Kovacic

Active Directory | moving a computer to another OU using Runas


I have been working on this for days with no luck.

I am working on a script to move laptops into the proper OU specified by $sTargetOU while the computer name is $sObject

The situation:

IT people are logged onto laptops using the end user account (to profile them) which apparently does not have permissions to move computer accounts in AD from one OU to another.

The other situation:

When I profile a new laptop for a user, I am logged in as local admin and try to use a script to move the computer into a specified OU. I have credentials that I can use to move the computer account, but I would like to package this into an autoit script. I currently use AD.au3, which does the job as long as I am logged in with an IT AD account with sysadmin abilities.

What I am looking to do:

Simple one stop shop application that lets me runas a function similar to that below:

#include <AD.au3>

; $sTargetOU (distinguished name of the destination OU) and $sObject
; (the computer name) are set before this block runs.
_AD_Open() ; binds to AD as the currently logged-on user
Global $iValue = _AD_MoveObject($sTargetOU, $sObject & "$") ; computer accounts are the name plus "$"
If $iValue = 1 Then
    MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' successfully moved to '" & $sTargetOU & "'")
ElseIf @error = 1 Then
    MsgBox(64, "Active Directory Message", "Target OU '" & $sTargetOU & "' does not exist")
ElseIf @error = 2 Then
    MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' does not exist")
ElseIf @error = 3 Then
    MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' is already in the required OU. No change made.")
ElseIf @error = -2147352567 Then ; COM exception code passed through by the UDF
    MsgBox(64, "Active Directory Message", "Could not move '" & $sObject)
Else
    MsgBox(64, "Active Directory Message", "Return code '" & @error & "' from Active Directory")
EndIf
_AD_Close()

I appreciate any thoughts anyone might have because I'm at a dead stop.

Thanks in advance


C0d3 is P0etry( ͡° ͜ʖ ͡°)


Have you tried using _AD_Open with Domain admin credentials?


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator


You can either pass the needed credentials with _AD_Open or compile the script and run it as another user. _AD_Open uses the credentials of the currently logged-on user.

I haven't tried the latter myself so some testing would be needed.


My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2020-10-10 - Version 1.5.2.1) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2020-06-30 - Version 1.6.2.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (NEW 2020-06-27 - Version 1.3.2.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
PowerPoint (2017-06-06 - Version 0.0.5.0) - Download - General Help & Support
Excel - Example Scripts - Wiki
Word - Wiki
Task Scheduler (2019-12-03 - Version 1.5.1.0) - Download - General Help & Support - Wiki

Tutorials:
ADO - Wiki, WebDriver - Wiki

 


I don't mind testing.. I have a few test laptops and a domain to use. Where I keep getting stuck is passing the credentials on to the process that tries to perform the OU move. If it can be bound to ADOpen, that would be much better!


You can either pass the needed credentials with _AD_Open or compile the script and run it as another user. _AD_Open uses the credentials of the currently logged-on user.

I haven't tried the latter myself so some testing would be needed.

I thought about using the Runas, but one thing I hope to do is add this to my windows profiler application that will make it a one stop shop to profile laptops. So far, I have it so we can set out a line of laptops, open the app and hit start, and it will rename the computer to the serial captured from the BIOS, then join to the domain using domain credentials I have in the script. I will do some testing using _AD_Open and let you know if I can get it to runas.


I don't know if it's possible on your domain, but on the domains that I have direct control over, I have created a user that I use to join computers to the domain. This user is further blocked from logging into any computers by a group policy, so it minimizes access to the domain. It's not 100% foolproof because the user credentials could be used to authenticate to the domain for other reasons, but can't log on. Our limited (non-admin) users don't have access to the C: drive, which is the only place they could look to find these credentials, so that further limits the exposure of the credentials. I only use this user in sysprep'ing the systems so that is another way that limits exposure to the credentials to users that I don't want to have the information.

BTW, even limited users can join computers to a domain as long as there isn't a group policy preventing it. They're limited to (I think) joining only 10 computers in total.


That's what I was told, according to Microsoft, it should only be 10, but with normal credentials, I was able to join more in the past. I create an AD group or just a user with domain user permissions removed and added permission to only join computers to the domain as a service account... This way, even if they are authenticated, they can't log on locally or over the network, and can set up explicit deny permissions on all other resources. It would be a little bit of a pain, but it would be closer to bullet proof.


Kovacic,

Moved to "General Help" section. :)

M23


Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind

Open spoiler to see my UDFs:

Spoiler

ArrayMultiColSort ---- Sort arrays on multiple columns
ChooseFileFolder ---- Single and multiple selections from specified path treeview listing
Date_Time_Convert -- Easily convert date/time formats, including the language used
ExtMsgBox --------- A highly customisable replacement for MsgBox
GUIExtender -------- Extend and retract multiple sections within a GUI
GUIFrame ---------- Subdivide GUIs into many adjustable frames
GUIListViewEx ------- Insert, delete, move, drag, sort, edit and colour ListView items
GUITreeViewEx ------ Check/clear parent and child checkboxes in a TreeView
Marquee ----------- Scrolling tickertape GUIs
NoFocusLines ------- Remove the dotted focus lines from buttons, sliders, radios and checkboxes
Notify ------------- Small notifications on the edge of the display
Scrollbars ----------Automatically sized scrollbars with a single command
StringSize ---------- Automatically size controls to fit text
Toast -------------- Small GUIs which pop out of the notification area


I don't mind testing.. I have a few test laptops and a domain to use. Where I keep getting stuck is passing the credentials on to the process that tries to perform the OU move. If it can be bound to ADOpen, that would be much better!

How to pass credentials to _AD_Open can be found in the help file _AD_Open.html or the wiki (link can be found in my signature).


I am also getting the object error (Attached)

This is an example of what this script would be moving, from this OU

"CN=MyCompName,OU=computers,DC=MyDomain,DC=COM"

to this one:

"OU=computers,OU=Updated OUs,DC=MyDomain,DC=com"

This works when being run by someone with elevated permissions, so I am trying to get it to open AD with another AD account, and I get the error in the attachment.

; $FullDesc, $compouV and $oumove are set earlier in the script (not shown here).
Func SET()
    RunWait("net config server /srvcomment:""" & $FullDesc & """", @SW_HIDE)
    MsgBox(0, "Description Updated", " Updated local computer and AD descriptions:" & @CRLF & @CRLF & $FullDesc & @CRLF & @CRLF & "The computer should be moved to the following OU:" & @CRLF & @CRLF & $compouV)
    ; Credentials stored in the script in plain text; anyone who can read the compiled exe can recover them
    Global $SvcUsername = "MyDomainUsername"
    Global $SvcPassword = "SomeGoofyPassword"

    If $oumove = "yes" Then ; Check to see if an error happened earlier in the script that changed this to 'no'
        $sTargetOU = $compouV
        $sObject = @ComputerName
        ; _AD_Open called with the help-file prototype pasted literally; see the correction later in the thread
        _AD_Open([$sAD_UserIdParam = $SvcUsername, $sAD_PasswordParam = $SvcPassword[, $sAD_DNSDomainParam = "DC=MyDomain,DC=COM", $sAD_HostServerParam = "", $sAD_ConfigurationParam = ""[, $iAD_Security = 0]]])
        Global $iValue = _AD_MoveObject($sTargetOU, $sObject & "$")
        If $iValue = 1 Then
            MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' successfully moved to '" & $sTargetOU & "'")
        ElseIf @error = 1 Then
            MsgBox(64, "Active Directory Message", "Target OU '" & $sTargetOU & "' does not exist")
        ElseIf @error = 2 Then
            MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' does not exist")
        ElseIf @error = 3 Then
            MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' is already in the required OU. No change made.")
        Else
            MsgBox(64, "Active Directory Message", "Return code '" & @error & "' from Active Directory")
        EndIf
        _AD_Close()
    Else
        MsgBox(64, "Active Directory Message", "No OU moves were performed because the User account is not in a Users OU.")
        Exit
    EndIf

EndFunc   ;==>SET

I am sure I messed up somewhere, just not sure where


Looks like the stop is happening here

Func _AD_SamAccountNameToFQDN($sAD_SamAccountName = @UserName)

    If StringMid($sAD_SamAccountName, 3, 1) = "=" Then Return $sAD_SamAccountName ; already a FQDN. Return unchanged
    $__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(sAMAccountName=" & $sAD_SamAccountName & ");distinguishedName;subtree"
    Local $oAD_RecordSet = $__oAD_Command.Execute
    If @error Or Not IsObj($oAD_RecordSet) Or $oAD_RecordSet.RecordCount = 0 Then Return SetError(1, @error, "")
    Local $sAD_FQDN = $oAD_RecordSet.fields(0).value
    Return _AD_FixSpecialChars($sAD_FQDN, 0, "/#")

EndFunc   ;==>_AD_SamAccountNameToFQDN

This line:

$__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(sAMAccountName=" & $sAD_SamAccountName & ");distinguishedName;subtree"

I tried various naming conventions like myusername@mydomain.com, mydomain\myusername and nothing seemed to help..


Never mind, my fault... I called _AD_SamAccountNameToFQDN earlier in the script, so I had to move _AD_OPEN()

I'm good now


Your _AD_Open function is written wrong too. This is the correct way.

_AD_Open($SvcUsername, $SvcPassword, "DC=MyDomain,DC=COM",  "", "", 0)

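A complete version of the credentialed move, added here as an illustration; it is not code from the thread or from the AD UDF's own examples. It uses the _AD_Open parameter order given in the reply above, asks for the account at run time instead of compiling it into the exe, and assumes that _AD_ObjectExists accepts the distinguished name of an OU; the domain and OU names are the thread's placeholders.

```autoit
#include <AD.au3>
#include <MsgBoxConstants.au3>

; Constructed sample values mirroring the thread's placeholders.
Global Const $sDnsDomain = "DC=MyDomain,DC=COM"
Global Const $sTargetOU = "OU=computers,OU=Updated OUs,DC=MyDomain,DC=com"
Global $sObject = @ComputerName & "$" ; computer accounts are the name plus "$"

Exit _MoveComputerAs($sObject, $sTargetOU, $sDnsDomain)

; Binds to AD with a separate account and moves $sComputer into $sOU.
; Returns 0 on success, otherwise a non-zero exit code describing the failure.
Func _MoveComputerAs($sComputer, $sOU, $sDomain)
    ; Ask for the account at run time: anything compiled into an AutoIt exe can be read back out.
    ; The account only needs the right to move computer objects between the two OUs.
    Local $sUser = InputBox("AD credentials", "Account allowed to move computer objects (DOMAIN\user):")
    If @error Then Return 1
    Local $sPass = InputBox("AD credentials", "Password for " & $sUser & ":", "", "*") ; "*" masks the input
    If @error Then Return 1

    ; Parameter order: user, password, DNS domain, host server, configuration context, security flag
    If Not _AD_Open($sUser, $sPass, $sDomain, "", "", 0) Then
        MsgBox($MB_ICONERROR, "Active Directory", "Bind failed, @error=" & @error & " @extended=" & @extended)
        Return 2
    EndIf
    $sPass = "" ; not needed once the bind succeeded

    ; Check both ends first so the failure message names the missing object.
    Local $iRet = 0
    If Not _AD_ObjectExists($sOU) Then
        MsgBox($MB_ICONWARNING, "Active Directory", "Target OU '" & $sOU & "' does not exist")
        $iRet = 3
    ElseIf Not _AD_ObjectExists($sComputer) Then
        MsgBox($MB_ICONWARNING, "Active Directory", "Computer '" & $sComputer & "' does not exist")
        $iRet = 4
    Else
        _AD_MoveObject($sOU, $sComputer)
        Switch @error ; evaluated once, before any MsgBox call resets it
            Case 0
                MsgBox($MB_ICONINFORMATION, "Active Directory", "'" & $sComputer & "' moved to '" & $sOU & "'")
            Case 3
                MsgBox($MB_ICONINFORMATION, "Active Directory", "'" & $sComputer & "' is already in '" & $sOU & "'")
            Case Else
                ; Typically the bound account lacks rights on the source or target OU
                MsgBox($MB_ICONERROR, "Active Directory", "Move failed, @error=" & @error & " @extended=" & @extended)
                $iRet = 5
        EndSwitch
    EndIf

    _AD_Close()
    Return $iRet
EndFunc   ;==>_MoveComputerAs
```

The exit code lets a wrapper (for example the profiling application mentioned earlier in the thread) tell a bind failure from a missing object or a permissions problem without parsing message boxes.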

I had only moved it out because I thought the error was being generated from that function. Sometimes things that should work perfectly error out for me.


BTW: Function _AD_SamAccountNameToFQDN is only needed in rare cases. All functions accept SamAccountName and FQDN as parameters and convert them under the cover if needed.
