Active Directory UDF - Help & Support (III)

[water]

Unfortunately not from my side. That's far outside my knowledge
Any ideas from your AD admin?

[AdamUL]

Are you renaming your PCs after adding them to AD, such as using _AD_JoinDomain.  How I wrote my function was to rename the computer before adding it to AD.  This was before the feature was added to _AD_JoinDomain.  Also, _AD_JoinDomain should add the PC to the Computers OU with the $sOU value set to the Default keyword.  

Also, I'm wondering if the logic for renaming needs to be changed in _AD_JoinDomain to invoke the .Rename method before the .JoinDomainOrWorkGroup method.  Here's a blog post about changing a PC's name and adding it to AD, using Powershell and WMI.  

http://allanrbo.blogspot.com/2012/07/join-domain-and-rename-in-one-reboot.html

For group policies, you could add "gpupdate /force" with the Run or RunWait function to you script.  

 

Adam

 

[OrangeCoder]

Hey @AdamUL  thanks for that info. 

I'll be sure to give that a try

However for putting the PC to the COmputers OU with $sOU value set to the default keyword - would you provide me an example of that ?

I wanna make sure I do it right the first time lol

[OrangeCoder]

@AdamUL

[AdamUL]

Sorry for the late reply.  I'm on vacation this week, and got the @ notification.  

For the _AD_JoinDomain call use the following.  This uses the same credentials as _AD_Open.  

_AD_JoinDomain(@ComputerName, "", "", Default)

If you are using _AD_CreateComputer first, use the FQDN for the Computers OU, like the following to create the computer account.

_AD_CreateComputer("CN=Computers,DC=ad,DC=something,DC=edu", @ComputerName, $sADUser)

Where I work, any computer account created in the Computers OU, is move to different OUs by a script, based on the computer name prefix.  

 

Adam

 

[OrangeCoder]

hhhmm interesting @AdamUL! about the script to moving computers based on name prefix

 

Thank you for that - no worries on the delay - thought maybe you didn't get the notice cause I didn't tag you correctly

[OrangeCoder]

@water - perhaps I missed it but where do I find a list of all the Flags for ADJoinDomain ?

[water]

Check table 16 here https://technet.microsoft.com/en-us/library/ee692588.aspx

That's the first link in the functions header section.

Edited June 9, 2016 by water

[Kaimberex]

 

Is there a way to get the below function to return the array as DisplayName instead of FQDN? the Recursive function takes too long to process. Im sure I am missing something simple. Any help would be appreciated! Thanks!

 

 

; #FUNCTION# ====================================================================================================================
; Name...........: _AD_GetGroupMembers
; Description ...: Returns an array of group members.
; Syntax.........: _AD_GetGroupMembers($sGroup)
; Parameters ....: $sGroup - Group to retrieve members from. Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName
; Return values .: Success - Returns an one-based one dimensional array of names (FQDN) that are members of the specified group
;                  Failure - "", sets @error to:
;                  |1 - Specified group does not exist
; Author ........: Jonathan Clelland
; Modified.......: water
; Remarks .......: If the group has no members, _AD_GetGroupMembers returns an array with one element (row count) set to 0
; Related .......: _AD_GetGroupMemberOf, _AD_RecursiveGetGroupMembers
; Link ..........:
; Example .......: Yes
; ===============================================================================================================================

[water]

Unfortunately, no. The function returns all members of a group by accessing property "member". This property is returned as the FQDN of the members. It has to be the FQDN to be unique.
So you can only grab the FQDN of each member and use _AD_GetProperty to retrieve the displayname. But that takes some time to process too.
 

Edited June 10, 2016 by water

[Kaimberex]

47 minutes ago, water said:

Unfortunately, no. The function returns all members of a group by accessing property "member". This property is returned as the FQDN of the members. It has to be the FQDN to be unique.
So you can only grab the FQDN of each member and use _AD_GetProperty to retrieve the displayname. But that takes some time to process too.
 

