Active Directory UDF (II)

[JLogan3o13]

@Teckx I am guessing you can use _AD_GetUserGroups to get all the groups for the user, then cycle through the returned array with  _AD_RemoveUserFromGrou

[Teckx]

Worth a shot!

[Teckx]

is there a shortcut or a way to retrieve an active directory user email?

also a way to modify extensionAttribute 10 inside 'Exchange Advanced' Custom Attributes?

Edited July 12, 2017 by Teckx

[water]

To retrieve a single attribute use - guess which - function _AD_GetObjectAttribute. 

Run AD_GetObjectProperties.au3 to get all names/values for your user account as an example. 

[Teckx]

1 hour ago, water said:

To retrieve a single attribute use - guess which - function _AD_GetObjectAttribute. 

Run AD_GetObjectProperties.au3 to get all names/values for your user account as an example. 

thanks ill look more into it there

figure I just need to turn the @username into a variable I can manipulate and have it pull the email so I can then inject it into the attribute10

[NotM]

 

Hoping this is the right place to get help with using the Functions in the AD.AU3 UDF created by Mr. Waters.

The function I am having problems with is the Un Join a Domain function... _AD_UnJoinDomain()

I believe my main problem stems from my inability to figure out the proper "calling" syntax to use the functions in real code. In fact I haven't even been able to make the example included in the "_AD_UnJoinDomain.htm" file found in the AD 1.4.8.0 zip file I recently downloaded work. See below code:

 

expandcollapse popup

#AutoIt3Wrapper_AU3Check_Parameters= -d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6


#AutoIt3Wrapper_AU3Check_Stop_OnWarning=Y

#RequireAdmin

; *****************************************************************************

; Example 1

; Unjoins a computer from the domain.

; *****************************************************************************

#include <AD.au3>

#include <ButtonConstants.au3>

#include <GUIConstantsEx.au3>

#include <WindowsConstants.au3>

 

; Open Connection to the Active Directory

_AD_Open()

If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

 

Global $iReply = MsgBox(308, "Active Directory Functions - Example 1", "This script unjoins a computer from the domain and joins it to a workgroup." & @CRLF & @CRLF & _

        "Are you sure you want to change the Active Directory?")

If $iReply <> 6 Then Exit

 

; Enter the computer to unjoin

#region ### START Koda GUI section ### Form=

Global $Form1 = GUICreate("Active Directory Functions - Example 1", 714, 156)

GUICtrlCreateLabel("Computer to unjoin (NetBIOSName):", 8, 10, 231, 17)

Global $IComputer = GUICtrlCreateInput("", 241, 8, 459, 21)

GUICtrlCreateLabel("Workgroup to join the computer:", 8, 42, 231, 17)

Global $IWorkgroup = GUICtrlCreateInput("", 241, 40, 459, 21)

Global $BOK = GUICtrlCreateButton("Unjoin Computer", 8, 114, 121, 33)

Global $BCancel = GUICtrlCreateButton("Cancel", 628, 114, 73, 33, BitOR($GUI_SS_DEFAULT_BUTTON, $BS_DEFPUSHBUTTON))

GUISetState(@SW_SHOW)

#endregion ### END Koda GUI section ###

 

While 1

    Global $nMsg = GUIGetMsg()

    Switch $nMsg

        Case $GUI_EVENT_CLOSE, $BCancel

            Exit

        Case $BOK

            Global $sComputer = GUICtrlRead($IComputer)

            Global $sWorkgroup = GUICtrlRead($IWorkgroup)

            ExitLoop

    EndSwitch

WEnd

 

; Unjoin the computer from the domain

Global $iValue = _AD_UnjoinDomain($sComputer, $sWorkgroup)

If $iValue = 1 Then

    MsgBox(64, "Active Directory Functions - Example 1", "Computer '" & $sComputer & "' successfully unjoined. Please reboot the computer")

ElseIf @error = 1 Then

    MsgBox(64, "Active Directory Functions - Example 1", "Computer account for '" & $sComputer & "' does not exist in the domain")

ElseIf @error = 3 Then

    MsgBox(64, "Active Directory Functions - Example 1", "WMI object could not be created. @extended=" & @extended)

ElseIf @error = 4 Then

    MsgBox(64, "Active Directory Functions - Example 1", "Computer '" & $sComputer & "' is a member of another or no domain")

ElseIf @error = 5 Then

    MsgBox(64, "Active Directory Functions - Example 1", "Unjoining computer '" & $sComputer & "' from the domain was not successful. @extended=" & @extended)

