
Add Domain User to local group

ACalcutt

I am trying to add a domain user to a local group

based on this article

http://www.microsoft.com/technet/scriptcen...04/hey1008.mspx

I thought I could do this

$objGroup = ObjGet("WinNT://" & @ComputerName & "/" & $level)
$objUser = ObjGet("WinNT://" & $domain & "/" & $user)
$objGroup.Add($objUser.ADsPath)

That works for a local user, but when I try to do a domain user I get

$objGroup.Add($objUser.ADsPath)

$objGroup.Add($objUser.^ERROR

Error: Variable must be of type "Object"

I'm assuming that's because it needs my credentials to check that the user exists.... How would I provide that information?

;complete function

Func _User($action, $user, $pass="", $domain=@ComputerName, $level="")
    Select
        Case $action = "ADD"
            $objLocalComputer = ObjGet("WinNT://" & @ComputerName); Init COM object
            $objUser = $objLocalComputer.Create ("user", $user); Create user
            $objUser.SetPassword ($pass)
            $objUser.SetInfo
            _User("SET_GROUP", $user, $pass, $domain, $level)
        Case $action = "REMOVE"
;_Profile("REMOVE", $user, $domain)
            $objLocalComputer = ObjGet("WinNT://" & @ComputerName); Init COM object
            $objLocalComputer.Delete("user", $user); Delete user
        Case $action = "SET_GROUP"
            $objGroup = ObjGet("WinNT://" & @ComputerName & "/" & $level)
            $objUser = ObjGet("WinNT://" & $domain & "/" & $user)
            $objGroup.Add($objUser.ADsPath)
        Case $action = "REMOVE_GROUP"
            $objGroup = ObjGet("WinNT://" & @ComputerName & "/" & $level)
            $objUser = ObjGet("WinNT://" & $domain & "/" & $user)
            $objGroup.Remove($objUser.ADsPath)
    EndSelect
EndFunc;==>_User
Edited by ACalcutt

Andrew Calcutt

Http://www.Vistumbler.net

Http://www.TechIdiots.net

It's not an error, it's an undocumented feature

Jos

What error do you get when you add these lines?

$oMyError = ObjEvent("AutoIt.Error","MyErrFunc") ; Install a custom error handler 
; <+++++ Your code goes here ++++
; This is my custom error handler 
Func MyErrFunc() 
   $HexNumber=hex($oMyError.number,8) 
   Msgbox(0,"","We intercepted a COM Error !" & @CRLF & _
                "Number is: " & $HexNumber & @CRLF & _
                "Linenbr is: " & $oMyError.scriptline  & @CRLF & _
                "Description is: " & $oMyError.description  & @CRLF & _
                "Windescription is: " & $oMyError.windescription ) 

   SetError(1) ; something to check for when this function returns 
Endfunc

Live for the present,
Dream of the future,
Learn from the past.
  :)

ACalcutt

A friend from work helped me get it working...

I ended up with this

Func _User($action, $user, $pass="", $domain=@ComputerName, $level="")
    Select
        Case $action = "ADD"
            $objLocalComputer = ObjGet("WinNT://" & @ComputerName); Init COM object
            $objUser = $objLocalComputer.Create ("user", $user); Create user
            $objUser.SetPassword ($pass)
            $objUser.SetInfo
            _User("SET_GROUP", $user, $pass, $domain, $level)
        Case $action = "REMOVE"
            _Profile("REMOVE", $user, $domain)
            $objLocalComputer = ObjGet("WinNT://" & @ComputerName); Init COM object
            $objLocalComputer.Delete("user", $user); Delete user
        Case $action = "SET_GROUP"
            $dso = ObjGet("WinNT:")
            $objGroup = ObjGet("WinNT://" & @ComputerName & "/" & $level & ",group") 
            $objUser = $dso.OpenDSObject("WinNT://" & $domain & "/" & $user,$domain & "\" & $user, $pass, 1) 
            $objGroup.Add($objUser.ADsPath)
        Case $action = "REMOVE_GROUP"
            $objGroup = ObjGet("WinNT://" & @ComputerName & "/" & $level)
            $objUser = ObjGet("WinNT://" & $domain & "/" & $user)
            $objGroup.Remove($objUser.ADsPath)
    EndSelect
EndFunc ;==>_User

If I have some spare time I will see what the other code gave me as an error.

Edited by ACalcutt

HaeMHuK

Hi!

I'm trying to use your script. It goes to an error "The requested action with this object has failed".

$level = 'Administrators'
$domain = 'domainname'
$user = 'domainadmin'
$password = 'domainpassword'
$user1 = 'username'
$dso = ObjGet("WinNT:")
$objGroup = ObjGet("WinNT://" & @ComputerName & "/" & $level & ",group") 
$objUser1 = $dso.OpenDSObject("WinNT://" & $fulldomain & "/" & $user1,$domain & "\" & $user, $password, 1) 
$objGroup.Add ($objUser1.AdsPath)

Could you please help me to re-edit it?

Edited by HaeMHuK

water

All Active Directory related functions can be done using the Active Directory UDF (for download please see my signature) as well.


My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2018-12-03 - Version 1.4.11.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (2018-10-31 - Version 1.3.4.1) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
PowerPoint (2017-06-06 - Version 0.0.5.0) - Download - General Help & Support
Excel - Example Scripts - Wiki
Word - Wiki
 
Tutorials:

ADO - Wiki

 

HaeMHuK

All Active Directory related functions can be done using the Active Directory UDF (for download please see my signature) as well.

Thanks for UDF. I've already created script for me based on it.

But I didn't find there what I've mentioned before.

water

But I didn't find there what I've mentioned before.

That's true. The only WINNT stuff is related to the functions to join/unjoin a computer to the domain.

But with the AD UDF you can at least get the ADSPATH of the user.


HaeMHuK

That's true. The only WINNT stuff is related to the functions to join/unjoin a computer to the domain.

But with the AD UDF you can at least get the ADSPATH of the user.

I don't need to add pc to domain. I just only need to add domain user to local group.

How can I do it with AD UDF?

water

#include <ad.au3>
_AD_Open()
; Get ADSPath for specified user
$user = @UserName
$sFQDN = _AD_SamAccountNameToFQDN($user)
$sADSPath = "LDAP://" & $sAD_HostServer & "/" & $sFQDN
_AD_Close()
; access group
$level = 'Administrators'
$objGroup = ObjGet("WinNT://" & @ComputerName & "/" & $level & ",group")
; Add user to group
$objGroup.Add ($sADSPath)

This example runs with the credentials of the current user. If you need a userid/password to access the AD then pass them as parameters to _AD_Open().

If you get:

Test.au3 (13) : ==> The requested action with this object has failed.:
$objGroup.Add ($sADSPath)
$objGroup.Add ($sADSPath)^ ERROR
then you're missing the necessary rights to add the user to the local group.

Edited by water

HaeMHuK

*****.au3 (12) : ==> The requested action with this object has failed.:

$objGroup.Add ($sADSPath)

$objGroup.Add ($sADSPath)^ ERROR

Maybe I'm doing something wrong?

I have these rights. There is something else.

Edited by HaeMHuK

water

*****.au3 (12) : ==> The requested action with this object has failed.:

$objGroup.Add ($sADSPath)

$objGroup.Add ($sADSPath)^ ERROR

Maybe I'm doing something wrong?

No, I think you're just missing the necessary rights to add the user to the local group.

I tested that the $objGroup exists.

To ensure that you aren't doing anything wrong with AutoIt you could download a VB script from the internet and test.


HaeMHuK

No, I think you're just missing the necessary rights to add the user to the local group.

I tested that the $objGroup exists.

To ensure that you aren't doing anything wrong with AutoIt you could download a VB script from the internet and test.

Well. After rebooting this works fine:

$dso = ObjGet("WinNT:")
$objGroup = ObjGet("WinNT://" & @ComputerName & "/" & $level & ",group")
$objUser = $dso.OpenDSObject("WinNT://" & $fulldomain & "/" & $user1,$domain & "\" & $user, $password, 1)
$objGroup.Add($objUser.ADsPath)
MsgBox(0, "111", "User added")

Sometimes it works sometimes not.

What is the reason, do you have any suggestions?

water

Sometimes it works sometimes not.

What is the reason, do you have any suggestions?

Unfortunately I have no idea. That's not my area of expertise :x Anyone else?

Edited by water

Juvigy

Try in cmd:

"Net localgroup administrators domain\user /add"

If this works just RUNDOS it with AutoIt.

HaeMHuK

Guys, never mind. Now works fine!

Thanks a lot for help.

CrabChuck

I'm stuck, again.  I have an application that uses local group membership to control the user roles.  Nesting AD groups into those local groups doesn't work, so my plan is to use a scheduled task to sync the AD group members to the local group.  I've got about 20 machines that need to keep synced, and it's been a pain doing it machine by machine.  I'm to the point where I can get the FQDN list of users out of AD, but I'm too new at this to understand how to take that list and add them to the local group.  Here's what I've got so far trying to make it work based on various threads.  Yes, I am an admin on the PC where I'm running it.  I think I read somewhere about an escape character in the FQDN that was needed, but can't find it again.  

$ADresult = _AD_Open("MYacct","MYpassword","","","",3)
$ADlist = _ad_getgroupmembers("PSuser")
_ad_Close()

$objGroup = ObjGet("WinNT://" & @ComputerName & "/" & "PSoperator")

For $i=1 to $ADlist[0] step +1
$uADS = "LDAP://" & $sAD_HostServer & "/" & $ADlist[$i]
$objGroup.add ($ADlist[$i])
Next

I get this: 

"The requested action with this object has failed.:"

$objGroup^ ERROR

Edited by CrabChuck

AdamUL

I have had consistent results using "net localgroup" to add AD groups and users to local groups. Example below.

#RequireAdmin
#include <Constants.au3>

;~ _AddADAccountToLocalGroup("AD\GroupName", "Administrators")
;~ If @error Then MsgBox($MB_ICONERROR, "Error", "Error adding user/group to local group.")

_AddADAccountToLocalGroup("AD\PSUser", "PSoperator")
If @error Then MsgBox($MB_ICONERROR, "Error", "Error adding user/group to local group.")

Func _AddADAccountToLocalGroup($sAccountName, $sLocalGroup)
    If StringLeft($sAccountName, 3) = "AD\" Then $sAccountName = StringTrimLeft($sAccountName, 3)
    
    ; Quote both names so values containing spaces stay single arguments
    Local $iPIDNet = Run('net localgroup "' & $sLocalGroup & '" "' & $sAccountName & '" /add', @SystemDir, @SW_HIDE, $STDERR_MERGED)
    ProcessWaitClose($iPIDNet)
    Local $sNetOutput = StringStripWS(StdoutRead($iPIDNet), $STR_STRIPLEADING + $STR_STRIPTRAILING)

    If Not (StringInStr($sNetOutput, "The command completed successfully.") Or StringInStr($sNetOutput, "The specified account name is already a member of the group.")) Then Return SetError(1, 0, False)

    Return True
EndFunc   ;==>_AddADAccountToLocalGroup

 

Adam

 

CrabChuck

What's the format of your $sAccountName variable?  I'm still working to try and solve my own issue, and discovered one problem with the $sAD_HostServer variable.  I capture it while I have my AD connection open.  That got my $uADS variable looking better.  I've got a debug message box where I return $objGroup.name and it's giving me the name of the group I want to update, so I'm pretty sure my group object is okay.  That means what I'm passing it isn't.  Right now, $uADS looks like this:

LDAP://server123.bob.company.com/CN=Mike Jones,OU=Users,OU=Americas,DC=bob,DC=company,DC=com

AdamUL

The $sAccountName is the format for the SamAccountName. You can use _AD_FQDNToSamAccountName to convert it to the proper format.

 

Adam

 

CrabChuck
9 minutes ago, AdamUL said:

The $sAccountName is the format for the SamAccountName. You can use _AD_FQDNToSamAccountName to convert it to the proper format.

 

Adam

 

That's what I was just reading about.  Problem is, all I can get it to return is still the FQDN.  If I wrap my FQDN in quotes, it returns the FQDN.  If I don't, it returns an error.

I've also been playing with _AD_GetObjectProperties but I can't get it to return anything.

Edited by CrabChuck
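
Added example, not code from any post in this thread: a sketch of the group add with the COM error handler Jos suggested installed, so a failed call returns an HRESULT instead of stopping the script with "The requested action with this object has failed". It passes a WinNT path built from the NetBIOS domain and the sAMAccountName, as the working snippets above do, rather than an LDAP:// path like $uADS; the function name, "EXAMPLEDOM" and "mjones" are assumptions made up for illustration.

```autoit
#RequireAdmin
; Added example. "EXAMPLEDOM" and "mjones" are constructed placeholders.
Global $g_iComErr = 0
Global $g_oComErr = ObjEvent("AutoIt.Error", "_ComErr") ; keep the handler object alive

; COM error handler: record the HRESULT instead of letting the script abort.
Func _ComErr($oErr)
    $g_iComErr = $oErr.number
    ConsoleWrite("COM error 0x" & Hex($oErr.number, 8) & " (line " & $oErr.scriptline & "): " & $oErr.windescription & @CRLF)
EndFunc   ;==>_ComErr

; Returns True if the account is a member when the call ends.
; @error: 1 = rejected name, 2 = cannot bind local group, 3 = Add failed (@extended = HRESULT).
Func _AddDomainAccountToLocalGroup($sDomain, $sSam, $sLocalGroup)
    ; Names are concatenated into an ADsPath, so refuse separators, wildcards and control characters.
    Local $sOk = '^[^\x00-\x1f"/\\\[\]:;|=,+*?<>@]{1,64}$'
    If Not (StringRegExp($sDomain, $sOk) And StringRegExp($sSam, $sOk) And StringRegExp($sLocalGroup, $sOk)) Then
        Return SetError(1, 0, False)
    EndIf

    ; The ",group" hint tells the provider which object class to bind.
    Local $oGroup = ObjGet("WinNT://" & @ComputerName & "/" & $sLocalGroup & ",group")
    If Not IsObj($oGroup) Then Return SetError(2, 0, False)

    ; WinNT path: NetBIOS domain plus sAMAccountName, the form the working snippets in the thread pass.
    Local $sMember = "WinNT://" & $sDomain & "/" & $sSam

    $g_iComErr = 0
    Local $bIsMember = $oGroup.IsMember($sMember)
    If $g_iComErr = 0 And $bIsMember Then Return True ; already a member, change nothing

    $g_iComErr = 0
    $oGroup.Add($sMember)
    If $g_iComErr <> 0 Then Return SetError(3, $g_iComErr, False)
    Return True
EndFunc   ;==>_AddDomainAccountToLocalGroup

Global $bAdded = _AddDomainAccountToLocalGroup("EXAMPLEDOM", "mjones", "PSoperator")
Global $iErr = @error, $iHresult = @extended
If $bAdded Then
    ConsoleWrite("Membership confirmed." & @CRLF)
Else
    ConsoleWrite("Not added: @error=" & $iErr & ", HRESULT=0x" & Hex($iHresult, 8) & @CRLF)
EndIf
```

The same name check is worth running before building a "net localgroup" command line, since those values also end up as command arguments.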
