it to open AD with another AD account, and I get the error in the attachment.

Func SET()
    ; Update the local server comment with the description built earlier in the script
    RunWait("net config server /srvcomment:""" & $FullDesc & """", @SW_HIDE)
    MsgBox(0, "Description Updated", " Updated local computer and AD descriptions:" & @CRLF & @CRLF & $FullDesc & @CRLF & @CRLF & "The computer should be moved to the following OU:" & @CRLF & @CRLF & $compouV)
    Global $SvcUsername = "MyDomainUsername"
    Global $SvcPassword = "SomeGoofyPassword"

    If $oumove = "yes" Then ; Check to see if an error happened earlier in the script that changed this to 'no'
        $sTargetOU = $compouV
        $sObject = @ComputerName
        _AD_Open([$sAD_UserIdParam = $SvcUsername, $sAD_PasswordParam = $SvcPassword[, $sAD_DNSDomainParam = "DC=MyDomain,DC=COM", $sAD_HostServerParam = "", $sAD_ConfigurationParam = ""[, $iAD_Security = 0]]])
        Global $iValue = _AD_MoveObject($sTargetOU, $sObject & "$")
        If $iValue = 1 Then
            MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' successfully moved to '" & $sTargetOU & "'")
        ElseIf @error = 1 Then
            MsgBox(64, "Active Directory Message", "Target OU '" & $sTargetOU & "' does not exist")
        ElseIf @error = 2 Then
            MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' does not exist")
        ElseIf @error = 3 Then
            MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' is already in the required OU. No change made.")
        Else
            MsgBox(64, "Active Directory Message", "Return code '" & @error & "' from Active Directory")
        EndIf
        _AD_Close()
    Else
        MsgBox(64, "Active Directory Message", "No OU moves were performed because the User account is not in a Users OU.")
        Exit
    EndIf

EndFunc   ;==>SET

I am sure I messed up somewhere, just not sure where.

[Attachment: screenshot of the error message]


Looks like the stop is happening here:

Func _AD_SamAccountNameToFQDN($sAD_SamAccountName = @UserName)

    If StringMid($sAD_SamAccountName, 3, 1) = "=" Then Return $sAD_SamAccountName ; already a FQDN. Return unchanged
    $__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(sAMAccountName=" & $sAD_SamAccountName & ");distinguishedName;subtree"
    Local $oAD_RecordSet = $__oAD_Command.Execute
    If @error Or Not IsObj($oAD_RecordSet) Or $oAD_RecordSet.RecordCount = 0 Then Return SetError(1, @error, "")
    Local $sAD_FQDN = $oAD_RecordSet.fields(0).value
    Return _AD_FixSpecialChars($sAD_FQDN, 0, "/#")

EndFunc   ;==>_AD_SamAccountNameToFQDN

This line:

$__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(sAMAccountName=" & $sAD_SamAccountName & ");distinguishedName;subtree"

I tried various naming conventions like myusername@mydomain.com, mydomain\myusername and nothing seemed to help.


Never mind, my fault... I called _AD_SamAccountNameToFQDN earlier in the script, so I had to move _AD_Open().

I'm good now.


Your _AD_Open function is written wrong too. This is the correct way.

_AD_Open($SvcUsername, $SvcPassword, "DC=MyDomain,DC=COM",  "", "", 0)

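A complete version of the move step, added here as an example for this thread; it is not Kovacic's script and not part of water's AD UDF. It uses the positional _AD_Open call BrewManNH shows above (user, password, domain DN, host server, configuration, security flag), checks _AD_Open's own result before attempting the move, and asks for the service-account password at run time instead of compiling it into the EXE. The OU, domain DN and account name are assumed placeholders, and _MoveThisComputer is a helper name chosen for this example.

```autoit
#include <AD.au3>
#include <MsgBoxConstants.au3>

; Assumed values (not from the thread): replace with your own OU DN, domain DN and account name.
Global Const $g_sTargetOU = "OU=computers,OU=Updated OUs,DC=MyDomain,DC=com"
Global Const $g_sDomainDN = "DC=MyDomain,DC=COM"
Global Const $g_sSvcUser = "MyDomainUsername"

; Ask for the password at run time rather than compiling it into the EXE: a compiled AutoIt
; script can be decompiled, so an embedded password is readable by anyone who can copy the
; file. The "*" argument makes InputBox mask what is typed.
Local $sSvcPassword = InputBox("Active Directory credentials", "Password for " & $g_sSvcUser, "", "*")
If @error Then Exit ; user cancelled the prompt

Local $iResult = _MoveThisComputer($g_sTargetOU, $g_sSvcUser, $sSvcPassword, $g_sDomainDN)
Local $iError = @error, $iExtended = @extended
$sSvcPassword = "" ; drop the secret as soon as it is no longer needed

If $iResult = 1 Then
    MsgBox($MB_ICONINFORMATION, "Active Directory", "Computer '" & @ComputerName & "' moved to '" & $g_sTargetOU & "'")
Else
    Switch $iError
        Case 10
            MsgBox($MB_ICONERROR, "Active Directory", "_AD_Open failed with @error " & $iExtended & ". Check the account, password and domain DN.")
        Case 1
            MsgBox($MB_ICONERROR, "Active Directory", "Target OU '" & $g_sTargetOU & "' does not exist")
        Case 2
            MsgBox($MB_ICONERROR, "Active Directory", "Computer '" & @ComputerName & "' does not exist in AD")
        Case 3
            MsgBox($MB_ICONINFORMATION, "Active Directory", "Computer '" & @ComputerName & "' is already in the target OU. No change made.")
        Case Else
            MsgBox($MB_ICONERROR, "Active Directory", "Return code " & $iError & " (extended " & $iExtended & ") from _AD_MoveObject")
    EndSwitch
EndIf

; Opens AD with explicit credentials, moves this computer's account into $sOU and closes the
; connection again. Returns 1 on success. On failure returns 0 and sets @error to 10 when
; _AD_Open failed (@extended then holds _AD_Open's own @error), or to the @error value
; returned by _AD_MoveObject (@extended holds its @extended).
Func _MoveThisComputer($sOU, $sUser, $sPassword, $sDomainDN)
    ; Positional parameters: user, password, DNS domain in DN form, host server, configuration, security flag.
    _AD_Open($sUser, $sPassword, $sDomainDN, "", "", 0)
    If @error Then Return SetError(10, @error, 0)

    ; The sAMAccountName of a computer account is the host name followed by "$".
    Local $iValue = _AD_MoveObject($sOU, @ComputerName & "$")
    Local $iMoveError = @error, $iMoveExtended = @extended
    _AD_Close()

    If $iValue <> 1 Then Return SetError($iMoveError, $iMoveExtended, 0)
    Return 1
EndFunc   ;==>_MoveThisComputer
```

The account used here does not need to be a domain admin, which is the point BrewManNH and Kovacic make about a dedicated join account: moving an object within a domain only needs the Delete permission on the computer object (or Delete Child on its current parent OU) plus Create Computer Objects on the target OU, so those two rights can be delegated to the service account on just the OUs involved and it can still be denied interactive and network logon by Group Policy.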

I had only moved it out because I thought the error was being generated from that function. Sometimes things that should work perfectly error out for me.


BTW: Function _AD_SamAccountNameToFQDN is only needed in rare cases. All functions accept SamAccountName and FQDN as parameters and convert them under the cover if needed.