ElseIf @error = 6 Then

    MsgBox(64, "Active Directory Functions - Example 1", "Joining the Computer '" & $sComputer & "' to workgroup '" & $sWorkgroup & "' was not successful. @extended=" & @extended)

Else

    MsgBox(64, "Active Directory Functions - Example 1", "Return code '" & @error & "' from Active Directory")

EndIf

 

; Close Connection to the Active Directory

_AD_Close()

 

It seems to me that in order for any of the AD functions to work, specifically the ones for Opening AD, Closing AD, Joining, and UnJoining the domain you would have to pass the function the name of the PC you are joining/unjoining to the domain, the name of the domain you are joining/unjoining as well as the credentials, username/password, of a user with authority to join and unjoin the domain.

I have tried many different ways of passing that info, but nothing seems to work.

Taking the example in the .htm file and without changing it, I get an error right after the call to "_AD_Open() in line 15. It reads.. "Function _AD_Open encountered a problem. @error=4, @extended=-2147023541". This seems to be a failure to create an object for the RootDSE.

I look at the example code and doesn't see it asking for and information such as users name/password or Domain name etc. The call to _AD_Open() has no variables being passed. How could it work if it has not got at least the proper credentials, which the example never asks for.

Needless to say there is a problem in the example if doesen't at least ask for the user name etc.

So to cut to the chase how would I use and call the _AD_UnJoinDomain() function in real code. My setup is as follows....

Our system consists of a Forest with 2 Domains/trees, one is called "TheAdmins" the other is called "NotTheAdmins". Our root domain is "TheCollege.Edu" and so the FQDN for each domain is "TheAdmins.TheCollege.Edu" or "NotTheAdmins.TheCollege.Edu". The credentials used are "TheAdmins\Lastname.Firstname". A system will either be joined to one of the two domains or it will be a member of a Workgroup, waiting to be joined.

If take the _AD_Open() line and change it to _AD_Open("TheAdmins\Lastname.Firstname", "ThePassword") I get the same error I got with noting being passed in the brackets. "Function _AD_Open encountered a problem. @error=4, @extended=-2147023541"

If I remove to "_AD_Open" call I will get prompted for the PC name and the WorkGroup" name, but not for any credentials. It will then fail with a...

--> Press Ctrl+Alt+Break to Restart or Ctrl+Break to Stop
"C:\Program Files (x86)\AutoIt3\Include\AD.au3" (590) : ==> Variable must be of type "Object".:
$__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(" & $sProperty & "=" & $sObject & ");ADsPath;subtree"
$__oAD_Command^ ERROR
->15:59:36 AutoIt3.exe ended.rc:1
+>15:59:36 AutoIt3Wrapper Finished.

Obviously something is wrong.

If I change the call to the unjoin function as follows, I get the same error... "Global $iValue = _AD_UnjoinDomain($sComputer, $sWorkgroup, "Theadmins\last.first", "thepassword")"

So would someone be kind enough to help me with the syntax for using the UnJoin function, or any of the functions in the AD.AU3 file.

Where and how would I plug in the Username/password and the PC and Domain name etc to get the example working.

Thanks to all who can and will help,

Ralph

[Neutro]

Hello Ralph,

Quote

The call to _AD_Open() has no variables being passed. How could it work if it has not got at least the proper credentials, which the example never asks for

When this function is called without variables, it uses the credentials of the currently logged user to connect to the domain of which the computer is a member of.

Quote

aking the example in the .htm file and without changing it, I get an error right after the call to "_AD_Open() in line 15. It reads.. "Function _AD_Open encountered a problem. @error=4, @extended=-2147023541". This seems to be a failure to create an object for the RootDSE.

From the help file of _AD_Open() function:

Quote

4 - Creation of the RootDSE object failed. @extended returns the error code received by the COM error handler.
    Generated when connection to the domain isn't successful. @extended returns -2147023541 (0x8007054B)

So basicly it means the computer from where you ran the script tried to use the currenly logged user crendentials to connect to the domain which the computer is already a member of and it failed. 

Quote

If take the _AD_Open() line and change it to _AD_Open("TheAdmins\Lastname.Firstname", "ThePassword") I get the same error I got with noting being passed in the brackets. "Function _AD_Open encountered a problem. @error=4, @extended=-2147023541"

Once again as the help file says:

Quote

_AD_Open will use the alternative credentials $sUserIdParam and $sPasswordParam if passed as parameters.
$sUserIdParam has to be in one of the following forms (assume the samAccountName = DJ)
* Windows Login Name e.g. "DJ"
* NetBIOS Login Name e.g. " \DJ"
* User Principal Name e.g. "DJ@domain.com"
All other name formats have NOT been successfully tested (see section "Link")

"TheAdmins\Lastname.Firstname" is not a format that can be used as the first parameter for login. Also you did not specify to which domain you want the script to connect to.

