Active Directory UDF - Help & Support (III)

water · June 3, 2016

Unfortunately not from my side. That's far outside my knowledge
Any ideas from your AD admin?

AdamUL · June 3, 2016

Are you renaming your PCs after adding them to AD, such as using _AD_JoinDomain. How I wrote my function was to rename the computer before adding it to AD. This was before the feature was added to _AD_JoinDomain. Also, _AD_JoinDomain should add the PC to the Computers OU with the $sOU value set to the Default keyword.

Also, I'm wondering if the logic for renaming needs to be changed in _AD_JoinDomain to invoke the .Rename method before the .JoinDomainOrWorkGroup method. Here's a blog post about changing a PC's name and adding it to AD, using Powershell and WMI.

http://allanrbo.blogspot.com/2012/07/join-domain-and-rename-in-one-reboot.html

For group policies, you could add "gpupdate /force" with the Run or RunWait function to you script.

Adam

OrangeCoder · June 7, 2016

Hey @AdamUL thanks for that info.

I'll be sure to give that a try

However for putting the PC to the COmputers OU with $sOU value set to the default keyword - would you provide me an example of that ?

I wanna make sure I do it right the first time lol

OrangeCoder · June 8, 2016

@AdamUL

AdamUL · June 9, 2016

Sorry for the late reply. I'm on vacation this week, and got the @ notification.

For the _AD_JoinDomain call use the following. This uses the same credentials as _AD_Open.

_AD_JoinDomain(@ComputerName, "", "", Default)

If you are using _AD_CreateComputer first, use the FQDN for the Computers OU, like the following to create the computer account.

_AD_CreateComputer("CN=Computers,DC=ad,DC=something,DC=edu", @ComputerName, $sADUser)

Where I work, any computer account created in the Computers OU, is move to different OUs by a script, based on the computer name prefix.

Adam

OrangeCoder · June 9, 2016

hhhmm interesting @AdamUL! about the script to moving computers based on name prefix

Thank you for that - no worries on the delay - thought maybe you didn't get the notice cause I didn't tag you correctly

OrangeCoder · June 9, 2016

@water - perhaps I missed it but where do I find a list of all the Flags for ADJoinDomain ?

water · June 9, 2016

Check table 16 here https://technet.microsoft.com/en-us/library/ee692588.aspx

That's the first link in the functions header section.

Edited June 9, 2016 by water

Kaimberex · June 10, 2016

Is there a way to get the below function to return the array as DisplayName instead of FQDN? the Recursive function takes too long to process. Im sure I am missing something simple. Any help would be appreciated! Thanks!

; #FUNCTION# ====================================================================================================================
; Name...........: _AD_GetGroupMembers
; Description ...: Returns an array of group members.
; Syntax.........: _AD_GetGroupMembers($sGroup)
; Parameters ....: $sGroup - Group to retrieve members from. Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName
; Return values .: Success - Returns an one-based one dimensional array of names (FQDN) that are members of the specified group
;                  Failure - "", sets @error to:
;                  |1 - Specified group does not exist
; Author ........: Jonathan Clelland
; Modified.......: water
; Remarks .......: If the group has no members, _AD_GetGroupMembers returns an array with one element (row count) set to 0
; Related .......: _AD_GetGroupMemberOf, _AD_RecursiveGetGroupMembers
; Link ..........:
; Example .......: Yes
; ===============================================================================================================================

water · June 10, 2016

Unfortunately, no. The function returns all members of a group by accessing property "member". This property is returned as the FQDN of the members. It has to be the FQDN to be unique.
So you can only grab the FQDN of each member and use _AD_GetProperty to retrieve the displayname. But that takes some time to process too.

Edited June 10, 2016 by water

Kaimberex · June 10, 2016

47 minutes ago, water said:

Unfortunately, no. The function returns all members of a group by accessing property "member". This property is returned as the FQDN of the members. It has to be the FQDN to be unique.
So you can only grab the FQDN of each member and use _AD_GetProperty to retrieve the displayname. But that takes some time to process too.

Here's a sample of the code I am working with

Func _TestUsersInGroup();This function will not be used as it takes an insanely long time to complete
    GUICtrlSetData($ListUsersInSelectedGroup, "")
    _Ad_Open()
    $sObject = GUICtrlRead($ListMembers)
    ConsoleWrite($sObject & @CRLF)



    $sUsersInGroupSelected = _AD_GetGroupMembers($sObject)
    For $i = 1 To UBound($sUsersInGroupSelected) - 1
        
        ConsoleWrite($sUsersInGroupSelected[$i]&@CRLF)
;~      _AD_FQDNToDisplayname($sUsersInGroupSelected[$i])

    Next

EndFunc   ;==>_TestUsersInGroup

It returns the FQDN as expected but is there a way I can loop through all of the elements and _AD_FQDNToDisplayname() on each of them without it taking insanely long to process?

