Active Directory UDF - Help & Support (III)

[water]

Thanks for the reply. At least I know that the AD UDF doesn't cause this strange problem.
Glad you could "solve" your problem with a workaround

[tweakster2010]

Hey water long time no see,

I am in a unique scenario and for the life of me I cannot think how to reduce out an AD open() to take from an array and search the display name to get a regular domain name from an admin domain name. You helped me before get an Admin domain name from a Regular domain name but we are making huge security changes and if I can get this part done we can start testing it and I am just mind numb from trying different ideas to reduce it out but I cannot think of anything that makes sense.

_AD_Open()
    Global $aUser = _AD_GetObjectsInOU("", "(&(objectCategory=person)(objectClass=user)(samaccountname=" & @UserName & "))", 2, "ADsPath,Displayname,distinguishedName")
    Global $sDisplayName0 = $aUser[1][1] ; Displayname
    $aUser123 = _AD_GetObjectsInOU("", '(&(objectCategory=person)(objectClass=user)(name=9-' & $sDisplayName0 & '*))', 2, "sAMAccountName,Displayname,distinguishedName")
    $adminID = _ArrayToString($aUser123, @TAB, 1, 1, @CRLF, 0, 0)
    _ArrayDisplay($aUser123,"")
    $adminStringSplit = StringLeft($adminID, 4)

This is what yo helped me come up with for getting Admin from Regular. What I am trying to do is when @Username = Admin ID get the $adminID to be a regular ID instead. I am just struggling on making the $aUser123 = Domain user. I already started my coding to define them based when I figure this part out. Any insight is greatly appreciated!

 

thanks,

 

Edit for typos and to point out our 1 ID starts with 9- in front so I know I should be able to reduce the 9- on the display portion to get the regular display name but I am completely drawing a blank on doing that. I also know its in the array first, which I am still green on arrays

Edited November 23, 2015 by tweakster2010

[water]

If I understand you correctly you "simply" try to do it the other way round?
Means:

• You've got the SamAccountName of an Admin
• You want to search the regular ID by using the Displayname of the Admin-ID as a key

[tweakster2010]

That is correct. But when I am trying to do is strip part of the displayname out as it has extra at the front and end of it. 2 characters in the front 4 in at the end. I have been playing around with trimming an array as I thought when I was reading through it again that the Array hosed the displayname. But every which way I go i still only show with 1 result but I am able to strip the either direction and see both. When i do an array trim I can trim out the front and end of the display name and it shows correctly but I cannot get it to locate from the displayname. That where I think I am getting lost at it.

 

Global $aUser = _AD_GetObjectsInOU("", "(&(objectCategory=person)(objectClass=user)(samaccountname=" & @UserName & "))", 2, "ADsPath,Displayname,distinguishedName")
    Global $sDisplayName0 = $aUser[1][1] ; Displayname
    _ArrayDisplay($aUser,"")
$aUser123 = _AD_GetObjectsInOU("", '(&(objectCategory=person)(objectClass=user)(name=*' & $sDisplayName0 & '*))', 2, "sAMAccountName,Displayname,distinguishedName")
_ArrayTrim($aUser123,2,0,1,1,1)
_ArrayTrim($aUser123,4,1,1,1,1)
_ArrayDisplay($aUser123,"")

I realize now though that the trimming isnt the stored information I am looking for and I am still very novice at the AD.udf and arrays but as I keep not getting the result I desire I think I am starting to understand it better. So I think eventually I will realize how to do the call and I noticed I could not do a forced exclude certain characters in the search itself with ! and ~ characters as I return a -1 from check. Any ideas?

[water]

I hope I got it right:

#include <ad.au3>
_AD_Open()
Global $aAdmin = _AD_GetObjectsInOU("", "(&(objectCategory=person)(objectClass=user)(samaccountname=" & @UserName & "))", 2, "ADsPath,Displayname,distinguishedName") ; Get the admin user by SamAccountName
If @error Then Exit MsgBox(0, "", "Error " & @error & " when retrieving Admin data!")
_ArrayDisplay($aAdmin)
$sUser = StringMid($aAdmin[1][1], 3) ; Strip off "9-" from the displayname
Global $aUser = _AD_GetObjectsInOU("", "(&(objectCategory=person)(objectClass=user)(displayname=*" & $sUser & "*))", 2, "ADsPath,Displayname,distinguishedName") ; Search the regular user by displayname
If @error Then Exit MsgBox(0, "", "Error " & @error & " when retrieving normal user data!")
_ArrayDisplay($aUser)
_AD_Close()

 

[tweakster2010]

That still only displays the Admin ID when logged in with the Admin ID. I think the big problem is our Admin ID's sn and first name are different than our regular ID. So in turn we would have to strip that info out then search just that info. Do you think that is possible?