A proper way to connect to "TheAdmins" domain would be like this:

$test = _AD_Open("lastname.firstname", "password", "DC=TheAdmins,DC=TheCollege,DC=EDU")

Check if this work.

If it does not, there is no need to go further. You need the function _AD_Open() to work (return 1) otherwise nothing else will work!

If it does not, then go on a computer which is already a member of the domain "TheAdmins", log on it with "lastname.firstname" account and run _Ad_Open() from it. It must work!

Edited July 12, 2017 by Neutro

[Teckx]

What's the easiest way to grab an AD users email via script?

Edited July 25, 2017 by Teckx

[water]

For the current user:

$vResult = _AD_GetObjectAttribute(@UserName, "mail")

 

[legend]

Just noticed something funny.

If the checkbox is enabled for: "User must change password at next logon" then _AD_GetPasswordInfo won't work,

it will return no information.

 

 

Here is my func:

 

func password_info()
        $brugernavn1 = InputBox("username", "enter username", "")
        If @error Then Exit

        $brugernavn_whitespace = StringStripWS($brugernavn1, $STR_STRIPALL) ;strips all white space.
        $brugernavn = StringRegExpReplace($brugernavn_whitespace, "(?i)[^a-z.]", "") ;strips all special symbols.

        $pwInfo = _AD_GetPasswordInfo($brugernavn)
        if @error Then
            MsgBox(64, "error", "the user does not exist.")
            ClipPut($brugernavn)
            Run(FileGetShortName(@ScriptFullPath & " " & "passwordinfo"))
            Exit
        EndIf

        $last_changed = _DateTimeFormat($pwinfo[8], 0)
        $date_expire = _DateTimeFormat($pwinfo[9], 0)
        MsgBox(0, "Password Information", "password was changed:" & @CRLF & $last_changed & @CRLF & @CRLF & "password expires:" & @CRLF & $date_expire)
EndFunc

 

Edited August 8, 2017 by legend

[water]

Please define "won't work". Is @error set to a valu <> 0? Do you get an empty $pwinfo array? ...

[legend]

16 hours ago, water said:

Please define "won't work". Is @error set to a valu <> 0? Do you get an empty $pwinfo array? ...

If I use my func, the if @error will take action if the checkbox is enabled:

$pwInfo = _AD_GetPasswordInfo($brugernavn)
        if @error Then

If I run the original script (_AD_GetPasswordInfo.au3) it will return a weird date if the checkbox is enabled:

 

If the checkbox "user must change password at next logon" isn't enabled, it works fine:

 

[water]

What is the value of @error then?
According to the function description in the UDF @error can be set to one of this values:

Quote

Failure - "", sets @error to:
  1 - $sObject not found
Warning - Returns a one-based array (see Success), sets @error to:
  2 - Password does not expire (User Access Control - UAC - is set)
  3 - Password has never been set
  4 - The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire
The @error value can be a combination of the above values e.g. 5 = 2 (Password does not expire) + 3 (Password has never been set)

 

[legend]

error code 3, password has expired yes

[legend]

25 minutes ago, water said:

What is the value of @error then?
According to the function description in the UDF @error can be set to one of this values:

 

error code 3, password has expired yes

[water]

@error > 1 isn't an error but an information.
3 means: The password has never been changed by the user. 1601/01/01 00:00 is Microsofts way of telling you that the password has never been changed.

To sum it up: Everything works as designed.
 

Edited August 9, 2017 by water

[legend]

I see, it's working as it should, thank you

[water]

[leortiz]

Hi, Can someone help me with null values in _AD_GetObjectProperties?

This just don't work here....

_AD_Open()
If @error Then Exit
Global $Ramal = _AD_GetObjectProperties(@UserName, "telephoneNumber")
_AD_Close()

If $Ramal = Null Then
    ConsoleWrite( "Test" & $Ramal )
    exit 3
EndIf

 

 

[water]

Please define "don't work".
What is the return value and the values of @error and @extended after _AD_GetObjectProperties?
What does

MsgBox(0, "", VarGetType($Ramal))

return?
What does

MsgBox(0, "", IsKeyword($Ramal))

return?

Edited September 20, 2017 by water