Output:

SM Deskside Support
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=FFIC - Transition,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=Business Users,OU=USERS,OU=BRAZIL,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=BRAZIL,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=CANADA,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=TEMPLATES - DO NOT DELETE,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=S-1-5-21-424429321-1812619029-1179000955-21983,CN=ForeignSecurityPrincipals,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ

Edited June 10, 2016 by Kaimberex

water · June 10, 2016

Do not call _AD_FQDNToDisplayname for every entry in the array. _AD_FQDNToDisplayname just calls _AD_GetObjectAttribute.
Create your own version of _AD_GetObjectAttribute and remove the unneeded statements. That should cut down execution time a bit:

Func _AD_GetObjectAttributeEX($sObject)

    $__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(distinguishedName=" & $sObject & ");ADsPath;subtree"
    Local $oRecordSet = $__oAD_Command.Execute ; Retrieve the ADsPath for the object
    If @error Or Not IsObj($oRecordSet) Or $oRecordSet.RecordCount = 0 Then Return SetError(2, @error, "")
    Local $sLDAPEntry = $oRecordSet.fields(0).value
    Local $oObject = __AD_ObjGet($sLDAPEntry) ; Retrieve the COM Object for the object
    Local $sResult = $oObject.Get("DisplayName")
    If @error Then Return SetError(2, @error, "")
    $oObject.PurgePropertyList
    If IsArray($sResult) Then _ArrayInsert($sResult, 0, UBound($sResult, 1))
    Return $sResult

EndFunc   ;==>_AD_GetObjectAttributeEX

Edited June 10, 2016 by water

nikink · July 16, 2016

Hi Water, when I run your joindomain example I get the following error:

wmi object could not be created. -2147024174

Do you have any ideas why that might be occurring? I unjoined my otherwise working testmachine, so I know it has an AD account. Googling has not been helpful.

water · July 16, 2016

You could add

_AD_ErrorNotify(2)

at the top of your script so we get better error information.

AutoBert · July 16, 2016

Maybe WMI isn't running?

water · July 16, 2016

-2147024174 (decimal) equals 0x800702d2 (hex):

According to MS (https://msdn.microsoft.com/en-us/library/aa394559(v=vs.85).aspx) 0x8007xxxx stands for "Errors originating in the core operating system. WMI may return this type of error because of an external failure, for example, DCOM security failure."

Google only lists 2 entries for this hex code: "0x800702D2 The resumable flag to a timer API was ignored. ERROR_TIMER_RESUME_IGNORED"

Unfortunately this doesn't help very much

nikink · July 17, 2016

Bugger.

Far as I can tell WMI is working. Could be just something specific to our domain I guess - something locked down/blocked.

Hm.

I'll try again with _AD_ErrorNotify(2) and see what happens. Hopefully it'll give a more useful error code!

Thanks for your assistance.

nikink · July 17, 2016

And now the error# has changed. O.o

From ErrorNotify(2):

scriptline: 3771

Hexerror: 80070005

Number: 2147024891

WinDescription: Access is Denied

I'm running the script on win8.1 at a virtual machine with win7

water · July 17, 2016

Microsoft describes what's going on here https://msdn.microsoft.com/en-us/library/aa394603(v=vs.85).aspx

"The user does not have remote access to the computer through DCOM. Typically, DCOM errors occur when connecting to a remote computer with a different operating system version."

Solution:
"Give the user Remote Launch and Remote Activation permissions in dcomcnfg."

nikink · July 17, 2016

Ah nuts, then. Looks like all the necessary permissions are blocked on the domain level, and remain in force even when the pc isn't joined. That's annoying.

Thanks for your help!

Sign In

Active Directory UDF - Help & Support (III)

Recommended Posts

water

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

water

water

water

Posted Images

AdamUL

OrangeCoder

OrangeCoder

AdamUL

OrangeCoder

OrangeCoder

water

Kaimberex

water

Kaimberex

water

nikink

water

AutoBert

water

nikink

nikink

water

nikink

Create an account or sign in to comment

Create an account

Sign in

Browse

AutoIt Resources

Release

Beta