 

the only thing that is running into my mind is strip the array out and then convert to string then search the string and acquire the samaccountname for the regular ID. Does that sound feasible or am I over thinking a search function that should work? I will start trying that now though to see if I can do that.

[water]

So all your users and admins are in the same OU?
You can't distinguish an admin from a regular user by a different samaccount e.g. normal user = george, admin id for the same user  = admingeorge?
As SamAccountnames are unique, displaynames are not you run into the problems you see now.

The code I posted is only an example:
For your current setup to grab all admins and return the regular user for each admin I would:

• Search all displaynames that start with "9-" to grab all admins
• Loop through the array, strip of "9-" from the returned displaynames
• Search with the new displaynames for the regular user

Is this correct?

[tweakster2010]

That is very likely the easier way of what I was talking about. I wasn't thinking about grabbing all 9- but instead just stripping 9- and using only the remainder for like the LN/FN/Displayname but that's what I could not get to work.

But as an example Admin is 9-(LastName),Firstname(adminID) No parenthesis in the actual Id but labeling to identify it.  So in turn its additional characters to the front and back of the display, 2 additional to the last name and 4 additional to the first name. So all in all I think I have been over thinking it just trying to pull the display name to avoid the search returning anyone with similar last names or first names and grab the exact display name that matches from the 2 accounts.

[tweakster2010]

Ok I think we were over thinking this pretty hard or at least I was. with some help of my coworker (he codes only in VBs) so he just gave me another approach that we could incorporate.

Below is the functioning code for both sides. I can log in as an admin or regular ID and get the same results.

_AD_Open()
    Global $aUser = _AD_GetObjectsInOU("", "(&(objectCategory=person)(objectClass=user)(samaccountname=" & @UserName & "))", 2, "ADsPath,Displayname,distinguishedName")
    Global $sDisplayName0 = $aUser[1][1] ; Displayname
    MsgBox(0,"", $sDisplayName0)
If StringLeft($sDisplayName0,2) = "9-" Then
    $Displaynamestring = StringTrimLeft($sDisplayName0,2)
    $Displaynamestring1 = StringTrimRight($Displaynamestring,6)
Else
    $Displaynamestring1 = $sDisplayName0
EndIf
$aUser123 = _AD_GetObjectsInOU("", '(&(objectCategory=person)(objectClass=user)(name=*' & $Displaynamestring1 & '*))', 2, "sAMAccountName,Displayname,distinguishedName")
_ArrayDisplay($aUser123,"")
$adminID = _ArrayToString($aUser123, @TAB, 1, 1, @CRLF, 0, 0)
$adminStringSplit = StringLeft($adminID, 4)
$regularID = _ArrayToString($aUser123, @TAB,2, 2, @CRLF, 0, 0)
_AD_Close()

 

[water]

Glad your problem could be solved

[hroberts]

I am trying to figure out how to take the array output of _AD_GetAllOUs and display them in a drop down box.  Displaying Column 1 but selecting column 2 as the move to location.  Everything I have tried fails horribly, and I have been searching all day to find out how to populate a dropdown box with the array.  Can you provide some assistance, or point me to someplace that may help?

 

Thanks,

[water]

I posted a reply in your other thread. I pointed you to the AD example scripts thread.

[chucks0]

I have an issue with _AD_JoinDomain.  We use "DC=something,DC=org" for the domain name when using _AD_Open.  When doing a domain join using _AD_JoinDomain, it is only using "something" as the domain name that is passed to $oComputer.JoinDomainOrWorkGroup which causes a 1355 error (domain not found) when the computer is on a different subnet than the domain controller.  If "something.org" is used as the domain name, it works fine.

This appears to be controlled by the following lines of code in the _AD_JoinDomain function:

Local $aDomain = StringSplit($sAD_DNSDomain, ",")
    Local $sDomainName = StringReplace($aDomain[1], "DC=", "")

Is there a way to update the function to include all of the DC portions of the domain name instead of just the first one?  Obviously, I can manually replace those 2 lines with the following, but I would prefer it I didn't have to remember to make this change each time I update AD.au3.

