Active Directory UDF - Help & Support (III)

[water]

[nikink]

Here's a thought, is there a way to get this script to connect to the remote machine with one account, then join with a different one?

As in perhaps connect to and run with a local administrator account, but then join with a domain account.

[water]

The function uses the credentials of the currently logged on user to call WMI. You could try "#RequireAdmin" to run the script as local admin.

[colombeen]

When trying to get "ms-Mcs-AdmPwd" i keep getting "Has the unknown ADsType: 4". how can i fix this?

in the previous version of the UDF I didn't have this problem.

$AD_comp_LAPS = _AD_GetObjectProperties ($CompName & "$", "ms-Mcs-AdmPwd")
If $AD_comp_LAPS[0][0] > 0 Then
    If $AD_comp_LAPS[1][1] = Null Or $AD_comp_LAPS[1][1] = "" Then
        GUICtrlSetData($PC_LAPS_Password, "")
    Else
        GUICtrlSetData($PC_LAPS_Password, $AD_comp_LAPS[1][1]) ; this shows unknown ADsType now
    EndIf
Else
    GUICtrlSetData($PC_LAPS_Password, "")
EndIf

 

Edited August 17, 2016 by colombeen

[water]

So you are running the latest 1.4.5.0 version of the AD UDF?

[water]

Can't test at the moment but you could modify the following lines in function _AD_GetObjectProperties

Case $ADSTYPE_CASE_IGNORE_STRING
    $aObjectProperties[$iPropertyRecord][1] = $vPropertyValue.CaseIgnoreString

to

Case $ADSTYPE_CASE_IGNORE_STRING, $ADSTYPE_PRINTABLE_STRING
    $aObjectProperties[$iPropertyRecord][1] = $vPropertyValue.CaseIgnoreString

or (if the above doesn't work) to

Case $ADSTYPE_CASE_IGNORE_STRING, $ADSTYPE_PRINTABLE_STRING
    $aObjectProperties[$iPropertyRecord][1] = $vPropertyValue

and try if you get the desired values.

[colombeen]

Hi water, with this mod it keeps returning an empty value (and i'm sure it's not empty)

 

EDIT:

This however does work :

Switch $oProperty.ADsType
    Case $ADSTYPE_CASE_IGNORE_STRING
        $aObjectProperties[$iPropertyRecord][1] = $vPropertyValue.CaseIgnoreString
    Case $ADSTYPE_PRINTABLE_STRING
        $aObjectProperties[$iPropertyRecord][1] = $vPropertyValue.PrintableString

 

Edited August 17, 2016 by colombeen

[water]

Thanks for testing the code.
I will modify the function accordingly and hope to release a new version of the UDF quite soon.

[water]

Version 1.4.6.0 of the UDF has been released.

Bugfix in function _AD_GetObjectProperties.

Please test before using in production!
For download please see my signature.

[water]

I released a new version of the UDF that should correctly handle all string properties!

[inopia]

Hello water,

 

first off: Thank you so much for this developing this UDF. It is really amazing!!  

I don't know if this question has been answered before, since I wasn't able to find it:

We have a domain example.com and a subdomain office.example.com.

Our useraccounts are stored in example.com while our securitygroups are stored in office.example.com.

When I try to add a user to a group via _AD_AddUserToGroup...

1. while being on the DC of example.com I get the error -> 1 - $sGroup does not exist
2. while being on the DC of office.example.com I get -> 2 - $sUser (user or computer) does not exist

Is there a way to reach to the other domain? I use the FQDN, but aparrently this isn't enough.

(My account has the rights to work in both domains and I can add users to groups via MMC. Though while being in office.example.com I have to add the user by typing example\username.)

 

Kind regards

ino

[water]

Unfortunately the UDF does not support cross domain processing.
As I only have a single domain here I can not even test what would be needed to make the UDF cross domain aware  

[water]

Maybe setting ADO command object property "Chase referrals" to 1 using function _AD_SetADOProperties would do the trick?
https://technet.microsoft.com/en-us/library/cc978014.aspx

[inopia]

On 19.8.2016 at 6:08 PM, water said:

Maybe setting ADO command object property "Chase referrals" to 1 using function _AD_SetADOProperties would do the trick?
https://technet.microsoft.com/en-us/library/cc978014.aspx

This didn't work. Too bad : ( 

But I found a way to realize it anyway by using powershell : )

#include <File.au3>

$script="C:\tmp\temp.ps1"

_FileCreate($script)
$hwd=FileOpen ($script, 66)
FileWriteLine ($script, 'Import-Module ActiveDirectory')
FileWriteLine ($script, '$mycreds = GET-CREDENTIAL –credential "office\admin"')
FileWriteLine ($script, '$user = Get-ADUser "*distinguishedName*" –Server "example.com"')
FileWriteLine ($script, '$group = Get-ADGroup "*distinguishedName*" –Server "office.example.com";')
FileWriteLine ($script, 'Add-ADGroupMember $group -Credential $mycreds –Member $user –Server "office.example.com"')
FileClose($hwd)

