Posted

Good evening, folks. The following script is used to update thousands of Active Directory computer objects that are missing information in the Description field. The script runs and works when launched by a logged-in user. However, the script does not perform as intended when it is run as an AutoPilot application. In AutoPilot the script is running under the NT Authority\System account. Is there a method in AutoIt that allows me to use a macro like @UserName to grab the currently logged-in user while the script is running under NT Authority\System? Maybe I am overlooking something simple here and would appreciate any available help/insights. Thank you.
 

#include <AD.au3>

Global $sDescription, $aEmail, $sEID, $iValue, $sEmail

_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory result", "Script function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)
$aProperties = _AD_GetObjectProperties(@ComputerName & "$")

; @UserName is the account the script runs under; as NT Authority\System this is not the logged-on user.
$sEID = @UserName
$sComputerName = @ComputerName
; Look the user's mail attribute up by sAMAccountName; element [0] of the returned array holds the row count.
$aEmail = _AD_GetObjectsInOU("", "(SAMAccountname=" & $sEID & ")", 2, "mail", "")
If @error Or Not IsArray($aEmail) Then Exit MsgBox(16, "Active Directory result", "No mail attribute found for user '" & $sEID & "'")

For $i = 1 To UBound($aEmail) - 1
    If StringInStr($aEmail[$i], "E") Then
        $sEmail = $aEmail[$i]
    ElseIf StringInStr($aEmail[$i], "LC") Then
        $sEmail = $aEmail[$i]
    EndIf
    ExitLoop ; only the first returned value is examined
Next

$sDescription = $sEmail & " - " & $sComputerName ;Insert description information here for production environment.
; Change attribute Description field.
$iValue = _AD_ModifyAttribute($sComputerName & "$", "description", $sDescription)
If $iValue = 1 Then
    MsgBox(64, "Active Directory Result", "Description for computer '" & $sComputerName & "' successfully changed")
ElseIf @error = 1 Then
    MsgBox(64, "Active Directory Result", "Computer '" & $sComputerName & "' does not exist")
Else
    MsgBox(64, "Active Directory Result", "Return code '" & @error & "' from Active Directory")
EndIf

_AD_Close()


 

Posted

You could also use WMI Win32_ComputerSystem Username to get the logged on user, alternatively you could use qwinsta to get the current active console session.
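Both suggestions side by side, as an added PowerShell example that is not part of this thread's AutoIt scripts: WMI first, then a parser for the text table that qwinsta prints. The sample qwinsta output is constructed; the function and file names are my own.

```powershell
# Added example, not code from this thread: resolve the interactive console user
# from a process running as NT AUTHORITY\SYSTEM, where $env:USERNAME (or AutoIt's
# @UserName) only ever yields "SYSTEM". Tries WMI first, then qwinsta.

function Get-ConsoleUserFromWmi {
    # Win32_ComputerSystem.UserName is "DOMAIN\user" for the console session and
    # empty when nobody is logged on (e.g. early Autopilot phases); treat that as $null.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ([string]::IsNullOrWhiteSpace($cs.UserName)) { return $null }
    return $cs.UserName
}

function ConvertFrom-QwinstaOutput {
    # Parse the text table printed by qwinsta / "query session". When run as a
    # service the '>' marker sits on the session-0 row, so the marker is ignored
    # and the row whose STATE column reads 'Active' is taken instead.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $fields = ($line -replace '^\s*>', '') -split '\s+' | Where-Object { $_ -ne '' }
        # A row with a user looks like: console  jdoe  1  Active  (4 fields);
        # rows without a user have only 3 fields and are skipped.
        if ($fields.Count -ge 4 -and $fields[3] -eq 'Active') { return $fields[1] }
    }
    return $null
}

function Get-ConsoleUser {
    # Returns the user name without the domain prefix, ready for a sAMAccountName lookup.
    $name = Get-ConsoleUserFromWmi
    if (-not $name) {
        $name = ConvertFrom-QwinstaOutput -Lines (& qwinsta.exe 2>$null)
    }
    if (-not $name) { return $null }
    return ($name -split '\\')[-1]
}

# Constructed sample of qwinsta output, used to exercise the parser offline.
$sampleQwinsta = @(
    ' SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE',
    ' services                                    0  Disc',
    '>console           jdoe                      1  Active',
    ' rdp-tcp                                 65536  Listen'
)
"Parsed from sample: $(ConvertFrom-QwinstaOutput -Lines $sampleQwinsta)"
"Live console user: $(Get-ConsoleUser)"
```

The empty-UserName case matters for Autopilot: during the device-setup phase no interactive user exists yet, so a script that builds the description from the WMI value must check for an empty result rather than writing "- COMPUTERNAME" into AD.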

Posted (edited)

Thanks for the tip on using WMI. That did the trick for getting the logged-on username. My script is updated and again it works when not using the NT Authority credential, but now I have a different error that pops up when running under NT Authority. It gets all the way down to the "_AD_ModifyAttribute" line and then it returns an error (see PIC). My updated script is as follows. I cannot seem to find any information on the Return Code in the screenshot. Any additional tips that may help me?

Error Code: [screenshot of the error dialog, not reproduced here]

#include <AD.au3>
#include <WinAPIFiles.au3>
; Script Start - Add your code below here
_WinAPI_Wow64EnableWow64FsRedirection(False)
Global $sDescription, $aEmail, $sEID, $iValue, $sEmail

; WMI flags for a fast, forward-only enumeration.
$wbemFlagReturnImmediately = 0x10
$wbemFlagForwardOnly = 0x20
$colItems = ""
$strComputer = "localhost"

; Win32_ComputerSystem.UserName holds DOMAIN\user of the interactive console user even when
; this script itself runs as NT Authority\System (it is empty when nobody is logged on).
$Output = ""
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")
$colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem", "WQL", _
        $wbemFlagReturnImmediately + $wbemFlagForwardOnly)
If IsObj($colItems) Then
    For $objItem In $colItems
        $Output = $objItem.UserName & @CRLF
    Next
    ; Strip the "DOMAIN\" prefix whatever its length (a fixed StringTrimLeft count only fits one domain name length).
    $Output = StringRegExpReplace($Output, "^.*\\", "")
    $sEID = StringStripWS($Output, 8)
Else
    MsgBox(0, "WMI Output", "No WMI Objects Found for class: " & "Win32_ComputerSystem")
EndIf
If $sEID = "" Then Exit MsgBox(16, "WMI Output", "No interactive user is logged on; cannot build the description")

_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory result", "Script function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)
$aProperties = _AD_GetObjectProperties(@ComputerName & "$")

$sComputerName = @ComputerName
; Look the user's mail attribute up by sAMAccountName; element [0] of the returned array holds the row count.
$aEmail = _AD_GetObjectsInOU("", "(SAMAccountname=" & $sEID & ")", 2, "mail", "")
If @error Or Not IsArray($aEmail) Then Exit MsgBox(16, "Active Directory result", "No mail attribute found for user '" & $sEID & "'")
For $i = 1 To UBound($aEmail) - 1
    If StringInStr($aEmail[$i], "E") Then
        $sEmail = $aEmail[$i]
    ElseIf StringInStr($aEmail[$i], "LC") Then
        $sEmail = $aEmail[$i]
    EndIf
    ExitLoop ; only the first returned value is examined
Next
MsgBox(0, "", $sEmail) ; debug output

$sDescription = $sEmail & " - " & $sComputerName
; Change attribute Description field (action 2 = replace the existing value).
$iValue = _AD_ModifyAttribute($sComputerName & "$", "description", $sDescription, 2)
If $iValue = 1 Then
    MsgBox(64, "Active Directory Functions", "Description for computer '" & $sComputerName & "' successfully changed")
ElseIf @error = 1 Then
    MsgBox(64, "Active Directory Functions", "Computer '" & $sComputerName & "' does not exist")
Else
    MsgBox(64, "Active Directory Functions", "Return code '" & @error & "' from Active Directory")
EndIf

_AD_Close()

 

Edited by LisHawj
Posted

Are you sure the computer has permissions to modify the description?
https://docs.microsoft.com/en-us/windows/win32/adschema/a-description

Personally I would just create a hidden shared folder and have each user create a unique file name and then process the folder using a scheduled task, for example, basic concept, untested:

\\Server\Share$
\\Server\Share$\Processed

Create a simple script:

#NoTrayIcon
#include <AD.au3>

Global $g_sShare = "\\Server\Share$"
;~ Share doesn't exist, exit
If FileExists($g_sShare) = 0 Then Exit
Global $g_sComputerUser = @ComputerName & "-" & @UserName & ".ini"
;~ File has already been processed, exit
If FileExists($g_sShare & "\Processed\" & $g_sComputerUser) Then Exit
_AD_Open()
    IniWrite($g_sShare & "\" & $g_sComputerUser, "Details", "Computer Name", @ComputerName & "$")
    IniWrite($g_sShare & "\" & $g_sComputerUser, "Details", "Description", _AD_GetObjectAttribute(@UserName, "mail") & " - " & @ComputerName)
_AD_Close()

A scheduled task on a server, running with an account that has rights to write to the description field (for example a domain admin account):

#NoTrayIcon
#include <AD.au3>
#include <File.au3>

Global $g_sShare = "\\Server\Share$"
;~ Files only, no recursion; flag 2 returns full paths
Global $g_aShare = _FileListToArrayRec($g_sShare, "*.ini", 1, 0, 0, 2)
If @error Then Exit
Global $g_sComputerName, $g_sDescription
_AD_Open()
    For $i = $g_aShare[0] To 1 Step -1
        $g_sComputerName = IniRead($g_aShare[$i], "Details", "Computer Name", "")
        If $g_sComputerName = "" Then
            FileDelete($g_aShare[$i])
            ContinueLoop
        EndIf
        $g_sDescription = IniRead($g_aShare[$i], "Details", "Description", "")
        If $g_sDescription = "" Then
            FileDelete($g_aShare[$i])
            ContinueLoop
        EndIf
        ;~ Process file
        _AD_ModifyAttribute($g_sComputerName, "description", $g_sDescription, 2)
        ;~ Move the file into \Processed (flag 9 = overwrite + create folder)
        If Not @error Then FileMove($g_aShare[$i], StringReplace($g_aShare[$i], $g_sShare & "\", $g_sShare & "\Processed\"), 9)
    Next
_AD_Close()
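One way to answer the permission question above before touching the AutoIt script, as an added PowerShell example that is not part of this thread: list the ACEs on the computer object that allow writing 'description'. It needs the ActiveDirectory module (RSAT) and only reads the ACL; the function names and the computer name 'PC-123' are placeholders of mine.

```powershell
# Added example, not code from this thread: show which identities may write the
# 'description' attribute of a computer object. Requires the ActiveDirectory
# module (RSAT); it reads the ACL and changes nothing. 'PC-123' is a placeholder.
Import-Module ActiveDirectory

function Get-AttributeSchemaGuid {
    # Resolve the attribute's schemaIDGUID from the schema rather than hard-coding it.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$attr.schemaIDGUID
}

function Get-DescriptionWriters {
    # Lists Allow ACEs that grant WriteProperty on 'description', either explicitly
    # or on all properties (empty ObjectType). Rights granted through a property set
    # (ObjectType = the set's GUID) are not matched and would need a separate lookup.
    param([Parameter(Mandatory)][string]$ComputerName)   # name without the trailing '$'
    $computer  = Get-ADComputer -Identity $ComputerName
    $descGuid  = Get-AttributeSchemaGuid -LdapDisplayName 'description'
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acl = Get-Acl -Path ('AD:\' + $computer.DistinguishedName)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
        ($_.ObjectType -eq $descGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# A script running as NT AUTHORITY\SYSTEM on a domain-joined machine authenticates to
# AD as that machine's computer account, so an ACE for 'NT AUTHORITY\SELF' (or for a
# group containing the computer account) is what would let it update its own description.
Get-DescriptionWriters -ComputerName 'PC-123' | Format-Table -AutoSize
```

If no row names SELF, the computer account or one of its groups, the failure under NT Authority\System is expected regardless of what the script does, and the choice is between delegating that single attribute to the computers in question and moving the write to a server-side account as the post above suggests.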
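A second added PowerShell example, again not code from this thread, for the server-side half of the drop-folder design: because every user can write to the share, the processor should not take the computer name inside a file at face value, and this version authenticates each file by its NTFS owner instead. It assumes the client-side writer runs as SYSTEM (as it does under Autopilot), so the owner is the computer account DOMAIN\NAME$; file names follow NAME-user.ini as in the post; the share paths and function names are placeholders of mine.

```powershell
# Added example, not code from this thread: server-side processor for the drop-folder
# design that trusts the file's NTFS owner, not the computer name written inside it.
# Assumptions: the client-side writer runs as SYSTEM, so the owner is DOMAIN\NAME$;
# files are named NAME-user.ini; \\Server\Share$ and \Processed are placeholders.
Import-Module ActiveDirectory

$Share     = '\\Server\Share$'
$Processed = Join-Path -Path $Share -ChildPath 'Processed'

function Get-IniValue {
    # Minimal [Section] key=value reader for the files the client script writes.
    param([string]$Path, [string]$Section, [string]$Key)
    $current = ''
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $current = $Matches[1]; continue }
        if ($current -eq $Section -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$' -and $Matches[1] -eq $Key) {
            return $Matches[2]
        }
    }
    return $null
}

function Get-FileOwnerSam {
    param([string]$Path)
    return ((Get-Acl -Path $Path).Owner -split '\\')[-1]   # "CORP\PC-123$" -> "PC-123$"
}

function Test-DropFile {
    # $true only when the owner is a computer account and both the file name and the
    # claimed "Computer Name" agree with that proven identity.
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    $ownerSam = Get-FileOwnerSam -Path $File.FullName
    if (-not $ownerSam.EndsWith('$')) { return $false }
    $claimed = Get-IniValue -Path $File.FullName -Section 'Details' -Key 'Computer Name'
    if ($claimed -ne $ownerSam) { return $false }
    return $File.BaseName.StartsWith($ownerSam.TrimEnd('$') + '-', [System.StringComparison]::OrdinalIgnoreCase)
}

function Invoke-DropFolderProcessing {
    foreach ($file in Get-ChildItem -Path $Share -Filter '*.ini' -File) {
        if (-not (Test-DropFile -File $file)) {
            Write-Warning "Rejected $($file.Name): owner and content disagree; left in place for review"
            continue
        }
        $desc = Get-IniValue -Path $file.FullName -Section 'Details' -Key 'Description'
        if ([string]::IsNullOrWhiteSpace($desc) -or $desc.Length -gt 1024) { continue }
        # The identity to update comes from the owner, not from the file body.
        Set-ADComputer -Identity (Get-FileOwnerSam -Path $file.FullName) -Description $desc
        Move-Item -Path $file.FullName -Destination (Join-Path -Path $Processed -ChildPath $file.Name) -Force
    }
}

Invoke-DropFolderProcessing
```

With the client running as SYSTEM, the client side gets the user for the description text from WMI as in the updated script earlier in the thread, and the processing account on the server is the only identity that ever needs write access to 'description'. Rejected files are left in place rather than deleted so that a mismatch can be looked at.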

 

Posted

This script is used with the new Microsoft AutoPilot to provision PCs for our environment, so it is running from the PC that is getting provisioned. Due to the way AutoPilot works, the PC naming convention is completely different and vital information is missing in the Active Directory object property fields for AutoPilot-provisioned PCs. I have tested this on my own admin PC and the script does work running as a normal domain account with local admin privilege. However, when I run a CMD window under NT Authority\System and run my script to test it, I get the aforementioned error on my admin PC.

Your method is definitely an alternative to consider, but I did not want (at least for now) to create a list that needs to be maintained and/or processed separately later. Any additional tips are much appreciated. Thank you very much in advance.