Local $sDomainName = StringReplace(StringReplace($sAD_DNSDomain, ",", "."), "DC=", "")

 

Edited January 8, 2016 by chucks0

[water]

It should be possible to add another parameter for such a case. You could now pass "something.org" as the last parameter.

expandcollapse popup

Func _AD_JoinDomain($sComputer = @ComputerName, $sUserParam = "", $sPasswordParam = "", $sOU = Default, $iFlag = 1, $sNewName = "", $sDomainParam = "")

    If BitAND($iFlag, 2) <> 2 And _AD_ObjectExists($sComputer & "$") = 0 Then Return SetError(1, 0, 0)
    If $sNewName <> "" And _AD_ObjectExists($sNewName & "$") = 1 Then Return SetError(6, 0, 0)
    Local $iResult, $iResult2, $sJoinUser, $sJoinPassword, $aTempUser
    Local $aDomain = StringSplit($sAD_DNSDomain, ",")
    Local $sDomainName = StringReplace($aDomain[1], "DC=", "")
    If $sDomainParam <> "" Then $sDomainName = $sDomainParam ; <== inserted this line
    ; Create WMI object
    Local $oComputer = ObjGet("winmgmts:{impersonationLevel=Impersonate}!\\" & $sComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & $sComputer & "'")
    If @error Or Not IsObj($oComputer) Then Return SetError(3, @error, 0)
    If $oComputer.Domain = $sDomainName Then Return SetError(4, 0, 0)
    ; Join domain. JoinDomainOrWorkGroup requires NetBiosName: domain\user
    If $sUserParam <> "" Then
        $sJoinPassword = $sPasswordParam
        $sJoinUser = $sUserParam
        If StringInStr($sUserParam, "\") = 0 And StringInStr($sUserParam, "@") = 0 Then ; Windows login name has been passed. Create a NetBiosName out of it
            If _AD_ObjectExists($sUserParam) = 0 Then Return SetError(2, 0, 0)
            $sJoinUser = $sDomainName & "\" & $sUserParam
        ElseIf StringInStr($sUserParam, "@") <> 0 Then ; User principal name has been passed. Create a NetBiosName out of it
            $aTempUser = StringSplit($sUserParam, "@")
            If _AD_ObjectExists($aTempUser[1]) = 0 Then Return SetError(2, 0, 0)
            $sJoinUser = $sDomainName & "\" & $aTempUser[1]
        Else ; NetBios name has been passed
            $aTempUser = StringSplit($sUserParam, "\")
            If _AD_ObjectExists($aTempUser[2]) = 0 Then Return SetError(2, 0, 0)
        EndIf
    ElseIf $sAD_UserId <> "" Then
        $sJoinPassword = $sAD_Password
        $sJoinUser = $sAD_UserId
        If StringInStr($sAD_UserId, "\") = 0 And StringInStr($sAD_UserId, "@") = 0 Then
            $sJoinUser = $sDomainName & "\" & $sAD_UserId ; Windows login name has been passed. Create a NetBiosName out of it
        ElseIf StringInStr($sAD_UserId, "@") <> 0 Then ; User principal name has been passed. Create a NetBiosName out of it
            $aTempUser = StringSplit($sAD_UserId, "@")
            $sJoinUser = $sDomainName & "\" & $aTempUser[1]
        EndIf
    Else
        $sJoinPassword = Default
        $sJoinUser = Default
    EndIf
    ; Join the computer to the domain
    $iResult = $oComputer.JoinDomainOrWorkGroup($sDomainName, $sJoinPassword, $sJoinUser, $sOU, $iFlag)
    ; $iResult: 0 = Success, no reboot needed, 1 = Success, reboot needed. Everything else: Error
    If $iResult < 0 Or $iResult > 1 Then
        Return SetError(5, $iResult, 0)
    Else
        ; Rename computer if parameter $sNewName has been set
        If $sNewName <> "" Then
            $iResult2 = $oComputer.Rename($sNewName, $sJoinPassword, $sJoinUser)
            If $iResult2 <> 0 Then Return SetError(7, $iResult2, 0)
        EndIf
        Return SetError(0, $iResult, 1)
    EndIf

EndFunc   ;==>_AD_JoinDomain

Edited January 8, 2016 by water

[willichan]

Hi Water,

Just wanted to give LONG overdue kudos and thanks for your AD UDF.  This is one of my three top used UDFs at the office, and has GREATLY simplified data gathering for some very complex reports, as well as automating several tasks.  I have even been able to free up one admin completely from our annual security audit process (for which he is also very grateful) thanks to the use of your UDF.

Thank you.

 

[water]

Great you like the UDF

If you like you could write a review in the download section and give a few stars. So other users know what to expect from the UDF.

[OrangeCoder]

Hey Guys

 

I feel a little lost here

trying to use _AD_Open

if my username is

orange.coder

my password is BigCitrus

my domain is 

citrus.orchard.b12.ca.us

my _AD_Open would like this 

_AD_Open("orange.coder","BigCitrus","DC=citrus,DC=orchard,DC=b12,DC=ca,DC=us")

 

?

[water]

If this are the credentials of the currentyl logged in user then

_AD_Open()

should be enough.

[OrangeCoder]

Hey water!

 

I wanted to provide the credentials cuz the script will be used on undomained computers during setup

[water]

I see.

The wiki provides detailed information how to connect to a domain.
https://www.autoitscript.com/wiki/Active_Directory_UDF_-_General

Hope this answers your questions.