Here's a sample of the code I am working with 

Func _TestUsersInGroup();This function will not be used as it takes an insanely long time to complete
    GUICtrlSetData($ListUsersInSelectedGroup, "")
    _Ad_Open()
    $sObject = GUICtrlRead($ListMembers)
    ConsoleWrite($sObject & @CRLF)



    $sUsersInGroupSelected = _AD_GetGroupMembers($sObject)
    For $i = 1 To UBound($sUsersInGroupSelected) - 1
        
        ConsoleWrite($sUsersInGroupSelected[$i]&@CRLF)
;~      _AD_FQDNToDisplayname($sUsersInGroupSelected[$i])

    Next

EndFunc   ;==>_TestUsersInGroup

It returns the FQDN as expected but is there a way I can loop through all of the elements and _AD_FQDNToDisplayname() on each of them without it taking insanely long to process?

Output:

SM Deskside Support
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=FFIC - Transition,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=Business Users,OU=USERS,OU=BRAZIL,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=BRAZIL,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=CANADA,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=TEMPLATES - DO NOT DELETE,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ
CN=S-1-5-21-424429321-1812619029-1179000955-21983,CN=ForeignSecurityPrincipals,DC=AGCS,DC=BIZ
CN=User,OU=IT,OU=USERS,OU=US,OU=AGCS,DC=AGCS,DC=BIZ

 

Edited June 10, 2016 by Kaimberex

[water]

Do not call _AD_FQDNToDisplayname for every entry in the array. _AD_FQDNToDisplayname just calls _AD_GetObjectAttribute.
Create your own version of _AD_GetObjectAttribute and remove the unneeded statements. That should cut down execution time a bit:

Func _AD_GetObjectAttributeEX($sObject)

    $__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(distinguishedName=" & $sObject & ");ADsPath;subtree"
    Local $oRecordSet = $__oAD_Command.Execute ; Retrieve the ADsPath for the object
    If @error Or Not IsObj($oRecordSet) Or $oRecordSet.RecordCount = 0 Then Return SetError(2, @error, "")
    Local $sLDAPEntry = $oRecordSet.fields(0).value
    Local $oObject = __AD_ObjGet($sLDAPEntry) ; Retrieve the COM Object for the object
    Local $sResult = $oObject.Get("DisplayName")
    If @error Then Return SetError(2, @error, "")
    $oObject.PurgePropertyList
    If IsArray($sResult) Then _ArrayInsert($sResult, 0, UBound($sResult, 1))
    Return $sResult

EndFunc   ;==>_AD_GetObjectAttributeEX

 

Edited June 10, 2016 by water

[nikink]

Hi Water, when I run your joindomain example I get the following error:

wmi object could not be created. -2147024174

Do you have any ideas why that might be occurring? I unjoined my otherwise working testmachine, so I know it has an AD account. Googling has not been helpful.

[water]

You could add

_AD_ErrorNotify(2)

at the top of your script so we get better error information.

[AutoBert]

Maybe WMI isn't running?

[water]

-2147024174 (decimal) equals 0x800702d2 (hex):

According to MS (https://msdn.microsoft.com/en-us/library/aa394559(v=vs.85).aspx) 0x8007xxxx stands for "Errors originating in the core operating system. WMI may return this type of error because of an external failure, for example, DCOM security failure."

Google only lists 2 entries for this hex code: "0x800702D2 The resumable flag to a timer API was ignored. ERROR_TIMER_RESUME_IGNORED"

Unfortunately this doesn't help very much

 

[nikink]

Bugger.

Far as I can tell WMI is working. Could be just something specific to our domain I guess - something locked down/blocked.

Hm.

I'll try again with _AD_ErrorNotify(2) and see what happens. Hopefully it'll give a more useful error code!

Thanks for your assistance.

[nikink]

And now the error# has changed. O.o

From ErrorNotify(2):

scriptline: 3771

Hexerror: 80070005

Number: 2147024891

WinDescription: Access is Denied

I'm running the script on win8.1 at a virtual machine with win7

[water]

Microsoft describes what's going on here https://msdn.microsoft.com/en-us/library/aa394603(v=vs.85).aspx

"The user does not have remote access to the computer through DCOM. Typically, DCOM errors occur when connecting to a remote computer with a different operating system version."

Solution:
"Give the user Remote Launch and Remote Activation permissions in dcomcnfg."

[nikink]

Ah nuts, then. Looks like all the necessary permissions are blocked on the domain level, and remain in force even when the pc isn't joined. That's annoying.

 

Thanks for your help!