Run(@ComSpec & " /c PowerShell.exe " & "-NoProfile -ExecutionPolicy Bypass -File "&$script)

 

Edited August 22, 2016 by inopia
fixed a mistake

[Surf243]

On 8/19/2016 at 10:59 AM, water said:

Unfortunately the UDF does not support cross domain processing.
As I only have a single domain here I can not even test what would be needed to make the UDF cross domain aware  

I modified some of your functions to add a user from another trusted domain:

Func _AD_ExObjectExists($sObject = @UserName, $sProperty = "", $sHostServer = $sAD_HostServer, $sDNS = $sAD_DNSDomain)

    If $sProperty = "" Then
        $sProperty = "samAccountName"
        If StringMid($sObject, 3, 1) = "=" Then $sProperty = "distinguishedName"
    EndIf
    $__oAD_Command.CommandText = "<LDAP://" & $sHostServer & "/" & $sDNS & ">;(" & $sProperty & "=" & $sObject & ");ADsPath;subtree"
    Local $oRecordSet = $__oAD_Command.Execute ; Retrieve the ADsPath for the object, if it exists
    If IsObj($oRecordSet) Then
        If $oRecordSet.RecordCount = 1 Then
            Return 1
        ElseIf $oRecordSet.RecordCount > 1 Then
            Return SetError($oRecordSet.RecordCount, 0, 0)
        Else
            Return SetError(1, 0, 0)
        EndIf
    Else
        Return SetError(1, 0, 0)
    EndIf

EndFunc   ;==>_AD_ExObjectExists

The code above is needed to check if Object Exists in the other domain

The code below allows me to work with SIDs. If the Object does exist it would show up in the ForeignSecurityPrincipals OU

Func _AD_AddExUserToGroup($sGroup, $sUser, $sProperty = "", $sHostServer = $sAD_HostServer, $sDNS = $sAD_DNSDomain)

    If Not _AD_ObjectExists($sGroup) Then Return SetError(1, 0, 0)
    If Not _AD_ExObjectExists($sUser, $sProperty, $sHostServer, $sDNS) Then Return SetError(2, 0, 0)
    If _AD_IsMemberOf($sGroup, "CN=" & $sUser & ",CN=ForeignSecurityPrincipals," & $sAD_DNSDomain) Then Return SetError(3, 0, 0)
    If StringMid($sGroup, 3, 1) <> "=" Then $sGroup = _AD_SamAccountNameToFQDN($sGroup) ; sAMACccountName provided
    If (StringMid($sUser, 3, 1) <> "=" And StringMid($sUser, 3, 1) <> "1") Then $sUser = _AD_SamAccountNameToFQDN($sUser) ; sAMACccountName provided
    If StringMid($sUser, 3, 1) = "1" Then $sUser = "<SID=" & $sUser & ">" ; SID provided
    Local $oUser = __AD_ObjGet("LDAP://" & $sHostServer & "/" & $sUser) ; Retrieve the COM Object for the user
    Local $oGroup = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sGroup) ; Retrieve the COM Object for the group
    $oGroup.Add($oUser.AdsPath)
    If @error Then Return SetError(@error, 0, 0)
    $oGroup.SetInfo
    If @error Then Return SetError(@error, 0, 0)
    Return 1

EndFunc   ;==>_AD_AddExUserToGroup

What's needed is the SID from the AD User in the other domain (Assuming your domains are trusted between each other & the group is Domain Local).

($sProperty = "objectSid" if using a SID)

I still need to modify the Removing of users from groups.

Edited August 25, 2016 by Surf243
Modified Functions

[water]

Would it be helpful to make the following changes to the AD UDF?

• With a flag function _AD_Open opens a connection to the specified domain controller AND the global catalogue
• Some/all functions that just query AD would use the global catalog
• All write functions would use the specified DC

[Surf243]

Yes, that would be very helpful. I think others would appreciate that as well.

Thanks for all the work you do!

[Mercury049]

I'm having issues getting calltips to work?  I've imported AD.au3 to the Include directory.  Run the SciteConfig tool and added all the calltips.  Yet it still won't give call tips and in fact acts like it doesn't see the addition of AD.au3 when I'm typing my #include.  

 

Thoughts?

 

[water]

On 30.8.2016 at 3:34 PM, Surf243 said:

Yes, that would be very helpful. I think others would appreciate that as well.

Thanks for all the work you do!

I think I will implement this feature in a new function: _AD_OpenGC (Open connection to global catalog).
You would call _AD_Open as before. If you want to run (all) query functions against the global catalog then call _AD_OpenGC in addition.
What do you think?

[Surf243]

On 9/5/2016 at 2:25 AM, water said:

I think I will implement this feature in a new function: _AD_OpenGC (Open connection to global catalog).
You would call _AD_Open as before. If you want to run (all) query functions against the global catalog then call _AD_OpenGC in addition.
What do you think?

Seems like a good idea. 

So here's my understanding of the process:

_AD_Open < -- First

_AD_OpenGC <-- Second

~~ Some AD Query ~~

_AD_CloseGC

_AD_Close

Is this correct?

Edited September 6, 2016 by Surf243
Typo